Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gbamania
Staff
Staff

Created on ‎02-22-2022 10:56 PM Edited on ‎09-08-2025 10:07 PM By Moderator

Article Id 205355

Technical Tip: Using wildcard in field filter in Automation-stitch

Description

This article describes how to trigger an automation-stitch by matching a partial string in a log field using a wildcard.
Scope Versions 6.4.3 and later.
Versions 7.0.0 and later.
Solution
  • Use Wildcard (*) to match a substring in the field’s value.
  • It can be used to match a string in the field of a log.
  • Example: This example shows how to catch the 'Down BGP Notification' string in the field 'msg' when a log of BGP is generated.

 

Log:

 

Field: msg

Value: "BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Down BGP Notification FSM-ERR

 

date=2022-01-22 time=14:14:06 eventtime=1642889646347816623 tz="-0800" logid="0103020300" type="event" subtype="router" level="warning" vd="root" logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: VRF 0 neighbor 192.168.10.2 Down BGP Notification FSM-ERR

 

Syntax:

 

config system automation-trigger
    edit "trigger name>
        set event-type event-log
        set logid <log id>  <----- Select the event ID.
            config field
                edit 1
                    set name "msg"    <----- Fields of the log message.
                    set value "*Down BGP Notification*"    <----- String of the 'msg' field with * to match the sub-string.
                next

            end
    next
end

 

Configuration:

 

config system automation-stitch
    edit "bgp down neighbor"
        set trigger "bgP_neighbor_down"

            config action
                edit 1
                    set action "fortigate_email"
                    set required enable
                next
            end
    next
end

config system automation-trigger
    edit "bgP_neighbor_down"
        set event-type event-log
        set logid 20300 <----- Select the event ID which is for BGP neighbor status changed.

            config field
                edit 1
                    set name "msg" <----- Fields of the log message.
                    set value "*Down BGP Notification*" <----- String of the msg fields along with * to match the string.
                next
            end
    next
end

HQ # show system automation-action fortigate_email
config system automation-action
    edit "fortigate_email"
        set action-type email
        set email-to "xyz@yahoo.com"
        set email-subject "login_failed"
    next
end
4641
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.