FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
heng
Staff
Article Id 219190
Description

This article describes how to configure FortiManager to send its local system event log via email notification by using the event handler feature.

If a local system event log matches any condition set in the event handler, an email notification is sent.

This configuration guide also applies to FortiAnalyzer.

Scope

FortiManager, FortiAnalyzer.
Solution

Configuration Steps:

1) Enable the FortiAnalyzer feature in FortiManager. This requires a reboot.

Or, enable FortiManager logging to an external FortiAnalyzer server:

# config system locallog fortianalyzer setting
    set status realtime
    set server "FAZ"
    set severity debug
end

2) In FortiManager with the FortiAnalyzer feature enabled, or in the external FortiAnalyzer, set up the email server via System Settings -> Advanced -> Mail Server -> Create New.

3) Test the email server; the test email should be sent successfully.

4) In FortiManager with the FortiAnalyzer feature enabled, or in the external FortiAnalyzer, create an event handler under ADOM: root. The local system event log is matched against the handler's match condition and filter settings, and an email notification is sent on a match.

Note:

For local system event log handling, the handler must be created under ADOM: root.

5) Make sure the handler is created on 'Local Device' if FortiAnalyzer is enabled on FortiManager, then fill in the corresponding filter information, for example using log ID 0002011003 to detect a FortiManager-to-FortiGate tunnel going down.

This example uses a generic text filter on log_id=0002011003, which stands for msg=fgfm connection to device Wira-kvm03 is down.

log_id=0002011003 type=event subtype=fgfm level=warning desc=fgfm connection down msg=fgfm connection to device Wira-kvm03 is down user=fgfm device=Wira-kvm03 devid=FMG-VM0A17002000 itime=2022-08-01 13:44:07 date=2022-08-01 time=13:44:07 dtime=2022-08-01 13:44:07 itime_t=1659332647

Select the mail server created earlier and save the configuration.

6) If any connection between FortiManager and FortiGate is down or offline, the event count increases, and the corresponding log is visible in the system event log as well as in the Alert Message Console on the system dashboard.

7) An email notification will be received if the event log matches the configured event handler.
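To check offline which log lines a filter on log_id=0002011003 would catch, the following added example (not part of the original article and not Fortinet code) parses the sample log line from step 5 and matches it on the parsed log_id field. The function names, the HANDLER_FILTER dictionary and the second log line are assumptions constructed for illustration, and the match is plain field equality rather than FortiAnalyzer's own generic text filter syntax.

```python
import re

# Log line copied from step 5 of the article.
SAMPLE = (
    "log_id=0002011003 type=event subtype=fgfm level=warning "
    "desc=fgfm connection down msg=fgfm connection to device Wira-kvm03 is down "
    "user=fgfm device=Wira-kvm03 devid=FMG-VM0A17002000 "
    "itime=2022-08-01 13:44:07 date=2022-08-01 time=13:44:07 "
    "dtime=2022-08-01 13:44:07 itime_t=1659332647"
)
# Constructed line (not real output): the log ID only appears inside msg.
CONSTRUCTED = (
    "log_id=0000000000 type=event subtype=system level=information "
    "desc=constructed msg=operator note mentioning 0002011003 user=admin"
)
# Assumed stand-in for the handler's filter: exact match on parsed fields.
HANDLER_FILTER = {"log_id": "0002011003"}

# A key starts the line or follows whitespace and is followed directly by "=".
_KEY = re.compile(r"(?:^|\s)([A-Za-z_]\w*)=")


def parse_event(line):
    """Split an unquoted key=value line whose values may contain spaces."""
    found = list(_KEY.finditer(line))
    fields = {}
    for i, m in enumerate(found):
        # A value runs until the next key (or end of line).
        end = found[i + 1].start() if i + 1 < len(found) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def alerts(lines, conditions):
    """Return (device, msg) for every line whose fields meet all conditions."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if all(fields.get(k) == v for k, v in conditions.items()):
            hits.append((fields.get("device"), fields.get("msg")))
    return hits


if __name__ == "__main__":
    for device, msg in alerts([SAMPLE, CONSTRUCTED], HANDLER_FILTER):
        print(f"ALERT {device}: {msg}")
```

Because values are unquoted, a message that itself contains a word followed by "=" would be split into an extra field by this parser.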