FortiManager
heng
Staff
Article Id 219190
Description

This article describes how to configure FortiManager to send entries from its local system event log as email notifications by using the event handler feature.

 

When an entry in the local system event log matches a condition set in the event handler, an email notification is sent. This configuration guide also applies to FortiAnalyzer.

Scope: FortiManager, FortiAnalyzer.
Solution

Configuration Steps:

  1. Enable the FortiAnalyzer feature on the FortiManager. Enabling it requires a reboot.

 


 

Alternatively, configure the FortiManager to send its local logs to an external FortiAnalyzer server in real time:

 

config system locallog fortianalyzer setting
    set status realtime
    set server "FAZ"
    set severity debug
end


 

  2. On the FortiManager with the FortiAnalyzer feature enabled, or on the external FortiAnalyzer, set up the mail server via System Settings -> Advanced -> Mail Server -> Create New.

 


 

  3. Test the mail server configuration. The test email should be delivered successfully before continuing.

 


 

  4. On the FortiManager with the FortiAnalyzer feature enabled, or on the external FortiAnalyzer, create an event handler under ADOM: root. Entries in the local system event log are compared against the handler's match conditions and filter settings, and an email notification is sent for each match.

 

Note:

Event handlers for the local system event log must be created under ADOM: root; a handler created in any other ADOM will not see these logs.

 


 

  5. If the FortiAnalyzer feature is enabled on the FortiManager, make sure the handler's device selection is 'Local Device'. Then fill in the filter. This example uses log ID 0002011003 to detect the FGFM tunnel between the FortiManager and a FortiGate going down.

 

For this example, a generic text filter on log_id=0002011003 is used. This is the log ID of the 'fgfm connection down' event, whose message reads 'fgfm connection to device <device name> is down'. A sample entry from the local system event log, here for the device Wira-kvm03:

 

log_id=0002011003 type=event subtype=fgfm level=warning desc=fgfm connection down msg=fgfm connection to device Wira-kvm03 is down user=fgfm device=Wira-kvm03 devid=FMG-VM0A17002000 itime=2022-08-01 13:44:07 date=2022-08-01 time=13:44:07 dtime=2022-08-01 13:44:07 itime_t=1659332647

 


 

Select the mail server created earlier and save the configuration.
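The filter can be checked offline against the sample entry before relying on the handler. The following Python script is an added example for this article, not Fortinet code: it parses Fortinet-style key=value log lines (both the raw form with double-quoted values and the unquoted form the FortiManager GUI displays, like the sample above), applies a simplified key/value equality filter standing in for the handler's generic text filter (this is a stand-in, not FortiAnalyzer's filter grammar), and builds the notification text for each match. Everything apart from the article's own sample entry is constructed test input; the log IDs 0000000000 and 0000000001 are placeholders, not real FortiManager log IDs.

```python
"""Replay FortiManager/FortiAnalyzer local system event log lines against a
simple event-handler style filter.  Added example, not Fortinet code.

Assumptions (not from the article): a log line is a sequence of key=value
pairs; values containing spaces are either double-quoted (raw log) or
unquoted (as the FortiManager GUI displays them).  The filter is modelled
as key -> expected value equality, a stand-in for the handler's Generic
Text Filter rather than FortiAnalyzer's real filter syntax.
"""
import re
from typing import Dict, Iterable, List

# One token is  key=value  where value is a double-quoted string or a run of
# characters up to the next  " key="  token (or end of line).  The lazy .*?
# plus lookahead is what lets unquoted values such as
# "fgfm connection to device Wira-kvm03 is down" survive as one field.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|\s*$)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one Fortinet-style log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line.strip()):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')   # drop quotes, unescape \"
        fields[key] = raw
    return fields


def matches_filter(event: Dict[str, str], flt: Dict[str, str]) -> bool:
    """True when every filter key is present in the event with that value."""
    return all(event.get(k) == v for k, v in flt.items())


def run_handler(lines: Iterable[str], flt: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the parsed events that would trigger the handler."""
    return [ev for ev in (parse_log_line(l) for l in lines) if matches_filter(ev, flt)]


def notification_body(event: Dict[str, str]) -> str:
    """Build the email text a handler would send for one matching event."""
    return (f"[{event.get('level', '?')}] {event.get('msg', '')}\n"
            f"device={event.get('device', '?')} devid={event.get('devid', '?')} "
            f"at {event.get('date', '?')} {event.get('time', '?')}")


# Constructed sample input.  Lines 1 and 2 are the article's tunnel-down
# event, once in raw quoted form and once as the GUI displays it.  Lines 3
# and 4 are made-up events with placeholder IDs that must NOT match.
SAMPLE_LOGS = [
    'log_id=0002011003 type=event subtype=fgfm level=warning desc="fgfm connection down" '
    'msg="fgfm connection to device Wira-kvm03 is down" user=fgfm device=Wira-kvm03 '
    'devid=FMG-VM0A17002000 date=2022-08-01 time=13:44:07',
    'log_id=0002011003 type=event subtype=fgfm level=warning desc=fgfm connection down '
    'msg=fgfm connection to device Wira-kvm03 is down user=fgfm device=Wira-kvm03 '
    'devid=FMG-VM0A17002000 itime=2022-08-01 13:44:07 date=2022-08-01 time=13:44:07',
    'log_id=0000000000 type=event subtype=fgfm level=information desc="placeholder event" '
    'msg="placeholder fgfm message" device=Wira-kvm03 date=2022-08-01 time=13:50:00',
    'log_id=0000000001 type=event subtype=system level=information '
    'msg="placeholder system event" user=admin date=2022-08-01 time=14:00:00',
]

# The handler filter from the article, narrowed by type and subtype as well.
TUNNEL_DOWN_FILTER = {"log_id": "0002011003", "type": "event", "subtype": "fgfm"}

if __name__ == "__main__":
    for ev in run_handler(SAMPLE_LOGS, TUNNEL_DOWN_FILTER):
        print(notification_body(ev))
        print("---")
```

Running the script prints two notifications, one for each form of the tunnel-down entry, and nothing for the two placeholder events. Matching on type and subtype in addition to log_id keeps the handler narrow in case another log category carries the same numeric ID; the same fields can be added to the handler's filter in the GUI.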

 


 

  6. When the FGFM connection between the FortiManager and a FortiGate goes down, or the FortiGate goes offline, the event count of the handler increases. The corresponding entry appears in the local system event log and in the Alert Message Console on the system dashboard.

 


 


 

  7. An email notification is received each time a log entry matches the configured event handler.

 
