AlexRG
New Contributor

Event Handlers Not Working as Expected in 5.6.0

My filters are:

Level [Equal To] Notice

Destination IP [Not Equal To] serverIP_A

Text filter:

srcintf=port30 and service~RDP and action=start

The log:

itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 srccountry=Reserved app=UDP_RDP date=2017-08-24 dstip=serverIP_B duration=0 vd=VD1 group=IT service=UDP_RDP proto=17 user=ME dstcountry=Reserved policytype=policy poluuid=45840192-88ea-51e7-b403-e3009408d646 devid=FG000000 dstport=3389 type=traffic dtime=2017-08-24 13:12:43 devname=FG00 time=13:12:43 sessionid=884716921 itime_t=1503594764 policyid=111 srcintf=port30 srcip=10.0.21.101 sentpkt=0 level=notice appcat=unscanned srcport=55887 logid=0000000015 subtype=forward trandisp=noop action=start dstintf=VLAN_6

I'm not getting any hits from that filter.

1 Solution
sgao_FTNT
Staff

Hi Alex,

Please check which log type and category you selected. I tried in the lab with the "Traffic" log and "Others" category, with a similar filter setting, and it works.

6 Replies

AlexRG

Bah. Don't know how I missed that. Thanks!

I was also having trouble with the keyword filter. I had a filter working fine in previous versions and it suddenly stopped.

 

The settings are:

  • Type: Web Filter
  • Group by: Category
  • Level [Equal To] Notice
  • keyword~'some text' or keyword~'some other text' or keyword~'some more text'

I even just tried firing on msg="Search phrase detected" but got nothing.

sgao_FTNT
Staff

Not sure how you configured the web filter handler. Here is my test example in the lab; please attach a screenshot if you still have the issue, then I can check it in the lab.

     

AlexRG

Handler settings attached.

The log:

itime=2017-08-24 15:07:05 sentbyte=0 rcvdbyte=0 agent=Chrome/60.0.3112.101 date=2017-08-24 dstip=13.107.21.200 vd=VD1 group=IT service=HTTP proto=6 eventtype=content hostname=www.bing.com dstintf=port12 msg=Search phrase detected devid=FG000000 dstport=80 type=utm dtime=2017-08-24 15:07:04 profile=PROD_WEB direction=outgoing referralurl=http://www.bing.com/ devname=FG sessionid=885360102 itime_t=1503601625 user=ME srcintf=port32 reqtype=referral srcip=10.0.21.101 keyword=who fixed the event handler level=notice url=/search?q=who+fixed+the+event+handler&qs=n&form=QBLH&sp=-1&pq=who+fixed+the+event+handler&sc=0-25&sk=&cvid=90841C2E9796453D8C64907C4D3770C0 srcport=54561 logid=0314012293 subtype=webfilter time=15:07:04 action=passthrough policyid=4

     

sgao_FTNT
Staff

Alex,

The issue is caused by the field "catdesc", which is defined in the handler's <Group By>, not being present in the log. Change Group By to URL, then it works.

Shawn

AlexRG

Yep. That was it. Thanks again!
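Both failures in this thread (a handler whose Type/category does not match the log, and a Group By field the log simply does not carry) can be reproduced offline before touching the appliance. The Python below is an added example written for this page, not FortiAnalyzer or Fortinet code: it parses trimmed copies of the two posted log lines, evaluates a text filter with `=` as exact match and `~` as case-insensitive substring (assumed semantics), and checks the Type, Level and Group By stages before the filter, reporting which stage dropped the log. `Handler`, `handler_fires`, `parse_log`, the mapping of the handler Type onto the FortiGate `type` field, and the constructed log strings are all assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed log lines, trimmed from the two messages posted in the thread.
# Values such as itime, msg and keyword contain spaces, so splitting on ' '
# would break them; the parser instead reads up to the next "key=" token.
TRAFFIC_LOG = (
    "itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 app=UDP_RDP dstip=serverIP_B "
    "service=UDP_RDP proto=17 type=traffic srcintf=port30 srcip=10.0.21.101 "
    "level=notice subtype=forward action=start dstintf=VLAN_6"
)
WEBFILTER_LOG = (
    "itime=2017-08-24 15:07:05 hostname=www.bing.com msg=Search phrase detected "
    "type=utm keyword=who fixed the event handler level=notice "
    "url=/search?q=who+fixed+the+event+handler&qs=n subtype=webfilter action=passthrough"
)

# A value runs until the next whitespace-separated "key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
# One filter term: field, operator ('=' exact, '~' contains), optionally quoted value.
TERM_RE = re.compile(r"^(\w+)\s*(=|~)\s*'?(.*?)'?$")


def parse_log(line: str) -> dict:
    """Split a FortiGate-style key=value log line into a dict, keeping spaces in values."""
    return dict(FIELD_RE.findall(line))


def match_term(log: dict, term: str) -> bool:
    """Evaluate one 'field=value' or 'field~value' term against a parsed log."""
    m = TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"unparseable filter term: {term!r}")
    key, op, want = m.groups()
    have = log.get(key)
    if have is None:
        return False  # a field the log does not carry can never satisfy the term
    if op == "=":
        return have == want
    return want.lower() in have.lower()  # '~' as case-insensitive substring (assumption)


def match_filter(log: dict, expr: str) -> bool:
    """Evaluate 'a and b or c' with 'and' binding tighter than 'or' (assumed grammar)."""
    return any(
        all(match_term(log, term) for term in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", expr)
    )


@dataclass
class Handler:
    """Subset of event-handler settings this example models (names are ours)."""
    log_type: str    # FortiGate 'type' value the handler's Type selection maps to (assumption)
    level: str       # Level [Equal To] filter
    group_by: str    # field the handler groups matching logs on
    text_filter: str


def handler_fires(handler: Handler, line: str) -> tuple:
    """Return (fires, reason) so the caller can see which stage dropped the log."""
    log = parse_log(line)
    if log.get("type") != handler.log_type:
        return False, "log type mismatch"
    if log.get("level", "").lower() != handler.level.lower():
        return False, "level mismatch"
    if handler.group_by not in log:
        return False, f"group-by field {handler.group_by!r} not in log"
    if not match_filter(log, handler.text_filter):
        return False, "text filter did not match"
    return True, "match"


# The RDP handler from the first post, and the web filter handler before/after Shawn's fix.
RDP_HANDLER = Handler("traffic", "Notice", "srcip",
                      "srcintf=port30 and service~RDP and action=start")
WEB_HANDLER_BAD = Handler("utm", "Notice", "catdesc",
                          "keyword~'some text' or keyword~'event handler'")
WEB_HANDLER_FIXED = Handler("utm", "Notice", "url",
                            "keyword~'some text' or keyword~'event handler'")

if __name__ == "__main__":
    print(handler_fires(RDP_HANDLER, TRAFFIC_LOG))          # (True, 'match')
    print(handler_fires(WEB_HANDLER_BAD, WEBFILTER_LOG))    # (False, "group-by field 'catdesc' not in log")
    print(handler_fires(WEB_HANDLER_FIXED, WEBFILTER_LOG))  # (True, 'match')
```

The ordering of the checks mirrors the troubleshooting in the thread: a handler only reaches its text filter once the log type, level and group-by field line up, so a filter that "looks right" can still produce zero hits for reasons that have nothing to do with the filter expression. Running the posted log through each stage shows which one is dropping it.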
