I want to send an alert by mail when a specific object is created on the FortiGate.
I am creating a new object, I enter 0.0.0.0/0 as IP address, but I cannot see IP/netmask information in the logs. That's why I couldn't create an alert with SIEM.
Any ideas on this?
You want logs showing exactly what the full configuration was? I don't know if that's possible.
Can you get your SIEM to make an API call to the FortiGate to query the address object?
I just tested this myself and I see the details in the cfgattr field:
Apr 25 20:51:30 192.168.0.1 date=2023-04-25 time=19:51:30 devname="xxxxxxx" devid="FGXXXXXXXXXX" eventtime=1682481090039373910 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="xxxxxxxx" ui="ssh(192.168.X.X)" action="Add" cfgtid=1742143499 uuid="X" cfgpath="firewall.address" cfgobj="TESTADDR" cfgattr="type[ipmask]subnet[0.0.0.0 0.0.0.0]" msg="Add firewall.address TESTADDR"
Have you looked at the raw log messages to ensure it's not showing up there?
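Added example (not part of the thread and not Fortinet code): a Python sketch of the SIEM-side check the reply above points to, parsing the cfgattr field of firewall.address events and flagging objects whose subnet is 0.0.0.0/0. The sample events are constructed from the log line quoted above, and the "old->new" form on the Edit event is an assumption about how changes are logged.

```python
import ipaddress
import re

# Constructed sample events modelled on the log line quoted in the thread.
# The "old->new" value in the Edit event is an assumption about how edits are logged.
_BASE = ('date=2023-04-25 time=19:51:30 logid="0100044547" type="event" '
         'subtype="system" user="admin1" ui="ssh(192.0.2.10)" cfgpath="firewall.address" ')
SAMPLE_LOGS = [
    _BASE + 'action="Add" cfgobj="TESTADDR" cfgattr="type[ipmask]subnet[0.0.0.0 0.0.0.0]"',
    _BASE + 'action="Add" cfgobj="LAB-NET" cfgattr="type[ipmask]subnet[10.1.2.0 255.255.255.0]"',
    _BASE + 'action="Edit" cfgobj="LAB-NET" cfgattr="subnet[10.1.2.0 255.255.255.0->0.0.0.0 0.0.0.0]"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
ATTR_RE = re.compile(r'([\w-]+)\[([^\]]*)\]')      # name[value] pairs inside cfgattr

def parse_event(line):
    """Turn a FortiGate key=value log line into a dict; a syslog prefix is skipped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def is_any_subnet(value):
    """True if a logged subnet value covers all of IPv4 (prefix length 0)."""
    new_value = value.split("->")[-1].strip()      # on edits, keep only the new value
    cidr = new_value if "/" in new_value else new_value.replace(" ", "/", 1)
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:                             # missing or malformed subnet
        return False
    return net.version == 4 and net.prefixlen == 0

def find_any_address_objects(lines):
    """Return alert records for firewall.address objects set to 0.0.0.0/0."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("cfgpath") != "firewall.address":
            continue
        attrs = dict(ATTR_RE.findall(ev.get("cfgattr", "")))
        if is_any_subnet(attrs.get("subnet", "")):
            alerts.append({k: ev.get(k) for k in ("cfgobj", "action", "user", "ui")})
    return alerts

if __name__ == "__main__":
    for alert in find_any_address_objects(SAMPLE_LOGS):
        print("ALERT any-address object:", alert)
```

The same match can be expressed as a SIEM rule on cfgpath and cfgattr once the raw message is confirmed to carry those fields.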
Copyright 2023 Fortinet, Inc. All Rights Reserved.