Fortigate spesific mail notification

Omerrr34 · ‎04-25-2023

Hello,

I want to send an alert by mail when a specific object is created on the fortigate.

For example;

I am creating a new object, I enter 0.0.0.0/0 as ip address, but I cannot see ip/netmask information in the logs. That's why I couldn't create an alert with siem.

Any ideas on this?

gfleming · ‎04-25-2023

You want logs showing exactly what the full configuration was? I don't know if that's possible.

Can you get your SIEM to make an API call to the FortiGate to query the address object?

Cheers,
Graham

gfleming · ‎04-25-2023

I just tested this myself and I see the details in the cfgattr field:

Apr 25 20:51:30 192.168.0.1 date=2023-04-25 time=19:51:30 devname="xxxxxxx" devid="FGXXXXXXXXXX" eventtime=1682481090039373910 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="xxxxxxxx" ui="ssh(192.168.X.X)" action="Add" cfgtid=1742143499 uuid="X" cfgpath="firewall.address" cfgobj="TESTADDR" cfgattr="type[ipmask]subnet[0.0.0.0 0.0.0.0]" msg="Add firewall.address TESTADDR"

Have you looked at the raw log messages to ensure it's not showing up there?

Cheers,
Graham

Fortigate spesific mail notification

Nominate a Forum Post for Knowledge Article Creation