yeowkm99
Contributor

timestamp of configuration changes alert

We have enabled the configuration change alert on our FortiGate under Security Fabric->Automation->Configuration Change.

E.g. the timestamp and email was sent out on 14 Sept 8.18am when no users logged in to the firewall to make changes.

1 Solution
pminarik
Staff

Hi yeowkm99,

The config change condition is triggered when the System event log ID 32102 (LOG_ID_CHG_CONFIG) is logged. One peculiarity about this event is that it is logged only when the admin user finally logs out (i.e. it is not recorded live as changes happen). So the most likely explanation would be that someone made some changes, forgot to log out, and when their session expired and they were automatically logged out, the config change event got finally recorded.

[ corrections always welcome ]
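
Because event 32102 is written at logout rather than when the change happens, the alert time marks the end of the admin session, and the changes fall somewhere between that admin's login and the alert. The following is an added example, not part of the original thread or Fortinet's own code, that pairs each 32102 event with the preceding login to recover that window; the login log ID, the key=value field layout and the sample lines are assumptions or constructed, and `parse` and `change_windows` are hypothetical helper names.

```python
import re
from datetime import datetime

CHG_CONFIG = "0100032102"   # LOG_ID_CHG_CONFIG (ID 32102 from the answer above)
ADMIN_LOGIN = "0100032001"  # assumption: admin login success ID, verify for your FortiOS version

# Constructed, simplified sample lines (not from a real device), oldest first.
SAMPLE = '''\
date=2023-09-14 time=07:41:10 logid="0100032001" user="alice" ui="https(10.0.0.5)" msg="Administrator alice logged in successfully from https(10.0.0.5)"
date=2023-09-14 time=07:50:31 logid="0100032001" user="bob" ui="ssh(10.0.0.9)" msg="Administrator bob logged in successfully from ssh(10.0.0.9)"
date=2023-09-14 time=08:18:00 logid="0100032102" user="alice" ui="GUI(10.0.0.5)" msg="Configuration is changed in the admin session"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, adding 'ts' and 'src'."""
    rec = {k: q if q else b for k, q, b in FIELD.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    # The ui prefix may differ between events (https vs GUI in this sample),
    # so sessions are matched on the address inside the parentheses.
    m = re.search(r"\(([^)]*)\)", rec.get("ui", ""))
    rec["src"] = m.group(1) if m else ""
    return rec

def change_windows(log_text):
    """For each 32102 event return (user, src, window_start, logged_at).

    window_start is the latest earlier login by the same user from the same
    address, or None when that login is outside the supplied log range.
    Input lines are assumed to be in chronological order.
    """
    last_login, out = {}, []
    for rec in map(parse, filter(None, log_text.splitlines())):
        key = (rec.get("user"), rec["src"])
        if rec.get("logid") == ADMIN_LOGIN:
            last_login[key] = rec["ts"]
        elif rec.get("logid") == CHG_CONFIG:
            out.append((key[0], key[1], last_login.pop(key, None), rec["ts"]))
    return out

if __name__ == "__main__":
    for user, src, start, end in change_windows(SAMPLE):
        print(f"{user}@{src}: changes fall between {start} and {end} (logged at session end)")
```

A `None` window start means the matching login is older than the logs supplied, so widen the export before concluding that nobody was logged in.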
