Fortinet Document Library

Administration Guide

Create New Handler pane

Following is a description of the options available in the Create New Handler pane:

Status
    Enable or disable the event handler.

Name
    Enter a name for the handler.

Description
    Enter a description of the event handler.

Devices
    Select the devices to include.

      • All Devices.
      • Specify: To add devices, click the Add icon.
      • Local Device: Select if the event handler is for local FortiAnalyzer event logs. This option is only available in the root ADOM and is used to query FortiAnalyzer event logs.

        For Local Device, the Log Type must be Event Log and the Log Subtype must be Any.

Filters
    Configure one or more filters for the handler. You can add multiple filters, each with its own set of filter settings.

    Log Type
        Select the log type from the dropdown list.

        When Devices is set to Local Device, you cannot change the Log Type or Log Subtype.

    Log Subtype
        Select the category of event that this handler monitors. The available options depend on the platform type.

        This option is only available when Log Type is set to Event Log or Traffic Log.

    Group By
        Select how to group the events. Some Group By selections allow a secondary Group By option; if available, click Add beside the Group By field to add it.

    Logs match
        Select whether a log must match All or Any of the following conditions.

    Log Field
        Select the log field to filter on from the dropdown list. The available options depend on the selected log type.

    Match Criteria
        Select the match criteria from the dropdown list. The available options depend on the selected log field.

    Value
        Either select a value from the dropdown list or enter a value in the text box. The available options depend on the selected log field.

    Add
        Add another Log Field condition to the filter.

    Remove
        Delete the filter.

    Generic Text Filter
        Enter a generic text filter. For more information on creating a generic text filter, see Creating custom event handlers using the Generic Text Filter. For information on the text format, hover the cursor over the help icon. The operator ~ means contains and !~ means does not contain.

    Generate alert when at least n matches occurred over a period of n minutes
        Enter the threshold values that generate an alert: the number of matching events that must occur within the given number of minutes.

    Event Message
        Optionally enter a custom event message. The default message is the Group By value.

    Event Status
        Select Allow FortiAnalyzer to choose, or select a status from the dropdown list: Unhandled, Mitigated, Contained, or (Blank).

    Event Severity
        Select the severity from the dropdown list: Critical, High, Medium, or Low.

    Tags
        Optionally enter custom tags.

Notifications
    Configure alerts for the handler.

    Send Alert Email
        Send an alert by email. Specify the email parameters, including the mail server. For more information, see Mail Server.

    Send SNMP(...) Trap
        Select one or both checkboxes and specify an SNMP community or user from the dropdown list. Click the add icon to create a new SNMP community or user. For more information, see SNMP.

    Send Alert to Syslog Server
        Send an alert to the syslog server. Select a syslog server from the dropdown list. Click the add icon to create a new syslog server. For more information, see Syslog Server.

    Send Each Alert Separately
        Select to send each alert individually instead of in a group.
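To make the filter, Group By and threshold fields above concrete, the following is an added Python model of how such a handler evaluates logs. It is not Fortinet code and does not reproduce FortiAnalyzer's actual filter syntax: the match-criteria tokens (equal, not_equal, ~, !~), the simplified Generic Text Filter grammar (terms joined by " and "), the rule that a log matches the handler when it matches any one filter, the reset of a group's window after an event fires, and the sample log records are all assumptions made for this example.

```python
"""Simplified model of an event handler: filters -> Group By -> threshold -> event.
Added example, not FortiAnalyzer code; see the lead-in for the assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event logs (made up for this example, not real device output).
SAMPLE_LOGS = [
    {"date": "2024-05-01 09:00:05", "user": "alice", "srcip": "10.0.0.5", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:00:40", "user": "alice", "srcip": "10.0.0.5", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:01:10", "user": "alice", "srcip": "10.0.0.5", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:02:00", "user": "bob", "srcip": "10.0.0.9", "action": "login", "status": "success"},
    {"date": "2024-05-01 09:03:30", "user": "bob", "srcip": "192.168.1.7", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:30:00", "user": "bob", "srcip": "192.168.1.7", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:31:00", "user": "bob", "srcip": "192.168.1.7", "action": "login", "status": "failed"},
    {"date": "2024-05-01 09:32:00", "user": "bob", "srcip": "192.168.1.7", "action": "login", "status": "failed"},
]

# Assumed Match Criteria tokens; the pane's dropdown labels are not listed on the page.
# ~ and !~ carry the meanings the page gives them (contains / does not contain).
MATCH_OPS = {
    "equal": lambda actual, want: actual == want,
    "not_equal": lambda actual, want: actual != want,
    "~": lambda actual, want: want in actual,
    "!~": lambda actual, want: want not in actual,
}


def condition_matches(log, field, criteria, value):
    """Evaluate one Log Field / Match Criteria / Value row against a log record."""
    return MATCH_OPS[criteria](str(log.get(field, "")), value)


def generic_text_filter_matches(log, expression):
    """Simplified Generic Text Filter: 'field~value' / 'field!~value' terms joined by ' and '.
    Assumed grammar; the product's real text format is shown by its help icon."""
    for term in expression.split(" and "):
        op = "!~" if "!~" in term else "~"          # test !~ first so it is not split as ~
        field, value = term.split(op, 1)
        if not condition_matches(log, field.strip(), op, value.strip()):
            return False
    return True


def log_matches_filter(log, flt):
    """Apply one filter block: Logs match All/Any of the conditions, then the text filter."""
    conditions = flt.get("conditions", [])
    results = [condition_matches(log, f, c, v) for f, c, v in conditions]
    combine = all if flt.get("logs_match", "all") == "all" else any
    if conditions and not combine(results):
        return False
    gtf = flt.get("generic_text_filter")
    return generic_text_filter_matches(log, gtf) if gtf else True


def run_handler(handler, logs):
    """Group matching logs by the Group By field and raise an event once at least
    min_matches of them fall inside a sliding window of window_minutes.
    Assumption: after an event fires, that group's window is cleared so the same
    logs are not alerted on twice."""
    window = timedelta(minutes=handler["window_minutes"])
    pending = defaultdict(list)
    events = []
    for log in sorted(logs, key=lambda rec: rec["date"]):
        if not any(log_matches_filter(log, flt) for flt in handler["filters"]):
            continue
        key = str(log.get(handler["group_by"], ""))
        ts = datetime.strptime(log["date"], "%Y-%m-%d %H:%M:%S")
        bucket = pending[key]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]   # drop matches outside the window
        if len(bucket) >= handler["min_matches"]:
            events.append({
                "message": handler.get("event_message") or key,   # default: the Group By value
                "group": key,
                "count": len(bucket),
                "severity": handler["severity"],
                "status": handler.get("status", "Unhandled"),
            })
            bucket.clear()
    return events


# Hypothetical handler: 3 failed logins by the same user within 5 minutes, ignoring a
# constructed internal range via the generic text filter.
FAILED_LOGIN_HANDLER = {
    "name": "Repeated failed logins",
    "filters": [{
        "logs_match": "all",
        "conditions": [("action", "equal", "login"), ("status", "equal", "failed")],
        "generic_text_filter": "srcip!~192.168.",
    }],
    "group_by": "user",
    "min_matches": 3,
    "window_minutes": 5,
    "severity": "High",
}

if __name__ == "__main__":
    for event in run_handler(FAILED_LOGIN_HANDLER, SAMPLE_LOGS):
        print(event)
```

Running the block prints one High event whose message is "alice" (the Group By value), because bob's failures come from the excluded 192.168. range. Removing the generic text filter from the handler yields a second event for bob: his first failure at 09:03:30 falls outside the 5-minute window of the later three, so the threshold is only met by the 09:30 to 09:32 burst.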
