Fortinet Document Library
Administration Guide

List of predefined event handlers

FortiAnalyzer includes predefined event handlers for FortiGate and FortiCarrier devices that you can use to generate events.

Event Handler

Description

Application Crashed Event

Enabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Log Description
  • Log messages that match all conditions:
    • Log Description Equal To Application crashed
    • Level Greater Than or Equal To Warning

Conserve Mode

Disabled by default

  • Severity: Critical
  • Log Type: Event
  • Log Subtype: System
  • Group by: Message
  • Log messages that match all conditions:
    • Log Description Equal To System services entered conserve mode

Default-Botnet-Communication-Detection (Filters 1 – 5)

Disabled by default

Filter 1:

  • Severity: High
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0202009248

Filter 2:

  • Severity: Critical
  • Log Type: AntiVirus
  • Group by: Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0202009249

Filter 3:

  • Severity: High
  • Log Type: DNS Log
  • Group by: Endpoint, Message
  • Log messages that match all of the following conditions:
    • logid==1501054601 OR logid==1501054600

Filter 4:

  • Severity: Critical
  • Log Type: IPS
  • Group by: Endpoint, Attack Name
  • Log messages that match all of the following conditions:
    • attack ~ Botnet and (action=='detected' or action=='pass session')

Filter 5:

  • Severity: High
  • Log Type: IPS
  • Group by: Endpoint, Attack Name
  • Log messages that match all of the following conditions:
    • attack ~ Botnet and action!='detected' and action!='pass session'

Default-Botnet-Communication-Detection (Filters 6 – 7)

Filter 6:

  • Severity: High
  • Log Type: Application Control
  • Group by: Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Application Category Equal to Botnet
    • action!='pass' AND action!='monitor'

Filter 7:

  • Severity: Medium
  • Log Type: Application Control
  • Group by: Endpoint, Application Name
  • Log messages that match all of the following conditions:
    • Application Category Equal to Botnet
    • (action=='pass' OR action=='monitor')

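The botnet filters above key their severity on the `action` field: IPS traffic that was only detected or passed (Filter 4) outranks traffic that was blocked (Filter 5), while for application control a pass/monitor action (Filter 7) ranks below a block (Filter 6). The following added example, not part of the Fortinet guide, evaluates Filters 4 to 7 over constructed FortiGate-style key="value" log lines; the field names `subtype`, `attack`, `appcat`, `app`, `srcip` and `action`, and the reading of `~` as a substring match, are assumptions.

```python
import re

# Constructed sample lines in FortiGate key="value" style (not real device output).
SAMPLE_LOGS = [
    'type="utm" subtype="ips" attack="Generic.Botnet.Beacon" action="detected" srcip="10.0.0.5"',
    'type="utm" subtype="ips" attack="Generic.Botnet.Beacon" action="dropped" srcip="10.0.0.6"',
    'type="utm" subtype="app-ctrl" app="Zeus.Botnet" appcat="Botnet" action="block" srcip="10.0.0.7"',
    'type="utm" subtype="app-ctrl" app="Zeus.Botnet" appcat="Botnet" action="pass" srcip="10.0.0.8"',
    'type="utm" subtype="ips" attack="SQL.Injection" action="detected" srcip="10.0.0.9"',
]


def parse_log(line):
    """Parse a key="value" log line into a dict (quoted values only)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def botnet_filter(rec):
    """Return (filter number, severity) per Filters 4-7, or None when no filter matches."""
    action = rec.get("action", "")
    # Filters 4 and 5: IPS log whose attack name contains "Botnet" (assumed meaning of 'attack ~ Botnet').
    if rec.get("subtype") == "ips" and "Botnet" in rec.get("attack", ""):
        if action in ("detected", "pass session"):
            return (4, "Critical")      # seen but not stopped: the traffic reached the host
        return (5, "High")              # blocked, dropped, reset: still worth an event
    # Filters 6 and 7: application control log in the Botnet category.
    if rec.get("subtype") == "app-ctrl" and rec.get("appcat") == "Botnet":
        if action in ("pass", "monitor"):
            return (7, "Medium")
        return (6, "High")
    return None


def triage(lines):
    """Group matching events by (endpoint, name, severity), mirroring the handler's 'Group by'."""
    groups = {}
    for line in lines:
        rec = parse_log(line)
        hit = botnet_filter(rec)
        if hit is None:
            continue
        name = rec.get("attack") or rec.get("app")
        key = (rec.get("srcip"), name, hit[1])
        groups[key] = groups.get(key, 0) + 1
    return groups


if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOGS).items():
        print(key, count)
```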
FOS Event Log Higher Than Warning

Enabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: Any
  • Group by: Log Description
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Warning

HA Failover

Disabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: HA
  • Group by: Log Description
  • Log messages that match any of the following conditions:
    • Log Description Equal To Virtual cluster move member
    • Log Description Equal To Virtual cluster member state moved

Interface Down

Disabled by default

  • Severity: High
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Message
  • Log messages that match all conditions:
    • Action Equal To interface-stat-change
    • Status Equal To DOWN

Interface Up

Disabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Message
  • Log messages that match all conditions:
    • Action Equal To interface-stat-change
    • Status Equal To UP

IPS - Critical Severity

Enabled by default

  • Severity: Critical
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Critical

IPS - High Severity

Enabled by default

  • Severity: High
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To High

IPS - Low Severity

Disabled by default

  • Severity: Low
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Low

IPS - Medium Severity

Disabled by default

  • Severity: Medium
  • Log Type: IPS
  • Group by: Attack Name
  • Log messages that match all conditions:
    • Severity Equal To Medium

IPsec Phase2 Down

Disabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: VPN
  • Group By: VPN Tunnel
  • Log messages that match all conditions:
    • Action Equal To phase2-down

IPsec Phase2 Up

Disabled by default

  • Severity: Medium
  • Log Type: Event Log
  • Log Subtype: VPN
  • Group By: VPN Tunnel
  • Log messages that match all conditions:
    • Action Equal To phase2-up

Local Device Event

Found only in the Root ADOM.

Enabled by default

  • Devices: Local Device
  • Severity: Medium
  • Log Type: Event Log
  • Event Type: Any
  • Group By: Log Description
  • Log messages that match any of the following conditions:
    • Level Greater Than or Equal To Warning

Malware Traffic Allowed By AntiVirus

Disabled by default

  • Severity: High
  • Log Type: AntiVirus
  • Group By: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal to Information
    • logid==0211008193 or logid==0211008195

Malware Traffic Allowed by FortiSandbox

Disabled by default

  • Severity: High
  • Log Type: AntiVirus
  • Group By: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal to Information
    • logid==0211009235 or logid==0211009237

Malware Traffic Blocked by AntiVirus

Disabled by default

  • Severity: Medium
  • Log Type: AntiVirus
  • Group By: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal to Information
    • logid==0211008192 or logid==0211008194

Malware Traffic Blocked by FortiSandbox Signature Update

Disabled by default

  • Severity: Medium
  • Log Type: AntiVirus
  • Group By: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal to Information
    • logid==0211009234 or logid==0211009236

Power Supply Failure

Disabled by default

  • Severity: Critical
  • Log Type: Event Log
  • Log Subtype: System
  • Group by: Message
  • Log messages that match all conditions:
    • Action Equal To power-supply-monitor
    • Status Equal To failure

UTM Antivirus Event

Enabled by default

  • Severity: High
  • Log Type: Antivirus Log
  • Group by: Virus Name
  • Log messages that match all conditions:
    • Level Greater Than or Equal To Information
    • virus!='' and virus!='N/A' and dtype!='fortisandbox'

UTM App Ctrl Event

Enabled by default

  • Severity: Critical
  • Log Type: Application Control
  • Group by: Application Name
  • Log messages that match any of the following conditions:
    • Application Category Equal To Botnet
    • Application Category Equal To Proxy

UTM DLP Event

Disabled by default

  • Severity: Medium
  • Log Type: DLP
  • Group by: Profile
  • Log messages that match all conditions:
    • Action Equal To Block

UTM Web Filter Event

Enabled by default

  • Severity: Medium
  • Log Type: Web Filter
  • Group by: Category
  • Log messages that match any of the following conditions:
    • Web Category Equal To Child Abuse
    • Web Category Equal To Discrimination
    • Web Category Equal To Drug Abuse
    • Web Category Equal To Explicit Violence
    • Web Category Equal To Extremist Groups
    • Web Category Equal To Hacking
    • Web Category Equal To Illegal or Unethical
    • Web Category Equal To Plagiarism
    • Web Category Equal To Proxy Avoidance
    • Web Category Equal To Malicious Websites
    • Web Category Equal To Phishing
    • Web Category Equal To Spam URLs