CLI Reference

alert-event

Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for messages with certain severity levels, or for specific text within the log messages. When a matching message appears in the logs, the FortiAnalyzer unit sends an email, SNMP trap, or syslog message about the log message encountered to the predefined recipient(s). Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit connects to the mail server by its SMTP server name and must resolve that name through your DNS server.

alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.

Syntax

config system alert-event
    edit <name_string>
        config alert-destination
            edit destination_id <integer>
                set type {mail | snmp | syslog}
                set from <email_address>
                set to <email_address>
                set smtp-name <server_name>
                set snmp-name <server_name>
                set syslog-name <server_name>
        end
        set enable-generic-text {enable | disable}
        set enable-severity-filter {enable | disable}
        set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}
        set generic-text <string>
        set num-events {1 | 5 | 10 | 50 | 100}
        set severity-filter {high | low | medium | medium-high | medium-low}
        set severity-level-comp {>= | = | <=}
        set severity-level-logs {no-check | information | notify | warning | error | critical | alert | emergency}
end

Variables

<name_string>
    Enter a name for the alert event. Character limit: 63.

destination_id <integer>
    Enter the table sequence number, beginning at 1.

type {mail | snmp | syslog}
    Select the delivery method for the alert event message. Default: mail

from <email_address>
    Enter the email address of the sender of the message. Available when type is set to mail.

to <email_address>
    Enter the email address of the recipient of the alert message. Available when type is set to mail.

smtp-name <server_name>
    Enter the name of the mail server. Available when type is set to mail.

snmp-name <server_name>
    Enter the SNMP server name. Available when type is set to snmp.

syslog-name <server_name>
    Enter the syslog server name or IPv4 address. Available when type is set to syslog.

enable-generic-text {enable | disable}
    Enable matching on the text configured in generic-text. Default: disable

enable-severity-filter {enable | disable}
    Enable the severity filter. Default: disable

event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}
    The time window, in hours, within which the threshold set by num-events must be reached for the event to be reported. The following options are available:

      • 0.5: 30 minutes.
      • 1: 1 hour.
      • 3: 3 hours.
      • 6: 6 hours.
      • 12: 12 hours.
      • 24: 1 day.
      • 72: 3 days.
      • 168: 1 week.

generic-text <string>
    Enter the text the alert looks for in the log messages. Character limit: 255.

num-events {1 | 5 | 10 | 50 | 100}
    Set the number of matching events that must occur within event-time-period before the alert is reported.

severity-filter {high | low | medium | medium-high | medium-low}
    Set the severity indicator carried in the alert message that the FortiAnalyzer unit sends to the recipient. This is the severity of the alert itself, not the level of the log messages being matched (see severity-level-logs).

severity-level-comp {>= | = | <=}
    Set how the log level of each message is compared with severity-level-logs. Log messages are monitored based on their log level; for example, with >= and severity-level-logs set to warning, messages at or above the warning log level are monitored.

severity-level-logs {no-check | information | notify | warning | error | critical | alert | emergency}
    Set the log level the FortiAnalyzer unit looks for when monitoring for alert messages. The following options are available:

      • no-check: Do not check the severity level for this log type.
      • emergency: The unit is unusable.
      • alert: Immediate action is required.
      • critical: Functionality is affected.
      • error: Functionality is probably affected.
      • warning: Functionality might be affected.
      • notify: Information about normal events.
      • information: General information about unit operations.

Example

In the following example, the alert is set to send an email to the administrator when 5 warning log messages (exactly the warning level, since the comparison is =) appear within a span of three hours.

config system alert-event
    edit warning
        config alert-destination
            edit 1
                set type mail
                set from fmgr@example.com
                set to admin@example.com
                set smtp-name mail.example.com
        end
        set enable-severity-filter enable
        set event-time-period 3
        set num-events 5
        set severity-level-logs warning
        set severity-level-comp =
        set severity-filter medium
end
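To make the thresholding described above concrete, here is an added Python model (not Fortinet code, and not the unit's implementation) of how one alert-event entry evaluates a log stream: a line matches through the severity comparison or through generic-text, and a notification fires once num-events matches fall inside the event-time-period window. Assumptions not stated on the page: the two conditions are ORed when both are enabled, >= means "at least as severe as", the window is sliding, and the match counter resets after each notification.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# severity-level-logs values, most severe first; "no-check" disables the filter
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notify", "information"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # smaller rank = more severe


@dataclass
class AlertEvent:  # one 'config system alert-event' entry, assumed semantics
    enable_severity_filter: bool = False
    severity_level_logs: str = "no-check"
    severity_level_comp: str = ">="
    enable_generic_text: bool = False
    generic_text: str = ""
    num_events: int = 1
    event_time_period: float = 1.0  # hours
    hits: deque = field(default_factory=deque)  # timestamps of recent matches

    def matches(self, level: str, message: str) -> bool:
        """One log line satisfies the severity test or the generic-text test (assumed OR)."""
        hit = False
        if self.enable_severity_filter and self.severity_level_logs != "no-check":
            want, have = RANK[self.severity_level_logs], RANK[level]
            # ">=" read as "at least as severe", i.e. a rank no larger than the configured one
            hit = {">=": have <= want, "=": have == want, "<=": have >= want}[self.severity_level_comp]
        if self.enable_generic_text and self.generic_text in message:
            hit = True
        return hit

    def feed(self, ts: datetime, level: str, message: str) -> bool:
        """Return True when this line brings num-events matches inside event-time-period."""
        if not self.matches(level, message):
            return False
        self.hits.append(ts)
        while ts - self.hits[0] > timedelta(hours=self.event_time_period):
            self.hits.popleft()  # drop matches that fell out of the sliding window
        if len(self.hits) >= self.num_events:
            self.hits.clear()  # assumption: one notification per threshold crossing
            return True
        return False


def run_page_example() -> list[bool]:
    # the page's example: 5 warning-level messages within 3 hours, replayed over constructed lines
    alert = AlertEvent(enable_severity_filter=True, severity_level_logs="warning",
                       severity_level_comp="=", num_events=5, event_time_period=3)
    t0 = datetime(2024, 1, 1, 8, 0)
    lines = [(t0 + timedelta(minutes=m), "warning", f"disk usage at {80 + m}%") for m in (0, 2, 4, 6)]
    lines.append((t0 + timedelta(minutes=7), "error", "raid array degraded"))  # not counted: comp is "="
    lines.append((t0 + timedelta(minutes=8), "warning", "disk usage at 90%"))
    return [alert.feed(*line) for line in lines]
```

Only the sixth line (the fifth warning) returns True; the error line in between is ignored because the comparison is = rather than >=.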
