Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

alert-event

Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.

alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.

Syntax

config system alert-event

edit <name_string>

set enable-generic-text {enable | disable}

set enable-severity-filter {enable | disable}

set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

set generic-text <string>

set num-events {1 | 5 | 10 | 50 | 100}

set severity-filter {high | low | medium | medium-high | medium-low}

set severity-level-comp {>= | = | <=}

set severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

config alert-destination

edit destination_id <integer>

set type {mail | snmp | syslog}

set from <email_address>

set to <email_address>

set smtp-name <server_name>

set snmp-name <server_name>

set syslog-name <server_name>

end

end

Variable

Description

<name_string>

Enter a name for the alert event (character limit = 63).

enable-generic-text {enable | disable}

Enable generic text match (default = disable).

enable-severity-filter {enable | disable}

Enable/disable alert severity filter (default = disable).

event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

The period of time in hours during which if the threshold number is exceeded, the event will be reported:

  • 0.5: 30 minutes (default)
  • 1: 1 hour
  • 3: 3 hours
  • 6: 6 hours
  • 12: 12 hours
  • 24: 1 day
  • 72: 3 days
  • 168: 1 week

generic-text <string>

Text that must be contained in a log to trigger alert (character limit = 255).

num-events {1 | 5 | 10 | 50 | 100}

Set the minimum number of events that must occur in the given interval before it is reported (default = 1).

severity-filter {high | low | medium | medium-high | medium-low}

Set the required log severity to trigger an alert (default = high).

severity-level-comp {>= | = | <=}

Set the log severity threshold comparison criterion (default = =). Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than or equal to (>=) the Warning log level.

severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

Set the log severity threshold level. That is, the log level the FortiManager looks for when monitoring for alert messages.

  • no-check: Do not check severity level for this log type (default).
  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations.

Variables for config alert-destination subcommand:

destination_id <integer>

Enter the table sequence number, beginning at 1.

type {mail | snmp | syslog}

Select the alert event message method of delivery:

  • mail: Send email alert (default).
  • snmp: Send SNMP trap.
  • syslog: Send syslog message.

from <email_address>

Enter the sender email address to use in alert emails. This is available when type is set to mail.

to <email_address>

Enter the recipient email address to use in alert emails. This is available when type is set to mail.

smtp-name <server_name>

Enter the name of the mail server. This is available when type is set to mail.

snmp-name <server_name>

Enter the snmp server name. This is available when type is set to snmp.

syslog-name <server_name>

Enter the syslog server name or IPv4 address. This is available when type is set to syslog.

Example

In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours.

config system alert-event

edit warning

config alert-destination

edit 1

set type mail

set from fmgr@exmample.com

set to admin@example.com

set smtp-name mail.example.com

end

set enable-severity-filter enable

set event-time-period 3

set severity-level-log warning

set severity-level-comp =

set severity-filter medium

end

alert-event

Use alert-event commands to configure the FortiAnalyzer unit to monitor logs for log messages with certain severity levels, or information within the logs. If the message appears in the logs, the FortiAnalyzer unit sends an email or SNMP trap to a predefined recipient(s) of the log message encountered. Alert event messages provide immediate notification of issues occurring on the FortiAnalyzer unit.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server.

alert-event was removed from the GUI in FortiAnalyzer version 5.0.3. This command has been kept in the CLI for customers who previously configured this function.

Syntax

config system alert-event

edit <name_string>

set enable-generic-text {enable | disable}

set enable-severity-filter {enable | disable}

set event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

set generic-text <string>

set num-events {1 | 5 | 10 | 50 | 100}

set severity-filter {high | low | medium | medium-high | medium-low}

set severity-level-comp {>= | = | <=}

set severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

config alert-destination

edit destination_id <integer>

set type {mail | snmp | syslog}

set from <email_address>

set to <email_address>

set smtp-name <server_name>

set snmp-name <server_name>

set syslog-name <server_name>

end

end

Variable

Description

<name_string>

Enter a name for the alert event (character limit = 63).

enable-generic-text {enable | disable}

Enable generic text match (default = disable).

enable-severity-filter {enable | disable}

Enable/disable alert severity filter (default = disable).

event-time-period {0.5 | 1 | 3 | 6 | 12 | 24 | 72 | 168}

The period of time in hours during which if the threshold number is exceeded, the event will be reported:

  • 0.5: 30 minutes (default)
  • 1: 1 hour
  • 3: 3 hours
  • 6: 6 hours
  • 12: 12 hours
  • 24: 1 day
  • 72: 3 days
  • 168: 1 week

generic-text <string>

Text that must be contained in a log to trigger alert (character limit = 255).

num-events {1 | 5 | 10 | 50 | 100}

Set the minimum number of events that must occur in the given interval before it is reported (default = 1).

severity-filter {high | low | medium | medium-high | medium-low}

Set the required log severity to trigger an alert (default = high).

severity-level-comp {>= | = | <=}

Set the log severity threshold comparison criterion (default = =). Log messages are monitored based on the log level. For example, alerts may be monitored if the messages are greater than or equal to (>=) the Warning log level.

severity-level-logs {no-check | information | notify | warning |error | critical | alert | emergency}

Set the log severity threshold level. That is, the log level the FortiManager looks for when monitoring for alert messages.

  • no-check: Do not check severity level for this log type (default).
  • emergency: The unit is unusable.
  • alert: Immediate action is required.
  • critical: Functionality is affected.
  • error: Functionality is probably affected.
  • warning: Functionality might be affected.
  • notification: Information about normal events.
  • information: General information about unit operations.

Variables for config alert-destination subcommand:

destination_id <integer>

Enter the table sequence number, beginning at 1.

type {mail | snmp | syslog}

Select the alert event message method of delivery:

  • mail: Send email alert (default).
  • snmp: Send SNMP trap.
  • syslog: Send syslog message.

from <email_address>

Enter the sender email address to use in alert emails. This is available when type is set to mail.

to <email_address>

Enter the recipient email address to use in alert emails. This is available when type is set to mail.

smtp-name <server_name>

Enter the name of the mail server. This is available when type is set to mail.

snmp-name <server_name>

Enter the snmp server name. This is available when type is set to snmp.

syslog-name <server_name>

Enter the syslog server name or IPv4 address. This is available when type is set to syslog.

Example

In the following example, the alert message is set to send an email to the administrator when 5 warning log messages appear over the span of three hours.

config system alert-event

edit warning

config alert-destination

edit 1

set type mail

set from fmgr@exmample.com

set to admin@example.com

set smtp-name mail.example.com

end

set enable-severity-filter enable

set event-time-period 3

set severity-level-log warning

set severity-level-comp =

set severity-filter medium

end