Administration Guide

Predefined event handlers

FortiAnalyzer includes many predefined event handlers that you can use to generate events. You can easily create a custom event handler by cloning a predefined event handler and customizing its settings. See Cloning event handlers.

Note

In 6.2.0 and up, predefined event handlers have been consolidated and have multiple filters that can be enabled or disabled individually.

To view predefined event handlers in the FortiAnalyzer GUI, go to FortiSoC > Handlers > Event Handler List. From the More dropdown, select Show Predefined.

The following is a small sample of the FortiAnalyzer predefined event handlers.

Event Handler

Description

Default-Compromised Host-Detection-by IOC-By-Threat

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Traffic Log
  • Group by: dstip
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, IP, C&C

Filter 2:

  • Event Severity: Critical
  • Log Type: Web Filter
  • Group by: Hostname URL
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, URL

Filter 3:

  • Event Severity: Critical
  • Log Type: DNS Log
  • Group by: QNAME
  • Log messages that match all of the following conditions:
    • tdtype~infected
  • Tags: By_Endpoint, C&C, Domain

Default-Data-Leak-Detection-By-Threat

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: DLP
  • Group by: Filter Category, Source Endpoint
  • Tags: Signature, Leak

Filter 2:

  • Event Severity: Low
  • Log Type: DLP
  • Group by: Filter Category
  • Event Status: Mitigated
  • Tags: Signature, Leak

Default-Sandbox-Detections-By-Endpoint

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009235 or logid==0211009237
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 2:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint, Virus Name
  • Log messages that match all of the following conditions:
    • logid==0211009234 or logid==0211009236
  • Tags: By_Endpoint, Sandbox, Signature, Malware

Filter 3:

  • Event Severity: Critical
  • Log Type: AntiVirus
  • Group by: Source Endpoint
  • Log messages that match all of the following conditions:
    • logid==0201009238 and fsaverdict==malicious
  • Tags: By_Endpoint, Sandbox, Malware

Local Device Event

Available only in the Root ADOM.

Enabled by default

  • Devices: Local Device
  • Event Severity: Medium
  • Log Type: Event Log
  • Event Type: Any
  • Group By: Device ID
  • Log messages that match the following conditions:
    • Level Equal To Emergency
  • Tags: System, Local

Default-NOC-Routing-Events

Event handler for FortiGate device type logs to generate events for changes in routing information, including BGP neighbor status, routing information change, OSPF neighbor status, neighbor table changed, and VRRP state changed.

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="Routing information changed"
  • Tags: NOC, Routing
  • Custom message: ${logdesc} on ${devname} with message ${msg}

Filter 2:

  • Event Severity: Medium
  • Log Type: Event > Router
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="BGP neighbor status changed"
  • Tags: NOC, Routing
  • Custom message: ${devname}. BGP neighbor status changed with message ${msg}

Filter 3:

  • Event Severity: Medium
  • Log Type: Event > Router
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed"
  • Tags: NOC, Routing
  • Custom message: ${logdesc} on ${devname} with message ${msg}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > Router
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="neighbor table change"
  • Tags: NOC, Routing
  • Custom message: ${logdesc} on ${devname} with message ${msg}

Filter 5:

  • Event Severity: Medium
  • Log Type: Event > Router
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="VRRP state changed"
  • Tags: NOC, Routing
  • Custom message: ${logdesc} on ${devname} with message ${msg}

Default-NOC-Network-Events

Event handler for FortiGate device type logs to generate network events, including failed SNMP queries, routing information changes, and DHCP lease status changes.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0100029021" AND logdesc="SNMP query failed"
  • Tags: NOC, Network
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Routing information changed"
  • Tags: NOC, Network
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="DHCP client lease granted" OR logdesc=="DHCP lease usage high" OR logdesc=="DHCP lease usage full"
  • Tags: NOC, Network
  • Custom message: DHCP status on Device ${devname} is ${logdesc} with message: ${msg}

Default-NOC-Switch-Events

Event handler for FortiGate device type logs to generate events for Switch-Controller added/deleted or authorized/deauthorized, interface status changes, interface flapping, and LAG/MCLAG status.

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • (subtype="switch-controller") and (logdesc=="Switch-Controller discovered" OR logdesc=="Switch-Controller authorized" OR logdesc=="Switch-Controller deauthorized" OR logdesc=="Switch-Controller deleted" OR logdesc=="Switch-Controller warning")
  • Tags: NOC, Switch, Controller
  • Custom message: ${logdesc}

Filter 2:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc='FortiSwitch system' and msg~"interface vlan"
  • Tags: NOC, Switch, Controller
  • Custom message: Device ${devname} interface vlan change with message: ${msg}

Filter 3:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="FortiSwitch link" AND msg~"switch port"
  • Tags: NOC, Switch, Controller
  • Custom message: ${logdesc} on Device: ${devname} with message: ${msg}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • msg~"flap"
  • Tags: NOC, Switch, Controller
  • Default message

Filter 5:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • msg~"lag" OR msg~"mclag"
  • Tags: NOC, Switch, Controller
  • Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg}

Default-NOC-HA-Events

Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts, including HA device interface failure, cluster primary changed, cluster member state moved, heartbeat device interface down, and HA device synchronization status.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc=="HA device interface failed" and logid=="0108037898"
  • Tags: NOC, HA, Cluster
  • Default message

Filter 2:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Device set as HA primary"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role}

Filter 4:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status}

Default-NOC-Wireless-Events

Event handler for FortiGate device type logs to generate events for wireless and AP updates and alerts, including AP status changes, fake/rogue AP detection, and wireless client status changes.

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, SSID
  • Log messages that match all of the following conditions:
    • logid="0104043567" AND logdesc=="Fake AP detected"
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. SN: ${sndetected}

Filter 2:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, SSID
  • Log messages that match all of the following conditions:
    • logid=="0104043563" AND logdesc=="Rogue AP detected"
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg}

Filter 3:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553")
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. of AP: ${ap}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected")
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc} for ${ssid} with message: ${msg}

Default-NOC-Security-Events

Event handler for FortiGate device type logs to generate events for security events, including failed or disabled admin logins, admin or admin monitor disconnections, expired admin passwords, and UTM profile changes.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail"
  • Tags: NOC, Security, Login, Password
  • Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg}

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin password expired"
  • Tags: NOC, Security, Login, Password
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected"
  • Tags: NOC, Security, Login, Password
  • Custom message: ${logdesc} on device: ${devname} with message: ${msg}

Filter 4:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed"
  • Tags: NOC, Security, Login, Password
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Default-NOC-Fabric-Events

Event handler for FortiAnalyzer and FortiGate log device types to detect Fabric events, including device offline, CSF member connection down or terminated, CSF member configuration changes, automation stitch triggered, expiring licenses, and failed updates.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Application
  • Group by: Logging Device Name, Message
  • Log messages that match all of the following conditions:
    • desc="Device offline"
  • Tags: NOC, Fabric
  • Custom message: ${logdev_id} is offline

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="FortiAnalyzer connection down"
  • Tags: NOC, Fabric
  • Default message

Filter 3:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="Connection with authorized CSF member terminated"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devid} due to: ${reason}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="Automation stitch triggered"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction}

Filter 5:

  • Event Severity: Critical
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc~"license failed" OR logdesc~"license expiring"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devid}

Filter 6:

  • Event Severity: Critical
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc~"update" AND logdesc~"failed"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devname} with message: ${msg}

Filter 7:

  • Event Severity: Medium
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed"
  • Tags: NOC, Fabric
  • Custom message: Device: ${devname} change with message: ${msg}

Default-NOC-System-Events

Event handler for FortiGate device type logs to generate events for system events, including power failure and device shutdown, high resource usage (CPU, memory, storage), log device full warnings and disk log rolled, and devices entering or exiting conserve mode.

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="Device shutdown"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devname} experienced ${logdesc} with message: ${msg}

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="conserve mode"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${logdesc} on Device: ${devname} with message ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 4:

  • Event Severity: High
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • cpu>="80"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devid} performance cpu: ${cpu}

Filter 5:

  • Event Severity: Medium
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • mem>="75"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devid} performance memory: ${memory}

Default-NOC-VPN-Events

Event handler for FortiGate device type logs to generate events for VPN status changes, including IPsec phase 1 errors or failures, IPsec phase 2 up/down and errors, IPsec tunnel up/down, SSL VPN login failures, IPsec ESP errors, and IPsec DPD failures.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, End User
  • Log messages that match all of the following conditions:
    • logid=="0101039426" and action=="ssl-login-fail"
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${reason}

Filter 2:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail")
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${status} with reason: ${reason}

Filter 3:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037131" and logdesc=="IPsec ESP"
  • Tags: NOC, VPN
  • Custom message: ${status} on: ${devname}, ${error_num}

Filter 4:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037136" and logdesc=="IPsec DPD failed"
  • Tags: NOC, VPN
  • Custom message: ${msg} on device: ${devname}

Filter 5:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0101037138" and (action="tunnel-up" or action= "tunnel-down")
  • Tags: NOC, VPN
  • Custom message: ${msg} due to: ${action}

Filter 6:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037125" and logdesc=="IPsec phase 2 error"
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${reason}

Filter 7:

  • Event Severity: Medium
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down")
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${action}

Default-NOC-SD-WAN-Events

Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events, including SLA targets met or not met for jitter, latency, and packet loss, health-check server status (alive or dead), status (up or down), and member status changes.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}.

Filter 2:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}.

Filter 3:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}.

Filter 4:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND newvalue="die"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Filter 5:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND newvalue="alive"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Filter 6:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND status=="up"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} ${msg} status is ${status}.

Filter 7:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND status=="down"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} ${msg} status is ${status}.

Filter 8:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022923" AND msg="Number of pass member changed."
  • Tags: NOC, SD-WAN
  • Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname}

Filter 9:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022923" AND msg="Member status changed. Member out-of-sla."
  • Tags: NOC, SD-WAN
  • Custom message: ${msg}. Member is now ${member} on ${devname}.

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler

Example Log

Local Device Event

id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163

Default-Compromised Host-Detection-by IOC-By-Threat

date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011

Default-Risky-App-Detection-By-Threat

date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011

Default-NOC-Routing-Events

date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"
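As an added example (not FortiAnalyzer's code and not its actual filter engine), the following Python evaluates handler filters written the way this page lists them against FortiOS key=value log lines, groups matches by the filter's Group by fields and fills the Custom message template, using Default-NOC-Routing-Events Filter 3 and Filter 5 with constructed sample logs. The meaning given to `=`, `==` and `~`, the AND/OR precedence and the `<field missing>` marker are assumptions, not documented FortiAnalyzer behaviour.

```python
import re
from typing import Callable, Dict, List, Tuple

# Added example, not FortiAnalyzer's own engine, for filters written the way this page lists them.
# Assumed: '=' and '==' mean exact match, '~' case-insensitive substring, AND binds tighter than OR, ( ) group.
Predicate = Callable[[Dict[str, str]], bool]

# FortiOS logs are space-separated key=value pairs; a value may be double-quoted (an unquoted
# value ends at the next space, so an unquoted multi-word msg= is cut short by this parser).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2) for m in _KV_RE.finditer(line)}

_TOK_RE = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<bool>AND|OR|and|or)\b'
                     r'|(?P<field>\w+)\s*(?P<op>==|=|~)\s*(?P<val>"[^"]*"|\'[^\']*\'|[^\s()]+))')

class _FilterParser:
    # Recursive descent: expr := term (OR term)* ; term := atom (AND atom)* ; atom := '(' expr ')' | field op value
    def __init__(self, text: str):
        self.toks, self.i, pos, text = [], 0, 0, text.strip()
        while pos < len(text):
            m = _TOK_RE.match(text, pos)
            if not m:
                raise ValueError(f"bad filter syntax near {text[pos:pos + 20]!r}")
            pos = m.end()
            self.toks.append(m)

    def _at(self, name: str) -> bool:
        return self.i < len(self.toks) and self.toks[self.i].group(name) is not None

    def _chain(self, sub: Callable[[], Predicate], word: str, combine) -> Predicate:
        parts = [sub()]
        while self._at("bool") and self.toks[self.i].group("bool").upper() == word:
            self.i += 1
            parts.append(sub())
        return lambda log: combine(p(log) for p in parts)

    def expr(self) -> Predicate:
        return self._chain(self.term, "OR", any)

    def term(self) -> Predicate:
        return self._chain(self.atom, "AND", all)

    def atom(self) -> Predicate:
        if self._at("lp"):
            self.i += 1
            inner = self.expr()
            if not self._at("rp"):
                raise ValueError("missing ')' in filter")
            self.i += 1
            return inner
        if not self._at("field"):
            raise ValueError("expected a field condition")
        tok, self.i = self.toks[self.i], self.i + 1
        field, op, val = tok.group("field"), tok.group("op"), tok.group("val").strip("\"'")
        if op == "~":
            return lambda log: val.lower() in log.get(field, "").lower()
        return lambda log: log.get(field) == val

def compile_filter(expression: str) -> Predicate:
    parser = _FilterParser(expression)
    pred = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("unexpected trailing tokens in filter")
    return pred

def render_message(template: str, log: Dict[str, str]) -> str:
    # A ${field} the log lacks is marked, not silently dropped, so a thin alert is visible as such.
    return re.sub(r"\$\{(\w+)\}", lambda m: log.get(m.group(1), f"<{m.group(1)} missing>"), template)

def run_handler(filters: List[Tuple[str, str, List[str], str]], lines: List[str]) -> Dict[tuple, List[str]]:
    # filters are (name, condition, group-by fields, message template); matches are collected per (filter, group key)
    compiled = [(name, compile_filter(cond), group_by, msg) for name, cond, group_by, msg in filters]
    events: Dict[tuple, List[str]] = {}
    for log in map(parse_log, lines):
        for name, pred, group_by, msg in compiled:
            if pred(log):
                key = (name, tuple(log.get(g, "") for g in group_by))
                events.setdefault(key, []).append(render_message(msg, log))
    return events

ROUTING_FILTERS = [  # Default-NOC-Routing-Events Filter 3 and Filter 5 as listed on this page
    ("Filter 3", 'logdesc=="OSPF neighbor status changed" OR logdesc=="OSPF6 neighbor status changed"',
     ["devname", "logdesc"], "${logdesc} on ${devname} with message ${msg}"),
    ("Filter 5", 'logdesc=="VRRP state changed"', ["devname", "logdesc"], "${logdesc} on ${devname} with message ${msg}"),
]

def _sample(devname: str, logdesc: str, msg: str) -> str:
    # Builds a constructed FortiOS-style router event line with only the fields the filters and messages use.
    dev = f'devname="{devname}" ' if devname else ""
    return f'date=2021-02-08 type="event" subtype="router" {dev}logdesc="{logdesc}" msg="{msg}"'

SAMPLE_LOGS = [  # constructed; device names are invented
    _sample("FGT-BRANCH-1", "VRRP state changed", "VRRP vrid 200 changes state from Master to Backup"),
    _sample("FGT-BRANCH-1", "VRRP state changed", "VRRP vrid 200 changes state from Backup to Master"),
    _sample("", "VRRP state changed", "VRRP vrid 7 changes state from Master to Backup"),  # devname missing
    _sample("FGT-HQ", "OSPF6 neighbor status changed", "OSPF6 neighbor state changed to Full"),
]
```

Running `run_handler(ROUTING_FILTERS, SAMPLE_LOGS)` yields three event groups: the two FGT-BRANCH-1 VRRP logs share one group, the log without devname forms its own group with the gap marked in its message, and the OSPF6 log is matched by Filter 3 only.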

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the FortiSoC/Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Default FOS System Event filter triggered the event.

Tooltip

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.


Filter 3:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="FortiSwitch link" AND msg~"switch port"
  • Tags: NOC, Switch, Controller
  • Custom message: ${logdesc} on Device: ${devname} with message: ${msg}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • msg~"flap"
  • Tags: NOC, Switch, Controller
  • Default message

Filter 5:

  • Event Severity: Medium
  • Log Type: Event > Any
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • msg~"lag" OR msg~"mclag"
  • Tags: NOC, Switch, Controller
  • Custom message: Device: ${devname} LAG-MCLAG status update with message: ${msg}

Default-NOC-HA-Events

Event handler for FortiGate device type logs to generate events for HA cluster updates and alerts, including HA device interface failure, Cluster Primary Changed, cluster member state moved, heartbeat device interface down and HA device synchronization status.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc=="HA device interface failed" and logid=="0108037898"
  • Tags: NOC, HA, Cluster
  • Default message

Filter 2:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Device set as HA primary"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: ${devname} has been set to HA Primary with msg: ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Virtual cluster member state moved" OR logdesc=="Heartbeat device interface down"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: ${devname} ${logdesc} with HA role: ${ha_role}

Filter 4:

  • Event Severity: High
  • Log Type: Event > HA
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="HA secondary synchronization failed" OR logdesc=="Secondary sync failed" OR logdesc="Synchronization status with master"
  • Tags: NOC, HA, Cluster
  • Custom message: Device: HA synchronization status for Device: ${devname} ${logdesc}. Message: ${msg}. Status is: ${sync_status}

Default-NOC-Wireless-Events

Event handler for FortiGate device type logs to generate events for wireless and AP updates and alerts, including AP status changes, Fake/Rogue AP detection and wireless client status changes.

Disabled by default

Filter 1:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, SSID
  • Log messages that match all of the following conditions:
    • logid="0104043567" AND logdesc=="Fake AP detected"
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. SN: ${sndetected}

Filter 2:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, SSID
  • Log messages that match all of the following conditions:
    • logid=="0104043563" AND logdesc=="Rogue AP detected"
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. SN: ${sndetected} with message: ${msg}

Filter 3:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • subtype="wireless" AND (logid=="0104043551" OR logid=="0104043552" OR logid=="0104043553")
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc}. of AP: ${ap}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > Wireless
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • (logdesc=="Wireless client associated" OR logdesc=="Wireless client authenticated" OR logdesc=="Wireless client disassociated" OR logdesc=="Wireless client deauthenticated" OR logdesc=="Wireless client idle" OR logdesc=="Wireless client denied" OR logdesc=="Wireless client kicked" OR logdesc="Wireless client IP assigned" OR logdesc=="Wireless client left WTP" OR logdesc=="Wireless client WTP disconnected")
  • Tags: NOC, Wireless, Wifi, AP
  • Custom message: ${logdesc} for ${ssid} with message: ${msg}

Default-NOC-Security-Events

Event handler for FortiGate device type logs to generate events for security events including Admin Logins failed or disabled, Admin or Admin Monitor Disconnected, Admin password expired and UTM Profile changes.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin login failed" OR logdesc=="Admin login disabled" OR logdesc=="SSL VPN login fail"
  • Tags: NOC, Security, Login, Password
  • Custom message: ${logdesc} for ${user} on device: ${devname} due to: ${reason} with message: ${msg}

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin password expired"
  • Tags: NOC, Security, Login, Password
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Admin disconnected" OR logdesc=="Admin monitor disconnected"
  • Tags: NOC, Security, Login, Password
  • Custom message: ${logdesc} on device: ${devname} with message: ${msg}

Filter 4:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="AV updated by admin" OR logdesc=="IPS package - Admin update successful" OR logdesc=="AV package update by SCP failed" OR logdesc=="IPS package failed to update via SCP" OR logdesc=="IPS custom signatures backup failed"
  • Tags: NOC, Security, Login, Password
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Default-NOC-Fabric-Events

Event handler for FortiAnalyzer and FortiGate log device types to detect Fabric events, including device offline, CSF member connection status down or terminated, CSF member configuration changes, automation stitch triggered, licenses that are expiring, or failed updates.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Application
  • Group by: Logging Device Name, Message
  • Log messages that match all of the following conditions:
    • desc="Device offline"
  • Tags: NOC, Fabric
  • Custom message: ${logdev_id} is offline

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="FortiAnalyzer connection down"
  • Tags: NOC, Fabric
  • Default message

Filter 3:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc="Connection with authorized CSF member terminated"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devid} due to: ${reason}

Filter 4:

  • Event Severity: Medium
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="Automation stitch triggered"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devname} with message: ${msg} and stitch action: ${stitchaction}

Filter 5:

  • Event Severity: Critical
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc~"license failed" OR logdesc~"license expiring"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devid}

Filter 6:

  • Event Severity: Critical
  • Log Type: Event > System
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logdesc~"update" AND logdesc~"failed"
  • Tags: NOC, Fabric
  • Custom message: ${logdesc} on: ${devname} with message: ${msg}

Filter 7:

  • Event Severity: Medium
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Settings modified by Security Fabric service" OR logdesc=="Looped configuration in Security Fabric service" OR logdesc=="Connection with CSF member established and authorized" OR logdesc=="Connection with authorized CSF member terminated" OR logdesc=="Serial number of upstream is changed"
  • Tags: NOC, Fabric
  • Custom message: Device: ${devname} change with message: ${msg}

Default-NOC-System-Events

Event handler for FortiGate device type logs to generate events for system events including Power failure and device shutdown, High Resource usage (CPU, Mem, Storage), log device full status warnings and disk rolled, and devices entering/exiting conserve mode.

Disabled by default

Filter 1:

  • Event Severity: Critical
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc="Device shutdown"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devname} experienced $logdesc with message: ${msg}

Filter 2:

  • Event Severity: High
  • Log Type: Event > System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="conserve mode"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${logdesc} on Device: ${devname} with message ${msg}

Filter 3:

  • Event Severity: High
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logdesc=="Disk log full over first warning" OR logdesc=="Memory log full over first warning level" OR logdesc=="Memory log full over second warning level" OR logdesc=="Memory log full over final warning level" OR logdesc=="Disk full" OR logdesc=="Disk log rolled" OR logdesc=="Log disk full"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: Device: ${devname} ${logdesc} with message: ${msg}

Filter 4:

  • Event Severity: High
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • cpu>="80"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devid} performance cpu: ${cpu}

Filter 5:

  • Event Severity: Medium
  • Log Type: Event, System
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • mem>="75"
  • Tags: NOC, System, Power, CPU, Memory, Storage
  • Custom message: ${devid} performance memory: ${memory}

Default-NOC-VPN-Events

Event handler for FortiGate device type logs to generate events for VPN status changes, including IPsec phase 1 error or failure, IPsec phase 2 up/down and errors, IPsec tunnel up/down, SSL VPN login failures, IPsec ESP errors and IPsec DPD failures.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, End User
  • Log messages that match all of the following conditions:
    • logid=="0101039426" and action=="ssl-login-fail"
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${reason}

Filter 2:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • (logid=="0101037124" OR logid=="0101037120") and (logdesc=="IPsec phase 1 error" OR status="fail")
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${status} with reason: ${reason}

Filter 3:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037131" and logdesc=="IPsec ESP"
  • Tags: NOC, VPN
  • Custom message: ${status} on: ${devname}, ${error_num}

Filter 4:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037136" and logdesc=="IPsec DPD failed"
  • Tags: NOC, VPN
  • Custom message: ${msg} on device: ${devname}

Filter 5:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0101037138" and (action="tunnel-up" or action="tunnel-down")
  • Tags: NOC, VPN
  • Custom message: ${msg} due to: ${action}

Filter 6:

  • Event Severity: High
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037125" and logdesc=="IPsec phase 2 error"
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${reason}

Filter 7:

  • Event Severity: Medium
  • Log Type: Event, VPN
  • Group by: Device Name, Message
  • Log messages that match all of the following conditions:
    • logid=="0101037139" and (action=="phase2-up" OR action=="phase2-down")
  • Tags: NOC, VPN
  • Custom message: ${logdesc} due to: ${action}

Default-NOC-SD-WAN-Events

Event handler for FortiGate device type logs to generate events for SD-WAN status, alerts, and health check events including SLA targets/SLA met or not met for jitter, latency, packetloss, Health-check server status (alive or dead), status (up or down), and member status change.

Disabled by default

Filter 1:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="jitter" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${jitter} which violates the target ID ${slatargetid}.

Filter 2:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="latency" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${latency} which violates the target ID ${slatargetid}.

Filter 3:

  • Event Severity: High
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • subtype=="sdwan" AND metric=="packetloss" AND msg~"SLA failed"
  • Tags: NOC, SD-WAN
  • Custom message: On ${devname} the SLA for the ${healthcheck} failed for ${metric} with the current value of ${packetloss} which violates the target ID ${slatargetid}.

Filter 4:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND newvalue="die"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Filter 5:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND newvalue="alive"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} with status ${newvalue}. ${msg}.

Filter 6:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND status=="up"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} ${msg} status is ${status}.

Filter 7:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Health Check
  • Log messages that match all of the following conditions:
    • logid="0113022925" AND status=="down"
  • Tags: NOC, SD-WAN
  • Custom message: Device: ${devname} ${msg} status is ${status}.

Filter 8:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022923" AND msg="Number of pass member changed."
  • Tags: NOC, SD-WAN
  • Custom message: ${msg} from ${oldvalue} to ${newvalue} for ${devname}

Filter 9:

  • Event Severity: Medium
  • Log Type: Event, SD-WAN
  • Group by: Device Name, Log Description
  • Log messages that match all of the following conditions:
    • logid="0113022923" AND msg="Member status changed. Member out-of-sla."
  • Tags: NOC, SD-WAN
  • Custom message: ${msg}. Member is now ${member} on ${devname}.

Below are examples of raw logs that would trigger the associated default event handler.

Default Event Handler

Example Log

Local Device Event

id=6872390755323740160 itime=2020-09-14 10:06:03 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0034043006 subtype=logdb type=event level=warning time=10:06:03 date=2020-09-14 user=system action=delete msg=Requested to trim database tables older than 60 days to enforce the retention policy of Adom root. userfrom=system desc=Trim local db devid=FAZ-VMTM20001572 devname=FAZ-VMTM20001572 dtime=2020-09-14 10:06:03 itime_t=1600103163

Default-Compromised Host-Detection-by IOC-By-Threat

date=2020-09-20 time=07:41:20 id=6874471739997290516 itime=2020-09-20 00:41:20 euid=3 epid=1161 dsteuid=3 dstepid=101 type=utm subtype=ips level=warning sessionid=917509475 policyid=2 srcip=172.16.93.164 dstip=5.79.68.109 srcport=51392 dstport=80 proto=6 logid=0421016399 service=HTTP eventtime=1537181449 crscore=30 crlevel=high srcintfrole=lan dstintfrole=wan direction=outgoing url=/ hostname=survey-smiles.com profile=default eventtype=malicious-url srcintf=95-FortiCloud dstintf=OSPF msg=URL blocked by malicious-url-list devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:20 itime_t=1600587680 devname=FG100D3G02000011

Default-Risky-App-Detection-By-Threat

date=2020-09-20 time=07:41:23 id=6874471752882192399 itime=2020-09-20 00:41:23 euid=3 epid=1201 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=information action=pass sessionid=3003333495 policyid=79 srcip=172.16.80.218 dstip=122.195.166.40 srcport=38625 dstport=26881 proto=6 logid=1059028704 service=tcp/26881 eventtime=1537399002 incidentserialno=603516169 crscore=5 crlevel=low direction=outgoing apprisk=high appid=6 srcintfrole=lan dstintfrole=wan applist=scan appcat=P2P app=BitTorrent eventtype=app-ctrl-all srcintf=80-software-r dstintf=port7 msg=P2P: BitTorrent_HTTP.Track, devid=FG100D3G02000011 vd=root dtime=2020-09-20 07:41:23 itime_t=1600587683 devname=FG100D3G02000011

Default_NOC_Routing_Events

date=2021-02-08 time=10:36:09 eventtime=1612809370040652208 tz="-0800" logid="0103027001" type="event" subtype="router" level="information" vd="root" logdesc="VRRP state changed" interface="port1" msg="VRRP vrid 200 vrip 172.17.200.200 changes state from Master to Backup due to ADVERTISEMENT with higherer priority received"
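As an added example, not part of this guide or of FortiAnalyzer's own implementation, the following Python models how the NOC handler filters above turn raw logs into events: the Log Type gate (type/subtype), the match conditions (`==` exact, `~` substring), the Group by key that collapses repeated logs into one event, and the `${field}` custom message. It assumes raw logs are space-separated key=value pairs with double-quoted values, treats `~` as a case-insensitive substring match and "Default message" as the log's msg field, and uses constructed sample logs with a placeholder device name.

```python
import re
from string import Template

# Assumption: raw logs are key=value pairs; a value is either double-quoted
# (may contain spaces) or a bare token. Real exports can also carry unquoted
# values with spaces, which this simple parser does not handle.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Return the key=value pairs of one raw log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}

# Condition helpers mirroring the guide's filter syntax.
def eq(field, value):        # field=="value" (the guide also writes field="value")
    return lambda log: log.get(field) == value

def contains(field, text):   # field~"text"; assumed case-insensitive substring
    return lambda log: text.lower() in log.get(field, "").lower()

def all_of(*conds):          # AND
    return lambda log: all(c(log) for c in conds)

# Three filters transcribed from the handlers above. logtype is (type, subtype);
# a subtype of None models "Event > Any".
FILTERS = [
    {"handler": "Default-NOC-Routing-Events", "filter": 5, "severity": "Medium",
     "logtype": ("event", "router"), "match": eq("logdesc", "VRRP state changed"),
     "group_by": ("devname", "logdesc"),
     "message": "${logdesc} on ${devname} with message ${msg}"},
    {"handler": "Default-NOC-Network-Events", "filter": 1, "severity": "High",
     "logtype": ("event", "system"),
     "match": all_of(eq("logid", "0100029021"), eq("logdesc", "SNMP query failed")),
     "group_by": ("devname", "logdesc"),
     "message": "Device: ${devname} ${logdesc} with message: ${msg}"},
    {"handler": "Default-NOC-Switch-Events", "filter": 4, "severity": "Medium",
     "logtype": ("event", None), "match": contains("msg", "flap"),
     "group_by": ("devname", "msg"),
     "message": "${msg}"},   # assumption: "Default message" shows the log msg
]

def evaluate(lines):
    """Run every filter over the raw lines; return one event per Group by key."""
    events = {}
    for line in lines:
        log = parse_log(line)
        for f in FILTERS:
            want_type, want_sub = f["logtype"]
            if log.get("type") != want_type:
                continue
            if want_sub is not None and log.get("subtype") != want_sub:
                continue
            if not f["match"](log):
                continue
            key = (f["handler"], f["filter"]) + tuple(log.get(g, "") for g in f["group_by"])
            event = events.setdefault(key, {
                "handler": f["handler"], "filter": f["filter"], "severity": f["severity"],
                "message": Template(f["message"]).safe_substitute(log), "count": 0})
            event["count"] += 1   # repeated logs with the same key roll into one event
    return list(events.values())

# Constructed sample logs (placeholder device name, not from a real device).
SAMPLE_LOGS = [
    'date=2021-02-08 time=10:36:09 logid="0103027001" type="event" subtype="router" vd="root" '
    'devname="FGT-EXAMPLE-1" logdesc="VRRP state changed" interface="port1" '
    'msg="VRRP vrid 200 changes state from Master to Backup"',
    'date=2021-02-08 time=10:37:00 logid="0100029021" type="event" subtype="system" vd="root" '
    'devname="FGT-EXAMPLE-1" logdesc="SNMP query failed" msg="SNMP query from 10.0.0.5 failed"',
    'date=2021-02-08 time=10:38:15 type="event" subtype="switch-controller" vd="root" '
    'devname="FGT-EXAMPLE-1" logdesc="FortiSwitch link" msg="switch port port3 flapping detected"',
    'date=2021-02-08 time=10:39:30 logid="0103027001" type="event" subtype="router" vd="root" '
    'devname="FGT-EXAMPLE-1" logdesc="VRRP state changed" interface="port1" '
    'msg="VRRP vrid 200 changes state from Backup to Master"',
    # Traffic log: contains "flap" but fails the Event log-type gate, so no event.
    'date=2021-02-08 time=10:40:00 type="traffic" subtype="forward" devname="FGT-EXAMPLE-1" '
    'msg="link flap noise that must not match an Event filter"',
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_LOGS):
        print(f'[{ev["severity"]}] {ev["handler"]} filter {ev["filter"]} '
              f'x{ev["count"]}: {ev["message"]}')
```

The two VRRP logs share the Group by key (device name, log description) and so become a single event with a count of 2, while the traffic log is never considered.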

FortiOS system events

FortiOS predefined system event handlers are consolidated into a single event handler with multiple filters called Default FOS System Events.

Events are organized by device in the FortiSoC/Incidents & Events dashboards, which can be expanded to view all related events.

Default FOS System Event filters apply tags to each event, allowing you to identify which Default FOS System Event filter triggered the event.

If you are upgrading from a version before FortiAnalyzer 6.2.0, the existing legacy predefined handlers which are enabled or have been modified will be available as custom handlers. In the Event Handler List, select the More dropdown and choose Show Custom.