Event handlers determine which events are generated from logs. Enable an event handler to start generating events. To see which event handlers are enabled or disabled, see Enabling event handlers.
When ADOMs are enabled, each ADOM has its own event handlers and lists of events. Ensure you are in the correct ADOM when working in FortiSoC/Incidents & Events.
You can use predefined event handlers to generate events. There are predefined event handlers for FortiGate, FortiSandbox, FortiMail, and FortiWeb devices. In a Security Fabric ADOM, all predefined event handlers are displayed.
You can create custom event handlers. An easy way to create a custom event handler is to clone a predefined event handler and customize its settings. See Cloning event handlers.
Configure event handlers to generate events for all devices, a specific device, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. Event handlers can also be configured for SIEM logs by selecting the SIEM log device type when configuring an event handler.
To see event handlers, go to FortiSoC/Incidents & Events > Event Monitor > Event Handler List.
Event handlers generate events only from Analytics logs and not Archive logs. For more information, see Analytics and Archive logs.
In an Analyzer–Collector collaboration scenario, the Analyzer evaluates event handlers. For more information, see Analyzer–Collector collaboration.
You can also import and export event handlers, allowing you to develop custom event handlers and deploy them in bulk to other ADOMs or FortiAnalyzer units. For more information, see Importing and exporting event handlers.
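As an added example (not FortiAnalyzer's own code; the record fields for ADOM, storage tier and device type are assumptions), a small Python model of the evaluation rules described above: only enabled handlers in the log's ADOM, scoped to all devices or to one device ID, generate events, and only from Analytics logs, never Archive logs.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Handler:
    name: str
    adom: str                 # each ADOM has its own handlers
    enabled: bool             # a disabled handler generates nothing
    devtype: str              # FortiGate, FortiWeb, Syslog, ...
    devid: str = "All"        # "All" devices or one specific device ID
    match: dict = field(default_factory=dict)  # every field=value must match

def parse_log(raw: str) -> dict:
    """Parse a key=value log line (double-quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', raw)}

def generate_events(handlers, records):
    """Return (handler name, devid, logid) for every Analytics log that an
    enabled, in-scope handler matches; Archive logs are skipped entirely."""
    events = []
    for rec in records:
        if rec["storage"] != "analytics":
            continue
        log = parse_log(rec["raw"])
        for h in handlers:
            if not h.enabled or h.adom != rec["adom"] or h.devtype != rec["devtype"]:
                continue
            if h.devid != "All" and h.devid != rec["devid"]:
                continue
            if all(log.get(k) == v for k, v in h.match.items()):
                events.append((h.name, rec["devid"], log.get("logid")))
    return events

HANDLERS = [
    Handler("Admin login failed", "root", True, "FortiGate", match={"action": "login", "status": "failed"}),
    Handler("FortiWeb attack", "root", True, "FortiWeb", devid="FWB-1", match={"type": "attack"}),
    Handler("Disabled catch-all", "root", False, "FortiGate"),
    Handler("Lab logins", "lab", True, "FortiGate", match={"action": "login"}),
]

# Constructed sample records; device IDs and logids are made up for the example.
RECORDS = [
    {"adom": "root", "storage": "analytics", "devtype": "FortiGate", "devid": "FGT-A", "raw": 'logid="1001" type="event" action="login" status="failed" user="admin"'},
    {"adom": "root", "storage": "archive", "devtype": "FortiGate", "devid": "FGT-A", "raw": 'logid="1001" type="event" action="login" status="failed" user="admin"'},
    {"adom": "root", "storage": "analytics", "devtype": "FortiWeb", "devid": "FWB-2", "raw": 'logid="2001" type="attack" severity="High"'},
    {"adom": "root", "storage": "analytics", "devtype": "FortiWeb", "devid": "FWB-1", "raw": 'logid="2001" type="attack" severity="High"'},
    {"adom": "lab", "storage": "analytics", "devtype": "FortiGate", "devid": "FGT-L", "raw": 'logid="1002" type="event" action="login" status="success" user="ops"'},
]
```

Running `generate_events(HANDLERS, RECORDS)` yields three events: the archived copy of the failed login, the FortiWeb log from the out-of-scope device and the disabled handler all produce nothing.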