Event log category triggers
There are six automation triggers based on event log categories:
- Anomaly logs
- IPS logs
- SSH logs
- Traffic violations
- Virus logs
- Web filter violations
When multi VDOM mode is enabled, individual VDOMs can be specified so that the trigger is only applied to those VDOMs.
config system automation-trigger edit <name> set event-type {ips-logs | anomaly-logs | virus-logs | ssh-logs | webfilter-violation | traffic-violation} set vdom <name> next end
A maximum of 16 log IDs can be set as triggers for the event log. |
Example
In this example, an automation stitch is created that uses an anomaly logs trigger and an email notification action. The trigger specifies which VDOMs should be used. There is a three-second delay between the trigger and action.
To configure an automation stitch with the anomaly logs trigger in the GUI:
- Configure the trigger:
Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
In the Event Log Category section, click Anomaly Logs.
Enter a name (anomaly-logs) and add the required VDOMs (root, vdom-nat, vdom-tp).
Click OK.
- Configure the action:
Go to Security Fabric > Automation, select the Action tab, and click Create New.
In the Notifications section, click Email and enter the following:
Name
email_default_rep_message
To
Enter an email address
Subject
CSF stitch alert
Replacement message
Enable
Click OK.
- Configure the stitch:
Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
Enter the name, anomaly-logs-stitch.
Click Add Trigger. Select anomaly-logs and click Apply.
Click Add Action. Select email_default_rep_message and click Apply.
Click Add delay (between the trigger and action). Enter 3 and click OK.
Click OK.
To configure an automation stitch with the anomaly logs trigger in the CLI:
- Configure the trigger:
config system automation-trigger edit "anomaly-logs" set event-type anomaly-logs set vdom "root" "vdom-nat" "vdom-tp" next end
- Configure the action:
config system automation-action edit "email_default_rep_message" set action-type email set email-to "admin@fortinet.com" set email-subject "CSF stitch alert" set replacement-message enable next end
- Configure the stitch:
config system automation-stitch edit "anomaly-logs-stitch" set description "anomaly-logs" set trigger "anomaly-logs" config actions edit 1 set action "email_default_rep_message" set delay 3 set required enable next end next end
Verification
Once the anomaly log is generated, the automation stitch is triggered end the email notification is sent.
To confirm that the stitch was triggered in the GUI:
- Go to Security Fabric > Automation and select the Stitch tab.
- Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
# diagnose test application autod 2 ... stitch: anomaly-logs-stitch destinations: all trigger: anomaly-logs type:anomaly logs field ids: (id:6)vd=root,vdom-nat,vdom-tp local hit: 1 relayed to: 0 relayed from: 0 actions: email_default_rep_message type:email interval:0 delay:3 required:yes subject: CSF stitch alert body: %%log%% sender: mailto:admin@fortinet.com;