Manage event handlers
You can create traffic, event, and extended log handlers to monitor network traffic and events based on specific log filters. These log handlers can then be edited, deleted, cloned, and enabled or disabled as needed.
To create a new event handler:
- Go to Event Management > Event Handler.
- Select Create New in the toolbar, or right-click on an the entry and select Create New in the right-click menu.
The Create New Event Handler dialog box is displayed.
Figure 115:Create new event handler dialog box
- Enter a name for the new event handler and select OK.
The Event Handler page opens with the Definition tab displayed.
Figure 116:Create event handler definition page
- Configure the following settings:
| Status | Enable or disable the event handler.
• Enabled • Disabled |
| Name | Edit the name if required. |
| Description | Enter a description for the event handler. |
| Devices | Select All Devices, select Specify and use the add icon, , to add devices. Select Local FortiAnalyzer if the event handler is for local FortiAnalyzer event logs.
Local FortiAnalyzer is available in the root ADOM only and is used to query FortiAnalyzer event logs. |
| Severity | Select the severity from the drop-down list. Select one of the following:
• Critical • High • Medium • Low |
| Filters | |
| Log Type | Select the log type from the drop-down list. The available options are: Traffic Log, Event Log, Application Control, DLP, IPS, Virus, and Web Filter.
The Log Type is Event Log when Devices is Local FortiAnalyzer. |
| Event Category | Select the category of event that this handler will monitor from the drop-down list.
• AntiVirus • Application Control • DLP • IPS • WebFilter • Others This option is only available when Log Type is set to Traffic Log and Devices is set to All Devices or Specify. |
| Group by | Select the criterium by which the information will be grouped.
This option is not available when Log Type is set to Traffic Log. |
| Log message that match | Select either All or Any of the Following Conditions.
When Devices is Local FortiAnalyzer, this option is not available. |
| Add Filter | Select the add icon to add log filters.
When Devices is Local FortiAnalyzer, this option is not available. You can only set one log field filter. |
| Log Field | Select a log field to filter from the drop-down list. The available options will vary depending on the selected log type. |
| Match Criteria | Select a match criteria from the drop-down list. The available options will vary depending on the selected log field. |
| Value | Either select a value from the drop-down list, or enter a value in the text box. The available options will vary depending on the selected log field. |
| Delete | Select the delete icon, to delete the filter. A minimum of one filter is required. |
| Generic Text Filter | Enter a generic text filter. For more information on creating a text filter, hover the cursor over the help icon. |
- Select Apply to save the Definition
- Select the Notification
Figure 117:Notification tab
- Configure the following settings:
| Generate alert when at least | Enter threshold values to generate alerts. Enter the number, in the first text box, of each type of event that can occur in the number of minutes entered in the second text box. |
| Send Alert Email | Select the checkbox to enable. Enter an email address in the To and From text fields, enter a subject in the Subject field, and select the email server from the drop-down list. Select the add icon, , to add an email server.For information on creating a new mail server, see “Mail server” on page 108. |
| Send SNMP Trap to | Select the checkbox to enable this feature. Select an SNMP community from the drop-down list. Select the add icon, , to add a SNMP community. For information on creating a new SNMP community, see “To create a new SNMP community:” on page 106. |
Send Alert to Syslog Select the checkbox to enable this feature. Select a syslog server
Server from the drop-down list. Select the add icon, , to add a syslog server. For information on creating a new syslog server, see “Syslog server” on page 108.
- Select Apply to create the new event handler.
- Select Return to return to the Event Handler
To edit an event handler:
- Go to Event Management > Event Handler.
- Select an event handler entry and either select Edit in the toolbar, or right-click on the entry and select Edit in the pop-up menu. The Edit Event Handler page opens.
- Edit the settings as required.
- Select Apply to save the configuration.
- Select Return to return to the Event Handler
To clone an event handler:
- Go to Event Management > Event Handler.
- Select an event handler entry and either select Clone in the toolbar, or right-click on the entry and select Clone in the pop-up menu. The Clone Event Handler window opens.
- Edit the settings as required.
- Select Apply to save the configuration.
- Select Return to return to the Event Handler
To delete an event handler:
- Go to Event Management > Event Handler.
- Select an event handler entry and either select Delete in the toolbar, or right-click on the entry and select Delete in the pop-up menu.
- Select OK in the confirmation dialog box to delete the event handler.
- Go to Event Management > Event Handler.
- Select an event handler entry, right-click and select Enable in the pop-up menu. The status field will display a enabled icon, .
To disable an event handler:
- Go to Event Management > Event Handler.
- Select an event handler entry, right-click and select Disable in the pop-up menu. The status field will display a disabled icon, .
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Thanks for nice share. I have some confusion regarding SNMP community and syslog server. I want to know what is thus, which purpose you want to use this.Would you please simplify thus things.