Event Management – FortiManager 5.2
In the Event Management tab you can configure events handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiManager. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In v5.2.0 or later, Event Management supports local FortiManager event logs.
Events can also be monitored, and the logs associated with a given event can be viewed.
When rebuilding the SQL database, Event Management will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.
The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.
To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.
The following information is displayed:
|Count||The number of log entries associated with the event. Click the heading to sort events by count.|
|Event Name||The name of the event. Click the heading to sort events by event name.|
|Severity||The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.|
|Event Type||The event type. For example, Traffic orEvent. Click the heading to sort events by event type. IPS and Application Control event names are links. Select the link to view additional information.|
|Additional Info||Additional information about the event. Click the heading to sort events by additional information.|
|Last Occurrence||The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.|
|Pagination||Adjust the number of logs that are listed per page and browse through the pages.|
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
What if FortiManager and Anaylzer functions are split into separate machines ?
On FAZ I can see only “Local FortiAnalyzer” as a source of such System events. FortiManager system events are not even displayed in FortiView->Event->System.
Is there a way to get system events from FortiManager on separate machine to trigger an event via EventManager on (separated) FortiAnalyzer ?
I am having a hard time understanding what you are trying to do. Are you trying to log your FortiManager to the FortiAnalyzer and view all system events etc there? Let me know and I will see if I can help!
I have FortiManager (FMG) and FortiAnalyzer (FAZ) fuctionality running on separate machines.
My goal is to have all EventLogs of type System available on FAZ ( where such System logs from remote enforcement modules like FortiGate are already stored).
Then I want to have an EventManager Handler on FAZ to react on different administrator activity events – so far it only works on logs collected from FortiGate-s ( or eventually local FAZ , as there is a radio button selecting this source ).
I have set up such a handler , which is sensitive for admin login, configuration changes etc.
When one of the admins changes something via FMG, such activity is not seen by the EventHandler because FMG system logs are not stored in FAZ. I do not know if there is a way to deliver FMG system logs to FAZ like FortGate-s do , so information stored in them can be used in FAZ to trigger events.
Otherwise this EventHandler (on FAZ) has incomplete information ( it has admin activity from FortiGate-s but not from FMG) – and I cannot treat it as 100% reliable source of information about all entry points where admins can enter the system and for example make change of configuration.
This is needed for supervisory upon administrators activity.
Sorry for bad language and hard-understandable explanation.
Thank you in advance for your effort.
The FMG can log to a syslog device. The FortiAnalyzer will have minimal understanding of this. I would setup logging and alerts on the FortiManager itself most likely if you want alerts of changes etc. Either that or just have it dump to a SIEM like Splunk or ArcSight (i prefer splunk for cost of deployment etc). I reached out to my Fortinet SE just to verify and outside of SYSLOG there is no real “direct logging” to a FAZ from a FMG. I am sure someone out there has found a way to hack something up but I have not personally ever tried.