Event Management – FortiManager 5.2

Event Management

In the Event Management tab you can configure event handlers based on log type and logging filters. You can choose to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiManager. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In v5.2.0 or later, Event Management supports local FortiManager event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

When rebuilding the SQL database, Event Management will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Events page

The following information is displayed:

Events

Count: The number of log entries associated with the event. Click the heading to sort events by count.
Event Name: The name of the event. Click the heading to sort events by event name.
Severity: The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type: The event type. For example, Traffic or Event. Click the heading to sort events by event type. IPS and Application Control event names are links. Select the link to view additional information.
Additional Info: Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence: The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination: Adjust the number of logs that are listed per page and browse through the pages.
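As an added illustration, not part of the guide, of how a handler rolls matching log entries up into the Count, Severity, Event Type and Last Occurrence columns described above, the following Python assumes a constructed key=value log layout and hypothetical handler definitions (log type, filter fields, user-configured severity):

```python
from datetime import datetime

# Constructed sample log lines in a key=value layout (assumed for illustration; not from the guide).
SAMPLE_LOGS = [
    "date=2015-03-10 time=09:12:01 devname=FG-1 type=event subtype=system level=notice user=admin action=login status=success",
    "date=2015-03-10 time=09:13:44 devname=FG-1 type=event subtype=system level=notice user=admin action=Edit cfgpath=firewall.policy",
    "date=2015-03-10 time=09:15:02 devname=FG-2 type=traffic subtype=forward level=notice srcip=10.0.0.5 action=deny",
    "date=2015-03-10 time=09:20:30 devname=FG-2 type=event subtype=system level=warning user=admin action=login status=failed",
    "date=2015-03-10 time=09:21:00 devname=FG-2 type=event subtype=system level=warning user=admin action=login status=failed",
]

# Hypothetical event handlers: a log type, filter fields that must all match, and a user-configured severity.
HANDLERS = [
    {"name": "Admin login failure", "log_type": "event", "filter": {"action": "login", "status": "failed"}, "severity": "High"},
    {"name": "Admin config change", "log_type": "event", "filter": {"action": "Edit"}, "severity": "Medium"},
    {"name": "Denied traffic", "log_type": "traffic", "filter": {"action": "deny"}, "severity": "Low"},
]


def parse_log(line):
    """Split one key=value log line into a dict (values may contain '=' after the first)."""
    return dict(kv.split("=", 1) for kv in line.split())


def generate_events(lines, handlers):
    """Match every log against every handler and aggregate the matches into events.

    Each event keeps the count of matching logs, the handler's severity, the log type,
    the latest timestamp seen (Last Occurrence) and the raw logs behind it.
    """
    events = {}
    for line in lines:
        log = parse_log(line)
        for h in handlers:
            if log.get("type") != h["log_type"]:
                continue  # wrong log type for this handler
            if any(log.get(k) != v for k, v in h["filter"].items()):
                continue  # at least one filter field does not match
            ts = datetime.strptime(log["date"] + " " + log["time"], "%Y-%m-%d %H:%M:%S")
            ev = events.setdefault(h["name"], {
                "count": 0, "severity": h["severity"], "event_type": log["type"],
                "last_occurrence": ts, "logs": [],
            })
            ev["count"] += 1
            ev["last_occurrence"] = max(ev["last_occurrence"], ts)
            ev["logs"].append(line)  # raw log entries viewable from the event
    return events
```

Sorting `generate_events(...)` by `count` or `last_occurrence` reproduces the column sorting the Events page offers.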


This entry was posted in Administration Guides, FortiManager.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Event Management – FortiManager 5.2”

  1. PIotr

    What if FortiManager and Analyzer functions are split into separate machines?
    On FAZ I can see only “Local FortiAnalyzer” as a source of such System events. FortiManager system events are not even displayed in FortiView->Event->System.
    Is there a way to get system events from a FortiManager on a separate machine to trigger an event via EventManager on the (separated) FortiAnalyzer?

    1. Mike Post author

      Piotr,

      I am having a hard time understanding what you are trying to do. Are you trying to log your FortiManager to the FortiAnalyzer and view all system events etc there? Let me know and I will see if I can help!

      1. Piotr

        Hello Mike,
        I have FortiManager (FMG) and FortiAnalyzer (FAZ) functionality running on separate machines.
        My goal is to have all EventLogs of type System available on FAZ (where such System logs from remote enforcement modules like FortiGate are already stored).
        Then I want to have an EventManager Handler on FAZ react to different administrator activity events – so far it only works on logs collected from FortiGates (or eventually the local FAZ, as there is a radio button selecting this source).
        I have set up such a handler, which is sensitive to admin login, configuration changes etc.

        When one of the admins changes something via FMG, such activity is not seen by the EventHandler because FMG system logs are not stored in FAZ. I do not know if there is a way to deliver FMG system logs to FAZ like FortiGates do, so the information stored in them can be used in FAZ to trigger events.
        Otherwise this EventHandler (on FAZ) has incomplete information (it has admin activity from FortiGates but not from FMG) – and I cannot treat it as a 100% reliable source of information about all entry points where admins can enter the system and, for example, make configuration changes.

        This is needed for supervision of administrator activity.

        Sorry for the bad language and hard-to-understand explanation.
        Thank you in advance for your effort.

        1. Mike Post author

          The FMG can log to a syslog device. The FortiAnalyzer will have minimal understanding of this. I would set up logging and alerts on the FortiManager itself most likely if you want alerts of changes etc. Either that or just have it dump to a SIEM like Splunk or ArcSight (I prefer Splunk for cost of deployment etc.). I reached out to my Fortinet SE just to verify and outside of SYSLOG there is no real “direct logging” to a FAZ from a FMG. I am sure someone out there has found a way to hack something up but I have not personally ever tried.
