Adding an alert event – Fortinet FortiAnalyzer 3.0 MR7 User Manual


FortiAnalyzer Version 3.0 MR7 Administration Guide    134    05-30007-0082-20080908

Alert Events

Alert

Adding an alert event

Adding an alert event enables you to receive notification when certain types of log messages are received.

To add a new alert event

1. Go to Alert > Alert Event.

2. Select Create New.

3. Configure the following options:

Alert Name
Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.

Device Selection
Select the devices the FortiAnalyzer unit monitors for the alert event. Select from the Available Devices list and select the right arrow to move the device name to the Selected Devices list. Hold the SHIFT or CTRL key while selecting to select multiple devices.

Trigger(s)
Select the triggers that the FortiAnalyzer unit uses to indicate when to send an alert message. Select the following:
- a log type to monitor, such as Event Log or Attack Log
- the severity comparison to apply to the log messages, such as >=
- the severity of the log message to match, such as Critical
For example, if you select Event Log >= Warning, the FortiAnalyzer unit sends an alert when an event log message has a level of Warning, Error, Critical, Alert, or Emergency.
These options are used in conjunction with Generic Text and Device Selection to specify which log messages trigger the FortiAnalyzer unit to send an alert message.

Log Filters (Generic Text)
Select the Generic Text check box to enable log filters, and then enter the log message filter text. This text is used in conjunction with Trigger(s) and Device Selection to specify which log messages trigger the FortiAnalyzer unit to send an alert message.
Enter an entire word, delimited by spaces, exactly as it appears in the log messages that you want to match. Inexact or incomplete words or phrases may not match. For example, entering log_i or log_it may not match; entering log_id=0100000075 matches all log messages containing that whole word.
Do not use special characters, such as quotes (‘) or asterisks (*). If the log message that you want to match contains special characters, consider entering a substring of the log message that does not contain special characters. For example, instead of entering User 'admin' deleted report 'Report_1', you might enter admin.

Threshold
Set the threshold, that is, the log message frequency that the FortiAnalyzer unit must observe before sending an alert message. For example, set the FortiAnalyzer unit to send an alert only after it receives five emergency messages in an hour.

Destination(s)
Select where the FortiAnalyzer unit sends the alert message.

Send alert to
Select an email address, SNMP trap or Syslog server from the list. You must configure the SNMP traps or Syslog server before you can select them from the list.
For the FortiAnalyzer unit to send an email message, you must configure a DNS server and mail server account. For information, see “Configuring alerts by email server” on page 135.
For information on configuring SNMP traps, see “Configuring SNMP traps and alerts” on page 136.
For information on configuring Syslog servers, see “Configuring alerts by Syslog server” on page 140.
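The following Python program is an added illustration and is not part of the manual or Fortinet's code. It simulates how the Device Selection, Trigger(s), Generic Text and Threshold settings described above combine to decide whether a log message raises an alert, and runs that logic over a few constructed log records. The severity ordering (syslog order), the space-delimited whole-word match, the sliding one-hour counting window and the counter reset after an alert fires are assumptions made for the example; the record field names, device names and log messages are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Severity levels from least to most severe (syslog order; assumed for this example).
SEVERITY_ORDER = ["Debug", "Information", "Notice", "Warning",
                  "Error", "Critical", "Alert", "Emergency"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# Comparison operators offered by the Trigger(s) selector (assumed set).
OPERATORS = {
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
}


def severity_matches(level, operator, reference):
    """True when `level` satisfies `<operator> reference`, e.g. Error >= Warning."""
    return OPERATORS[operator](SEVERITY_RANK[level], SEVERITY_RANK[reference])


def generic_text_matches(message, filter_text):
    """Whole-word match: the filter must equal a space-delimited token of the message.
    This is why 'log_i' does not match 'log_id=0100000075' while the full token does."""
    if filter_text is None:
        return True
    return filter_text in message.split(" ")


class AlertEvent:
    """One Alert Event as configured on the form: name, devices, trigger, text, threshold."""

    def __init__(self, name, devices, log_type, operator, severity,
                 generic_text=None, threshold=1, window_minutes=60):
        self.name = name
        self.devices = set(devices)            # Device Selection
        self.log_type = log_type               # Trigger(s): log type
        self.operator = operator               # Trigger(s): comparison
        self.severity = severity               # Trigger(s): severity
        self.generic_text = generic_text       # Log Filters (Generic Text)
        self.threshold = threshold             # Threshold: matching messages needed
        self.window = timedelta(minutes=window_minutes)  # period they are counted over
        self._hits = deque()                   # timestamps of matching messages

    def matches(self, record):
        """All selectors (device, log type, severity, generic text) must agree."""
        return (record["device"] in self.devices
                and record["log_type"] == self.log_type
                and severity_matches(record["level"], self.operator, self.severity)
                and generic_text_matches(record["message"], self.generic_text))

    def process(self, record):
        """Return True when this record causes an alert to be sent.
        Sliding-window threshold (assumption); the counter resets after firing."""
        if not self.matches(record):
            return False
        now = record["time"]
        self._hits.append(now)
        while self._hits and now - self._hits[0] > self.window:
            self._hits.popleft()
        if len(self._hits) >= self.threshold:
            self._hits.clear()
            return True
        return False


def make_record(device, log_type, level, minutes, message):
    """Constructed log record; times are offsets from a fixed base for reproducibility."""
    base = datetime(2008, 9, 8, 12, 0, 0)
    return {"device": device, "log_type": log_type, "level": level,
            "time": base + timedelta(minutes=minutes), "message": message}


# Constructed sample log records (not real FortiAnalyzer output).
SAMPLE_LOGS = [
    make_record("FGT-1", "Event Log", "Notice", 0, "log_id=0100000075 user=admin action=login"),
    make_record("FGT-1", "Event Log", "Warning", 5, "log_id=0100000075 user=admin action=login"),
    make_record("FGT-2", "Event Log", "Critical", 6, "log_id=0100000075 user=admin action=login"),
    make_record("FGT-1", "Attack Log", "Critical", 7, "log_id=0100000075 attack=probe"),
    make_record("FGT-1", "Event Log", "Error", 30, "log_id=0100000075 user=admin action=config"),
]


def run_demo(generic_text="log_id=0100000075", threshold=2):
    """Feed SAMPLE_LOGS through one alert event (FGT-1, Event Log >= Warning);
    return the indices of the records that cause an alert to be sent."""
    event = AlertEvent("admin-events", ["FGT-1"], "Event Log", ">=", "Warning",
                       generic_text=generic_text, threshold=threshold)
    return [i for i, rec in enumerate(SAMPLE_LOGS) if event.process(rec)]


if __name__ == "__main__":
    print("alert sent on records:", run_demo())
```

With the default settings only record 4 fires: record 0 is below Warning, record 2 comes from an unselected device, record 3 is an Attack Log entry, and record 1 matches but is only the first of the two hits the threshold requires. Lowering the threshold to 1 makes records 1 and 4 each fire, and a partial filter such as log_i matches nothing because it is not a whole space-delimited word.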