Event handler
The Event handler page allows you to view, create, edit, delete, clone, and search event handlers. These options are available in the toolbar. The right-click menu includes the same options, plus the ability to enable or disable configured event handlers. You can create event handlers for a specific device, multiple devices, or log arrays, and for either traffic logs or event logs. Events for FortiMail and FortiWeb devices are created within their respective ADOMs.
FortiManager v5.0 Patch Release 5 includes five default event handlers for FortiGate and FortiCarrier devices. Click the event handler name to enable or disable the event handler and to assign devices to it. The default event handlers are disabled by default.
Table 14: Default event handlers

Event Handler: Antivirus Event
    Severity: High
    Filters: Traffic Log, Log messages that match all conditions:
        Level Greater Than or Equal To Notice
        Security Event Equal To AntiVirus
    Event Handling: Generate alert when 1 or more of each type occur in 30 minutes

Event Handler: APP Ctrl
    Severity: Medium
    Filters: Traffic Log, Log messages that match all conditions:
        Security Action Equal To Blocked
        Security Event Equal To Application Control
    Event Handling: Generate alert when 1 or more of each type occur in 30 minutes

Event Handler: DLP
    Severity: Medium
    Filters: Traffic Log, Log messages that match all conditions:
        Level Greater Than or Equal To Notice
        Security Event Equal To DLP
    Event Handling: Generate alert when 1 or more of each type occur in 30 minutes

Event Handler: IPS Event
    Severity: High
    Filters: Traffic Log, Log messages that match all conditions:
        Level Greater Than or Equal To Notice
        Security Event Equal To IPS
    Event Handling: Generate alert when 1 or more of each type occur in 30 minutes

Event Handler: Web Filter
    Severity: Medium
    Filters: Traffic Log, Log messages that match all conditions:
        Security Action Equal To Blocked
        Security Event Equal To WebFilter
    Event Handling: Generate alert when 1 or more of each type occur in 30 minutes
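The following Python model is an added example, not FortiManager code. It shows how the "match all conditions" filters and the 30-minute alert threshold of the five default handlers behave on constructed log records. Assumptions: the record keys (level, security_event, security_action) are hypothetical names mirroring the table's filter labels, matches are counted per handler, and the 30 minutes are treated as a trailing window.

```python
from datetime import datetime, timedelta

# Log levels in ascending severity (syslog-style ordering).
LEVELS = ["debug", "information", "notice", "warning",
          "error", "critical", "alert", "emergency"]

# Table 14 defaults: name -> (severity, conditions). The condition keys are
# hypothetical names mirroring the table's filter labels (assumption).
HANDLERS = {
    "Antivirus Event": ("High", {"min_level": "notice", "security_event": "AntiVirus"}),
    "APP Ctrl": ("Medium", {"security_action": "Blocked", "security_event": "Application Control"}),
    "DLP": ("Medium", {"min_level": "notice", "security_event": "DLP"}),
    "IPS Event": ("High", {"min_level": "notice", "security_event": "IPS"}),
    "Web Filter": ("Medium", {"security_action": "Blocked", "security_event": "WebFilter"}),
}

def matches(conds, log):
    """True only when the log satisfies ALL of a handler's conditions."""
    return all(
        LEVELS.index(log["level"]) >= LEVELS.index(want) if key == "min_level"
        else log.get(key) == want
        for key, want in conds.items())

def evaluate(logs, threshold=1, window=timedelta(minutes=30)):
    """Return (time, handler, severity) alerts for time-ordered logs."""
    recent = {name: [] for name in HANDLERS}  # match times per handler (assumed grouping)
    alerts = []
    for log in logs:
        for name, (severity, conds) in HANDLERS.items():
            if matches(conds, log):
                # Keep only matches inside the trailing window, then count them.
                recent[name] = [t for t in recent[name] + [log["time"]]
                                if log["time"] - t <= window]
                if len(recent[name]) >= threshold:
                    alerts.append((log["time"], name, severity))
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)
def rec(minute, level, event, action):  # builds one constructed sample record
    return {"time": T0 + timedelta(minutes=minute), "level": level,
            "security_event": event, "security_action": action}

SAMPLE = [  # constructed records, not real device logs
    rec(0, "information", "AntiVirus", "Blocked"),   # below Notice: no alert
    rec(5, "warning", "AntiVirus", "Blocked"),       # Antivirus Event
    rec(10, "notice", "WebFilter", "Passed"),        # not Blocked: no alert
    rec(12, "information", "WebFilter", "Blocked"),  # Web Filter has no level condition
    rec(50, "notice", "IPS", "Blocked"),             # IPS Event
]
```

With the default threshold of 1, every matching record raises an alert, so evaluate(SAMPLE) returns three alerts. Raising the threshold shows the window at work: two IPS records 10 minutes apart alert at threshold=2, while two records 40 minutes apart do not.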
Go to the Event Management tab and select Event Handler in the tree menu.
Figure 242: Event handler page
The following table lists page information and options:
Name: The name of the event handler.

Filters: The filters that you have configured for the event handler.

Devices: The devices that you have configured for the event handler. This field will either display All FortiGates or list each device or log array.

Severity: The severity that you configured for the event handler. This field will display Critical, High, Medium, or Low.

Send Alert to: The email address, SNMP server, or syslog server that has been configured for the event handler.

Status: The status of the event handler. This field will display a green circle check mark when enabled or a grey circle x when disabled.

Create New: Select to create a new event handler. This option is available in the toolbar and right-click menu.

Edit: Select an event handler and select Edit to make changes to the entry. This option is available in the toolbar and right-click menu.

Delete: Select one or all event handlers and select Delete to remove the entries. This option is available in the toolbar and right-click menu. The default event handlers cannot be deleted.

Clone: Select an event handler on this page and select Clone to clone the entry. A cloned entry will have Copy added to the name field. You can rename the cloned entry while editing the event handler. This option is available in the toolbar and right-click menu.

Select All: Select an event handler and select Select All in the right-click pop-up menu. You can then select Delete in the toolbar to delete the selected entries.

Enable: Select an event handler and select Enable in the right-click pop-up menu.

Disable: Select an event handler and select Disable in the right-click pop-up menu.