Event Management : Event handler
 
Event handler
The Event Handler page allows you to view, create, edit, delete, clone, and search event handlers. You can select these options in the toolbar. The right-click menu includes the same options and also lets you enable or disable configured event handlers. You can create event handlers for a specific device, multiple devices, or log arrays, and for either traffic logs or event logs.
FortiManager v5.0 Patch Release 5 or later includes five default event handlers for FortiGate and FortiCarrier devices. Click on the event handler name to enable or disable the event handler and to assign devices to the event handler.
Table 16: Default event handlers

Event Handler: Antivirus Event
Description:
    Status: Disabled (Default)
    Devices: All FortiGates, All FortiCarriers (Default)
    Severity: High
    Log Type: Traffic Log
    Event Category: AntiVirus
    Group by: Virus Name
    Log messages that match all conditions:
        Level Greater Than or Equal To Information
    Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.

Event Handler: APP Ctrl
Description:
    Status: Disabled (Default)
    Devices: All FortiGates, All FortiCarriers (Default)
    Severity: Medium
    Log Type: Traffic Log
    Event Category: Application Control
    Group by: Application Name
    Log messages that match any of the following conditions:
        Application Category Equal To Botnet
        Application Category Equal To Proxy
    Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.

Event Handler: DLP
Description:
    Status: Disabled (Default)
    Devices: All FortiGates, All FortiCarriers (Default)
    Severity: Medium
    Log Type: Traffic Log
    Event Category: DLP
    Group by: DLP Rule Name
    Log messages that match all conditions:
        Security Action Equal To Blocked
    Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.

Event Handler: IPS Event
Description:
    Status: Disabled (Default)
    Devices: All FortiGates, All FortiCarriers (Default)
    Severity: High
    Log Type: Traffic Log
    Event Category: IPS
    Group by: Attack Name
    Log messages that match all conditions:
        Level Greater Than or Equal To Critical
    Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.

Event Handler: Web Filter
Description:
    Status: Disabled (Default)
    Devices: All FortiGates, All FortiCarriers (Default)
    Severity: Medium
    Log Type: Traffic Log
    Event Category: WebFilter
    Group by: Hostname URL
    Log messages that match any of the following conditions:
        Web Category Equal To Child Abuse, Discrimination, Drug Abuse, Explicit Violence, Extremist Groups, Hacking, Illegal or Unethical, Plagiarism, Proxy Avoidance, Malicious Websites, Phishing, Spam URLs
    Event Handling: Generate alert when at least 1 matches occurred over a period of 30 minutes. Select one of the following: Send Alert Email, Send SNMP Trap to, Send Alert to Syslog Server.
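The matching, grouping, and threshold logic that Table 16 describes (filter conditions, Group by, "at least N matches over a period of M minutes"), as an added example that is not FortiManager's own code: it runs the IPS Event and Web Filter handlers over constructed FortiGate-style key=value log lines. The log field names (subtype, level, attack, catdesc, hostname), the severity ordering, and the sliding-window interpretation of the period are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style traffic log lines (not captured from a real device);
# the field names are assumptions, not taken from the documentation.
SAMPLE_LOGS = [
    'date=2014-03-01 time=10:00:05 type=traffic subtype=ips level=critical attack="Sample.Attack.A" devname=FG1',
    'date=2014-03-01 time=10:12:40 type=traffic subtype=ips level=critical attack="Sample.Attack.A" devname=FG1',
    'date=2014-03-01 time=10:20:00 type=traffic subtype=ips level=warning attack="Sample.Attack.B" devname=FG1',
    'date=2014-03-01 time=10:25:30 type=traffic subtype=webfilter level=warning catdesc="Phishing" hostname="bad.example" devname=FG2',
    'date=2014-03-01 time=10:30:00 type=traffic subtype=webfilter level=notice catdesc="News" hostname="news.example" devname=FG2',
]

# Assumed severity ordering, lowest to highest, for "Level Greater Than or Equal To".
LEVEL_RANK = {lvl: i for i, lvl in enumerate(
    ["debug", "information", "notice", "warning", "error", "critical", "alert", "emergency"])}

# Subset of the Web Filter handler's "Web Category Equal To" list from Table 16.
WEB_CATEGORIES = {"Hacking", "Malicious Websites", "Phishing", "Proxy Avoidance", "Spam URLs"}

# Two of the default handlers, expressed as log type + conditions + group-by + threshold.
HANDLERS = {
    "IPS Event": dict(subtype="ips", mode="all", group_by="attack",
                      conditions=[lambda r: LEVEL_RANK.get(r.get("level"), -1) >= LEVEL_RANK["critical"]],
                      min_matches=1, period=timedelta(minutes=30)),
    "Web Filter": dict(subtype="webfilter", mode="any", group_by="hostname",
                       conditions=[lambda r: r.get("catdesc") in WEB_CATEGORIES],
                       min_matches=1, period=timedelta(minutes=30)),
}

def parse_log(line):
    """Split a key=value line into a dict; double-quoted values keep embedded spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def evaluate(handler, lines):
    """Return {group value: match count} for each group that reaches min_matches
    within some window of length `period` (sliding window over sorted timestamps)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_log(line)
        if rec.get("subtype") != handler["subtype"]:
            continue  # wrong log type for this handler
        results = [cond(rec) for cond in handler["conditions"]]
        if (all if handler["mode"] == "all" else any)(results):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            hits[rec.get(handler["group_by"], "")].append(ts)
    alerts = {}
    for group, stamps in hits.items():
        stamps.sort()
        best = max(sum(1 for t in stamps[i:] if t - start <= handler["period"])
                   for i, start in enumerate(stamps))
        if best >= handler["min_matches"]:
            alerts[group] = best  # one alert per group, as "Group by" implies
    return alerts
```

Raising min_matches above 1 shows the threshold's effect: the same two critical IPS hits no longer produce an alert.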
Go to the Event Management tab and select Event Handler in the tree menu.
Figure 256: Event handler page
The following information and options are available:
Create New
Select to create a new event handler. This option is available in the toolbar and right-click menu. See “To create a new event handler:”.
Edit
Select an event handler and select edit to make changes to the entry. This option is available in the toolbar and right-click menu. See “To edit an event handler:”.
Delete
Select one or all event handlers and select delete to remove the entry or entries. This option is available in the toolbar and right-click menu. The default event handlers cannot be deleted. See “To delete an event handler:”.
Clone
Select an event handler in this page and click to clone the entry. A cloned entry will have Copy added to its name field. You can rename the cloned entry while editing the event handler. This option is available in the toolbar and right-click menu. See “To clone an event handler:”.
Status
The status of the event handler. This field shows whether the event handler is enabled or disabled.
Name
The name of the event handler.
Filters
The filters that you have configured for the event handler.
Event Type
The event category of the event handler. One of the following: AntiVirus, Application Control, DLP, IPS, or WebFilter.
Devices
The devices that you have configured for the event handler. This field will either display All FortiGates or list each device or log array.
Severity
The severity that you configured for the event handler. This field will display Critical, High, Medium, or Low.
Send Alert to
The email address, SNMP server, or syslog server that has been configured for the event handler.
Enable
Right-click an event handler and select Enable in the pop-up menu. See “To enable an event handler:”.
Disable
Right-click an event handler and select Disable in the pop-up menu. See “To disable an event handler:”.