Using the logs sent by your FortiGate firewall to your FortiAnalyzer, you can set up a monitoring/alerting function for any logged event. This is very helpful for monitoring critical systems and functions such as interface flaps or IPsec VPN issues. You can monitor any event as long as it is logged. In this example, I will set up monitoring and alerting for failed admin login attempts.
On the FortiAnalyzer (FAZ) (I am using FortiOS v5.6 for the FAZ), select Event Management -> Event Handler List.
Create a new handler. For this example we will match on the logid sent by the FortiGate to your FAZ, specifically the event logs for failed admin logins.
Select the Log Type (other logs may be under a different log type; failed logins fall under Event Log) and the Event Category or Subtype (for this example, System).
Reference: for the complete list of Log IDs, Types and Subtypes, see the FortiOS 5.6.0 Log Reference:
https://docs.fortinet.com/uploaded/files/3610/FortiOS-5.6.0-Log-Reference.pdf
In the Log Field, choose LogID, set Match to “Equal To” and set Value to the Message ID.
The Message ID is actually a 10-digit field: the first two digits represent the log type (00 for Traffic Log and 01 for Event Log), the last 6 digits are the LogID, and zeroes fill in between to complete the 10-digit value. So for LogID 32002, use the value 0100032002.
Finally, supply the email details: the recipients, the source email address, the subject and the SMTP server that will route the mail.
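To make the 10-digit Message ID and the handler's match rule concrete, here is an added Python example (not from this post or from Fortinet) that builds the value from the log type and LogID, then applies the same type/subtype/logid test to FortiGate-style key=value log lines. The sample lines and their field values are constructed for the example, not captured from a device.

```python
import re

# First two digits of the 10-digit Message ID, as the post describes:
# 00 = traffic log, 01 = event log.
LOG_TYPE_CODES = {"traffic": "00", "event": "01"}


def full_logid(log_type: str, logid: int) -> str:
    """Build the 10-digit value the FAZ handler matches on:
    2-digit type code + zero padding + LogID right-aligned in 6 digits."""
    if not 0 <= logid <= 999999:
        raise ValueError("LogID must fit in six digits")
    return LOG_TYPE_CODES[log_type] + "00" + f"{logid:06d}"


def parse_fortigate_log(line: str) -> dict:
    """Turn a FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def match_failed_admin_logins(lines, logid: int = 32002) -> list:
    """Apply the same test the handler applies: type=event, subtype=system,
    and logid equal to the 10-digit value built from the LogID (32002 by default)."""
    wanted = full_logid("event", logid)
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") == "event" and f.get("subtype") == "system" and f.get("logid") == wanted:
            hits.append(f)
    return hits


# Constructed sample lines (not captured from a real device); all values are made up.
SAMPLE_LOGS = [
    'date=2019-01-01 time=10:00:01 devname="fw1" logid="0100032002" type="event" '
    'subtype="system" level="alert" user="admin" ui="https(192.0.2.10)" '
    'logdesc="Admin login failed" msg="Administrator admin login failed"',
    # Same six LogID digits but a traffic-type prefix: must NOT match.
    'date=2019-01-01 time=10:00:02 devname="fw1" logid="0000032002" type="traffic" '
    'subtype="forward" srcip=192.0.2.20 dstip=198.51.100.5 action="accept"',
    # A different event-log LogID (constructed placeholder): must NOT match.
    'date=2019-01-01 time=10:00:03 devname="fw1" logid="0100032099" type="event" '
    'subtype="system" level="information" user="admin" logdesc="Constructed placeholder"',
]

if __name__ == "__main__":
    for hit in match_failed_admin_logins(SAMPLE_LOGS):
        print(f"ALERT {hit['date']} {hit['time']} user={hit['user']} from {hit['ui']}")
```

The traffic-type line carries the same six trailing digits but a different prefix, which is why the handler's Value must include the type code and the zero padding.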