Scope
FortiSIEM v6.x+.
Solution
System Event Category (phEventCategory) = 3 has to be included in the filter: FortiSIEM's own system events, such as the collector status events used here, are only returned when the system event category is specified.
Step 1: Create the rule for collector down.
Filters: System Event Category = 3 AND Event Type CONTAIN PH_COLLECTOR_DOWN   <----- Verify in Analytics that this filter returns the events before building the rule.
Group By: Collector ID
Action > Incident Attribute: Event Attribute = CollectorID, SubPattern = Collector_Down, Event Attribute = CollectorID
Step 2: Enable the rule. Note that the exported XML below carries active="false", so a rule created or imported from it stays disabled until it is enabled.
Rule XML:
<rules>
  <DataRequest active="false" advanced="true" custId="0" dataCreationType="USER" dbId="138045104" entityVersion="4" fireInternalIncident="false" functionCategory="Availability" id="138045104" naturalId="PH_SYS_Rule_1713323530076" phIncidentCategory="Internal" subFunction="PH_RULE_Availability_FortiSIEM" type="Rule">
    <Name>Collector Down Rule</Name>
    <Description/>
    <Remediation/>
    <CustomerScope groupByEachCustomer="true">
      <Include/>
      <Exclude/>
    </CustomerScope>
    <PatternClause window="300">
      <SubPattern id="84153257" name="Collector_Down">
        <SingleEvtConstr>phEventCategory=3 AND eventType CONTAIN "PH_COLLECTOR_DOWN"</SingleEvtConstr>
        <GroupEvtConstr>COUNT(*)>=1</GroupEvtConstr>
        <GroupByAttr>collectorId</GroupByAttr>
      </SubPattern>
    </PatternClause>
    <IncidentDef eventType="Collector_Down_Rule" eventTypeGroup="PH_SYS_EVENT_PH_RULE_AVAIL" fireFreq="3600" severity="9">
      <ArgList>collectorId=Collector_Down.collectorId</ArgList>
    </IncidentDef>
    <DynWatchListDef/>
    <userRoles>
      <roles custId="0">967901</roles>
    </userRoles>
    <TriggerEventDisplay>
      <AttrList>phRecvTime,eventType,reptDevIpAddr,rawEventMsg</AttrList>
    </TriggerEventDisplay>
    <IncidentTitle>Collector Down</IncidentTitle>
  </DataRequest>
</rules>
When a collector goes down, FortiSIEM generates the PH_COLLECTOR_DOWN system event and this rule raises a Collector Down incident for that collector ID (at most once per hour per collector, per fireFreq="3600"). Add the rule to a notification policy to be alerted by email.
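To make the rule semantics from Step 1 and the XML above concrete, here is a small stand-alone Python evaluator. It is an illustration added to this article, not FortiSIEM code: it reads the PatternClause and IncidentDef from a trimmed copy of the rule XML and replays constructed sample events through the single-event filter, the per-collector grouping, the COUNT(*)>=1 check and the fireFreq suppression. The sample events and their values (collector IDs, the IP address, the unrelated Win-Security-4624 event) are made up, and the sliding-window and fireFreq handling are simplifying assumptions about how the engine behaves, not a description of FortiSIEM internals.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the rule XML above: elements this evaluator does not read
# were dropped, the remaining attribute values are unchanged.
RULE_XML = """<rules><DataRequest active="false" id="138045104" type="Rule">
 <Name>Collector Down Rule</Name>
 <PatternClause window="300">
  <SubPattern id="84153257" name="Collector_Down">
   <SingleEvtConstr>phEventCategory=3 AND eventType CONTAIN "PH_COLLECTOR_DOWN"</SingleEvtConstr>
   <GroupEvtConstr>COUNT(*)>=1</GroupEvtConstr>
   <GroupByAttr>collectorId</GroupByAttr>
  </SubPattern>
 </PatternClause>
 <IncidentDef eventType="Collector_Down_Rule" fireFreq="3600" severity="9">
  <ArgList>collectorId=Collector_Down.collectorId</ArgList>
 </IncidentDef>
</DataRequest></rules>"""

# One term of a SingleEvtConstr: attr=value or attr CONTAIN "value"
TERM = re.compile(r'^(\w+)\s*(=|CONTAIN)\s*"?([^"]*)"?$')


def parse_rule(xml_text):
    """Extract the fields this simplified evaluator needs from the rule XML."""
    root = ET.fromstring(xml_text)
    clause = root.find("./DataRequest/PatternClause")
    sp = clause.find("SubPattern")
    inc = root.find("./DataRequest/IncidentDef")
    count = re.fullmatch(r"COUNT\(\*\)>=(\d+)", sp.findtext("GroupEvtConstr").strip())
    # ArgList "collectorId=Collector_Down.collectorId" -> (incident attr, subpattern, event attr)
    arg_list = []
    for term in inc.findtext("ArgList").split(","):
        lhs, rhs = term.strip().split("=", 1)
        sub, attr = rhs.split(".", 1)
        arg_list.append((lhs, sub, attr))
    return {
        "window": int(clause.get("window")),
        "subpattern": sp.get("name"),
        "single": sp.findtext("SingleEvtConstr"),
        "min_count": int(count.group(1)),
        "group_by": sp.findtext("GroupByAttr"),
        "incident_type": inc.get("eventType"),
        "severity": int(inc.get("severity")),
        "fire_freq": int(inc.get("fireFreq")),
        "arg_list": arg_list,
    }


def matches_single(constraint, event):
    """Evaluate an 'a=b AND c CONTAIN "d"' constraint (the only forms this rule uses)."""
    for term in constraint.split(" AND "):
        attr, op, value = TERM.match(term.strip()).groups()
        actual = str(event.get(attr, ""))
        if op == "=" and actual != value:
            return False
        if op == "CONTAIN" and value not in actual:
            return False
    return True


def run_rule(xml_text, events):
    """Replay events through the rule; return the incidents it would raise.

    Assumed semantics (simplified): a sliding window of `window` seconds per
    GroupBy value, COUNT(*) over the matching events in that window, and at
    most one incident per group every fireFreq seconds.
    """
    rule = parse_rule(xml_text)
    recent, last_fired, incidents = {}, {}, []
    for ev in sorted(events, key=lambda e: e["phRecvTime"]):
        if not matches_single(rule["single"], ev):
            continue  # filtered out by SingleEvtConstr
        key, now = str(ev.get(rule["group_by"])), ev["phRecvTime"]
        recent[key] = [t for t in recent.get(key, []) if now - t < rule["window"]] + [now]
        if len(recent[key]) < rule["min_count"]:
            continue  # GroupEvtConstr not satisfied yet
        if key in last_fired and now - last_fired[key] < rule["fire_freq"]:
            continue  # suppressed by fireFreq
        last_fired[key] = now
        incident = {"eventType": rule["incident_type"], "severity": rule["severity"], "phRecvTime": now}
        for inc_attr, sub, ev_attr in rule["arg_list"]:
            if sub == rule["subpattern"]:
                incident[inc_attr] = ev.get(ev_attr)
        incidents.append(incident)
    return incidents


# Constructed sample events (not real FortiSIEM output): phEventCategory 3 marks
# FortiSIEM system events; the category-1 Windows logon event is there to show
# that the category filter excludes ordinary device logs.
SAMPLE_EVENTS = [
    {"phRecvTime": 0, "phEventCategory": 3, "eventType": "PH_COLLECTOR_DOWN", "collectorId": 10001},
    {"phRecvTime": 60, "phEventCategory": 1, "eventType": "Win-Security-4624", "reptDevIpAddr": "10.0.0.9"},
    {"phRecvTime": 200, "phEventCategory": 3, "eventType": "PH_COLLECTOR_DOWN", "collectorId": 10002},
    {"phRecvTime": 300, "phEventCategory": 3, "eventType": "PH_COLLECTOR_DOWN", "collectorId": 10001},   # within fireFreq: suppressed
    {"phRecvTime": 4000, "phEventCategory": 3, "eventType": "PH_COLLECTOR_DOWN", "collectorId": 10001},  # fires again
]

if __name__ == "__main__":
    for inc in run_rule(RULE_XML, SAMPLE_EVENTS):
        print(inc)
```

Running it yields three incidents: collector 10001 at t=0, collector 10002 at t=200, and collector 10001 again at t=4000; the repeat for 10001 at t=300 is swallowed by fireFreq, which is why a collector that flaps within the hour produces a single incident rather than a flood of emails.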