Configuring Endpoint Security Software
The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by AccelOps.
Bit9 Security Platform Configuration
Cisco Security Agent (CSA) Configuration
ESET NOD32 Anti-Virus Configuration
MalwareBytes Configuration
McAfee ePolicy Orchestrator (ePO) Configuration
Sophos Endpoint Security and Control Configuration
Symantec Endpoint Protection Configuration
Trend Micro Intrusion Defense Firewall (IDF) Configuration
Trend Micro OfficeScan Configuration
Bit9 Security Platform Configuration
What is Discovered and Monitored
Bit9 Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
Syslog | Logs | Security Monitoring |
Event Types
In CMDB > Event Types, search for “Bit9” in the Device Type columns to see the event types associated with this device.
Rules
Bit9 Agent Uninstalled or File Tracking Disabled
Bit9 Fatal Errors
Blocked File Execution
Unapproved File Execution
Reports
Bit9 Account Group Changes
Bit9 Fatal and Warnings Issues
Bit9 Functionality Stopped
Bit9 Security Configuration Downgrades
Bit9 Configuration
Syslog
AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.
Sample Syslog
<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new file 'c:\users\acct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"
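The Bit9 message carries its data as key="value" pairs after the "Bit9 event:" marker. The Python below is an added example, not AccelOps parser code and not part of the original page: it splits such a message into fields and rejects a copy whose file hash was broken by a line wrap. The function names and the abridged sample line are assumptions constructed for illustration.

```python
import re

# File hash exactly as it appears in the sample on this page.
HASH = "361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f"

# Constructed, abridged copy of the sample message (straight quotes, one line).
SAMPLE = (
    r'<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: '
    r'text="Server discovered new file '
    r"'c:\users\acct\appdata\local\temp\3cziegdd.dll' [" + HASH + r']." '
    r'type="Discovery" subtype="New file on network" hostname="SVR123" '
    r'username="SVR123\acct" ip_address="10.168.1.1" '
    r'file_name="3cziegdd.dll" file_hash="' + HASH + r'" policy="High Enforce" '
    r'file_trust="-2" process_trust="-1"'
)
# Same message with a space inside file_hash, as a wrapped copy/paste would have.
WRAPPED = SAMPLE.replace('file_hash="' + HASH,
                         'file_hash="' + HASH[:61] + " " + HASH[61:])

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) .*?Bit9 event: (?P<body>.*)$')
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
HEX64_RE = re.compile(r'^[0-9a-f]{64}$')
TEXT_HASH_RE = re.compile(r'\[([0-9A-Fa-f]{64})\]')


def parse_bit9(line):
    """Split one Bit9 syslog line into header values and a field dictionary."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Bit9 syslog message")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,      # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "reporting_host": m.group("host"),
        "fields": dict(PAIR_RE.findall(m.group("body"))),
    }


def validate(event):
    """Return a list of problems; an empty list means the event is consistent."""
    fields = event["fields"]
    problems = ["missing " + k for k in ("type", "subtype", "hostname")
                if k not in fields]
    file_hash = fields.get("file_hash", "").lower()
    if file_hash and not HEX64_RE.match(file_hash):
        problems.append("file_hash is not 64 hex digits")
    quoted = TEXT_HASH_RE.search(fields.get("text", ""))
    if quoted and file_hash and quoted.group(1).lower() != file_hash:
        problems.append("hash quoted in text differs from file_hash")
    return problems


if __name__ == "__main__":
    for name, line in (("sample", SAMPLE), ("wrapped", WRAPPED)):
        event = parse_bit9(line)
        print(name, event["fields"]["subtype"], validate(event) or "ok")
```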
Cisco Security Agent (CSA) Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
SNMP Trap |
Events
There are no specific events defined for this device.
Rules
AccelOps uses these rules to monitor events for this device:
Rule | Description |
Agent service control | Attempts to modify agent configuration |
Agent UI control | Attempts to modify agent UI default settings, security settings, configuration, contact information |
Application control | Attempts to invoke processes in certain application classes |
Buffer overflow attacks | |
Clipboard access control | Attempts to access clipboard data written by sensitive data applications |
COM component access control | Unusual attempts to access certain COM sets including Email objects |
Connection rate limit | Excessive connections to web servers or from email clients |
Data access control | Unusual attempts to access restricted data sets such as configuration files, passwords, etc. by suspect applications |
File access control | Unusual attempts to read or write restricted file sets such as system executables, boot files, etc. by suspect applications |
Kernel protection | Unusual attempts to modify kernel functionality by suspect applications |
Network access control | Attempts to connect to local network services |
Network interface control | Attempts by local applications to open a stream connection to the NIC driver |
Network shield | Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans, etc. |
Windows event log | |
Registry access control | Attempts to write certain registry entries |
Resource access control | Symbolic link protection |
Rootkit/kernel protection | Unusual attempts to load files after boot |
Service restart | Service restarts |
Sniffer and protocol detection | Attempts by packet/protocol sniffer to receive packets |
Syslog control | Syslog events |
System API control | Attempts to access Windows Security Access Manager (SAM) |
Reports
There are no predefined reports for Cisco Security Agent.
Configuration
SNMP Trap
AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
Example SNMP Trap
2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1
SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619
SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261
SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"
SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-05-13 19:03:21.157"
SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5
SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452
SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"
SNMPv2-SMI::enterprises.8590.2.8 = NULL
SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"
SNMPv2-SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied."
SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109
SNMPv2-SMI::enterprises.8590.2.13 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"
SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959
SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900
SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"
SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"
SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33
SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"
SNMPv2-SMI::enterprises.8590.2.21 = NULL
SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"
SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2
ESET NOD32 Anti-Virus Configuration
What is Discovered and Monitored
ESET NOD32 Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
Syslog |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
ESET NOD32 Configuration
Syslog
AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps Supervisor.
For Port, enter 514.
Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog
MalwareBytes Configuration
What is Discovered and Monitored
Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
Syslog | Malware detection log | Security Monitoring |
Event Types
In CMDB > Event Types, search for “malwarebytes” to see the event types associated with this device.
Rules
Malware found but not remediated
Reports
In Analytics > Reports, search for “malware found” to see the reports associated with this device.
Configuration
Syslog
AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.
Sample Syslog
<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abc-cbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_process":null,"application_path":null,"application":null}}
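The Malwarebytes message is a syslog header followed by a JSON document under "security_log". The Python below is an added example, not AccelOps code and not from the original page: it extracts that document and lists detections that were not remediated, in the spirit of the "Malware found but not remediated" rule. Treating "resolved": false as "not remediated" is an assumption, as are the function names and the constructed, abridged sample lines; a message with missing or damaged keys is rejected rather than silently counted as remediated.

```python
import json

# Constructed, abridged messages in the layout of the sample on this page.
REMEDIATED = (
    r'<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName '
    r'Malwarebytes-Endpoint-Security 1552 - {"security_log":{'
    r'"host_name":"Abc-cbd","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14",'
    r'"threat_level":"Moderate","object_type":"FileSystem",'
    r'"object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE",'
    r'"threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine",'
    r'"resolved":true,"logon_user":"dsamuels","source":"MBAM"}}'
)
# Invented variant that exercises the alert path.
UNRESOLVED = REMEDIATED.replace('"resolved":true', '"resolved":false')
# Invented variant with a key damaged by a line wrap; still valid JSON.
WRAPPED = REMEDIATED.replace('"host_name"', '"hos t_name"')

REQUIRED = ("host_name", "time", "threat_name", "action", "resolved")


def parse_malwarebytes(line):
    """Return the security_log dictionary from one syslog line, or raise ValueError."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload")
    try:
        doc = json.loads(line[start:])
    except json.JSONDecodeError as exc:
        raise ValueError("payload is not valid JSON: %s" % exc) from exc
    log = doc.get("security_log") if isinstance(doc, dict) else None
    if not isinstance(log, dict):
        raise ValueError("security_log object missing")
    missing = [k for k in REQUIRED if k not in log]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if not isinstance(log["resolved"], bool):
        raise ValueError("resolved is not a boolean")
    return log


def triage(lines):
    """Split lines into unremediated detections and rejected (unparseable) messages."""
    alerts, rejected = [], []
    for line in lines:
        try:
            log = parse_malwarebytes(line)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if not log["resolved"]:  # assumption: false means "not remediated"
            alerts.append({"host": log["host_name"], "time": log["time"],
                           "threat": log["threat_name"], "action": log["action"]})
    return alerts, rejected


if __name__ == "__main__":
    found, bad = triage([REMEDIATED, UNRESOLVED, WRAPPED])
    print("unremediated:", found)
    print("rejected:", bad)
```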
McAfee ePolicy Orchestrator (ePO) Configuration
What is Discovered and Monitored
ePO Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
SNMP Traps |
Event Types
In CMDB > Event Types, search for “mcafee epolicy” in the Description column to see the event types associated with this application or device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
ePO Configuration
SNMP Trap
AccelOps processes events from this device via SNMP traps sent by the device.
- Log in to the McAfee ePO console.
- Go to Menu > Configuration > Registered Servers, and then click New Server.
The Registered Server Builder opens.
- For Server type, enter SNMP Server.
- For Name, enter the IP address of your SNMP server.
- Enter any Notes, and then click Next to go to the Details
- For Address, enter the IP address or DNS Name for the AccelOps virtual appliance that will receive the SNMP trap.
- For SNMP Version, select SNMPv1.
- For Community, enter public.
- Click Send Test Trap, and then click OK.
- Log in to your Supervisor node and use Real Time Search to see if AccelOps received the trap.
Example SNMP Trap
2011-04-14 01:28:46 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.3401 Enterprise Specific Trap (5) Uptime: 0:00:00.30
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.245 = STRING: "To SJ-Dev-S-RH-DNS-01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.245 = STRING: "My Organization"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.245 = STRING: "Directory"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.245 = STRING: "Any"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.245 = STRING: "Any"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.245 = STRING: "(Any)"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.245 = STRING: "4/16/08 3:07:04 AM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.245 = STRING: "1278"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.245 = STRING: "file infected. No cleaner available, file deleted successfully"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.245 = STRING: "1"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.17.245 = STRING: "1"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.13.245 = STRING: "VirusScan"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245 = STRING: "Virus detected and removed"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245 = STRING: "EICAR test file"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.23.245 = STRING: "Not Available"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.24.245 = STRING: "192.168.1.6"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.25.245 = STRING: "SJDEVSWINIIS01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.26.245 = STRING: "C:\Documents and Settings\administrator.PROSPECTHILLS\Desktop\eicar.com"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.27.245 = STRING: "3"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.6.245 = STRING: "4/16/08 3:07:04 AM"
Sophos Endpoint Security and Control Configuration
What is Discovered and Monitored
Sophos Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
SNMP Trap |
Event Types
In CMDB > Event Types, search for “sophos endpoint” in the Device Type column to see the event types associated with this application or device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Sophos Configuration
SNMP Trap
AccelOps processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to AccelOps, and the system will automatically recognize the messages.
SNMP Traps are configured within the Sophos policies.
- In the Policies pane, double-click the policy you want to change.
- In the policy dialog, in the Configure panel, click Messaging.
- In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
- In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages.
- In the SNMP trap destination field, enter the IP address of the recipient.
- In the SNMP community name field, enter the SNMP community name.
Sample SNMP Trap
Symantec Endpoint Protection Configuration
What is Discovered and Monitored
Symantec Endpoint Protection Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
Syslog | Logs | Security Monitoring |
Event Types
In CMDB > Event Types, search for “symantec endpoint” in the Device Type and Description columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Symantec Endpoint Protection Configuration
Syslog
AccelOps processes events from this device via syslogs sent by the device.
Configuring Log Transmission to AccelOps
- Log in to Symantec Endpoint Protection Manager.
- Go to Admin > Configure External Logging > Servers > General.
- Select Enable Transmission of Logs to a Syslog Server.
- For Syslog Server, enter the IP address of the AccelOps virtual appliance.
- For UDP Destination Port, enter 514.
Configuring the Types of Logs to Send to AccelOps
- Go to Admin > Configure External Logging > Servers > Log Filter.
- Select the types of logs and events you want to send to AccelOps.
Sample Syslog
<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus 0 2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342-AB3D-E0E9E3756510},,(IP)-0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,,,,,,,0,,,,,
<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on failed
<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on succeeded
<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer: ,Source IP: 0.0.0.0
Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC
<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End: 2009-02-24 11:50:01,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: Administrator,Domain: PROSPECTHILLS
<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 130727ag.
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.
<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 0,Smc,Network Threat Protection – – Engine version: 11.0.480 Windows Version info: Operating System: Windows XP (5.1.2600 Service Pack 3) Network info: No.0 "Local Area Connection 3" 00-15-c5-46-58-1e "Broadcom NetXtreme 57xx Gigabit Controller" 10.0.208.66
<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule:
Trend Micro Intrusion Defense Firewall (IDF) Configuration
What is Discovered and Monitored
Trend Micro Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
Syslog |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Trend Micro Configuration
Syslog
AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.
For Port, enter 514.
Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog
Trend Micro OfficeScan Configuration
What is Discovered and Monitored
Trend Micro Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
SNMP Trap |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Trend Micro Configuration
SNMP Trap
AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
Example SNMP Trap
2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30
SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) "
Configuring Environmental Sensors
AccelOps supports these devices for monitoring.
APC Netbotz Environmental Monitor Configuration
APC UPS Configuration
Generic UPS Configuration
Liebert FPC Configuration
Liebert HVAC Configuration
Liebert UPS Configuration
APC Netbotz Environmental Monitor Configuration
What is Monitored and Collected
Event Types
Rules
Reports
Configuration
SNMP
SNMP Trap
Example SNMP Trap
Setting Access Credentials
What is Monitored and Collected
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature; Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity; Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow; Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature; Current: Sensor Id, Sensor label, Enclosure Id, Current; Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading; Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading; Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close); Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion); Hardware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, Memory Beacon Status; EMS Status (for NBRK0200): EMS Hardware Status, Connection State; Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code; Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code | Availability and Performance Monitoring |
SNMP Trap (V1, V2c) | SNMP Trap | See Event Types for more information about viewing the SNMP traps collected by AccelOps for this device. | Availability and Performance Monitoring |
Event Types
In CMDB > Event Types, search for “NetBotz” in the Name column to see the event types associated with this application or device.
Event types for NetBotz NBRK0200
Rules
In Analytics > Rules, search for “NetBotz” in the Name column to see the rules associated with this application or device.
Reports
In Analytics > Reports, search for “Netbotz” in the Name column to see the reports associated with this application or device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
SNMP Trap
AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
Example SNMP Trap
Setting Access Credentials
APC UPS Configuration
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
SNMP
SNMP Trap
Example SNMP Trap
Setting Access Credentials
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency | Availability and Performance Monitoring |
SNMP Trap | Availability and Performance Monitoring |
Event Types
In CMDB > Event Types, search for “apc” in the Device Type column to see the event types associated with this device.
Rules
In Analytics > Rules, search for “apc” in the Name column to see the rules associated with this device.
Reports
In Analytics > Reports, search for “apc” in the Name column to see the reports associated with this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
SNMP Trap
AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
Example SNMP Trap
Setting Access Credentials
Generic UPS Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature | Availability and Performance Monitoring |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Setting Access Credentials
Liebert FPC Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly, Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, Output Ly Capacity | Availability and Performance Monitoring |
Event Types
In CMDB > Event Types, search for “Liebert FPC” in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In Analytics > Reports, search for “Liebert FPC” in the Name column to see the reports associated with this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Settings for Access Credentials
Liebert HVAC Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity | Availability and Performance Monitoring |
AccelOps uses SNMP to discover and collect metrics from Generic UPS devices – requires the presence of UPS-MIB on the UPS device.
Follow Liebert HVAC documentation to enable AccelOps to poll the device via SNMP.
Event Types
In CMDB > Event Types, search for “Liebert HVAC” in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In Analytics > Reports, search for “Liebert HVAC” in the Name column to see the reports associated with this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Settings for Access Credentials
Liebert UPS Configuration
What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for |
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature | Availability and Performance Monitoring |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Settings for Access Credentials