FortiSIEM Configuring Servers

Configuring Servers

AccelOps supports these servers for discovery and monitoring.

HP UX Server Configuration

IBM AIX Server Configuration

IBM OS400 Server Configuration

Linux Server Configuration

Microsoft Windows Server Configuration

Sun Solaris Server Configuration

HP UX Server Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “hp_ux” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “hp_ux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

  1. Make sure that the SNMP libraries are installed. AccelOps has been tested to work with the default HP UX package that comes with snmpd preinstalled.
  2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
  3. Make sure that snmpd is running.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
  2. Create a user account that can run vmstat and iostat. AccelOps will use that user account to log in to the server.

Settings for Access Credentials

IBM AIX Server Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “ibm_aix” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

  1. Make sure that the SNMP libraries are installed. AccelOps has been tested to work with the default AIX package that comes with snmpd preinstalled.
  2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
  3. Make sure that snmpd is running.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
  2. Create a user account that can run vmstat and iostat. AccelOps will use that user account to log in to the server.

Syslog

  1. Make sure that /etc/syslog.conf contains a *.* entry that sends all messages to the AccelOps sensor:

*.* @<SENSORIPADDRESS>

  2. Refresh syslogd:

# refresh -s syslogd

Settings for Access Credentials

IBM OS400 Server Configuration


What is Discovered and Monitored

Protocol: Syslog
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “os400” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps parses IBM OS400 logs received via the PowerTech agent, as described here. The PowerTech agent sends syslog messages to AccelOps.

Sample Parsed IBM OS400 Syslog Messages

Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder

Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport

Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE
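A parser for the PowerTech CEF messages above, added here as an example and not the AccelOps parser: it splits the syslog prefix, the seven pipe-delimited CEF header fields and the extension, tolerates the agent's "src =" spacing, breaks the msg= value into its KEY :VALUE pairs, and surfaces the delete operations (DLTSTRMFIL, DELETEFILE) a reviewer of this audit feed would look at first. The DETAIL field layout it assumes is inferred from the three samples and is an assumption.

```python
"""Parse PowerTech Interact CEF syslog messages from IBM i (OS400).

Added example, not the AccelOps parser. SAMPLE_LINES are the three messages
shown in this guide, rejoined onto single lines. The DETAIL layout assumed
below (exit point third token, function fourth, object path last) is inferred
from those samples and is an assumption, not a documented format.
"""
import re

SAMPLE_LINES = [
    "Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File Server "
    "transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 "
    "msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL "
    "OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO "
    "LNS0811 000112 00023 /home/BRENDAN/subfolder",
    "Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File Server "
    "transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 "
    "msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL "
    "OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO "
    "LNS0811 000112 00025 /home/BRENDAN/BoardReport",
    "Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP "
    "Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 "
    "msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL "
    "OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 "
    "LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE",
]

# Syslog prefix then CEF header; the agent writes "CEF :0", so allow spaces.
SYSLOG_CEF_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"CEF\s*:\s*(?P<cef_version>\d+)\|(?P<rest>.*)$"
)
# CEF extension keys; the agent emits "src =10.0.1.60" (space before '=').
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)\s*=")
# Keys inside the msg= value, e.g. "TYPE:JRN", "CLS :AUD", "DETAIL: ...".
MSG_KEY_RE = re.compile(r"\b([A-Z]+)\s*:")
# Functions in the samples that remove an object.
DELETE_FUNCTIONS = {"DLTSTRMFIL", "DELETEFILE"}


def _split_keyed(text, key_re):
    """Map each key to the text between it and the next key."""
    matches = list(key_re.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def parse_cef(line):
    """Return a flat dict for one PowerTech CEF line, or None if it is not CEF."""
    m = SYSLOG_CEF_RE.match(line)
    if not m:
        return None
    # Seven header fields; a literal pipe inside a field is escaped as \|.
    parts = re.split(r"(?<!\\)\|", m.group("rest"), maxsplit=6)
    if len(parts) != 7:
        return None
    vendor, product, version, sig_id, name, severity, ext = parts
    ext_fields = _split_keyed(ext, EXT_KEY_RE)
    msg_fields = _split_keyed(ext_fields.get("msg", ""), MSG_KEY_RE)
    detail = msg_fields.get("DETAIL", "").split()
    return {
        "timestamp": m.group("ts"), "host": m.group("host"),
        "vendor": vendor, "product": product, "version": version,
        "signature_id": sig_id, "name": name, "severity": int(severity.strip()),
        "src": ext_fields.get("src"), "dst": ext_fields.get("dst"),
        "user": msg_fields.get("JUSER"), "job": msg_fields.get("JJOB"),
        # Assumed DETAIL layout (see module docstring).
        "exit_point": detail[2] if len(detail) > 3 else None,
        "function": detail[3] if len(detail) > 3 else None,
        "object": detail[-1] if detail else None,
    }


def find_deletions(lines):
    """Parsed events whose function removes an object; the first thing a
    reviewer of IBM i audit data wants surfaced (e.g. a payroll file)."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev and ev["function"] in DELETE_FUNCTIONS:
            hits.append(ev)
    return hits
```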

Linux Server Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: OS type, Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Protocol: Syslog (via AccelOps LinuxFileMon agent)
  Metrics collected: File or directory change: User, Type of change, directory or file name
  Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “linux” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “linux” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “linux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

  1. Make sure that the SNMP libraries are installed. AccelOps has been tested to work with the net-snmp libraries.
  2. Log in to your server with administrative access.
  3. Make these modifications to the /etc/snmp/snmpd.conf file:
    1. Define the community string for AccelOps usage and permit SNMP access from the AccelOps IP.
    2. Allow AccelOps read-only access to mib-2.
    3. Allow AccelOps read-only access to the enterprise MIB UCD-SNMP-MIB.
    4. Open up the entire tree for read-only view.
  4. Reduce the logging level to avoid per-connection logging, which may cause resource issues (see here for more details):
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu).
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
    3. Change the range from 0-6 to 0-5.
  5. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  7. Make sure that snmpd is running.

SNMP v3

Configuring rwcommunity/rocommunity or com2sec

  1. Log in to your Linux server.
  2. Stop SNMP.
  3. Use vi to edit /etc/snmp/snmpd.conf.

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so the SNMP daemon has correct credentials.

  4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <> tags: rouser <snmpv3user>.
  5. Save the file.
  6. Use vi to edit /var/lib/snmp/snmpd.conf.

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly.

  7. At the end of the file, add this line, entering the username you used in the rouser line, and then the passwords for that user for MD5 and DES.

If you want to use SHA or AES, then add those credentials as well.

  8. Save the file.
  9. Reduce the logging level to avoid per-connection logging, which may cause resource issues (see here for more details):
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu).
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
    3. Change the range from 0-6 to 0-5.
  10. Restart SNMP.
  11. View the contents of /var/lib/snmp/snmpd.conf.

If this works, restarting snmpd produces no errors, and the entry that you created in /var/lib/snmp/snmpd.conf will have been removed.

  12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword> .

If this works, you will see the snmpwalk output. If there are any errors after this, refer to the net-snmp documentation for further instructions.

Configuring net-snmp-devel

If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3.

  1. Stop SNMP.
  2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>.
  3. Restart SNMP.
  4. Test with the snmpwalk command from the previous procedure.
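An snmpd.conf fragment that carries out the v1/v2c sub-steps of step 3 above (community string usable only from the AccelOps IP, read-only views for mib-2, UCD-SNMP-MIB and the whole tree) together with the rouser and createUser steps of the v3 procedure, in one place. It is an added example, not text from the AccelOps guide; 192.0.2.10 (the AccelOps collector address), the community string aoReadOnly and the user snmpv3user are assumed placeholder values to replace with your own.

```conf
# /etc/snmp/snmpd.conf (added example; assumed values: 192.0.2.10 is the
# AccelOps collector, aoReadOnly the community, snmpv3user the SNMPv3 user)

# Read-only views in the order of the guide's sub-steps 3.2 to 3.4:
# mib-2, the UCD-SNMP-MIB enterprise subtree, then the entire tree.
view aoview included .1.3.6.1.2.1
view aoview included .1.3.6.1.4.1.2021
view aoview included .1

# Sub-step 3.1 in com2sec/group/access form: the community maps to a
# security name that is accepted only from the AccelOps IP and is granted
# aoview read-only (write view and notify view are "none").
com2sec aoSec   192.0.2.10 aoReadOnly
group   aoGroup v1  aoSec
group   aoGroup v2c aoSec
access  aoGroup "" any noauth exact aoview none none

# The one-line rocommunity form is equivalent. A bare "rocommunity public"
# with no source address is the weak setting to avoid: it answers any host
# that can reach UDP/161 with a well-known community string.
# rocommunity aoReadOnly 192.0.2.10 -V aoview

# SNMPv3 (the rouser step of the v3 procedure): read-only user, with
# authentication and privacy both required ("priv"), same view.
rouser snmpv3user priv -V aoview

# /var/lib/snmp/snmpd.conf (the createUser step), written while snmpd is
# stopped. snmpd consumes this line on its next start and replaces it with
# the derived key material, which is why the guide says the entry is removed.
# createUser snmpv3user MD5 "<snmpv3md5password>" DES "<snmpv3despassword>"
```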

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
  2. Create a user account that can run vmstat and iostat. AccelOps will use that user account to log in to the server.

Syslog

AccelOps uses the LinuxFileMon monitoring agent to detect user activity and create syslog messages. When a change defined in the configuration file is detected, the agent gets the user information from the audit module and sends a syslog message to AccelOps. You need to install the agent on your Linux server to send syslog messages to AccelOps.

  1. Log in to your server as root.
  2. Install the audit service.

This is needed for obtaining user information. For more information about Linux audit files, see this blog post.

  3. Copy the LinuxFileMon executable from the AccelOps /opt/phoenix/bin directory to any location on the server.

This is the agent that monitors the file changes.

  4. Edit the LinuxFileMon configuration file conf as shown here.

The file should be in the same directory as the executable.

  5. Start the LinuxFileMon agent.

Sample Parsed Linux Syslog Message

Settings for Access Credentials

Microsoft Windows Server Configuration


What is Discovered and Monitored

Metrics in bold are unique to Microsoft Windows Server monitoring.

Installed Software Monitored via SNMP

Although information about installed software is available via both SNMP and WMI, AccelOps uses SNMP to obtain installed software information to avoid an issue in Microsoft’s WMI implementation for the Win32_Product WMI class – see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.

Winexe execution and its effect

AccelOps uses the winexe command during discovery and monitoring of Windows servers for the following purposes:

  1. Windows domain controller diagnostics (dcdiag) and replication monitoring (repadmin /replsummary)
  2. Hyper-V performance monitoring
  3. Windows custom performance monitoring, to run a command (e.g. PowerShell) remotely on Windows systems

Note that running the winexe command remotely will automatically install winexesvc on the Windows server.

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SNMP
  Information discovered: Vendor-specific server hardware (hardware model, hardware serial number, fans, power supply, disk, RAID battery). Currently supported vendors include HP and Dell.
  Metrics collected: Hardware module status (fan, power supply, thermal status, battery, disk, memory). Currently supported vendors include HP and Dell.

Protocol: WMI
  Information discovered:
    Win32_ComputerSystem: Host name, OS
    Win32_WindowsProductActivation: OS Serial Number
    Win32_OperatingSystem: Memory, Uptime
    Win32_BIOS: Bios
    Win32_Processor: CPU
    Win32_LogicalDisk: Disk info
    Win32_NetworkAdapterConfiguration: network interface
    Win32_Service: Services
    Win32_Process: Running processes
    Win32_QuickFixEngineering: Installed Patches
  Metrics collected:
    Win32_OperatingSystem: Uptime
    Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization
    Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics
    Win32_LogicalDisk: Disk space utilization
    Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization
    Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics
    Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization
    Win32_Service: Running process uptime, start/stop status
    Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: Snare agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: Correlog agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: AccelOps Agent
  Metrics collected: Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and PowerShell output monitoring
  Used for: Security and Compliance

Supported Operating Systems

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Event Types

In CMDB > Event Types, search for “windows server” in the Description column to see the event types associated with this application or device.

Rules

In Analytics > Rules, search for “windows server” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “windows server” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to send SNMP packets to the device. First you need to make sure that the SNMP management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address of the AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to send SNMP packets to the device. First you should check that SNMP Services have been enabled for your server.

  1. Log in as an administrator to the Windows 2008 Server where you want to enable SNMP.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address of the AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows Server Syslog

Configuring the Security Audit Logging Policy

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by AccelOps.

  1. Log in to the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.

You will see the current security audit settings.

  4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

Policy: Audit account logon events and Audit logon events
  Description: For auditing logon activity
  Settings: Select Success and Failure

Policy: Audit object access events
  Description: For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy.
  Settings: Select Success and Failure

Policy: Audit system events
  Description: Includes system up/down messages

Configuring the File Auditing Policy

When you enable the policy to audit object access events, you also need to specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

  1. Log in to the machine where you want to set the policy with administrator privileges. On a domain computer, a Domain Administrator account is needed.
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
  3. In the Security tab, click Advanced.
  4. Select the Auditing tab, and then click Add.

This button is labeled Edit in Windows 2008.

  5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
  6. Click OK when you are done adding users.
  7. In the Permissions tab, set the permissions for each user you added.

The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.

Setting Access Credentials
Sun Solaris Server Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “solaris” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

  1. Check whether the netsnmp package is installed. Solaris has built-in SNMP packages. If netsnmp is not installed, use the pkgadd command to install it.
  2. Start snmpd with the default configuration.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
  2. Create a user account that can run vmstat and iostat. AccelOps will use that user account to log in to the server.

Settings for Access Credentials

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
