FortiSIEM Microsoft ASP.NET Configuration

Microsoft ASP.NET Configuration

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

Enable DCOM Permissions for the Monitoring Account

Creating a User Who Belongs to the Domain Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

Enable the Monitoring Account to Access the Monitored Device

Enable DCOM Permissions for the Monitoring Account

Enable Account Privileges in WMI

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

Sample Event for ASP.NET Metrics

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| WMI | | Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests, Queued requests | Performance Monitoring |

Event Types

In CMDB > Event Types, search for “asp.net” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “asp.net” in the Name column to see the reports associated with this application or device.

Configuration

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  8. Click
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for ASP.NET Metrics

Oracle GlassFish Server Configuration

JMX

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| JMX | Generic information: Application version, Application port | Availability metrics: Uptime, Application Server State | Performance Monitoring |
| | | CPU metrics: CPU utilization | |
| | | Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory | |
| | | Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Avg Request Processing time | |
| | | Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval | |
| | | Database metrics: Data source | |
| | | Thread pool metrics: Current live threads, Max live threads | |
| | | Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Total requests, Average Request Process time, Max Request Processing time, Request Rate, Request Errors, Max open connections, Current open connections, Last Request URI, Last Request method, Last Request completion time | |
| | | Application level metrics: Cache TTL, Max cache size, Average request processing time, App server start time, Cookies allowed flag, Caching allowed flag, Linking allowed flag, Cross Context Allowed flag | |
| | | EJB metrics: EJB component name, EJB state, EJB start time | |
| | | Connection metrics: Request processor name, HTTP status code, HTTP total accesses | |

Event Types

In CMDB > Event Types, search for “glassfish” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “glassfish” in the Name column to see the reports associated with this application or device.

Configuration

JMX

  1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the node jmx-connector of the file ${GlassFish_Home}\domains\${Domain_Name}\config\domain.xml.
  2. The username and password for JMX are the same as the web console.

You can now configure AccelOps to communicate with your Oracle GlassFish device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=,[webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=0,[startTime]=1358755971,[cookiesAllowed]=true,[cachingAllowed]=false,[linkingAllowed]=false,[crossContextAllowed]=true

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[sysUpTime]=35266,[cpuUtil]=60

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[freeMemKB]=479928,[freeSwapMemKB]=6289280,[memTotalMB]=16051,[memUtil]=98,[swapMemUtil]=1,[swapMemTotalMB]=6142,[virtMemCommitKB]=4025864,[heapUsedKB]=1182575,[heapMaxKB]=3106432,[heapCommitKB]=3106432,[heapUtil]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=277120,[nonHeapUtil]=69

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextPath]=/__JWSappclients,[activeSessionsPeak]=0,[duplicateSession]=0,[activeSessions]=0,[expiredSession]=0,[rejectedSession]=0,[sessionProcessTimeMs]=85,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webAppName]=phoenix,[webAppState]=RUNNING,[servletName]=DtExportServlet,[totalRequests]=0,[reqErrors]=0,[reqProcessTimeAvg]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccesses]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[ejbComponentName]=phoenix-domain-1.0.jar,[ejbState]=RUNNING,[startTime]=1358755963,

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[jmsSource]=jms/RequestQueue

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalRequests]=0,[reqRate]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpenConnections]=0,[lastRequestURI]=null,[lastRequestMethod]=null,[lastRequestCompletionTime]=0,[openConnectionsCount]=0,[reqErrors]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[liveThreads]=106,[liveThreadsMax]=138

<134>Jan 22 02:06:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.
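
The sample events above share one layout: a syslog header, an event type in square brackets, then comma-separated [attribute]=value pairs. The parser below is an added example, not FortiSIEM or AccelOps code. Its sample lines are shortened from the events above, and the utilization limits are hypothetical, since the page lists no predefined rules for this device.

```python
import re

# Shortened from the page's sample events (extraction line wraps removed).
SAMPLE_EVENTS = [
    "<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_MEMORY]:"
    "[eventSeverity]=PHL_INFO,[hostName]=Host-10.1.2.201,[appVersion]=Sun Java "
    "System Application Server 9.1_02,[memUtil]=98,[heapUtil]=38",
    "<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_APP]:"
    "[eventSeverity]=PHL_INFO,[webContextRoot]=,[webAppState]=RUNNING",
    "<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_EJB]:"
    "[eventSeverity]=PHL_INFO,[ejbState]=RUNNING,[startTime]=1358755963,",
]

# <PRI>timestamp reporter process: [EVENT_TYPE]:attribute list
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ [\d:]{8}) (\S+) (\S+): \[(\w+)\]:(.*)$")
# A value runs to the next ",[name]=" or the end of the line, so it may contain
# spaces or plain commas, may be empty, and may be followed by a trailing comma.
FIELD = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|,?$)")

def parse_event(line):
    """Split one event into syslog header fields and an attribute dict."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a [PH_DEV_MON_...] style event")
    pri, timestamp, reporter, process, event_type, body = m.groups()
    return {
        "facility": int(pri) // 8,   # 134 -> 16 (local0)
        "severity": int(pri) % 8,    # 134 -> 6 (informational)
        "timestamp": timestamp,
        "reporter": reporter,
        "process": process,
        "eventType": event_type,
        "attrs": dict(FIELD.findall(body)),
    }

def utilization_alerts(lines, limits):
    """Return (eventType, attribute, value) for attributes above a limit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for name, limit in limits.items():
            value = event["attrs"].get(name, "")
            if value.isdigit() and int(value) > limit:
                alerts.append((event["eventType"], name, int(value)))
    return alerts

if __name__ == "__main__":
    # Limits are hypothetical; the page defines no rules for this device.
    print(utilization_alerts(SAMPLE_EVENTS, {"memUtil": 90, "heapUtil": 90}))
```

Malformed lines raise ValueError instead of yielding a partial record, so a collector can count and drop input that does not match the expected layout.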
