Agent-less Target File Monitoring
You can use target file monitoring to make sure that a specific file, for example a device configuration file, is always identical in content to a gold standard target file that you import into FortiSIEM. When you enable a target file monitor, it will:
- Pre-compute the checksum of the gold standard target file imported into FortiSIEM.
- Periodically, log in to the system using SSH and compute the checksum of the file.
- Create an event when the content of the monitored file is different than the gold standard target file.
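The three steps above are the whole detection model: hash the gold copy once, hash the live copy on every poll, and raise events only while the two differ. The following added example (not FortiSIEM code; it is a stand-alone illustration written for this page) walks through one polling cycle with constructed file contents in place of the SSH read, and shows why the rule keeps firing on every cycle until the checksums match again. SHA-256 is an assumption; the page does not say which hash FortiSIEM uses.

```python
import difflib
import hashlib

# Constructed sample content standing in for the gold-standard target file
# uploaded to FortiSIEM and for the copy of the file read over SSH on the device.
GOLD_CONTENT = "hostname edge-fw\nntp server 10.0.0.1\nlogging host 10.0.0.5\n"
MONITORED_CONTENT = (
    "hostname edge-fw\nntp server 10.0.0.1\nlogging host 10.0.0.5\nnewline\n"
)


def sha256_hex(content: str) -> str:
    """Checksum used to compare the two files (SHA-256 is an assumption)."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def precompute_gold(content: str) -> str:
    """Step 1: hash the gold standard once, when it is imported."""
    return sha256_hex(content)


def content_delta(gold: str, current: str) -> tuple[list[str], list[str]]:
    """Line-level delta between gold and current, mirroring the
    addedItem/deletedItem attributes of the DELTA event."""
    added, deleted = [], []
    for line in difflib.unified_diff(
        gold.splitlines(), current.splitlines(), lineterm="", n=0
    ):
        # Skip the file headers and hunk markers; keep only +/- content lines.
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            deleted.append(line[1:])
    return added, deleted


def check_target_file(gold_hash: str, gold_content: str, current_content: str) -> list[dict]:
    """Steps 2 and 3: one polling cycle. Returns no events while the checksums
    match, otherwise a CHANGE event (prehash/hash) and a DELTA event (what changed)."""
    current_hash = sha256_hex(current_content)
    if current_hash == gold_hash:
        return []
    added, deleted = content_delta(gold_content, current_content)
    return [
        {
            "eventType": "PH_DEV_MON_CUST_TARGET_FILE_CHANGE",
            "prehash": gold_hash,
            "hash": current_hash,
        },
        {
            "eventType": "PH_DEV_MON_CUST_TARGET_FILE_DELTA",
            "addedItem": ";".join(added) or "(none)",
            "deletedItem": ";".join(deleted) or "(none)",
        },
    ]


def poll_sequence(gold_content: str, observed: list[str]) -> list[int]:
    """Number of events raised on each successive poll. The count stays
    non-zero on every cycle until the file matches the gold copy again."""
    gold_hash = precompute_gold(gold_content)
    return [len(check_target_file(gold_hash, gold_content, c)) for c in observed]


if __name__ == "__main__":
    gold_hash = precompute_gold(GOLD_CONTENT)
    for event in check_target_file(gold_hash, GOLD_CONTENT, MONITORED_CONTENT):
        print(event)
    print(poll_sequence(GOLD_CONTENT, [GOLD_CONTENT, MONITORED_CONTENT, MONITORED_CONTENT, GOLD_CONTENT]))
```

Because the comparison is against the gold hash rather than against the previous poll, restoring the file silences the events without any manual acknowledgement, which is the behaviour described for the rule later on this page.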
Supported Servers
Example Events
Adding the File Integrity Monitoring Performance Object
Performance Object Configuration for File Integrity Monitoring
Associating Device Types to Performance Objects
Testing the Performance Monitor
Enabling the Performance Monitor
Checking the Difference between Versions of Monitored Files
Supported Servers
Target file monitoring is supported for these servers:
Linux variants
Unix variants
Windows (with Unix tools installed that allow SSH)
Example Events
FortiSIEM generates two events when the target file is modified.
File Monitors and Event Types
Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.
Event Type: PH_DEV_MON_CUST_TARGET_FILE_CHANGE
This indicates that content of the target file has changed. You can see that the values for prehash and hash are different.
Event Type: PH_DEV_MON_CUST_TARGET_FILE_DELTA
This indicates what was changed, as you can see in the addedItem, deletedItem, oldSVNVersion, and newSVNVersion attributes.
<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]: [PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,[phCustId]=1,[hostName]=CO228SP222,[hostIpAddr]=192.168.64.228,[fileName]=/home/admin/TargetFileMon/tartget1.txt,[oldSVNVersion]=15,[newSVNVersion]=20,[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]=
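The event above uses FortiSIEM's bracketed `[key]=value,` attribute format, which is what a downstream SIEM rule or script has to parse to act on a file change. The following added example (not FortiSIEM code; written for this page) parses the sample event into its syslog header and attributes, decodes the PRI value, and splits the `addedItem`/`deletedItem` lists. The sample line is the one shown above, re-joined into a single line; note that `fileName` appears twice (the emitting source file and then the monitored path), so the parser keeps the ordered pairs as well as a dictionary in which the later value wins.

```python
import re

# Constructed from the DELTA event above, re-joined as the single syslog line
# FortiSIEM emits (the wrapping on the page is only for readability).
SAMPLE_EVENT = (
    "<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]: "
    "[PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,"
    "[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,[phCustId]=1,"
    "[hostName]=CO228SP222,[hostIpAddr]=192.168.64.228,"
    "[fileName]=/home/admin/TargetFileMon/tartget1.txt,[oldSVNVersion]=15,[newSVNVersion]=20,"
    "[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]="
)

# Syslog header: <PRI>timestamp host process[pid]: [EVENT_TYPE]:attributes
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\]: \[(?P<event_type>[A-Z0-9_]+)\]:(?P<attrs>.*)$"
)

# One attribute: [key]=value, where the value ends at a comma that is
# immediately followed by the next "[key]", or at end of line.
ATTR_RE = re.compile(r"\[(?P<key>[A-Za-z0-9_]+)\]=(?P<value>[^\[]*?)(?:,(?=\[)|$)")


def split_items(value: str) -> list[str]:
    """addedItem/deletedItem are ';'-separated; '(none)' means an empty list."""
    if value.strip() == "(none)":
        return []
    return [item for item in value.split(";") if item]


def parse_event(line: str) -> dict:
    """Parse one phPerfMonitor event line into header fields and attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a FortiSIEM phPerfMonitor event line")
    pri = int(m.group("pri"))
    pairs = ATTR_RE.findall(m.group("attrs"))
    attrs = {}
    for key, value in pairs:
        attrs[key] = value  # later duplicate keys win (second fileName = monitored path)
    return {
        "event_type": m.group("event_type"),
        "timestamp": m.group("ts"),
        "reporting_host": m.group("host"),
        "process": m.group("proc"),
        "pid": int(m.group("pid")),
        # Standard syslog PRI decoding: facility * 8 + severity.
        "facility": pri // 8,
        "severity": pri % 8,
        "pairs": pairs,
        "attrs": attrs,
        "added_items": split_items(attrs.get("addedItem", "(none)")),
        "deleted_items": split_items(attrs.get("deletedItem", "(none)")),
    }


def summarize_delta(event: dict) -> str:
    """One-line summary suitable for an incident note or ticket."""
    a = event["attrs"]
    return (
        f"{a.get('hostName')} ({a.get('hostIpAddr')}): {a.get('fileName')} "
        f"changed from version {a.get('oldSVNVersion')} to {a.get('newSVNVersion')}; "
        f"added={event['added_items']} deleted={event['deleted_items']}"
    )


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(summarize_delta(ev))
```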
Adding the File Integrity Monitoring Performance Object
In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin tab.
In this case, you will create one performance object in which you will upload the gold target file and enter the path to the file you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.
Performance Object Configuration for File Integrity Monitoring
| Field | Setting |
| --- | --- |
| Name | LinuxTargetFileMon |
| Type | Application |
| Method | Login |
| Used For | File Monitor |
| File Path | home/admin/FileMon/file.txt |
| Target File | Click Upload and browse to the location of the file that you want to use as the gold target |
Associating Device Types to Performance Objects
You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.
- Go to Admin > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should see succeed under Result, and the parsed event attributes in the test result pane.
- When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Checking the Difference between Versions of Monitored Files
When the monitor detects a difference between the files, it will trigger the rule Audited target file content modified, and the rule will continue to trigger and generate incidents until the checksums of the files match. You can compare the original monitored file against the new version in the CMDB.
- Go to CMDB > Devices.
- Select the device where the monitored file is located.
- Click Configuration.
In the left pane you will see a list of all the files, and their versions, on the device.
- To compare files, select one, Ctrl-click to select the other, and then click Diff.