Custom Command Output Monitor
You may already have commands or scripts for your devices that collect important metrics or perform some useful function. By creating a custom command output monitor, you can import the output of those commands into the AccelOps event database, where it can be used to create reports, write rules that alert on anomalies, or trigger the execution of scripts. Creating a custom command output monitor involves collecting a sample of the command's output and then creating a performance object that uses a regular expression to parse that output, maps the captured values to AccelOps event attribute types, and associates those attributes with an event type. The command runs on the monitored device under the credential FortiSIEM holds for that device, so use a read-only or otherwise tightly scoped account wherever the platform allows it.
Creating a Custom SSH Command Output Monitor
Creating a Custom Multi-Line SSH Command Output Monitor
Creating a Custom WINEXE Command Output Monitor
Device Types Supported for Custom SSH Command Output Monitors
Linux variants
Unix variants – IBM AIX, HP UX
Microsoft Windows (with Cygwin tools installed to provide SSH)
Cisco IOS, NX-OS, ASA, CatOS
Juniper JunOS, SSG, ISG
Palo Alto PAN-OS
Fortinet FortiGate
HP Procurve, H3C
Extreme Networks XOS
Foundry BigIron
Avaya ERS
Device Types Supported for Custom WINEXE Command Output Monitors
Microsoft Windows
Creating a Custom SSH Command Output Monitor
Mapping SSH Command Outputs to FortiSIEM Event Attribute Types
Creating New Event Attribute Types and Event Types
Event Attributes
Event Types
Adding the iostat Command Output Performance Object
Performance Object Configuration for Event Type PH_DEV_MON_CUST_CMD
Associating Device Types to Performance Objects
Testing the Performance Monitor
Enabling the Performance Monitor
Writing Queries for the Performance Metrics
In this example, the regular expression is used to parse a single line of the command output.
Planning
Mapping SSH Command Outputs to FortiSIEM Event Attribute Types
In this example, you want to monitor the output of the iostat command. On a Linux machine, the output would look similar to this:
From this example, you can see that to create a monitor for the iostat command output, you would need to:
- Create the event attribute types readBytes, readRate, tps, writtenBytes, writtenRate, and diskName, to correspond to Blk_read, Blk_read/s, tps, Blk_wrtn, Blk_wrtn/s, and Device from the command output.
- Create an event type, PH_DEV_MON_CUST_CMD, that will contain the event attribute types readBytes, readRate, tps, writtenBytes, writtenRate, and diskName.
- Create a performance object containing the regular expression that will parse the command output and match value positions to event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_CMD.
Creating New Event Attribute Types and Event Types
Event Attributes
Create these event attribute types:
Name | Display Name | Value Type | Display Format Type |
diskName | Disk Name | Rawvalue | STRING |
tps | Transactions/s | Rawvalue | DOUBLE |
readRate | Read Rate | Rawvalue | DOUBLE |
readBytes | Read Bytes | Rawvalue | INTEGER |
writtenBytes | Written Bytes | Rawvalue | INTEGER |
writtenRate | Written Rate | Rawvalue | DOUBLE |
Event Types
Create this event type:
Name | Device Type | Severity |
PH_DEV_MON_CUST_CMD | CentOS Linux | Low |
Adding the iostat Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_CMD.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_CMD
Field | Setting |
Name | cmd-iostat |
Type | Application |
Method | Login |
Used For | Command Output Monitoring |
Command | iostat |
Regular Expression | (see the pattern on the next line) |
(^[^\s]+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)
Matched Attribute Count | 6 |
List of Attributes | (see the table below) |
Event Type | PH_DEV_MON_CUST_CMD |
Polling Frequency | 60 seconds |

The first group takes the device name up to the first whitespace; each of the five numeric groups accepts either a decimal value such as 12.34 or a plain integer. Because iostat prints the columns in the order Device, tps, Blk_read/s, Blk_wrtn/s, Blk_read, Blk_wrtn, matched position 4 is the written rate and positions 5 and 6 are the byte counters, as the attribute list reflects. Lines the pattern does not match, such as the banner, the avg-cpu block, and the column header, contribute no event.

Matched Position | Format | Type | Event Attribute |
1 | STRING | RawValue | diskName |
2 | DOUBLE | RawValue | tps |
3 | DOUBLE | RawValue | readRate |
4 | DOUBLE | RawValue | writtenRate |
5 | INTEGER | RawValue | readBytes |
6 | INTEGER | RawValue | writtenBytes |
Associating Device Types to Performance Objects
Field | Settings |
Name | cmd-iostat |
Device Types | Centos Linux |
Perf Objects | cmd-iostat(SSH)- Default Interval:1mins |
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the Linux device, created the IP address to credentials mapping, and tested connectivity.
- Go to Admin > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should see succeed under Result, and the parsed event attributes in the test result pane.
- When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured: Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_CMD"; Group by: [None] | Disk Name, Transactions/s, Read Rate, Read Bytes, Written Bytes, Written Rate | Last 10 Minutes | All |
Creating a Custom Multi-Line SSH Command Output Monitor
In some cases, the output from a command may run over several lines. An example, as shown in the code block below, is the show interfaces command for Cisco IOS routers. Here the information for each interface, such as Vlan1, Vlan2, etc., needs to be consolidated into a single FortiSIEM event. This topic will show you how to configure a performance object for multi-line SSH command outputs, including an example of the regular expression you would use to parse the example output.
Planning
Mapping a Multi-Line SSH Command Output to FortiSIEM Event Attribute Types
Creating New Event Attribute Types and Event Types
Event Types
Adding the show interfaces Command Output Performance Object
Performance Object Configuration for Event Type PH_DEV_MON_CUST_SHOW_INTF
Associating Device Types to Performance Objects
Testing the Performance Monitor
Enabling the Performance Monitor
Writing Queries for the Performance Metrics
Planning
Mapping a Multi-Line SSH Command Output to FortiSIEM Event Attribute Types
In this example, you want to monitor the output of the ‘show interfaces’ command, which would look similar to this for a Cisco IOS router:
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: DevNet
  Internet address is 192.168.20.1/22
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 1/75/12681/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 3583000 bits/sec, 1726 packets/sec
  5 minute output rate 3118000 bits/sec, 1064 packets/sec
  L2 Switched: ucast: 2060202231 pkt, 586057481378 bytes - mcast: 62824587 pkt, 9271104426 bytes
  L3 in Switched: ucast: 43940778993 pkt, 16358818361299 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 37329069590 pkt, 18769383194932 bytes mcast: 0 pkt, 0 bytes
     44460046444 packets input, 16420615020121 bytes, 0 no buffer
     Received 52655932 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 146 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     37746681819 packets output, 18872504999045 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: ServerNet
  Internet address is 192.168.0.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/16/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1652000 bits/sec, 367 packets/sec
  5 minute output rate 258000 bits/sec, 177 packets/sec
  L2 Switched: ucast: 3422947811 pkt, 2275729058787 bytes - mcast: 4291290 pkt, 528654887 bytes
  L3 in Switched: ucast: 17926721335 pkt, 14810495462969 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 13822525718 pkt, 7788778830975 bytes mcast: 0 pkt, 0 bytes
     19067733427 packets input, 15044884652941 bytes, 0 no buffer
     Received 4283101 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 2 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     13850959642 packets output, 7791605865261 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan3 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: newbuildnet
  Internet address is 192.168.24.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 23000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
  L2 Switched: ucast: 319623039 pkt, 321540971691 bytes - mcast: 6427637 pkt, 563598014 bytes
  L3 in Switched: ucast: 9237477530 pkt, 10166398798345 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 5881512921 pkt, 4457997315264 bytes mcast: 0 pkt, 0 bytes
     9289735817 packets input, 10171188457635 bytes, 0 no buffer
     Received 6427548 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
From this example, you can see that to create a monitor for the ‘show interfaces’ command output, you would need to:
- Create an event type, PH_DEV_MON_CUST_SHOW_INTF, that will contain the event attribute types intfName, recvBitsPerSec, recvPacketsPerSec, sentBitsPerSec, and sentPacketsPerSec, all of which are already contained in the FortiSIEM event attribute types library.
- Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_SHOW_INTF.
Creating New Event Attribute Types and Event Types
Event Types
Create this event type:
Name | Device Type | Severity |
PH_DEV_MON_CUST_SHOW_INTF | Cisco IOS | Low |
Adding the show interfaces Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_SHOW_INTF.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_SHOW_INTF
Field | Setting |
Name | ssh-multiline-CiscoIOS |
Type | System |
Method | Login |
Used For | Command Output Monitoring |
Command | show interfaces |
Regular Expression | (see the pattern on the next line) |
\n(\S+) is (?:administratively down|up|down)(?:(?!\n\S)[\s\S])*?5 minute input rate\s+(\d+)\s+bits\/sec,\s+(\d+)\s+packets\/sec(?:(?!\n\S)[\s\S])*?5 minute output rate\s+(\d+)\s+bits\/sec,\s+(\d+)\s+packets\/sec
Matched Attribute Count | 5 |
List of Attributes | (see the table below) |
Event Type | PH_DEV_MON_CUST_SHOW_INTF |
Polling Frequency | 60 seconds |

How the pattern works: each interface block begins with a line that starts in column one ("Vlan1 is up, line protocol is up"), and every continuation line is indented. The first group captures the interface name, and the state is written as an alternation group, (?:administratively down|up|down), not as a character class. Each (?:(?!\n\S)[\s\S])*? segment is a non-greedy span that only steps over indented lines, so a match cannot run on into the next interface's block; an interface whose rate lines are absent simply yields no event rather than borrowing its neighbour's counters. The remaining four groups capture input bits/sec, input packets/sec, output bits/sec, and output packets/sec, which gives the five matched attributes listed below.

Matched Position | Format | Type | Event Attribute |
1 | STRING | RawValue | intfName |
2 | INTEGER | RawValue | recvBitsPerSec |
3 | INTEGER | RawValue | recvPacketsPerSec |
4 | INTEGER | RawValue | sentBitsPerSec |
5 | INTEGER | RawValue | sentPacketsPerSec |
Associating Device Types to Performance Objects
Field | Settings |
Name | ssh-Cisco-Intf-Status |
Device Types | Cisco IOS |
Perf Objects | ssh-multiline-CiscoIOS(SSH)-Default Interval:1mins |
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the Cisco IOS device, created the IP address to credentials mapping, and tested connectivity.
- Go to Admin > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should see succeed under Result, and the parsed event attributes in the test result pane.
- When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured: Event Type = "PH_DEV_MON_CUST_SHOW_INTF"; Group by: [None] | Event Receive | Last 10 Minutes | All |
Creating a Custom WINEXE Command Output Monitor
There may be times when you want the output of a PowerShell command from a Microsoft server as an input for FortiSIEM. Windows servers do not normally accept such commands over SSH, so FortiSIEM instead uses Winexe, the remote command execution tool for Windows, to run the command, collect its output, and parse that output into fields for use in FortiSIEM analytics. To do this you configure a WINEXE performance object that sends the command, parses the output, and associates values to FortiSIEM event attribute types. Winexe executes the command under the credential you define for the device, and that credential must be able to run commands remotely on the server (in practice, a local administrator), so give this monitor a dedicated, tightly scoped account rather than a shared domain administrator.
Planning
For this example, assume you want to monitor disabled users in Microsoft Active Directory. You would use this command (the same command entered in the performance object below):
Import-Module ActiveDirectory; Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
which would have an output similar to this:
From this example, you can see that to create a monitor for the Get-ADUser command output, you would need to:
- Create an event type, PH_DEV_MON_CUST_DISABLED_USERS, that will contain the event attribute types distName, samAccount, and sid, all of which are already contained in the FortiSIEM event attribute types library, and which map to DistinguishedName, SamAccountName, and SID in the command output.
- Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_DISABLED_USERS.
After enabling the WINEXE output monitor, you should see an event similar to this in FortiSIEM:
Creating New Event Attribute Types and Event Types
Event Types
Create this event type:
Name | Device Type | Severity |
PH_DEV_MON_CUST_DISABLED_USERS | Microsoft Windows | Low |
Adding the Get-ADUser Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_DISABLED_USERS.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_DISABLED_USERS
Field | Setting |
Name | WINEXE-AD-Disabled-Users-Output |
Type | System |
Method | WINEXE |
Used For | Command Output Monitoring |
Command | Import-Module ActiveDirectory; Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" |
Regular Expression | \nDistinguishedName\s+:\s+(.*?)\n.*?SamAccountName\s+:\s+(.*?)\nSID\s+:\s+(.*?)\n |
Matched Attribute Count | 3 |
List of Attributes | (see the table below) |
Event Type | PH_DEV_MON_CUST_DISABLED_USERS |
Polling Frequency | 60 seconds |

The LDAP filter uses the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to test bit 2, ACCOUNTDISABLE, of userAccountControl; the syntax is attribute:OID:=value, so the "=" before the 2 is required. Get-ADUser prints each user as a block of "Label : value" lines separated by a blank line, which is why every captured field is introduced by its label, whitespace, and a colon, including SID, and why the .*? between DistinguishedName and SamAccountName must be allowed to span line breaks.

Matched Position | Format | Type | Event Attribute |
1 | STRING | RawValue | distName |
2 | STRING | RawValue | samAccount |
3 | STRING | RawValue | sid |
Associating Device Types to Performance Objects
Field | Settings |
Name | DiscoverDisabledUsers |
Device Types | Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2 |
Perf Objects | WINEXE-AD-Disabled-Users-Output(WINEXE)-Default Interval:1mins |
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the WINEXE access credentials for the Windows server, created the IP address to credentials mapping, and tested connectivity.
- Go to Admin > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should see succeed under Result, and the parsed event attributes in the test result pane.
- When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.
Create a structured historical search with these settings:
Filter Criteria | Display Columns | Time | For Organizations |
Structured: Event Type = "PH_DEV_MON_CUST_DISABLED_USERS"; Group by: [None] | Event Receive | Last 10 Minutes | All |
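To see how the three performance objects on this page turn raw command text into events, here is an added example that emulates that parsing step in Python. It is not FortiSIEM code and makes no FortiSIEM API calls: the regular expressions are the ones from the three performance object tables (iostat, show interfaces, Get-ADUser), the attribute lists mirror the "List of Attributes" rows, and the sample outputs are constructed for illustration. The function names parse_command_output and run_examples and the converter table are the example's own.

```python
import re

# Added example, not FortiSIEM code: a small emulation of the parsing step a
# FortiSIEM command output performance object performs. The three regexes are
# the ones from the performance object tables on this page; the attribute lists
# mirror the "List of Attributes" rows; all sample outputs are constructed.

CONVERTERS = {"STRING": str, "INTEGER": int, "DOUBLE": float}


def parse_command_output(text, regex, attributes, event_type):
    """Return one event dict per regex match, converting each capture to its
    declared format. MULTILINE lets the iostat pattern's ^ anchor each line;
    DOTALL lets the Get-ADUser pattern's .*? span lines. A match whose numeric
    capture does not convert is skipped, which shows up as a missing event."""
    events = []
    for m in re.finditer(regex, text, re.MULTILINE | re.DOTALL):
        event = {"eventType": event_type}
        try:
            for position, fmt, name in attributes:
                event[name] = CONVERTERS[fmt](m.group(position))
        except (ValueError, TypeError):
            continue
        events.append(event)
    return events


# Single-line case: one event per iostat device line (PH_DEV_MON_CUST_CMD).
NUM = r"([0-9]+\.?[0-9]+|\d+)"  # a decimal such as 12.34, or a plain integer
IOSTAT_REGEX = r"(^[^\s]+)\s+" + r"\s+".join([NUM] * 5)  # same as the table
IOSTAT_ATTRIBUTES = [(1, "STRING", "diskName"), (2, "DOUBLE", "tps"),
                     (3, "DOUBLE", "readRate"), (4, "DOUBLE", "writtenRate"),
                     (5, "INTEGER", "readBytes"), (6, "INTEGER", "writtenBytes")]
IOSTAT_OUTPUT = """\
Linux 3.10.0-1160.el7.x86_64 (host01)  01/01/2020  _x86_64_  (4 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.50    0.00    0.25    0.10    0.00   99.15

Device:            tps    Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               1.23        12.34        56.78    1234567    5678901
sdb               0.02         0.10         0.00      12345          0
"""

# Multi-line case: one event per interface block (PH_DEV_MON_CUST_SHOW_INTF).
# GAP only steps over indented continuation lines, so a match never runs on
# into the next interface's block; a block without rate lines yields no event.
GAP = r"(?:(?!\n\S)[\s\S])*?"
SHOW_INTF_REGEX = (
    r"\n(\S+) is (?:administratively down|up|down)" + GAP +
    r"5 minute input rate\s+(\d+)\s+bits/sec,\s+(\d+)\s+packets/sec" + GAP +
    r"5 minute output rate\s+(\d+)\s+bits/sec,\s+(\d+)\s+packets/sec")
SHOW_INTF_ATTRIBUTES = [(1, "STRING", "intfName"), (2, "INTEGER", "recvBitsPerSec"),
                        (3, "INTEGER", "recvPacketsPerSec"), (4, "INTEGER", "sentBitsPerSec"),
                        (5, "INTEGER", "sentPacketsPerSec")]
SHOW_INTF_OUTPUT = """
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: DevNet
  5 minute input rate 3583000 bits/sec, 1726 packets/sec
  5 minute output rate 3118000 bits/sec, 1064 packets/sec
     0 output errors, 0 interface resets
Vlan2 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 00d0.055b.5001 (bia 00d0.055b.5001)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

# WINEXE case: one event per Get-ADUser record (PH_DEV_MON_CUST_DISABLED_USERS).
# Both multi-line patterns start with \n, so the buffer must begin at a line
# boundary; the samples above and below start with a newline for that reason.
AD_REGEX = (r"\nDistinguishedName\s+:\s+(.*?)\n.*?SamAccountName\s+:\s+(.*?)\n"
            r"SID\s+:\s+(.*?)\n")
AD_ATTRIBUTES = [(1, "STRING", "distName"), (2, "STRING", "samAccount"),
                 (3, "STRING", "sid")]
AD_OUTPUT = """
DistinguishedName : CN=Old Contractor,OU=Users,DC=example,DC=com
Enabled           : False
SamAccountName    : ocontractor
SID               : S-1-5-21-1111111111-2222222222-3333333333-1105

DistinguishedName : CN=svc-legacy,OU=Service,DC=example,DC=com
Enabled           : False
SamAccountName    : svc-legacy
SID               : S-1-5-21-1111111111-2222222222-3333333333-1201
"""


def run_examples():
    """Parse all three constructed samples with their performance objects."""
    return {
        "iostat": parse_command_output(
            IOSTAT_OUTPUT, IOSTAT_REGEX, IOSTAT_ATTRIBUTES, "PH_DEV_MON_CUST_CMD"),
        "show_interfaces": parse_command_output(
            SHOW_INTF_OUTPUT, SHOW_INTF_REGEX, SHOW_INTF_ATTRIBUTES, "PH_DEV_MON_CUST_SHOW_INTF"),
        "disabled_users": parse_command_output(
            AD_OUTPUT, AD_REGEX, AD_ATTRIBUTES, "PH_DEV_MON_CUST_DISABLED_USERS"),
    }


if __name__ == "__main__":
    for name, events in run_examples().items():
        print(f"{name}: {len(events)} event(s)")
        for event in events:
            print("  ", event)
```

Running it prints two events per sample. Two details are worth checking against a real device before you enable a monitor: the multi-line patterns begin with \n, so the text they are applied to must start at a line boundary, and the Cisco pattern only steps across indented continuation lines, so an interface with no rate lines produces no event rather than one carrying its neighbour's counters. If the Test button in Performance Monitoring reports fewer matches than you expect, compare the captured output line by line with the pattern the same way this script does.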
Custom File Monitor
You can create custom file monitors to monitor changes to directories and specific files, and also to trigger incidents when the content of a monitored file is changed from a target gold file.
Agent-less File-Integrity Monitoring
Agent-less Target File Monitoring