FortiSIEM General System Administration

General System Administration

Topics in this section contain information on monitoring the health of your FortiSIEM deployment, general system settings such as language, date format, and system logos, and how to add devices to a maintenance calendar.


FortiSIEM Backend Processes

This topic provides a brief description of FortiSIEM backend system processes, and the nodes (Supervisor, Collector, Worker) that use them.

Process             Function                                         Supervisor  Worker  Collector
phMonitor           Monitoring other processes                       X           X       X
phDiscover          Pulling basic data from target                   X                   X
phPerfMonitor       Execute performance job                          X           X       X
phAgentManager      Execute event pulling job                        X           X       X
phCheckpoint        Execute checkpoint monitoring                    X           X       X
phEventPackage      Uploading event/SVN file to Supervisor/Worker                        X
phParser            Parsing event to shared store (SS)               X           X       X
phDataManager       Save event from SS to Event DB                   X           X
phRuleMaster        Determines if a rule should trigger              X
phRuleWorker        Aggregates data for rules                        X           X
phQueryMaster       Merges data from QueryWorker                     X
phQueryWorker       Executes a query task                            X           X
phReportMaster      Merge data from ReportWorker                     X
phReportWorker      Aggregates data for reports                      X           X
phIPIdentityMaster  Merges IP identity information                   X
phIdentityWorker    Collects IP identity information                 X           X
Apache              Receives event/SVN files from the Collector      X           X


Administrator Tools

This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with information on where to find and how to use them.

Tool: phTools
Description: phTools is a simple tool for starting and stopping backend processes, and for getting change log information. When you upgrade your deployment, for example, you would use phTools to stop all backend processes.
How to use it: Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# phtools

Commands: --change-log, --start, --stop, --stats

Target: ALL

--change-log also supports ERROR, TRACE, INFO, DEBUG, CRITICAL

Tool: TestSegmentReader
Description: Test Segment Reader is used to quickly read data segments in the eventdb through the command line. You can use this to manually inspect data integrity and parsed event attributes.
How to use it: Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# TestSegmentReader <segmentDir>

Tool: phExportEvent
Description: Used to export event information to a CSV file.
How to use it: See Exporting Events to Files.

Tool: TestDBPurger
Description: A script to selectively delete event data per org and time interval.
How to use it: You can find the script at /opt/phoenix/bin/TestDBPurger. Run it in terminal mode and follow the instructions.

Use Only to Delete Data for a Single Date

You should only use this script to delete data for a single date and organization. If you try to delete data for multiple dates, the script will fail.

Managing User Activity

In the User Activity page you can view the users who are logged into your system, user query activity, and locked out users. You can also log users out of the system, stop active user queries, and lock or unlock users from being able to log in. Click the User Activity icon in the upper-right corner of the FortiSIEM web interface to access user activity information.

Managing Logged In Users

In the Logged In Users tab of the User Activity page you can see the users who are currently logged in to your system. You can also log users out of the system, with an option to lock them out as well.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  3. Click the Logged In Users tab.

You will see a list of all the users who are currently in your system.

  4. If you want to log a user out of the system, select the user and click Log Out.
  5. If you want to lock a user out of the system, select the user and click Log Out and Lock Out.

Managing Locked Out Users

In the Locked Users tab of the User Activity page you can see the users who are currently locked out of your system, and also unlock them.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  3. Click the Locked Users tab.

You will see a list of all users who are locked out of the system.

  4. To unlock a user, select the user and then click Unlock.

Managing Active User Queries

In the User Queries tab of the User Activity page you can see the user queries that are running in your system, and also stop queries.

  1. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  2. Click the User Queries tab.

You will see a list of all the queries that are currently running in your system.

  3. To stop a query, select it and then click Stop Query.

Creating Maintenance Window for Devices

You can add a device to a maintenance window. During this period, the device is not monitored, and alerts for the device are not triggered. If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Add Folders or Items to the maintenance event by selecting them, and then using the Folder >> and Item >> buttons to move them into the selection pane.
  9. Click OK when you’re done selecting Folders and Items.
  10. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  11. Click OK.
  12. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.

Creating Maintenance Window for Synthetic Transaction Monitoring jobs

You can add a Synthetic Transaction Monitoring (STM) job to a maintenance event. During the maintenance event, the STM job is not executed and hence related alerts do not trigger.

If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Click Synthetic Transaction Monitor (STM) to see all the STM jobs under Items in the window below.
  9. Select the Items from the bottom left and then click Item >> to move them into the selection pane.
  10. Click OK to save the configuration.
  11. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  12. Click OK.
  13. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.

Creating Reverse SSH Tunnels to Debug Collector Issues

Using SSH Tunnels to Connect to Managed Endpoints

Browser Plugins and Connectivity Protocol Support

Firewall Configuration

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing

Related Links

Using SSH Tunnels to Connect to Managed Endpoints

When you want to quickly debug an issue, you often need to connect to a managed endpoint directly from a browser using protocols such as Telnet/SSH, RDP, VNC, or HTTP(S), depending on the operating system of the endpoint. However, in a multi-tenant deployment, the managed endpoint could be behind a firewall and across the Internet. To further complicate matters, the firewall may not permit inbound connections for management protocols for security reasons, and may also not allow quick policy changes.

The FortiSIEM solution to this situation is to build a reverse SSH tunnel between the Collector and the Supervisor. The firewall already allows HTTP(S) sessions from the Collector to the Supervisor. After it is also configured to allow SSH connections from the Collector to the Supervisor, FortiSIEM builds an on-demand reverse SSH tunnel initiated by the Collector. You can then use the tunnel to open a remote management session from your browser to the remote managed endpoint. A blog post on The Geek Stuff describes the process for setting up reverse SSH tunnels on Linux, and provides some additional technical details.

If the managed endpoint is directly accessible from your browser, FortiSIEM can open a direct session. The devices have to be discovered first, and based on this information, FortiSIEM can determine whether to launch a direct or Collector-based session.

If the device is discovered by the Supervisor, then it opens a direct session.

If the device is discovered by a Collector, then it opens a reverse SSH tunnel from the Collector, and then initiates a session over this tunnel.

FortiSIEM has several features for managing SSH tunnels, including:

You can define the port of the reverse SSH tunnel. By default it is set to 19999, but it can be changed to any port.

FortiSIEM automatically times out each tunnel after a day, although you can manually delete a tunnel at any time.

FortiSIEM provides full tunnel management auditing, such as reporting on who creates and deletes a tunnel.

FortiSIEM supports a broad group of connectivity protocols. You can launch any connectivity application by specifying the port, and FortiSIEM will create the tunnel.

RBAC is supported at the Collector level: if the user can visit the Collector health page, then the user can open a remote collector tunnel.

Browser Plugins and Connectivity Protocol Support

Since FortiSIEM runs from a browser, some integrations are possible if certain browser plugins are installed. The best use case is:

Using the Firefox browser to connect to FortiSIEM

The FireSSH browser plugin is already installed in Firefox

You launch a remote session to the managed endpoint over SSH

FortiSIEM launches the FireSSH browser plugin and passes the managed endpoint IP

You type in your user name and password, and if the authentication succeeds, then the shell appears

This table lists the browsers, and the protocols supported by their plugins, that you can use to connect to the managed endpoint.

Always type the end host/device credentials for direct connections over a reverse tunnel even though the displayed IP/port belongs to the Supervisor.

Web Browser: Firefox
  SSH - Supported browser plugin: FireSSH. Integration: The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  HTTP(S) - Supported browser plugin: None required. Integration: Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  RDP - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external remote desktop client to connect to <Supervisor-IP> and the port.
  VNC - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Chrome
  SSH - Supported browser plugin: FireSSH. Integration: The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  RDP - Supported browser plugin: Chrome RDP. Integration: A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S) - Supported browser plugin: None required. Integration: Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Safari (on OSX only)
  SSH - Supported browser plugin: Mac Terminal. Integration: A new terminal window launches and connects via SSH to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  Telnet - Supported browser plugin: Mac Terminal. Integration: A new terminal window launches and connects via telnet to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  RDP - Supported browser plugin: None. Integration: A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S) - Supported browser plugin: None required. Integration: Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other - Supported browser plugin: None. Integration: A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Internet Explorer
  SSH, Telnet, RDP, HTTP(S), VNC, Other - Supported browser plugin: No plugin integration. Integration: Create the tunnel and then connect to the <Supervisor-Port> that is displayed using an external application.

Firewall Configuration

If there is a firewall between the Collector and the Supervisor, the firewall needs to allow SSH from the Collector to the Supervisor. The default setting uses a non-standard port, 19999, so make sure you configure the firewall between the Collector and the Supervisor to allow outbound TCP connections on port 19999.

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing

For security and management reasons, you may want to limit the ability of users to create tunnels. The easiest way to do this is through user roles that have defined access capabilities. For example:

To prevent the creation of any tunnels for a role, disallow access to the CMDB tab for that role, or disallow access to the particular device or device group. This second option lets you create fine-grained controls for tunnel creation, for example:

Admins who are able to view Network devices can only open tunnels to Network devices.

Admins who are able to view Servers can only open tunnels to Servers.

Admins who are able to view a custom-created device group can only open tunnels to that specific custom group.

To prevent viewing and closing existing tunnels, disallow access to the Admin > Collector Health page.

Related Links

Setting Up User Roles

 

Auditing the Creation and Deletion of SSH Tunnels

FortiSIEM includes a system-defined report that shows the SSH tunnel open/close history for the time range that you specify.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > System Audit.
  3. Select the SSH Tunnel Open/Close History report.
  4. Run the report as described in Running System and User-Defined Reports and Baseline Reports.

Creating a Remote Tunnel to a Device Monitored by a Collector

Prerequisites

You should review the browsers and plugins that are supported for the connectivity protocol you want to use to connect to the device.

Procedure

  1. Log in to your Supervisor node.
  2. Go to CMDB > Devices.
  3. Search for or browse to the device you want to establish the connection to.
  4. In the IP Address column for that device, click on the IP address associated with it to open the Options menu.
  5. In the Options menu, select Connect To… .
  6. Enter the Protocol and Port you want to use to connect to the device.

For SSH this is Port 22.

  7. Select Create Tunnel.

A tunnel will be established between the Supervisor and the Collector that is monitoring the device.

  8. Use your browser and plugins to establish remote connectivity to the device as described in Creating Reverse SSH Tunnels to Debug Collector Issues.

Managing Remote Tunnels to Collector Devices

After you have created tunnels to collector devices, you can view and manage those tunnels in the Collector Health page.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Click Tunnels.

The existing tunnels will be displayed in a table with these columns:

Host IP: The IP address of the managed endpoint
Super Port: Sessions are opened on this port on the Supervisor to connect to the managed endpoint. This ensures that the Supervisor will use the correct tunnel to reach the managed endpoint.
Protocol: The protocol used to establish the connection to the endpoint
Collector: The Collector that monitors the endpoint
PID: The process ID of the tunnel. If you kill this process, it will kill the tunnel
Opened Time: The time when the tunnel was opened

  4. You can close a tunnel by selecting it and then clicking Close, or you can close all tunnels at the same time by clicking Close All.

Managing System Date Format and Logos

The UI page under Admin > General Settings contains fields that you can use to change the date format for your FortiSIEM user interface, and to upload logos to be used within the user interface and on PDF reports.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Date Format you want to use to display dates in the user interface, and then click Change.
  4. Click Change to choose a UI Logo that will be displayed alongside the main application tabs for your FortiSIEM deployment.

The logo file must be in PNG format, and should not be more than 200 pixels wide or 60 pixels high (54 pixels is the ideal height).

  5. Click Change to choose a Report Logo that will be used in the header of reports you export to PDF.

The logo file must be in SVG format, 160 pixels wide and 40 pixels high, or other dimensions with a 4:1 width/height ratio.

For Service Provider installs, UI Logos can also be set on a per organization basis.

  1. SSH to the Supervisor as root.
  2. Change user to admin: ‘su admin’
  3. Change directory by running ‘cd /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header’
  4. Create a logo directory per organization:
    1. mkdir org
    2. cd org
    3. Create organization IDs as directories, e.g. ‘mkdir 2001’ (to find organization IDs, go to Admin > Setup Wizard > Organizations > ID)
  5. Copy PNG files to the respective organization directories as logo.png. For example:

/opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header/org/2001/logo.png

  6. Log on to the organization, e.g. Org1 (id: 2001), and make sure that the UI logo is updated.
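The per-organization procedure above copies logo files by hand and relies on the operator to respect the UI logo limits (PNG, at most 200 pixels wide and 60 pixels high). The following script is an added example, not FortiSIEM's own code: it reads the PNG IHDR header to check those limits, refuses anything that is not a well-formed PNG, and then installs the file under org/<org id>/logo.png below the header directory from step 3. The header directory and the org/<id>/logo.png layout come from the procedure; make_png_header() builds constructed header bytes for testing and is not a real image. Run it as the admin user, as the procedure says.

```python
"""Validate a FortiSIEM per-organization UI logo and install it.

Added example (not FortiSIEM code). Limits (PNG, <= 200 x 60 px) and the
header directory layout are taken from the procedure above; the sample PNG
header bytes produced by make_png_header() are constructed test data."""

import os
import shutil
import struct
import sys
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_WIDTH, MAX_HEIGHT = 200, 60     # UI logo limits stated in the text
HEADER_DIR = ("/opt/glassfish3/glassfish/domains/domain1/applications/"
              "phoenix/phoenix-web-1.0_war/resources/header")   # path from step 3


def png_dimensions(data: bytes) -> Tuple[int, int]:
    """Return (width, height) from the IHDR chunk, or raise ValueError if the
    bytes are not the start of a well-formed PNG."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file (bad signature)")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    width, height = struct.unpack(">II", data[16:24])
    # The chunk CRC covers chunk type + data (bytes 12..28). Verify it so a
    # truncated or corrupted header is rejected instead of being misread.
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) & 0xFFFFFFFF != stored_crc:
        raise ValueError("IHDR CRC mismatch")
    return width, height


def check_ui_logo(data: bytes) -> List[str]:
    """Return a list of problems with the logo; an empty list means it is acceptable."""
    try:
        width, height = png_dimensions(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if width > MAX_WIDTH:
        problems.append(f"width {width} px exceeds {MAX_WIDTH} px")
    if height > MAX_HEIGHT:
        problems.append(f"height {height} px exceeds {MAX_HEIGHT} px")
    return problems


def install_org_logo(logo_path: str, org_id: str, header_dir: str = HEADER_DIR) -> str:
    """Validate the logo and copy it to <header_dir>/org/<org_id>/logo.png.
    Returns the destination path; raises ValueError for a bad org ID or logo."""
    if not org_id.isdigit():
        raise ValueError(f"organization ID must be numeric, got {org_id!r}")
    with open(logo_path, "rb") as fh:
        data = fh.read()
    problems = check_ui_logo(data)
    if problems:
        raise ValueError("; ".join(problems))
    dest_dir = os.path.join(header_dir, "org", org_id)
    os.makedirs(dest_dir, exist_ok=True)   # same as 'mkdir org; cd org; mkdir <id>'
    dest = os.path.join(dest_dir, "logo.png")
    shutil.copyfile(logo_path, dest)
    return dest


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test data: PNG signature plus an IHDR chunk (8-bit RGBA, not
    interlaced). Not a complete image, but enough for the checks above."""
    ihdr_data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + ihdr_data
    crc = zlib.crc32(chunk) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr_data)) + chunk + struct.pack(">I", crc)


if __name__ == "__main__":
    # Usage: python install_org_logo.py <logo.png> <org id>
    if len(sys.argv) != 3:
        sys.exit("usage: install_org_logo.py <logo.png> <org id>")
    try:
        print("installed", install_org_logo(sys.argv[1], sys.argv[2]))
    except (OSError, ValueError) as exc:
        sys.exit(f"error: {exc}")
```

The CRC check matters more than it looks: the UI serves whatever is in logo.png, so a file that merely starts with the PNG signature but is otherwise damaged would pass a signature-only check and show up as a broken image for every user of that organization. The Report Logo (SVG, 4:1 ratio) is not covered by this script.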


Viewing Cloud Health and System Information

The Admin > Cloud Health page shows you the status of the nodes in your deployment, as well as the processes running on them.

  1. Go to Admin > Cloud Health.
  2. Click on any node to view its Process Details.

See FortiSIEM Backend Processes for more information about the system role played by each process.

  3. You can access other information about your FortiSIEM deployment by clicking the Alert icon in the upper-right corner of the user interface, which will show you Alerts and Tasks for the system within the last 24 hours.

Viewing Collector Health

If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the Admin > Collector Health page. You can also upgrade Collectors from this page, as described in Setting Up the Image Server for Collector Upgrades.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Select a Collector and click Show Processes to see the processes running on that Collector.

See FortiSIEM Backend Processes for more information about the processes that run on Collectors.

  4. You can also Stop or Start a Collector by selecting it and clicking the appropriate button.

Properties associated with Collector Health include:

Org Name: Name of the organization to which the Collector belongs
Collector Name: The name of the Collector
IP Address: The IP address of the Collector
Status: The status of the Collector as either Up or Down
Health: Displays the health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector.
Up Time: Total time that the Collector has been up
Last Performance Data: The time when the Collector last reported its performance status to the cloud
Last Status Update: The time when the Collector last reported its status to the cloud
Last Event Data: The time when the Collector last reported events to the cloud
CPU Utilization: Overall CPU utilization of the Collector
Memory Utilization: Overall memory utilization of the Collector
Version: Which version of FortiSIEM the Collector is running on
Build Date: The date on which the version of FortiSIEM the Collector is running on was built
Upgrade Version: If the Collector has been upgraded, the version it was upgraded to
Install Status: If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed
Download Status: If an image was downloaded to the Collector as described in Setting Up the Image Server for Collector Upgrades, the status of the download is shown here as Success or Failed
Allocated EPS: The number of events per second (EPS) dynamically allocated by the system to this Collector. See Dynamic Distribution of Events per Second (EPS) across Collectors for more information about how EPS is allocated across Collectors.
Incoming EPS: The EPS that the Collector is currently seeing


Viewing License Information and Adding Nodes to a License

The License Management page in the Admin tab shows information associated with your current FortiSIEM license, and allows you to add virtual appliances and Report Servers to your deployment as your license allows.

  1. Log in to your Supervisor node.
  2. Go to Admin > License Management.
  3. Under License Information you will see detailed information about both Allowed and Current Usage for the number of virtual appliances, EPS, number of devices, and other attributes associated with your FortiSIEM license.
  4. Under VA Information you will see the name and IP address of the virtual appliances, and their roles, in your FortiSIEM deployment. Click Add, and then enter an IP address for other nodes that you want to add to your license.
  5. Under Report Server Information you will see the IP address of any Report Servers in your deployment. Click Add, and then enter an IP address for other Report Servers that you want to add to your license.

Calculations for License Usage Statistics

Statistic: EPS
Calculation: AccelOps calculates the EPS for your system using a counter that records the total number of received events in a three minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less than 110% of the license limit (using the calculation 1.1 x EPS License x 180), then AccelOps will continue to collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three minute window, and an email notification is triggered. At the end of the three minute window the counter resets and resumes receiving events.

Statistic: Number of Devices
Calculation: Each entry in CMDB > Devices counts as one device. Exceptions to this are:

Mobile Devices

VoIP Phones

These devices are not counted against the number of devices that are licensed for your deployment.
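The EPS calculation above is easy to misread: the limit is not "110% of the licensed rate, checked every second" but a per-window event budget of 1.1 x EPS License x 180, and once the budget is spent every further event in that window is dropped, even if the rate falls back below the license. The model below is an added example (not FortiSIEM or AccelOps code) that replays a per-second event stream through that rule; the window length, the 110% margin and the once-a-second check are taken from the text, while the event streams (steady() and burst()) are constructed to show what a short burst does to the rest of a window.

```python
"""Model of the EPS license counter described in the table above.

Added example, not FortiSIEM/AccelOps code. Window length (180 s), the
110% margin and the once-a-second check come from the text; the event
streams are constructed."""

from dataclasses import dataclass
from typing import List, Optional

WINDOW_SECONDS = 180     # "three minute time interval"
OVERAGE_PERCENT = 110    # "110% of the license limit"


@dataclass
class WindowResult:
    accepted: int                   # events collected in this window
    dropped: int                    # events dropped after the budget was exceeded
    notified: bool                  # True if the e-mail notification would have fired
    drop_started_at: Optional[int]  # second (0-179) at which dropping began, or None


def window_limit(licensed_eps: int) -> int:
    """Per-window event budget: 1.1 x EPS License x 180 (integer arithmetic)."""
    return licensed_eps * WINDOW_SECONDS * OVERAGE_PERCENT // 100


def simulate_window(licensed_eps: int, events_per_second: List[int]) -> WindowResult:
    """Replay one 180-second window of per-second event counts.

    Each second the checking thread wakes up: while the counter is below the
    limit, that second's events are collected; once it has reached the limit,
    every further event in the window is dropped. The counter resets when the
    window ends, so the caller starts a fresh window for the next 180 seconds.
    """
    if len(events_per_second) != WINDOW_SECONDS:
        raise ValueError(f"expected {WINDOW_SECONDS} per-second counts, got {len(events_per_second)}")
    limit = window_limit(licensed_eps)
    counter = accepted = dropped = 0
    drop_started_at: Optional[int] = None
    for second, n in enumerate(events_per_second):
        if drop_started_at is None and counter >= limit:
            drop_started_at = second        # budget spent: drop for the rest of the window
        if drop_started_at is None:
            counter += n                    # still under the limit: collect
            accepted += n
        else:
            dropped += n
    return WindowResult(accepted, dropped, drop_started_at is not None, drop_started_at)


def simulate_stream(licensed_eps: int, events_per_second: List[int]) -> List[WindowResult]:
    """Split a longer stream into consecutive 180 s windows (the last one is
    padded with zero-event seconds) and replay each with a fresh counter."""
    results = []
    for start in range(0, len(events_per_second), WINDOW_SECONDS):
        chunk = events_per_second[start:start + WINDOW_SECONDS]
        chunk = chunk + [0] * (WINDOW_SECONDS - len(chunk))
        results.append(simulate_window(licensed_eps, chunk))
    return results


def steady(eps: int) -> List[int]:
    """Constructed stream: the same number of events every second."""
    return [eps] * WINDOW_SECONDS


def burst(baseline_eps: int, at_second: int, size: int) -> List[int]:
    """Constructed stream: a steady baseline with one large burst at at_second."""
    stream = steady(baseline_eps)
    stream[at_second] += size
    return stream


if __name__ == "__main__":
    lic = 10   # constructed 10 EPS license -> budget of 1980 events per window
    for name, stream in [("steady at license", steady(10)),
                         ("steady at 2x license", steady(20)),
                         ("5 EPS with a 2000-event burst", burst(5, 50, 2000))]:
        r = simulate_window(lic, stream)
        print(f"{name}: accepted={r.accepted} dropped={r.dropped} "
              f"notified={r.notified} drop_started_at={r.drop_started_at}")
```

With a 10 EPS license the budget is 1980 events per window. A steady 20 EPS exhausts it at second 99 and loses the remaining 81 seconds of events; a single 2000-event burst on top of a 5 EPS baseline exhausts it at second 51 and then drops the normal 5 EPS traffic for the remaining 129 seconds, which is why one noisy device can blank out every other source for the rest of the window.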


Using Beaconing to Communicate with AccelOps Support

Your FortiSIEM virtual appliance includes a beaconing feature that periodically transmits information about the functioning of your FortiSIEM deployment to FortiSIEM support. This information includes the health of your FortiSIEM virtual appliances, performance data, and summary information about the configuration of your deployment. This information is used exclusively by FortiSIEM support for forensic analysis of your system, and is never shared with anyone.

The basic version of the beaconing feature is included with your FortiSIEM license, but you can opt out of the service at any time by going to Admin > License Management and clearing the Enable Beaconing Data Upload option. You can also purchase the advanced version of the beaconing service, which includes added support services. Contact FortiSIEM Sales or Support for more information.

To find the level of beaconing support on your deployment, go to the License Information table under Admin > License Management, and scroll down the License Attribute column to look for the row labeled Beaconing Support.

Basic Beaconing Support

Advanced Beaconing Support

Basic Beaconing Support

Basic Beaconing periodically uploads health and usage information from the FortiSIEM instance. This includes:

Customer Name

Organization Name (for Service Provider installations)

Organization Collector Name

Number of devices discovered by category (Network, Server, Storage) and their types

Performance Monitoring Jobs and their status

Discovery Error Types, Event parsing errors, Operational errors

Incident names, severity and count

Event rate

Event Type

FortiSIEM system incidents and license issues

IP address and host name are not transmitted to the cloud.

For specific details, see these rules and reports, which contain the data periodically sent to the cloud.

Beaconing Reports and Rules: CMDB > CMDB Reports > Beaconing
Summary Information Uploaded:

  1. CMDB Device Types
  2. CMDB Network Device Count
  3. CMDB Server Count
  4. CMDB Storage Device Count
  5. PING Monitored Device Count
  6. Performance Monitor Status

Beaconing Reports and Rules: Analytics > Reports > Beaconing Reports > Beaconing Customer
Summary Information Uploaded:

  1. Beaconing Customer: System Operational Errors
  2. Beaconing Customer: Discovery Errors
  3. Beaconing Customer: Event Parsing Errors
  4. Beaconing Customer: Failed or falling behind monitoring jobs
  5. Beaconing Customer: Incidents By Severity, Count
  6. Beaconing Customer: Incidents Dropped
  7. Beaconing Customer: System Event Processing Statistics
  8. Beaconing Customer: Top CMDB Device Types By Count
  9. Beaconing Customer: Top Customers, Collectors By Unknown Event Types
  10. Beaconing Customer: Top Event Types By Count
  11. Beaconing Customer: Top Internal Modules By Log Count

Beaconing Reports and Rules: Analytics > Rules > Beaconing
Summary Information Uploaded:

  1. FortiSIEM Report Server license about to expire
  2. FortiSIEM Report Server license expired
  3. Device License Exceeded – Device Not Added To CMDB
  4. Excessive Clock Skew Between Collector and Supervisor nodes
  5. Excessive External Event Dropped By License
  6. System Collector Down
  7. System Collector Event Delayed
  8. System License Warning: Max Number of Devices Exceeded License
  9. System Report Server Down
  10. System Worker Down


Advanced Beaconing Support

In advanced beaconing support, system logs and audit logs from your FortiSIEM deployment are uploaded to FortiSIEM support in addition to the information listed under basic beaconing support. This allows FortiSIEM support to closely monitor your FortiSIEM deployment for errors and problems remotely without the risk of system log rollover, and to provide an accelerated path to problem resolution.

Advanced beaconing support can be enabled via a license change. You will need to re-register your FortiSIEM deployment after FortiSIEM Sales has enabled advanced beaconing on the license server. During re-registration, FortiSIEM services will continue to run except for a restart of the phMonitor service.

AccelOps Event Categories and Handling

This topic provides a brief description of the various event categories in FortiSIEM.

Event Categories

Category  Description                                                                   Counted in EPS License  phstatus -a output  Stored in DB?
0         External events that are not flow events (e.g. syslog, SNMP Trap, Event pulling)  Yes                EPS                 Yes
1         Incidents (events that begin with PH_RULE)                                    No                      EPS INTERNAL        Yes
2         FortiSIEM Audit Events (events that begin with PH_AUDIT)                      No                      EPS INTERNAL        Yes
3         FortiSIEM Internal system logs, free format                                   No                      EPS INTERNAL        Yes
4         External flow events (Netflow, Sflow)                                         Yes                     EPS                 Yes
5         FortiSIEM Internal health events for summary dashboards                       No                      EPS INTERNAL        Yes
6         FortiSIEM Performance Monitoring events (events that begin with PH_DEV_MON)   Yes                     EPS PERF            Yes
7         AO Beaconing events                                                           No                      EPS INTERNAL        Yes
8         FortiSIEM Real Time Performance Probe Events                                  No                      EPS INTERNAL        No
99        FortiSIEM Internal Rule Engine                                                No                      EPS INTERNAL        No

Event handling at various nodes

Running the “phstatus -a” command at various nodes provides the events handled by that node. The output shows the statistics as 3 min, 15 min and 30 min averages.

If you run “phstatus -a” at a Supervisor, you get the aggregated view across all nodes.

Reported EPS by events

The following events report EPS, which includes EPS (EXTERNAL) and EPS PERF, to be measured against the license:

  1. PH_SYSTEM_EVENTS_PER_SEC: reports EPS at an organization level
  2. PH_SYSTEM_PERF_EVENTS_PER_SEC: reports performance monitoring related EPS (counted against license)
  3. PH_SYSTEM_INTERNAL_EVENTS_PER_SEC: reports internal EPS (not counted against license)
  4. PH_SYSTEM_IP_EVENTS_PER_SEC: reports EPS at a device level
  5. PH_SYSTEM_DEVAPP_EVENTS_PER_SEC: reports EPS at a device level but also includes vendor and model info

Changing Dashboard Theme

The UI page under Admin > General Settings contains fields that you can use to change the theme for widget dashboards:

My Dashboard

Availability/Performance > Avail/Perf Widgets

Biz Svc Dashboard

Dashboards By Function

To do this:

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Dashboard Theme you want to use, and then click Change.
  4. Refresh the browser.


Installing OS Security Patches

You may want to install OS level security patches to fix some recently found vulnerabilities.

First check whether the CVEs you are interested in have already been patched by the current FortiSIEM version. You can do this by running the following command.

To upgrade OS packages on Super, Worker, or Collectors, run the following command as root

We use a headless chrome browser for STM but chrome is not supported by Google on CentOS6 or 7 platforms. To upgrade that package to the latest version, we use a third party system.

Run the following commands as root on Super/Worker/Collector

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
