AccelOps Generated Event Format

AccelOps Generated Event Format
AccelOps Generated Events

AccelOps is an event based analytics system. When it monitors systems and applications, it produces events containing the collected metrics this section describes details of such events. This can used to write custom queries, reports and rules.

System Performance Monitoring Events

Availability Monitoring Events

VMware Monitoring Events

Hardware Monitoring Events

Application Monitoring Events

Network Flow Monitoring Events

Security Information Management

System Performance Monitoring Events

System Performance Monitoring Events

AccelOps generates the following events related to system monitoring events

CPU Monitoring Event

Memory Monitoring

Disk space Monitoring

Disk I/O Monitoring

Network I/O Monitoring

Disk Growth Trend – Daily

Disk Growth Trend – Weekly

Disk Growth Trend – Monthly

CPU Monitoring

Event Type: PH_DEV_MON_SYS_CPU_UTIL

Description: Event containing CPU utilization metrics

Cisco IOS (SNMP), , Cisco NX-OS, Extreme ExtremeOS, Foundry Ironware, HP ProCurve

Cisco ASA/PIX/FWSM (SNMP), Checkpoint FW-1, Juniper SSG/ISG, Palo Alto Firewall, Sonicwall SonicOS, Fortinet FortiOS Cisco IPS (SNMP), Tippingpoint IPS (SNMP)

NetApp DataONTAP

Microsoft Windows (SNMP, WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP) Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_CPU_UTIL
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
CPU

utilization

cpuUtil double Overall CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system.
User CPU

Utilization

sysCpuUtil double User CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Av ailable for Linux (via SNMP) only.
System

CPU

Utilization

userCpuUtil double System CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
Poll Interval pollIntv uint32 Polling interval in seconds

Memory Monitoring

Event Type: PH_DEV_MON_SYS_MEM_UTIL

Description: Event containing system memory utilization metrics Source:

Cisco IOS (SNMP), , Cisco NX-OS, Extreme ExtremeOS, Foundry Ironware, HP ProCurve

 

Cisco ASA/PIX/FWSM (SNMP), Checkpoint FW-1, Juniper SSG/ISG, Palo Alto Firewall, Sonicwall SonicOS, Fortinet FortiOS Cisco IPS (SNMP), Tippingpoint IPS (SNMP)

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_DISK_UTIL
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event

Microsoft Windows (SNMP, WMI), Linux (SNMP,SSH), Solaris (SNMP), HP-UX (SNMP,SSH), IBM AIX (SNMP,SSH) Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_MEM_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to

Low, 5-8 are mapped to Medium and 9-10 are mapped to High

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose memory utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose memory utilization is being reported
Memory

utilization

memUtil double Overall system physical memory utilization (between 0-100).
Buffer Memory

(KB)

bufMemKB uint32 Size of buffered memory. Available for Linux (via SNMP) only.
Cache Memory

(KB)

cacheMemKB uint32 Size of cached memory. Available for Linux (via SNMP) only.
Swap memory

Utilization

swapMemUtil double Swap Memory Utilization. Available for Linux (via SNMP) only.
Free Swap

Memory (KB)

freeSwapMemKB uint32 Free Swap Memory. Available for Linux (via SNMP) only.
Swap Read

Rate

(Pages/sec)

swapInRate double Rate at which pages are swapped in. Available for Windows (WMI), Linux (SSH), HP-UX (SSH), IBM AIX (SSH).
Swap Write

Rate

(Pages/sec)

swapOutRate double Rate at which pages are swapped out. Available for Windows (WMI), Linux (SSH), HP-UX (SSH), IBM AIX (SSH).
Poll Interval pollIntv uint32 Polling interval in seconds.
This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.