FortiSIEM Availability Related Rules and Reports

Availability Related Rules and Reports
AccelOps Availability Rules

System component issues

System Collector Down: Detects that collector is down

System Collector Event Delayed: Detects that collector has not sent an event to AccelOps cloud for more than 10 minutes System Worker Down: Detects that system worker is down License Issues

System License Warning: High Event Rate: Detects that the system is receiving events at a rate that is higher than the license limit.

Events beyond the license limit would be dropped unless the license is upgraded

System License Warning: High Config Items: Detects that the number of CMDB configuration items is close to the license limit additonal configuration items would not be stored unless the license is upgraded.

Notification issues

Scheduled Report Send Error: Detects that system has failed to deliver a scheduled report

Incident Notification Error: Detects that system has failed to take notification action on an incident

Large Supervisor JMS Request Queue: Detects that Supervisor JMS Request queue is very large

Large Supervisor JMS System Queue: Detects that Supervisor JMS System queue is very large

Data collection errors

WMI Service Unavailable: Detects that WMI service is unavailable

SNMP Service Unavailable: Detects that SNMP service is unavailable

Performance Monitoring Error: Detects that the system failed to monitor a performance monitoring metric

No Events Reported In Last Hour: Detects that a reporting device that reported events (logs etc) in the last hour did not report any events this hour. This does not include monitoring events (like CPU, Memory etc). This indicates that there is a problem in the network or at the reporting device.

Large Worker Input Event Queue: Detects that Worker input event queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling events and cannot keep pace with the rate at which workers are sending events. Consider ading more workers or adding resources to workers.

Large Worker Input SVN Queue: Detects that Worker input SVN queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling SVN files from collectors or from the parser modules. Check the SVN installation. Event Storage/Archiving/Purging issues

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Availability Related Rules and Reports

  1. Sanju

    Hi Mike,

    For the Rule: Large Worker Input SVN Queue

    Large Worker Input SVN Queue: Detects that Worker input SVN queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling SVN files from collectors or from the parser modules. Check the SVN installation.

    What is the meaning of “Check the SVN installation?” .. what is the recommended action to do that?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.