Discovery Settings

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor.

• Log in to your Supervisor node.

2. Go to Admin > General Settings > Discovery.
3. Configure the settings as required for your deployment.

See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.

Setting	Description
Virtual IPs	Often a common virtual IP address will exist in multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons: Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices will maintain their separate identity in the CMDB The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable Click the Edit icon to enter a Virtual IP address, and then click + to add more.
Excluded Shared Device IPs	An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of of the IP addresses for these servers allows FortiSIEM to exclude these servers from user identity and location calculations in the Analytics > Identity and Location report. For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location Report will contain two entries for user U: one for the workstation that U logs into, and also one for server M. You can eliminate this behavior by adding server M to the list of Server IPs with shared credentials.
Allow Incident Firing On	With this setting you can control incident firings based on approved device status. If you select Approved Devices Only, then FortiSIEM will use this logic to determine if an incident is triggered: If an incident reporting device is not approved, the incident does not trigger If an incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger If you select Approved Devices Only, then when the discovery process completes, you will need to approve devices, as described in Approving Newly Discovered Devices, before incidents are triggered.
CMDB Device Filter	This setting allows you to limit the set of devices that the system automatically discovers from logs and netflows. After receiving a log from a device, the system automatically discovers that device, and then adds it to CMDB. For example, when a Netflow analysis detects a TCP/UDP service is running on a server, the server, along with the open ports, are added to CMDB. Sometimes you may not want to add all of these devices to CMDB, so you can create filters to exclude a specific set of devices from being added to CMDB. Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16. 20.0/24 network from CMDB, you would to add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field. The Except field allows you to specify some exceptions in the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.0/26 network, you would add a filter with 172.16.2 0.0-172.16.20.255 in the Excluded IP Range field, and 172.16.20.192-172.16.20.255 in the Except field. Click Add to add a new CMDB Device Filter, then click Apply.
Application Filtering	This setting allows you to limit the set of applications/processes that the system automatically learns from discovery. You may be more interested in discovering and monitoring server processes/daemons, rather than client processes, that run on a server. To exclude client processes from being discovered and listed in the CMDB, enter these applications here. An application/process will not be added to CMDB if it matches one of the entries defined in this table.   Click Add, then enter the Process Name and any Parameters for that process that you want to filter.

 

Discovering Infrastructure

FortiSIEM can automatically discover the devices, applications, and users in your IT infrastructure and begin monitoring them. You initiate device discovery by providing the credentials that are needed to access the infrastructure component, and from there FortiSIEM is able to discover information about your component such as the host name, operating system, hardware information such as CPU and memory, software information such as running processes and services, and configuration information. Once discovered, FortiSIEM will also begin monitoring your component on an ongoing basis.

Though FortiSIEM is able to automatically manage device discovery, the pulling of event information such as logs and IPS events from your device, and establishing what aspects of your device functionality it can monitor, you can also manually configure the way FortiSIEM interacts with your infrastructure by creating custom event pulling methods and monitoring profiles for your devices.

 

Configuring Syslog over TLS

To receive syslog over TLS, a port needs to be enabled and certificates need to be defined.

The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes.

 

Note – the syslog over TLS client needs to be configured to communicate properly with FortiSIEM.

Using Virtual IPs to Access Devices in Clustered Environments

AccelOps communicates to devices and applications using multiple protocols. In many instances, access credentials for discovery protocols such as SNMP and WMI will need to be associated to the real IP address (assigned to a network interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC) will need the Virtual IP (VIP) assigned to the cluster. Since AccelOps uses a single access IP to communicate to a device, you need to create an address translation for the Virtual IPs.

1. Log into your AccelOps virtual appliance as root.
2. Update the mapping in your IP table to map the IP address used in setting up your access credentials to the virtual IP.

As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case, the update command would be:

Configuring Wireless LANs

AccelOps supports these wireless local area network devices for discovery and monitoring.

Aruba Networks Wireless LAN Configuration

Cisco Wireless LAN Configuration

Motorola WiNG WLAN AP Configuration Ruckus Wireless LAN Configuration

Aruba Networks Wireless LAN Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP V1/V2c

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP and NMAP to discover the device and to collect logs and performance metrics. AccelOps communicates to the WLAN Controller only and discovers all information from the Controller. AccelOps does not communicate to the WLAN Access points directly.

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points	Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics	Availability and Performance Monitoring
SNMP Trap	Controller device type	All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “aruba” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “aruba” in the Name column to see the reports associated with this device.

Configuration

SNMP V1/V2c

1. Log in to your Aruba wireless controller with administrative privileges.
2. Go to Configuration > Management > SNMP.
3. For Read Community String, enter public.
4. Select Enable Trap Generation.
5. Next to Read Community String, click Add.
6. Under Trap Receivers, click Add and enter the IP address of your AccelOps virtual appliance.

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages

Settings for Access Credentials

Cisco Wireless LAN Configuration

 

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points	Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP Trap	Controller device type	All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “cisco wireless” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP V1/V2c and SNMP Traps

1. Log in to your Cisco wireless LAN controller with administrative privileges.
2. Go to MANAGEMENT > SNMP > General.
3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable.
4. Go to SNMP > Communities.
5. Click New and create a public community string with Read-Only
6. Click Apply.
7. Go to SNMP > Trap Controls.
8. Select the event traps you want to sent to AccelOps.
9. Click Apply.
10. Go to SNMP > Trap Receivers.
11. Click New and enter the IP address of your AccelOps virtual appliance as a trap receiver.
12. Click Apply.

Sample SNMP Trap

2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0

= Timeticks: (86919800) 10 days, 1:26:38.00

SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14179.2.6.3.2

SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0

SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0

SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1

SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15

2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00 SNMPv2-MIB::snmpTrapOID.0 = OID:

SNMPv2-SMI::enterprises.9.9.599.0.4

SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0

00  SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: “AP-2”

SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7

66 70  SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0

SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54

SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: “IE\brouse”

SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: “IE”

2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community AccelOps . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00 SNMPv2-MIB::snmpTrapOID.0 = OID:

SNMPv2-SMI::enterprises.9.9.615.0.1

SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8

77  SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D

7D AC 50  SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1

SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: “AP03-3.rdu2”

SNMPv2-SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1

SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000

SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1

SNMPv2-SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31 SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = INTEGER: -60

SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90 SNMPv2-SMI::enterprises.9.9.615.1.2.7.0 = STRING:

“0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0”

SNMPv2-SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2 SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING:

“6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0”

SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: “-83,-85”

SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: “1,1”

SNMPv2-SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1

Settings for Access Credentials

Motorola WiNG WLAN AP Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
Syslog		All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health	Availability, Security and Compliance

Event Types

Over 127 event types – In CMDB > Event Types, search for “Motorola-WiNG” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure devices to send syslog to AccelOps – make sure that the version matches the format below

Ruckus Wireless LAN Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points	Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats	Availability and Performance Monitoring

Event Types

PH_DEV_MON_RUCKUS_CONTROLLER_STAT

[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,[fileN ame]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,[ hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP ]=0,[knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentB itsPerSec]=0.000000,[wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=16 6848,[lanRecvBytes]=154704,[lanSentBitsPerSec]=7584.000000,[lanSent

BitsPerSec]=7032.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT

[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO,[fil eName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30 .3,[hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClie nt]=0,[knownRogueAP]=0,[connMode]=layer3,[firstJoinTime]=1404672517 29776,[lastBootTime]=140467251729776,[lastUpgradeTime]=140467251729

776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBits

PerSec]=0.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_SSID_PERF

[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=d eviceRuckusWLAN.cpp,[lineNumber]=807,[hostName]=c1cs-guestpoint-zd01,[hostIpAddr]=172.17.0.250,[wlanSsid]=GuestPoint,[description]=We lcome SSID for not yet authorized APs.,[wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=5 98,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsP erSec]=0.000000,[authSuccess]=0,[authFailure]=0,[assocSuccess]=0,[a ssocFailure]=0,[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0 ,[disassocMisc]=0,[phLogDetail]=

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the Controller so that AccelOps can connect to via SNMP.

 

Configuring WAN Accelerators

AccelOps supports these wide area network accelerators for discovery and monitoring.

Cisco Wide Area Application Server Configuration

Riverbed SteelHead WAN Accelerator Configuration

Cisco Wide Area Application Server Configuration

 

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Software version, Hardware model, Network interfaces	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization	Availability and Performance Monitoring

Event Types

[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phP erfJob.cpp,[lineNumber]=11710,[hostName]=edge.bank.com,[hostIpAddr] =10.19.1.5,[procCount]=429,[pollIntv]=176,[phLogDetail]=

PH_DEV_MON_NET_INTF_UTIL

[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phI ntfFilter.cpp,[lineNumber]=323,[intfName]=GigabitEthernet 1/0,[intfAlias]=,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[p ollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000,[inIntfUtil]= 0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.

000000,[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErr

Pct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntf PktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscard ed]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed6 4]=100000000,[intfOutSpeed64]=100000000,[intfAdminStatus]=,[intfOpe rStatus]=,[daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=0. 000000,[phLogDetail]=

PH_DEV_MON_PROC_RESOURCE_UTIL

[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName] =phPerfJob.cpp,[lineNumber]=4320,[swProcName]=syslogd,[hostName]=ed ge.bank.com,[hostIpAddr]=10.19.1.5,[procOwner]=,[memUtil]=0.038191, [cpuUtil]=0.000000,[appName]=Syslog Server,[appGroupName]=Unix

Syslog Server,[pollIntv]=116,[swParam]=-s -f

/etc/syslog.conf-diamond,[phLogDetail]=

Rules

Regular monitoring rules

Reports

Regular monitoring reports

Configuration

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

 

Riverbed SteelHead WAN Accelerator Configuration

 

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Software version, Hardware model, Network interfaces	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization	Availability and Performance Monitoring
SNMP		Hardware status	Availability and Performance Monitoring
SNMP		Bandwidth metrics: Inbound Optimized Bytes – LAN side, WAN side, Outbound optimized bytes LAN side and WAN side Connection metrics: Optimized connections, Passthrough connections, Half-open optimized connections, Half-closed Optimized connections, Established optimized connections, Active optimized connections Top Usage metrics: Top source (Source IP, Total Bytes), Top destination (Destination IP, Total Bytes), Top Application (TCP/UDP port, Total Bytes), Top Talker (Source IP, Source Port, Destination IP, Destination Port, Total Bytes) Peer status: For every peer: State, Connection failures, Request timeouts, Max latency	Availability and Performance Monitoring
SNMP Trap		All traps: software errors, hardware errors, admin login, performance issues – cpu, memory, peer latency issues. Around 115 traps defined in CMDB > Event Types. The mapped event types start with “Riverbed-“.	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “steelhead” in the Description and Device Type columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “steelhead” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Settings for Access Credentials

Configuring Vulnerability Scanners

AccelOps supports these vulnerability scanners for discovery and monitoring.

McAfee Foundstone Vulnerability Scanner Configuration

Nessus Vulnerability Scanner Configuration

Qualys Vulnerability Scanner Configuration

Rapid7 NeXpose Vulnerability Scanner Configuration

McAfee Foundstone Vulnerability Scanner Configuration

What is Discovered and Monitored

Protocol	Metrics collected	Used for
JDBC (SQL Server)	Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id, Vulnerability Score, Vulnerability Consequence	Security Monitoring

Event Types

In CMDB > Event Types, search for “foundstone” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined rules for this device.

Configuration

JDBC

AccelOps connects to the faultline database in the McAfee vulnerability scanner to collect metrics. This is a SQL Server database, so you will need to have set up access credentials for the database over JDBC to set up access credentials in AccelOps and initiate discovery. Settings for Access Credentials

 

 

Nessus Vulnerability Scanner Configuration

What is Discovered and Monitored

Protocol	Metrics collected	Used for
Nessus API	Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence	Security Monitoring

Event Types

In CMDB > Event Types, search for “nessus” in the Description and Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “nessus” in the Description column to see the reports associated with this device.

Configuration

Nessus API

Create a user name and password that AccelOps can use as access credentials for the API. Make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Qualys Vulnerability Scanner Configuration

What is Discovered and Monitored

Protocol	Metrics collected	Used for
Qualys API	Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability Consequence	Security Monitoring

Event Types

In CMDB > Event Types, search for “qualys” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “qualys” in the Description column to see the reports associated with this device.

Configuration

Qualys API

Create a user name and password that AccelOps can use as access credentials for the API.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Rapid7 NeXpose Vulnerability Scanner Configuration

What is Discovered and Monitored

Protocol	Metrics collected	Used for
Rapid7 Nexpose API	Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence	Security Monitoring

Event Types

In CMDB > Event Types, search for “rapid7” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Rapid7 NeXpose API

1. Log into the device manger for your vulnerability scanner with administrative credentials.
2. Go to Administration > General > User Configuration, and create a user that AccelOps can use to access the device.
3. Go to Reports > General > Report Configuration.
4. Create a report with the Report format set to Simple XM

AccelOps can only pull reports in this format.

Settings for Access Credentials

Juniper Networks SSL VPN Gateway Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP
Syslog

Event Types

In CMDB > Event Types, search for “junos_dynamic_vpn” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log into your device with administrative credentials.
2. Go to System > Log/Monitoring > SNMP.
3. Under Agent Properties, enter public for Community.

Syslog

VPN Access Syslogs

1. Go to System > Log/Monitoring > User Access > Settings.
2. Under Select Events to Log, select Login/logout, User Settings, and Network Connect.
3. Under Syslog Servers, enter the IP address of your AccelOps virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.

Admin Access Syslogs

1. Go to System > Log/Monitoring > Admin Access > Settings.
2. Under Select Events to Log, selectAdministrator changes, License Changes, and Administrator logins.
3. Under Syslog Servers, enter the IP address of your AccelOps virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.

Sample Parsed Juniper Networks SSL VPN Syslog Messages

Settings for Access Credentials