Category Archives: FortiSIEM

FortiSIEM WMI

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows DNS Syslog

FortiSIEM Microsoft DNS (2003, 2008) Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, Incremental DNS Zone Transfer requests received
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “microsoft dns” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

FortiSIEM Microsoft DHCP (2003, 2008) Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Process details
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Process details, process to service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DHCP metrics (Win32_PerfFormattedData_DHCPServer_DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location: attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “microsoft dhcp” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The SNMP steps for this device are the same as those in the Microsoft DNS (2003, 2008) Configuration section above (Enabling SNMP on Windows Server 2003 and Enabling SNMP on Windows 7 or Windows Server 2008 R2); follow them on the DHCP server.

WMI

The WMI steps for this device are the same as those in the WMI section at the top of this page (Creating a Generic User Who Does Not Belong to the Local Administrator Group and Creating a User Who Belongs to the Domain Administrator Group, followed by Enable Account Privileges in WMI and the Windows Firewall steps); follow them on the DHCP server.

Syslog

  1. Log into your Microsoft DHCP server as an administrator.
  2. Go to Start > Administrative Tools > DHCP.
  3. Select the DHCP server you want to monitor, then right-click and select Properties.
  4. Click the General tab, and then select Enable DHCP audit logging.
  5. Click the DNS tab, and then select Dynamically update DNS A and PTR records only if requested by the DHCP clients and Discard A and PTR records when lease is deleted.
  6. Click the Advanced tab.
  7. Set Audit log file path to C:\WINDOWS\system32\dhcp.
  8. Set Database path to C:\WINDOWS\system32\dhcp.
  9. Set Backup path to C:\WINDOWS\System32\dhcp\backup.
  10. Click OK to complete the configuration.

Use the Windows Agent Manager to further configure sending syslogs from your device to AccelOps.

Sample Microsoft DHCP Syslog

<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,

<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,

<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,

<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,
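The table above says these Windows DHCP events are used for identity and location (IP, MAC, host name). The following parser is an added example, not code from the page or from AccelOps: it splits the syslog envelope from the Windows DHCP audit record, tolerates the empty and "-1" fields seen in the samples, and builds the IP-to-host table plus a list of failed dynamic DNS updates. The sample input is the page's own six lines re-joined one message per line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Envelope written by the Windows agent, as in the samples above:
#   <PRI>Mon dd HH:MM:SS reporter WinDHCPLog 0 <audit record>
# where the audit record is the Windows DHCP audit-log CSV row:
#   ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
ENVELOPE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) WinDHCPLog (?P<seq>\d+) (?P<record>.*)$"
)

LEASE_EVENTS = {10: "Assign", 11: "Renew"}  # IDs that bind an IP to a host and MAC
DNS_UPDATE_FAILED = 31                       # ID for a failed dynamic DNS update


@dataclass
class DhcpEvent:
    facility: int
    severity: int
    reporter: str
    event_id: int
    date: str
    time: str
    description: str
    ip: Optional[str]
    hostname: Optional[str]
    mac: Optional[str]

def _clean(value: str) -> Optional[str]:
    """An empty field and the '-1' placeholder both mean 'no value'."""
    value = value.strip()
    return None if value in ("", "-1") else value

def _normalize_mac(raw: Optional[str]) -> Optional[str]:
    """Turn the log's bare hex form (009096F27636) into 00:90:96:F2:76:36."""
    if raw is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_line(line: str) -> Optional[DhcpEvent]:
    """Parse one forwarded audit line; return None for lines that do not match."""
    m = ENVELOPE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields = [f.strip() for f in m.group("record").split(",")]
    fields += [""] * (7 - len(fields))  # pad short records (e.g. event 25) to 7 columns
    if not fields[0].isdigit():
        return None
    return DhcpEvent(
        facility=pri >> 3,  # syslog PRI = facility * 8 + severity
        severity=pri & 7,
        reporter=m.group("reporter"),
        event_id=int(fields[0]),
        date=fields[1],
        time=fields[2],
        description=fields[3],
        ip=_clean(fields[4]),
        hostname=_clean(fields[5]),
        mac=_normalize_mac(_clean(fields[6])),
    )

def lease_table(lines: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Latest (hostname, MAC) seen per IP from Assign/Renew events, in log order."""
    table: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for ev in map(parse_line, lines):
        if ev is not None and ev.event_id in LEASE_EVENTS and ev.ip is not None:
            table[ev.ip] = (ev.hostname, ev.mac)
    return table

def dns_update_failures(lines: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """(IP, hostname) pairs whose dynamic DNS update failed (event 31)."""
    return [(ev.ip, ev.hostname) for ev in map(parse_line, lines)
            if ev is not None and ev.event_id == DNS_UPDATE_FAILED]

# Sample input: the page's Sample Microsoft DHCP Syslog lines, one message per line.
SAMPLE_LINES = [
    "<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,",
    "<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,",
    "<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,",
    "<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,",
    "<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,",
    "<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,",
]

if __name__ == "__main__":
    for ip, (host, mac) in lease_table(SAMPLE_LINES).items():
        print(f"{ip:<16} {host or '-':<24} {mac or '-'}")
    for ip, host in dns_update_failures(SAMPLE_LINES):
        print(f"dynamic DNS update failed: {host} ({ip})")
```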

FortiSIEM Linux DHCP Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location: attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “linux dhcp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Make sure that snmp libraries are installed.

AccelOps has been tested to work with net-snmp libraries.

  2. Log in to your device with administrator credentials.
  3. Modify the /etc/snmp/snmpd.conf file:
    1. Define the community string for AccelOps usage and permit snmp access from the AccelOps IP.
    2. Allow AccelOps to view the mib-2 tree (read-only).
    3. Open up the entire tree for read-only view.
  4. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  5. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  6. Make sure that snmpd is running.
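The three snmpd.conf changes above, written out for net-snmp as an added example (not from the page or the AccelOps documentation); the collector address 10.0.0.5 and the community name ACCELOPS_COMMUNITY are placeholders to replace with your own values.

```conf
# /etc/snmp/snmpd.conf fragment (added example; 10.0.0.5 and ACCELOPS_COMMUNITY are placeholders)

# 1. Map the community string to a security name, accepting it only from the AccelOps IP.
com2sec accelops     10.0.0.5/32     ACCELOPS_COMMUNITY

# Put that security name in a group for SNMP v1 and v2c.
group   accelopsGrp  v1    accelops
group   accelopsGrp  v2c   accelops

# 2. A view limited to the mib-2 subtree ...
view    mib2         included   .1.3.6.1.2.1
# 3. ... and a view covering the entire tree.
view    all          included   .1

# Read-only access (read view set, write and notify views "none"); start with mib2,
# switch the read view to "all" if the whole tree should be visible to AccelOps.
access  accelopsGrp  ""  any  noauth  exact  mib2  none  none
# access  accelopsGrp  ""  any  noauth  exact  all   none  none
```

After editing, restart snmpd as in the steps above and confirm that a walk of .1.3.6.1.2.1 succeeds from the AccelOps address but not from another host.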

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Configure Linux DHCP to Forward Logs to Syslog Daemon

  1. Edit conf and insert the line log-facility local7;.
  2. Restart dhcpd by issuing /etc/init.d/dhcpd restart.

Configure Syslog to Forward to AccelOps

  1. Edit conf and add a new line: Local7.* @<IP address of AccelOps server>.
  2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.

Sample Syslog

FortiSIEM ISC BIND DNS Configuration


What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “isc bind” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

Configure the ISC BIND DNS Server to Send Syslogs

  1. Edit conf and add a new line: include /var/named/conf/logging.conf;.
  2. Edit the /var/named/conf/logging.conf file, and in the channel queries_file { } section add syslog local3;
  3. Restart BIND by issuing /etc/init.d/named restart.

Configure Syslog to Send to AccelOps

  1. Edit conf and add a new line: Local7.* @<IP address of the AccelOps server>.
  2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.

Settings for Access Credentials

Sample BIND DNS Logs

FortiSIEM Oracle Database Server Configuration


Supported Versions

Oracle Database 10g

Oracle Database 11g

Oracle Database 12c

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU and memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: JDBC
  Information discovered: Generic database information: version, Character Setting, Archive Enabled, Listener Status, Instance Status, Last backup date
  Metrics collected: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio, Host CPU Util ratio, CPU Time ratio, Disk Read/Write rates (operations and MBps), Network I/O Rate, Enqueue Deadlock rate, Database Request rate, User Transaction rate, User count, Logged on user count, Session Count, System table space usage, User table space usage, Temp table space usage, Last backup date, Days since last backup; Table space performance metrics: Table space name, table space type, table space usage, table space free space, table space next extent
  Used for: Performance Monitoring

Protocol: Syslog
  Metrics collected: Listener log, Alert log, Audit Log

Protocol: JDBC
  Information discovered: None
  Metrics collected: Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc.
  Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “oracle database” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “oracle database” in the Description column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “oracle database” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

JDBC for Database Performance Monitoring – Oracle Database Server

To configure your Oracle Database Server for performance monitoring by AccelOps, you need to create a read-only user who has select permissions for the database. This is the user you will use to create the access credentials for AccelOps to communicate with your database server.

  1. Open the SQLPlus application.
  2. Log in with a system-level account.

Verify the permissions.

JDBC for Database Auditing – Oracle Database Server

  1. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora.

This is typically located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the Oracle instance.

Configuring listener log and error log via SNARE – Oracle side

  1. Install and configure the Epilog application to send syslog to AccelOps.
  2. Download Epilog from the Epilog download site and install it on your Windows Server.
  3. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for windows.
  4. Configure the Epilog application as follows:
    1. Select Log Configuration on the left-hand panel, and click the Add button to add the Oracle Listener log file to be sent to AccelOps. Also make sure the Log Type is OracleListenerLog.
    2. Click the Add button to add the Oracle Alert log file to be sent to AccelOps. Also make sure the Log Type is OracleAlertLog.

After adding both files, SNARE Log Configuration will show both files included as follows.

  5. Select Network Configuration on the left-hand panel. On the right, set the destination address to that of the AccelOps server, set the port to 514, and make sure that syslog header is enabled. Then click the Change Configuration button.
  6. Click the “Apply the latest audit configuration” link on the left-hand side to apply the changes to Epilog.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

System Level Database Performance Metrics

[PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8, [hostName]=Host-10.1.2.8, [appGroupName]=Oracle Database Server, [appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production, [instanceName]=orcl, [instanceStatus]=OPEN, [charSetting]=ZHS16GBK, [archiveEnabled]=FALSE, [lastBackupDate]=1325566287, [listenerStatus]=OPEN,[dbBufferCacheHitRatio]=100,[dbMemorySortsRatio]=100,[dbUserTransactionPerSec]=0.13,[dbPhysicalReadsPerSec]=0,[dbPhysicalWritesPerSec]=0.48,[dbHostCpuUtilRatio]=0,[dbNetworkKBytesPerSec]=0.58,[dbEnqueueDeadlocksPerSec]=0,[dbCurrentLogonsCount]=32,[dbWaitTimeRatio]=7.13,[dbCpuTimeRatio]=92.87,[dbRowCacheHitRatio]=100,[dbLibraryCacheHitRatio]=99.91,[dbSharedPoolFreeRatio]=18.55,[dbSessionCount]=40,[dbIOKBytesPerSec]=33.26,[dbRequestsPerSec]=3.24,[dbSystemTablespaceUsage]=2.88,[dbTempTablespaceUsage]=0,[dbUsersTablespaceUsage]=0.01,[dbUserCount]=2,[dbInvalidObjectCount]=4

Table Space Performance Metrics

Oracle Audit Trail (AccelOps Generated Events)

Oracle Audit Log

<172>Oracle Audit[25487]: LENGTH : '153' ACTION :[004] 'bjn' DATABASE USER:[9] 'user' PRIVILEGE :[4] 'NONE' CLIENT USER:[9] 'user' CLIENT TERMINAL:[14] 'terminal' STATUS:[1] '0']

<172>Oracle Audit[6561]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[8] 'user' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'user' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[9] '200958341'

<172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747 ENTRYID:[5] 14188 STATEMENT:[5] 28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:[1] 5

Oracle Listener Log

Oracle Alert Log

DHCP and DNS Server Configuration

AccelOps supports these DHCP and DNS servers for discovery and monitoring.

Infoblox DNS/DHCP Configuration

ISC BIND DNS Configuration

Linux DHCP Configuration

Microsoft DHCP (2003, 2008) Configuration

Microsoft DNS (2003, 2008) Configuration

Infoblox DNS/DHCP Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
--- | --- | --- | ---
SNMP | Host Name, Hardware model, Serial number, Network Interfaces, Running processes, Installed software | System CPU utilization, Memory utilization, Disk usage, Disk I/O | Performance Monitoring
SNMP | | Process level CPU utilization, Memory utilization | 
SNMP | | Zone Transfer metrics, for each zone: DNS Responses Sent, Failed DNS Queries, DNS Referrals, Non-existent DNS Record Queries, DNS Non-existent Domain Queries, Recursive DNS Query Received. DNS Cluster Replication metrics: DNS Replication Queue Status, Sent Queue From Master, Last Sent Time From Master, Sent Queue To Master, Last Sent Time To Master. DNS Performance metrics: NonAuth DNS Query Count, NonAuth Avg DNS Latency, Auth DNS Query Count, Auth Avg DNS Latency, Invalid DNS Port Response, Invalid DNS TXID Response. DHCP Performance metrics: Discovers/sec, Requests/sec, Releases/sec, Offers/sec, Acks/sec, Nacks/sec, Declines/sec, Informs/sec. DDNS Update metrics: DDNS Update Success, DDNS Update Fail, DDNS Update Reject, DDNS Prereq Update Reject, DDNS Update Latency, DDNS Update Timeout. DHCP subnet usage metrics, for each DHCP subnet (addr, mask): percent used | Security Monitoring and compliance
SNMP | | Hardware status | Availability monitoring
SNMP Trap | | Hardware failures, Software failures | Availability monitoring

Event Types

In CMDB > Event Types, search for “infoblox” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “infoblox” in the Name and Description columns to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Settings for Access Credentials


FortiSIEM MySQL Server Configuration

MySQL Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

JDBC for Database Auditing – MySQL Server

Settings for Access Credentials

Sample events

System Level Performance Metrics

Table Space Performance Metrics

System Level Performance Metrics

Logon/Logoff Events

Database CREATE/DELETE/MODIFY Events

Table CREATE/DELETE/MODIFY Events

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
--- | --- | --- | ---
SNMP | Application type | Process level CPU and memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring
JDBC | Generic database information: Version, Character Setting | | 
JDBC | | Database performance metrics: User Connections, Table Updates, Table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query Cache Hits, Queries registered in cache, Database Questions, Users, Live Threads. Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time | Performance Monitoring
JDBC | None | Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations | Security Monitoring

Event Types

In CMDB > Event Types, search for “mysql” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “mysql” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “mysql” in the Name and Description columns to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

JDBC for Database Auditing – MySQL Server

You need to configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation explains more about how to set the destination tables for log outputs.

  1. Start the MySQL server with TABLE output enabled.
  2. Log in to mysql and run the following SQL commands to enable the general_log table in MyISAM.
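The two steps above carried out as an added example (not the page's own commands): the general log is switched to TABLE output and its table moved to MyISAM, and a least-privilege collector account is created; the account name, host and grants are assumptions.

```sql
-- Added example (not the page's own commands): enable the MySQL general log
-- as a MyISAM table so it can be read over JDBC. Run as a MySQL root account.
-- Collector account name, host and grants are assumptions.

-- Step 1, done at runtime instead of a restart: write log output to TABLE only.
SET GLOBAL log_output = 'TABLE';

-- Step 2: mysql.general_log uses the CSV engine by default. The engine can only
-- be changed while logging to the table is switched off.
SET GLOBAL general_log = 'OFF';
ALTER TABLE mysql.general_log ENGINE = MyISAM;
SET GLOBAL general_log = 'ON';

-- log_raw must stay off (the default) so that passwords in statements such as
-- CREATE USER ... IDENTIFIED BY are rewritten before they reach the log.
-- It is a startup-only option, so verify it rather than SET it.
SHOW VARIABLES WHERE Variable_name IN ('log_output', 'general_log', 'log_raw');

-- Least-privilege account for the collector: read access to the log table plus
-- PROCESS for thread/connection counters. Host and password are placeholders.
CREATE USER 'accelops'@'10.0.0.10' IDENTIFIED BY '<password-placeholder>';
GRANT SELECT ON mysql.general_log TO 'accelops'@'10.0.0.10';
GRANT PROCESS ON *.* TO 'accelops'@'10.0.0.10';

-- Sanity check: the Connect/Query rows here are what become the MYSQL_Logon_*
-- and MYSQL_*_table events shown under Sample events.
SELECT event_time, user_host, command_type, LEFT(argument, 80) AS argument
FROM mysql.general_log
ORDER BY event_time DESC
LIMIT 10;

-- The table grows without bound; TRUNCATE TABLE mysql.general_log is the
-- supported way to clear it. To survive a restart, add under [mysqld] in my.cnf:
--   log_output  = TABLE
--   general_log = 1
```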

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

System Level Performance Metrics

Table Space Performance Metrics

<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server, [instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024, [tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46, [tableCollation]=utf8_general_ci

System Level Performance Metrics

Logon/Logoff Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Logon_Success]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on

<134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]=

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Logon_Fail]: [eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)

Database CREATE/DELETE/MODIFY Events

Table CREATE/DELETE/MODIFY Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl( tutorial_id INT NOT NULL AUTO_INCREMENT, tutorial_title VARCHAR(100) NOT NULL, tutorial_author VARCHAR(40) NOT NULL, submission_date DATE, PRIMARY KEY ( tutorial_id ) )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl (tutorial_title, tutorial_author, submission_date) VALUES ("Learn Java", "John Smith", NOW())

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable

FortiSIEM Microsoft SQL Server Scripts

Microsoft SQL Server Scripts

SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

-- Server-scoped DDL trigger: fires on the listed server-level event groups and
-- database create/alter/drop, and records each event in PH_Events.dbo.DDLEvents.
CREATE TRIGGER PH_DDL_Server_Level_Events
ON ALL SERVER
FOR DDL_ENDPOINT_EVENTS, DDL_LOGIN_EVENTS, DDL_GDR_SERVER_EVENTS,
    DDL_AUTHORIZATION_SERVER_EVENTS,
    CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE
/** FOR DDL_SERVER_LEVEL_EVENTS **/
AS
DECLARE @eventData AS XML;
SET @eventData = EVENTDATA(); /** declare @eventData as XML; set @eventData = EVENTDATA(); **/
-- Each field is pulled out of the EVENTDATA XML; the full XML is kept in XMLEvent,
-- so CommandText (truncated to 128 characters here) can always be recovered from it.
INSERT INTO PH_Events.dbo.DDLEvents
    (EventTime, EventType, SPID, ServerName, LoginName, ObjectName, ObjectType,
     SchemaName, DatabaseName, CommandText, XMLEvent)
VALUES (
    CAST(@eventData.query('data(//PostTime)') AS varchar(64)),
    CAST(@eventData.query('data(//EventType)') AS varchar(128)),
    CAST(@eventData.query('data(//SPID)') AS varchar(128)),
    CAST(@eventData.query('data(//ServerName)') AS varchar(128)),
    CAST(@eventData.query('data(//LoginName)') AS varchar(128)),
    CAST(@eventData.query('data(//ObjectName)') AS varchar(128)),
    CAST(@eventData.query('data(//ObjectType)') AS varchar(128)),
    CAST(@eventData.query('data(//SchemaName)') AS varchar(128)),
    CAST(@eventData.query('data(//DatabaseName)') AS varchar(64)),
    CAST(@eventData.query('data(//TSQLCommand/CommandText)') AS varchar(128)), /** DB_NAME(), **/
    @eventData);

SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)


SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)

This script creates a server-level trigger called PH_LoginEvents. It records a logon event each time a user establishes a session to the database server. The trigger is located under the database server > Server Objects > Triggers.
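A logon trigger of the kind described above, written as an added example in the style of the DDL trigger on this page; it is not the page's PH_LogonEventsTrigger.sql, and the target table and its columns are assumptions. The operational caveat matters more than the code: if a logon trigger raises an error, the logon is refused.

```sql
-- Added example (not the page's PH_LogonEventsTrigger.sql). PH_Events.dbo.LoginEvents
-- and its columns are assumptions; create the table before creating the trigger.
-- EXECUTE AS SELF lets the insert run as the trigger's creator, so connecting
-- logins do not each need INSERT rights on the table.
CREATE TRIGGER PH_LoginEvents
ON ALL SERVER
WITH EXECUTE AS SELF
FOR LOGON
AS
BEGIN
    DECLARE @eventData XML = EVENTDATA();
    INSERT INTO PH_Events.dbo.LoginEvents
        (EventTime, SPID, ServerName, LoginName, LoginType, ClientHost, IsPooled, XMLEvent)
    VALUES (
        @eventData.value('(/EVENT_INSTANCE/PostTime)[1]',   'datetime'),
        @eventData.value('(/EVENT_INSTANCE/SPID)[1]',       'int'),
        @eventData.value('(/EVENT_INSTANCE/ServerName)[1]', 'nvarchar(128)'),
        @eventData.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @eventData.value('(/EVENT_INSTANCE/LoginType)[1]',  'nvarchar(64)'),
        @eventData.value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)'),
        @eventData.value('(/EVENT_INSTANCE/IsPooled)[1]',   'bit'),
        @eventData);
END;
GO

-- If the trigger ever blocks logons (missing table, permissions, full disk),
-- connect over the Dedicated Administrator Connection (sqlcmd -A) and run:
--   DISABLE TRIGGER PH_LoginEvents ON ALL SERVER;
```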