FortiSIEM Database Server Configuration

Database Server Configuration

AccelOps supports these database servers for discovery and monitoring.

IBM DB2 Server Configuration

Microsoft SQL Server Configuration

Microsoft SQL Server Scripts

SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)

SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)

MySQL Server Configuration

Oracle Database Server Configuration

IBM DB2 Server Configuration

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “db2” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configuring IBM DB2 Audit on Linux – DB2 side

  1. Log in to IBM Installation Manager.
  2. Click the Databases tab, and click the + icon to create a new Database Connection.
  3. Enter these settings.
     Database Connection Name: Enter a name for the connection, such as AccelOps
     Data Server Type: DB2 for Linux, Unix, and Windows
     Database Name: The name of the database to monitor (the <databasename> in the JDBC URL)
     Host name: db2.org
     Port number: 50000
     JDBC Security: Clear text password
     User ID: The username you want to use to access this Server from AccelOps
     Password: The password you want to use with the User ID
     JDBC URL: jdbc:db2://db2.org:50000/<databasename>:retrieveMessagesFromServerOnGetMessage=true;securit
  4. In the Job Manager tab, click Add Job.
  5. For Name, enter audit.
  6. For Type, select DB2 CLP Script.
  7. Click OK.
  8. Add script.
  9. Add schedule detail to audit task.
  10. Add database to audit task.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring IBM DB2 Audit on Windows – DB2 side

  1. Create a non-admin user on Windows, for example “AoAuditUser”, and set a password.
  2. Log in to the DB2 Task Center, add the user to DB Users, and connect it to the database.
  3. Grant permissions (as Administrator) using the commands below.
  4. Create the catalog with db2admin.
  5. Create a task as the DB2 user Administrator:
    1. Open the DB2 Task Center and create a task like the one below.
    2. Add schedule.
    3. Add task.

Sample Events

IBMDB2_CHECKING_OBJECT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_CHECKING_FUNCTION
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_STATEMENT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_COMMIT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_ROLLBACK
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT_RESET
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CREATE_OBJECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0

IBMDB2_JDBC_PULL_STAT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server

IBMDB2_ARCHIVE
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_EXTRACT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_LIST_LOGS
<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcAp

Microsoft SQL Server Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

JDBC for Performance Monitoring

Create a Read-Only User to Access System Tables

JDBC for Database Audit Trail Collection

Create a Read-Only User to Access System Tables

Settings for Access Credentials

Sample Events

Per Instance Performance Metrics

Per Instance, per Database Performance Metrics

Generic Info

Config Info

Locking Info

Blocking Info

Error Log

Logon Events

DDL Events – Create Database

DDL Events – Create index

Supported Versions

SQL Server 2005

SQL Server 2008

SQL Server 2008 R2

SQL Server 2012

SQL Server 2014

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Microsoft SQL Server.

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: WMI
Metrics collected: Windows application event logs – successful and failed login
Used for: Security Monitoring

Protocol: JDBC
Metrics collected:
  General database info: database name, database version, database size, database owner, database created date, database status, database compatibility level
  Database configuration info: Configure name, Configure value, Configure max and min value, Configure running value
  Database backup info: Database name, Last backup date, Days since last backup
Used for: Availability Monitoring

Protocol: JDBC
Metrics collected:
  Database performance metrics (per-instance): Buffer cache hit ratio, Log cache hit ratio, Transactions/sec, Page reads/sec, Page writes/sec, Page splits/sec, Full scans/sec, Deadlocks/sec, Log flush waits/sec, Latch waits/sec, Data file(s) size, Log file(s) used, Log growths, Log shrinks, User connections, Target server memory, Total server memory, Active database users, Logged-in database users, Available buffer pool pages, Free buffer pool pages, Average wait time
  Database performance metrics (per-instance, per-database): Database name, Data file size, Log file used, Log growths, Log shrinks, Log flush waits/sec, Transactions/sec, Log cache hit ratio
Used for: Performance Monitoring

Protocol: JDBC
Metrics collected:
  Locking info: Database id, Database object id, Lock type, Locked resource, Lock mode, Lock status
  Blocking info: Blocked Sp Id, Blocked Login User, Blocked Database, Blocked Command, Blocked Process Name, Blocking Sp Id, Blocking Login User, Blocking Database, Blocking Command, Blocking Process Name, Blocked duration
Used for: Performance Monitoring

Protocol: JDBC
Metrics collected:
  Database error log
  Database audit trail: Failed database logon is also collected through performance monitoring, as logon failures cannot be collected via database triggers.
Used for: Availability / Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc.
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “sql server” in the Device Name and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “sql server” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “sql server” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

JDBC for Performance Monitoring

Creating a User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring: AccelOps runs on Linux, and certain Windows libraries needed to authenticate with such an account are not available on Linux. You have to create a separate SQL Server user with read-only privileges.

Create a Read-Only User to Access System Tables

  1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.
  2. Log in with your newly created read-only account and run these commands.

Check to see if you get the same results with your read-only account as you do with your sa account.

  3. Perform the following additional configuration steps for the collection of logon failures:
    1. For Server 2012 – https://technet.microsoft.com/en-us/library/ms175850(v=sql.110).aspx
    2. For Server 2014 – https://technet.microsoft.com/sr-latn-rs/library/ms175850(v=sql.120)
    3. For Server 2016 – https://msdn.microsoft.com/en-us/library/ms175850.aspx

JDBC for Database Audit Trail Collection

Creating a User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring: AccelOps runs on Linux, and certain Windows libraries needed to authenticate with such an account are not available on Linux. You have to create a separate SQL Server user with read-only privileges.

Create a Read-Only User to Access System Tables

  1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.
  2. Save the four SQL Server Scripts attached to this topic to My Documents > SQL Server Management Studio > Projects as four separate files.
  3. Log in to SQL Server Management Studio with an sa account.
  4. Browse to and execute the Database and Table Creation script to create the database and tables.
  5. Browse to and execute the Logon Trigger Creation script to create triggers.

SQL Server introduced Logon Trigger in SQL Server 2005 SP2, so the database version must be greater than 2005 SP2 for logon trigger creation to succeed.

  6. Browse to and execute the DDL Server Level Trigger Creation script to create database events.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Creating a Database Truncate Script

Since audit tables grow over time, it is a good idea to create a database truncate script that runs as a maintenance task and keeps the table size under control. Create the truncate procedure as follows.

  1. Log into Microsoft SQL Management Studio and connect to the DB instance.
  2. Under Management, go to Maintenance Plans, and create a new plan with the name
  3. For Subplan, enter TRUNCATE, and for Description, enter TRUNCATE TABLE.
  4. Click the Calendar icon to create a recurring, daily task starting at 12:00AM and running every 30 minutes until 11:59:59PM.
  5. Go to View > Tool Box > Execute T-SQL Statement.

A T-SQL box will be added to the subplan.

  6. In the T-SQL box, enter this command.
  7. Click OK.
  8. You will be able to see the history of this script’s actions by right-clicking on the maintenance task, and then selecting View History.

Sample Events

Per Instance Performance Metrics

<134>Apr 16 10:17:56 172.16.22.100 java: [PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_SYS]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net,[appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=13149056,[dbLogFileUsedKB]=26326,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0,[dbLogFlushPerSec]=1.69,[dbTransPerSec]=4.44,[dbDeadLocksPerSec]=0,[dbLogCacheHitRatio]=60.01,[dbUserConn]=16,[dbTargetServerMemoryKB]=1543232,[dbTotalServerMemoryKB]=1464760,[dbPageSplitsPerSec]=0.45,[dbPageWritesPerSec]=0.01,[dbLatchWaitsPerSec]=0.77,[dbPageReadsPerSec]=0.01,[dbFullScansPerSec]=1.83,[dbBufferCacheHitRatio]=100,[dbCount]=8,[dbUserCount]=25,[dbLoggedinUserCount]=2,[dbPagesInBufferPool]=116850,[dbPagesFreeInBufferPool]=2336,[dbAverageWaitTimeMs]=239376,[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08-VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433

Per Instance, per Database Performance Metrics

[PH_DEV_MON_PERF_MSSQL_PERDB]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net,[dbName]=tempdb,[appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=109504,[dbLogFileUsedKB]=434,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0,[dbTransPerSec]=0.96,[dbLogFlushPerSec]=0.01,[dbLogCacheHitRatio]=44.44,[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08-VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433

Generic Info

[PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0,[dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600,[dbstatus]= Status=ONLINE; Updateability=READ_WRITE; UserAccess=MULTI_USER; Recovery=SIMPLE; Version=655; Collation=SQL_Latin1_General_CP1_CI_AS; SQLSortOrder=52; IsAutoCreateStatistics; IsAutoUpdateStatistics,[dbcompatibilityLevel]= 100,[spaceAvailable]= 0.9,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS

Config Info

Locking Info

Blocking Info

[PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,[blockedSpId]= 51,[blockedLoginUser]= WIN03MSSQL\Administrator,[blockedDbName]= msdb,[blockedCommand]= UPDATE,[blockedProcessName]= Microsoft SQL Server Management Studio - Query,[blockingSpId]= 54,[blockingLoginUser]= WIN03MSSQL\Administrator,[blockingDbName]= msdb,[blockingCommand]= AWAITING COMMAND,[blockingProcessName]= Microsoft SQL Server Management Studio - Query,[blockedDuration]= 5180936,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS

Error Log

Logon Events

<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO, [eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, [instanceName]=MSSQLSERVEJIANFA, [procId]=52, [loginType]=Windows (NT) Login, [securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1, [destName]=WIN-S2EDLFIUPQK, [destPort]=1437,

DDL Events – Create Database

<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_database]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=JIANFA, [instanceName]=MSSQLSERVER, [objName]=, [procId]=59, [command]=CREATE DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433,

DDL Events – Create index

<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=master, [instanceName]=MSSQLSERVER, [objName]=IndexTest, [procId]=58, [command]=create index IndexTest on dbo.MSreplication_options(optname);, [schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433
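All of the sample events on this page, the DB2 audit records as well as the SQL Server performance, logon and DDL events above, share one layout: an optional syslog header, an [EventType]: marker, then comma-separated [key]=value pairs whose values may themselves contain spaces, '=' or ';'. The parser below is an added example written for this page, not AccelOps or FortiSIEM code; its SAMPLE_LINES are constructed, abridged copies of the page's own events, and the helper functions show the kind of per-user and DDL pivots that the Event Types, Rules and Reports sections rely on.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines: abridged copies of the DB2 and SQL Server events shown
# on this page, keeping the original field values, assembled here as test input.
SAMPLE_LINES = [
    "<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,"
    "[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,"
    "[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,"
    "[eventCategory]=EXECUTE,[dbRetCode]=0",
    "<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,"
    "[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,"
    "[dbName]=SAMPLE,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0",
    "<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO, "
    "[eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [srcName]=<local machine>, "
    "[user]=NT SERVICE\\ReportServer$MSSQLSERVEJIANFA, [loginType]=Windows (NT) Login, "
    "[destPort]=1437,",
    "<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO, "
    "[user]=WIN-S2EDLFIUPQK\\Administrator, [dbName]=master, [objName]=IndexTest, "
    "[command]=create index IndexTest on dbo.MSreplication_options(optname);, "
    "[objType]=INDEX, [destPort]=1433",
    "[PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_SYS]:[eventSeverity]=PHL_INFO,"
    "[hostIpAddr]=172.16.22.100,[dbBufferCacheHitRatio]=100,[dbUserConn]=16",
]

# Optional syslog header (<PRI>, "Mon DD HH:MM:SS", reporting host, "java:") followed
# by the [EventType]: marker and the key-value body. Assumes the two-digit day form
# used in every sample on this page.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<reporter>\S+) java:\s*)?"
    r"\[(?P<etype>[^\]]+)\]:(?P<body>.*)$"
)
# One [key]=value pair. The value runs until the next ",[key]=" or the end of the
# line, so commands, version strings and "a=b" values survive intact.
FIELD_RE = re.compile(r"\[([^\]]+)\]=(.*?)(?=,\s*\[[^\]]+\]=|,?\s*$)")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into a flat dict; None if it has no [EventType]: marker."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # Some event types are written as NAME|NAME; keep the part before the pipe.
    event = {"eventType": m.group("etype").split("|")[0]}
    if m.group("pri"):
        pri = int(m.group("pri"))  # <134> = facility 16 (local0), severity 6 (info)
        event["syslogFacility"] = str(pri // 8)
        event["syslogSeverity"] = str(pri % 8)
        event["syslogTime"] = m.group("ts")
        event["reporter"] = m.group("reporter")
    for key, value in FIELD_RE.findall(m.group("body")):
        event[key] = value.strip()
    return event


def parse_many(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of lines, skipping any that are not events."""
    return [e for e in (parse_event(line) for line in lines) if e is not None]


def activity_by_user(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Event count per database user, the basis of a 'top users by activity' view."""
    return dict(Counter(e.get("user", "<none>") for e in events))


def ddl_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Schema-changing events: DB2 OBJMAINT records or SQL Server DDL trigger events."""
    return [
        e for e in events
        if e.get("eventCategory") == "OBJMAINT" or e["eventType"].startswith("MSSQL_Create_")
    ]


def failed_db2_operations(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """DB2 audit records whose dbRetCode is non-zero, i.e. the operation was rejected."""
    return [e for e in events if "dbRetCode" in e and e["dbRetCode"] != "0"]


if __name__ == "__main__":
    parsed = parse_many(SAMPLE_LINES)
    print(f"{len(parsed)} events parsed")
    print("activity by user:", activity_by_user(parsed))
    for e in ddl_events(parsed):
        print("DDL:", e["eventType"], e.get("command") or e.get("objName"))
```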


FortiSIEM CyberArk Password Vault Configuration

CyberArk Password Vault Configuration

What is Discovered and Monitored

Protocol: Syslog (CEF formatted and others)
Logs parsed: CyberArk Safe Activity
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “CyberArk-Vault” in the Device Type column to see close to 400 event types associated with this device.

Rules

In Analytics > Rules, search for “CyberArk”:

CyberArk Vault Blocked Failure

CyberArk Vault CPM Password Disables

CyberArk Vault Excessive Failed PSM Connections

CyberArk Vault Excessive Impersonations

CyberArk Vault Excessive PSM Keystroke Logging Failure

CyberArk Vault Excessive PSM Session Monitoring Failure

CyberArk Vault Excessive Password Release Failure

CyberArk Vault File Operation Failure

CyberArk Vault Object Content Validation Failure

CyberArk Vault Unauthorized User Stations

CyberArk Vault User History Clear

Reports

In Analytics > Reports, search for “CyberArk”:

CyberArk Blocked Operations

CyberArk CPM Password Disables

CyberArk CPM Password Retrieval

CyberArk File Operation Failures

CyberArk Impersonations

CyberArk Object Content Validation Failures

CyberArk PSM Monitoring Failures

CyberArk Password Resets

CyberArk Privileged Command Operations

CyberArk Provider Password Retrieval

CyberArk Trusted Network Area Updates

CyberArk Unauthorized Stations

CyberArk User History Clears

CyberArk User/Group Modification Activity

CyberArk Vault CPM Password Reconcilations

CyberArk Vault CPM Password Verifications

CyberArk Vault Configuration Changes

CyberArk Vault Failed PSM connections

CyberArk Vault Modification Activity

CyberArk Vault PSM Keystore Logging Failures

CyberArk Vault Password Changes from CPM

CyberArk Vault Password Release Failures

CyberArk Vault Successful PSM Connections

Top CyberArk Event Types

Top CyberArk Safes, Folders By Activity

Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

  1. Open the \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
    1. SyslogServerIP – Specify the AccelOps supervisor, workers, and collectors, separated by commas.
    2. SyslogServerProtocol – Set to the default value of UDP.
    3. SyslogServerPort – Set to the default value of 514.
    4. SyslogMessageCodeFilter – Set to the default range 0-999.
    5. SyslogTranslatorFile – Set to Syslog\AccelOps.xsl.
    6. UseLegacySyslogFormat – Set to the default value of No.
  2. Copy the relevant XSL translator file to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
  3. Stop and Start Vault (Central Server Administration) for the changes to take effect.

Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"

<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored

<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.

<27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [AccelOps]. Fetch reason: [APPAP004E Password object matching query

FortiSIEM Authentication Server Configuration

Authentication Server Configuration

AccelOps supports these authentication servers for discovery and monitoring.

Cisco Access Control Server (ACS) Configuration

Microsoft Internet Authentication Server (IAS) Configuration

Juniper Networks Steel-Belted RADIUS Configuration

Vasco DigiPass Configuration

CyberArk Password Vault Configuration

Cisco Access Control Server (ACS) Configuration

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

Enable DCOM Permissions for the Monitoring Account

Creating a User Who Belongs to the Domain Administrator Group

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

Enable the Monitoring Account to Access the Monitored Device

Enable DCOM Permissions for the Monitoring Account

Enable Account Privileges in WMI

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Application type
Metrics collected: Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “cisco secure acs” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log into the device you want to enable SNMP for as an administrator.
  2. Go to Control Panel > Programs and Features.
  3. Click Turn Windows features on or off.
  4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP).

If you are installing on a Windows 2008 device, in the Server Manager window, go to Features > Add features > SNMP Services.

  5. If necessary, select SNMP to enable the service.
  6. Go to Programs > Administrative Tools > Services to set the SNMP community string and include AccelOps in the list of hosts that can access this server via SNMP.
  7. Select SNMP Service and right-click Properties.
  8. Set the community string to public.
  9. Go to the Security tab and enter the AccelOps IP Address.
  10. Restart the SNMP service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

Syslog

  1. Log in to your Cisco Access Control Server as an administrator.
  2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin.
  3. In the left-hand navigation, click System Configuration, then click Logging.
  4. Select Syslog for Failed Attempts, Passed Authentication, and RADIUS Accounting to send these reports to AccelOps.
  5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV output.

Report CSV Attributes
Failed Attempts Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server
Passed Authentication Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server, Proxy-IP-Address, Source-NAS, PEAP/EAP-FAST-Clear-Name, Real Name
RADIUS Accounting User-Name, NAS-IP-Address, NAS-Port, Group-Name, Service-Type, Framed-Protocol, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets

  6. For each of these reports, click Configure under Syslog. For Syslog Server, enter the IP address of the AccelOps virtual appliance that will receive the syslogs, enter 514 for Port, and set Max message length to 1024.
  7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Microsoft Internet Authentication Server (IAS) Configuration

What is Discovered and Monitored

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Syslog

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 WMI      
 Syslog      

Event Types

In CMDB > Event Types, search for “microsoft isa” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

You need to configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows Agent Manager to configure the type of log information you want sent to AccelOps.

  1. Log in to your server as an administrator.
  2. Go to Start > Administrative Tools > Internet Authentication Service.
  3. In the left-hand navigation, select Remote Access Logging, then select Local File.
  4. Right-click on Local File to open the Properties menu, and then select Log File.
  5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS.
  6. Click OK.

You can now use Windows Agent Manager to configure what information will be sent to AccelOps.


Juniper Networks Steel-Belted RADIUS Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Application type Process level CPU utilization, Memory utilization Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance Monitoring
Syslog Application type Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “Juniper Steel-Belted RADIUS” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Log in as administrator.
  2. Install and configure the Epilog application to convert the log files written by the Steel-Belted RADIUS server into syslog messages for sending to AccelOps.
    1. Download Epilog from the Epilog download site and install it on your Windows Server.
    2. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
  3. Configure the Epilog application as follows.
    1. Select Log Configuration in the left-hand panel, and click the Add button to add the log files whose content needs to be sent to AccelOps. These log files are written by the Steel-Belted RADIUS server; make sure their paths are correct and that the Log Type is SteelbeltedLog.
    2. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the AccelOps server, set the port to 514, and make sure that the syslog header is enabled. Then click the Change Configuration button.
  4. Click the “Apply the latest audit configuration” link on the left-hand side to apply the changes to the Epilog application. The logs will now be sent to AccelOps in real time.

Vasco DigiPass Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
Syslog   Successful and Failed Authentications, Successful and Failed administrative logons Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “Vasco DigiPass” in the Device Type column to see the event types associated with this device. Some important ones are:

Vasco-DigiPass-KeyServer-AdminLogon-Success

Vasco-DigiPass-KeyServer-UserAuth-Success

Vasco-DigiPass-KeyServer-UserAuth-Failed

Vasco-DigiPass-KeyServer-AccountLocked

Vasco-DigiPass-KeyServer-AccountUnlocked

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the Vasco DigiPass Management Console to send syslog to AccelOps. AccelOps parses the logs automatically. Make sure the syslog format is as follows.

May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}

May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}

May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-Certificate-Store: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}
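The following parser is an added example and is not AccelOps/FortiSIEM or VASCO code. It reads the ikeyserver message layout shown above (syslog header, then comma-separated brace-delimited fields, with nested "{Name : Value}" groups inside Input Details and Output Details) into a dictionary, and lists attributes whose names suggest secrets, since the user-management sample above carries password-related fields in its Output Details. The two sample lines embedded in the block are constructed from the messages above with the long Output Details group shortened; the returned key names (result, category, code, event_id, attrs) are this example's own choices.

```python
"""Parse VASCO DigiPass ikeyserver syslog messages into structured fields.

Added example; not AccelOps/FortiSIEM or VASCO code.  The layout follows the
sample messages on this page: a syslog header, then comma-separated fields
wrapped in braces.  The first five fields are positional (result, category,
message code, message text, event id); later fields are "Name:Value" pairs,
and "Input Details" / "Output Details" carry nested "{Name : Value}" groups.
"""
from __future__ import annotations

import re

# Constructed samples shaped like the messages above (Output Details shortened).
SAMPLE_ADMIN_LOGON = (
    "May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, "
    "{Administration}, {S-004001}, {An administrative logon was successful.}, "
    "{0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, "
    "{Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, "
    "{Client Type:Administration Program}"
)
SAMPLE_UNLOCK = (
    "May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, "
    "{Administration}, {S-001003}, "
    "{A command of type [User] [Unlock] was successful.}, "
    "{0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, "
    "{Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, "
    "{Input Details: {User ID : flast} {Domain Name : company.com}}, "
    "{Output Details: {User ID : flast} {Password : ********} {Locked : no}}, "
    "{Object:User}, {Command:Unlock}, {Client Type:Administration Program}"
)

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
NESTED = ("Input Details", "Output Details")
SECRET_MARKERS = ("password", "key")   # assumed markers for secret-bearing names


def split_brace_fields(body: str) -> list:
    """Return the contents of each top-level {...} group, honouring nesting."""
    fields = []
    depth, start = 0, -1
    for i, ch in enumerate(body):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in message body")
            if depth == 0:
                fields.append(body[start:i])
    if depth != 0:
        raise ValueError("unterminated '{' in message body")
    return fields


def parse_details(text: str) -> dict:
    """Parse a '{Name : Value} {Name : Value}' group into a dict."""
    out = {}
    for item in split_brace_fields(text):
        name, _, value = item.partition(":")
        out[name.strip()] = value.strip()
    return out


def parse_ikeyserver(line: str) -> dict:
    """Parse one ikeyserver syslog line; raises ValueError on malformed input."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an ikeyserver syslog line")
    fields = split_brace_fields(m.group("body"))
    if len(fields) < 5:
        raise ValueError("expected at least five brace-delimited fields")
    event = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "result": fields[0],     # Success / Info / ...
        "category": fields[1],   # Administration / Initialization / ...
        "code": fields[2],       # e.g. S-004001
        "message": fields[3],
        "event_id": fields[4],
        "attrs": {},
    }
    for field in fields[5:]:
        name, _, value = field.partition(":")
        name, value = name.strip(), value.strip()
        event["attrs"][name] = parse_details(value) if name in NESTED else value
    return event


def secret_attrs(event: dict) -> list:
    """Names of top-level or nested attributes whose name suggests a secret,
    so they can be redacted before the event is forwarded or stored."""
    found = []
    for name, value in event["attrs"].items():
        if isinstance(value, dict):
            found.extend(f"{name}.{sub}" for sub in value
                         if any(mk in sub.lower() for mk in SECRET_MARKERS))
        elif any(mk in name.lower() for mk in SECRET_MARKERS):
            found.append(name)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN_LOGON, SAMPLE_UNLOCK):
        ev = parse_ikeyserver(sample)
        print(ev["code"], ev["result"], ev["attrs"].get("User ID"), secret_attrs(ev))
```

The brace walker is needed because a naive split on "}, {" breaks on the nested Input/Output Details groups; the positional fields are kept separate from the Name:Value fields because the message text may itself contain colons.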

FortiSIEM Redhat JBOSS Configuration

Redhat JBOSS Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

JMX

Configuring JMX on the JBOSS Application Server

Configuring AccelOps to Use the JMX Protocol with JBOSS Application Server

Settings for Access Credentials

Sample Event for JBOSS Metrics

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
JMX   Generic information: Application version, Application port

Availability metrics: Uptime, Application Server State

CPU metrics: Application server instance, CPU utilization

Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory,  Heap commit memory, Max System dumps on disk, Max heap dumps on disk

Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors

Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections

Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads

Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions

EJB metrics: Application name, Application server instance, EJB component name

Performance Monitoring

Event Types

In CMDB > Event Types, search for “boss” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “jobs” in the Name column to see the reports associated with this application or device.

Configuration

JMX

Configuring JMX on the JBOSS Application Server

  1. Enable the authentication security check. Open the file ${JBoss_Home}\server\default\deploy\jmx-jboss-beans.xml, find the JMXConnector bean, and uncomment the securityDomain.
  2. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-roles.properties to configure the JMX administrator role.
  3. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-users.properties to configure the username and password for JMX.
  4. Configure DNS resolution for the JBOSS application server in your AccelOps Supervisor, Workers, and Collectors by adding the IP address and DNS name of the JBOSS application server to their /etc/hosts file. If DNS is already configured to resolve the JBOSS application server name, you can skip this step.
  5. Start JBoss.

Configuring AccelOps to Use the JMX Protocol with JBOSS Application Server

To configure JMX communications between your JBOSS application server and AccelOps, you need to copy several files from your application server to the JBOSS configuration directory for each AccelOps virtual appliance that will be used for discovery and performance monitoring jobs. AccelOps does not include these files because of licensing restrictions.

JBOSS Version Files to Copy
4.x, 5.x, 6.x Copy ${JBoss_Home}/lib/jboss-bootstrap-api.jar  to /opt/phoenix/config/JBoss/
7.0 No copying is necessary
7.1 Copy ${JBoss_Home}/bin/client/jboss-client.jar  to /opt/phoenix/config/JBoss/

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for JBOSS Metrics

<134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[appServerState]=STARTED,[freeMemKB]=264776,[freeSwapMemKB]=1427864,[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83,[swapMemTotalMB]=8189,[virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048,[heapCommitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=107264,[nonHeapUtil]=99

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[webContextRoot]=//localhost/,[webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=10472,[startTime]=1353919592,[cookiesAllowed]=true,[cachingAllowed]=true,[linkingAllowed]=false,[crossContextAllowed]=true

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[webAppName]=//localhost/admin-console,[servletName]=Faces Servlet,[totalRequests]=6,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=10610

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[dataSource]=DefaultDS,[dataSourceState]=Started

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[reqProcessorName]=ajp-0.0.0.0-8009,[recvBytes]=0,[sentBytes]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[totalRequests]=0,[reqRate]=0,[reqErrors]=0

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final “Neo”,[ejbComponentName]=ejbjar.jar,[ejbBeanName]=HelloWorldBeanRemote,[ejbAvailCount]=0,[ejbCreateCount]=0,[ejbCurrCount]=0,[ejbMaxCount]=0,[ejbRemovedCount]=0,[ejbInstanceCacheCount]=null,[ejbPassivations]=null,[ejbTotalInstanceCount]=null

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final
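The following is an added example, not FortiSIEM/AccelOps code, of consuming the PH_DEV_MON_* events shown above (and the WebLogic events of the same layout later on this page): it parses the syslog PRI and header, takes the event type from the first bracketed token, splits the [key]=value pairs only at commas that precede another [key]= token (so values containing spaces or commas, such as the WebLogic appVersion string, survive), converts numeric values, and then applies simple health checks. The sample lines are constructed from the events on this page; the utilisation limits and the set of healthy server states are this example's assumptions, not FortiSIEM rule defaults.

```python
"""Parse PH_DEV_MON_* JMX metric events and flag unhealthy values.

Added example; not FortiSIEM/AccelOps code.  Layout as on this page: syslog
PRI and header, the event type as the first [...] token, then comma-separated
[key]=value pairs.  Values may contain spaces and commas, so pairs are split
only at a comma that is followed by another [key]= token.
"""
from __future__ import annotations

import re

# Constructed samples shaped like the JBoss and WebLogic events on this page.
SAMPLE_JBOSS_CPU = (
    "<134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:"
    "[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,"
    "[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final \u201cNeo\u201d,"
    "[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2"
)
SAMPLE_JBOSS_MEMORY = (
    "<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:"
    "[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,"
    "[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final \u201cNeo\u201d,"
    "[appServerState]=STARTED,[freeMemKB]=264776,[freeSwapMemKB]=1427864,"
    "[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83,[swapMemTotalMB]=8189,"
    "[virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048,"
    "[heapCommitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,"
    "[nonHeapMaxKB]=311296,[nonHeapCommitKB]=107264,[nonHeapUtil]=99"
)
SAMPLE_WEBLOGIC_GEN = (
    "<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_GEN]:"
    "[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,"
    "[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,"
    "[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,"
    "[appServerInstance]=examplesServer,[appServerState]=RUNNING,"
    "[sysUpTime]=1358476145,[appPort]=7001,[sslListenPort]=7002,"
    "[listenPortEnabled]=true,[sslListenPortEnabled]=true"
)

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<reporter>\S+) (?P<tag>[^\s:]+): \[(?P<event_type>[A-Z0-9_]+)\]:(?P<kv>.*)$"
)
PAIR_SPLIT_RE = re.compile(r",(?=\[[A-Za-z0-9_]+\]=)")
PAIR_RE = re.compile(r"^\[(?P<key>[A-Za-z0-9_]+)\]=(?P<value>.*)$")

# Assumed limits (percent) and healthy states; tune to the environment.
UTIL_LIMITS = {"cpuUtil": 90, "memUtil": 90, "swapMemUtil": 80,
               "heapUtil": 85, "nonHeapUtil": 95}
HEALTHY_STATES = {"STARTED", "RUNNING"}


def parse_ph_event(line: str) -> dict:
    """Parse one PH_DEV_MON_* line into header fields plus typed attributes."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a PH_DEV_MON event line")
    attrs = {}
    for pair in PAIR_SPLIT_RE.split(m.group("kv")):
        pm = PAIR_RE.match(pair.strip())
        if not pm:
            raise ValueError(f"malformed key/value pair: {pair!r}")
        raw = pm.group("value").strip()
        attrs[pm.group("key")] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # <134> -> 16 (local0)
        "severity": pri & 7,    # <134> -> 6 (informational)
        "timestamp": m.group("ts"),
        "reporter": m.group("reporter"),
        "event_type": m.group("event_type"),
        "attrs": attrs,
    }


def evaluate(event: dict) -> list:
    """Return findings for one parsed event; an empty list means healthy."""
    findings = []
    a = event["attrs"]
    state = a.get("appServerState")
    if state is not None and state not in HEALTHY_STATES:
        findings.append(f"{event['event_type']}: appServerState={state}")
    for key, limit in UTIL_LIMITS.items():
        value = a.get(key)
        if isinstance(value, int) and value > limit:
            findings.append(f"{event['event_type']}: {key}={value} exceeds {limit}%")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_JBOSS_CPU, SAMPLE_JBOSS_MEMORY, SAMPLE_WEBLOGIC_GEN):
        ev = parse_ph_event(sample)
        print(ev["event_type"], ev["attrs"].get("hostName"), evaluate(ev) or "ok")
```

With the assumed limits, the JBoss memory event above yields three findings (memUtil 94, swapMemUtil 83 and nonHeapUtil 99 are over their limits) while the CPU and WebLogic events are healthy; the split-on-lookahead is what keeps the WebLogic appVersion value intact despite its embedded spaces and trailing comma.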

FortiSIEM Oracle WebLogic Configuration

Oracle WebLogic Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
JMX   Generic information: Application version, Application port, SSL listen port, Listen port enabled flag, SSL listen port enabled

Availability metrics: Uptime, Application Server State

Memory metrics: Total memory, Free memory, Used memory, Memory utilization, Heap utilization, Heap used memory, Heap max memory,  Heap commit memory, Total nursery memory

Servlet metrics: Application name, App server instance, Web application name, Web context name, Servlet name, Invocation count, Servlet execution time

Database pool metrics: Application name, App server instance, Data source, Active connection count, Connection limit, Leaked connections, Reserve requests, Requests wait for connections

Thread pool metrics: App server instance, Completed requests, Execute threads, Pending requests, Standby threads, Total threads

EJB metrics: EJB component name, EJB state, EJB idle beans, EJB used beans, EJB pooled beans, EJB Waiter threads, EJB committed Transactions, EJB timedout transactions, EJB rolledback transactions, EJB activations, EJB Passivations, EJB cache hits, EJB cache misses, EJB cache accesses, EJB cache hit ratio

Application level metrics: Application name, App server instance, Web application name, Web context root, Peak active sessions, Current active sessions, Total active sessions, Servlet count, Single threaded servlet pool count,

Performance Monitoring

Event Types

In CMDB > Event Types, search for “WebLogic” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “WebLogic” in the Name column to see the reports associated with this application or device.

Configuration

JMX

Enable and Configure Internet Inter-ORB Protocol (IIOP)

  1. Log into the administration console of your WebLogic application server.
  2. In the Change Center of the administration console, click Lock & Edit.
  3. In the left-hand navigation, expand Environment and select Servers.
  4. Click the Protocols tab, then select IIOP.
  5. Select Enable IIOP.
  6. Expand the Advanced section.
  7. For Default IIOP Username and Default IIOP Password, enter the username and password that you will use as the access credentials when configuring AccelOps to communicate with your application server.

Enable IIOP Configuration Changes

  1. Go to the Change Center of the administration console.
  2. Click Activate Changes.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for WebLogic Metrics

<134>Jan 22 02:12:20 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appServerState]=RUNNING,[sysUpTime]=1358476145,[appPort]=7001,[sslListenPort]=7002,[listenPortEnabled]=true,[sslListenPortEnabled]=true

<134>Jan 22 02:12:20 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB]=153128,[heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMaxKB]=524288,[usedMemKB]=4086224,[freeMemKB]=107624,[memTotalMB]=4095,[memUtil]=97,[nurserySizeKB]=88324

<134>Jan 22 02:12:22 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appName]=consoleapp,[webAppName]=examplesServer_/console,[servletName]=/framework/skeletons/wlsconsole/placeholder.jsp,[webContextRoot]=/console,[invocationCount]=1094,[servletExecutionTimeMs]=63

<134>Jan 22 02:15:24 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSource]=examples-demoXA-2,[activeConns]=0,[connLimit]=1,[leakedConns]=0,[reserveRequests]=0,[waitForConnReqs]=0

<134>Jan 22 02:12:20 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[completedRequests]=14066312,[executeThreads]=7,[pendingRequests]=0,[standbyThreads]=5,[totalThreads]=43

<134>Jan 22 02:12:20 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[ejbComponentName]=ejb30,[ejbIdleBeans]=0,[ejbUsedBeans]=0,[ejbPooledBeans]=0,[ejbWaiter]=0,[ejbCommitTransactions]=0,[ejbTimedOutTransactions]=0,[ejbRolledBackTransactions]=0,[ejbActivations]=0,[ejbPassivations]=0,[ejbCacheHits]=0,[ejbCacheMisses]=0,[ejbCacheAccesses]=0,[ejbCacheHitRatio]=0

<134>Jan 22 02:12:23 10.1.2.16 java:
[PH_DEV_MON_WEBLOGIC_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appName]=webservicesJwsSimpleEar,[webAppName]=examplesServer_/jws_basic_simple,[webContextRoot]=/jws_basic_simple,[activeSessions]=0,[activeSessionsPeak]=0,[activeSessionTotal]=0,[numServlet]=4,[singleThreadedServletPool]=5

FortiSIEM Microsoft ASP.NET Configuration

Microsoft ASP.NET Configuration

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

Enable DCOM Permissions for the Monitoring Account

Creating a User Who Belongs to the Domain Administrator Group

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

Enable the Monitoring Account to Access the Monitored Device

Enable DCOM Permissions for the Monitoring Account

Enable Account Privileges in WMI

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

Sample Event for ASP.NET Metrics

What is Discovered and Monitored

Protocol: WMI
Information discovered: none listed
Metrics collected: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests, Queued requests
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “asp.net” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “asp.net” in the Name column to see the reports associated with this application or device.

Configuration

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Defaults.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections Enable Account Privileges in WMI and Allow WMI to Connect Through the Windows Firewall in the Domain Administrator user setup instructions below for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for ASP.NET Metrics

Oracle GlassFish Server Configuration

JMX

What is Discovered and Monitored

Protocol: JMX
Information discovered: none listed
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: CPU utilization
  Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
  Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Avg Request Processing time
  Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
  Database metrics: Data source
  Thread pool metrics: Current live threads, Max live threads
  Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Total requests, Average Request Process time, Max Request Processing time, Request Rate, Request Errors, Max open connections, Current open connections, Last Request URI, Last Request method, Last Request completion time
  Application level metrics: Cache TTL, Max cache size, Average request processing time, App server start time, Cookies allowed flag, Caching allowed flag, Linking allowed flag, Cross Context Allowed flag
  EJB metrics: EJB component name, EJB state, EJB start time
  Connection metrics: Request processor name, HTTP status code, HTTP total accesses
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “glassfish” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “glassfish” in the Name column to see the reports associated with this application or device.

Configuration

JMX

  1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the jmx-connector node of the file ${GlassFish_Home}\domains\${Domain_Name}\config\domain.xml.
  2. The username and password for JMX are the same as the web console.

You can now configure AccelOps to communicate with your Oracle GlassFish device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=,[webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=0,[startTime]=1358755971,[cookiesAllowed]=true,[cachingAllowed]=false,[linkingAllowed]=false,[crossContextAllowed]=true

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[sysUpTime]=35266,[cpuUtil]=60

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[freeMemKB]=479928,[freeSwapMemKB]=6289280,[memTotalMB]=16051,[memUtil]=98,[swapMemUtil]=1,[swapMemTotalMB]=6142,[virtMemCommitKB]=4025864,[heapUsedKB]=1182575,[heapMaxKB]=3106432,[heapCommitKB]=3106432,[heapUtil]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=277120,[nonHeapUtil]=69

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextPath]=/__JWSappclients,[activeSessionsPeak]=0,[duplicateSession]=0,[activeSessions]=0,[expiredSession]=0,[rejectedSession]=0,[sessionProcessTimeMs]=85,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webAppName]=phoenix,[webAppState]=RUNNING,[servletName]=DtExportServlet,[totalRequests]=0,[reqErrors]=0,[reqProcessTimeAvg]=0

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccesses]=0

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[ejbComponentName]=phoenix-domain-1.0.jar,[ejbState]=RUNNING,[startTime]=1358755963,

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[jmsSource]=jms/RequestQueue

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalRequests]=0,[reqRate]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpenConnections]=0,[lastRequestURI]=null,[lastRequestMethod]=null,[lastRequestCompletionTime]=0,[openConnectionsCount]=0,[reqErrors]=0

<134>Jan 22 02:00:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[liveThreads]=106,[liveThreadsMax]=138

<134>Jan 22 02:06:29 10.1.2.201 java:
[PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.

Configuring Applications

This section describes how to configure applications for discovery and for providing information to AccelOps.

What is Discovered and Monitored

Protocol: JMX
Information discovered: none listed
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: CPU utilization
  Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
  Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Load time, Avg Request Processing time
  Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
  Database metrics: Web context path, Data source, Database driver, Peak active sessions, Current active sessions, Peak idle sessions, Current idle sessions
  Thread pool metrics: Thread pool name, Application port, Total threads, Busy threads, Keep alive threads, Max threads, Thread priority, Thread pool daemon flag
  Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Average Request Process time, Max Request Processing time, Request Rate, Request Errors
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “tomcat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “tomcat” in the Name column to see the reports associated with this application or device.

Configuration

JMX

  1. Add the necessary parameters to the Tomcat startup script.

Windows

Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these arguments for the JVM before the comment rem ---- Execute The Requested Command ----

Linux

Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these arguments for the JVM before the comment # ---- Execute

  2. Edit the password file jmxremote.password. The first column is the user name and the second column is the password. AccelOps only needs monitor access.

  3. In Linux, set permissions for the access and jmxremote.password files so that they are read-only and accessible only by the Tomcat operating system user.
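The three steps above, carried out on Linux as an added POSIX shell example (this is not code from the FortiSIEM page or from Tomcat's own scripts). It assumes the two credential files live in ${CATALINA_BASE}/conf under the names jmxremote.password and jmxremote.access, which are the files the JDK's standard com.sun.management.jmxremote.* properties point at; the user name "aomon", the sample password and the port 9218 (the destDevPort in the Tomcat sample events below) are constructed values.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM page or Tomcat): creates the JMX
# credential files that steps 2 and 3 describe and prints the JVM arguments
# that step 1 asks you to add to catalina.sh.
# Assumed names: ${CATALINA_BASE}/conf/jmxremote.password and
# ${CATALINA_BASE}/conf/jmxremote.access.

# Writes "<user> <password>" and "<user> readonly" for the monitoring account.
# AccelOps only needs monitor (read-only) access, so "readwrite" is never used.
write_jmx_auth_files() {
    conf_dir="$1"; monitor_user="$2"; monitor_pass="$3"
    mkdir -p "$conf_dir"
    umask 077                                   # new files are owner-only
    printf '%s %s\n' "$monitor_user" "$monitor_pass" > "$conf_dir/jmxremote.password"
    printf '%s readonly\n' "$monitor_user"          > "$conf_dir/jmxremote.access"
    # The JVM refuses to start remote JMX when the password file is readable
    # by anyone other than its owner, so make the mode explicit as well.
    chmod 600 "$conf_dir/jmxremote.password" "$conf_dir/jmxremote.access"
}

# Prints the JVM options to add to CATALINA_OPTS before the
# "# ----- Execute The Requested Command" comment in catalina.sh.
# $3 selects SSL on the JMX connector; keep it "true" outside a lab, because
# with "false" the monitoring credentials cross the network in clear text.
jmx_catalina_opts() {
    conf_dir="$1"; port="$2"; ssl="${3:-true}"
    printf '%s' "-Dcom.sun.management.jmxremote"
    printf ' %s' "-Dcom.sun.management.jmxremote.port=$port"
    printf ' %s' "-Dcom.sun.management.jmxremote.authenticate=true"
    printf ' %s' "-Dcom.sun.management.jmxremote.password.file=$conf_dir/jmxremote.password"
    printf ' %s' "-Dcom.sun.management.jmxremote.access.file=$conf_dir/jmxremote.access"
    printf ' %s\n' "-Dcom.sun.management.jmxremote.ssl=$ssl"
}

# Prints the role a user has in jmxremote.access ("readonly"/"readwrite");
# returns 1 when the user is not listed at all.
jmx_access_level() {
    awk -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }' "$2"
}

# Returns 0 only when both files are mode 600, as step 3 requires.
jmx_files_are_private() {
    for f in "$1/jmxremote.password" "$1/jmxremote.access"; do
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        [ "$mode" = "600" ] || return 1
    done
    return 0
}

# Stand-alone run: build the files in a scratch directory and show the options.
if [ "${1:-}" = "demo" ]; then
    demo_dir=$(mktemp -d)
    write_jmx_auth_files "$demo_dir/conf" aomon 'sample-password-change-me'  # constructed credentials
    cat "$demo_dir/conf/jmxremote.access"
    jmx_catalina_opts "$demo_dir/conf" 9218
    rm -rf "$demo_dir"
fi
```

Run it as `sh jmx-setup.sh demo` to see the access file and the option string; in a real deployment point conf_dir at ${CATALINA_BASE}/conf and paste the printed options into CATALINA_OPTS. The access file is what enforces "monitor access only": even if the password leaks, a readonly JMX user cannot invoke MBean operations.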

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for Tomcat Metrics

<134>Jan 22 01:57:32 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0

<134>Jan 22 01:57:32 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504,[freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900,[memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896,[heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512,[nonHeapUtil]=91

<134>Jan 22 01:57:33 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webAppName]=//localhost/host-manager,[servletName]=HTMLHostManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED

<134>Jan 22 01:57:33 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0,[activeSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession]=0,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs]=0,[sessionCreateRate]=0,[sessionExpireRate]=0,[webAppState]=STARTED,[processExpiresFrequency]=6,[maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 01:57:33 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[dataSource]="jdbc/postgres 1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20,[activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0

<134>Jan 22 01:57:33 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009,[appPort]=18009,[totalThreads]=0,[busyThreads]=0,[keepAliveThreads]=0,[maxThreads]=200,[threadPriority]=5,[threadPoolIsDaemon]=true

<134>Jan 22 01:57:33 10.1.2.16 java:
[PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache
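The WebLogic, GlassFish and Tomcat sample events above all share one body layout: a syslog header, then "[EVENT_TYPE]:" followed by comma-separated "[key]=value" pairs. As an added example (not code from the FortiSIEM page or product), the POSIX shell script below parses that layout and runs two checks a SOC might apply to the stream: heap pressure on any *_MEMORY event and pool exhaustion on *_DB_POOL events. The three sample lines are constructed from the page's WebLogic and Tomcat events; the second and third lines have their heap and connection-pool numbers changed so that the checks fire, and the alert thresholds are my own choice.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM page or product): parser and two
# detection checks for PH_DEV_MON_* key/value events.

# Constructed sample input, derived from the page's sample events. Line 2
# (Tomcat) has heapUtil raised to 95 and line 3 (WebLogic) has leaked and
# waiting connections added so that both checks below have something to find.
SAMPLE_EVENTS=$(cat <<'EOF'
<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB]=153128,[heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMaxKB]=524288,[memUtil]=97
<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[heapUsedKB]=885491,[heapMaxKB]=932096,[heapCommitKB]=932096,[heapUtil]=95,[memUtil]=98
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSource]=examples-demoXA-2,[activeConns]=1,[connLimit]=1,[leakedConns]=2,[reserveRequests]=5,[waitForConnReqs]=3
EOF
)

# Prints the event type: the PH_... token inside "[...]:" at the start of the body.
ph_event_type() {
    printf '%s\n' "$1" | sed -n 's/.*\[\(PH_[A-Z0-9_]*\)]:.*/\1/p'
}

# Prints the value of one attribute. A value runs up to the next ",[" or the
# end of the line, so values containing spaces (appVersion) survive intact.
# Prints nothing when the attribute is absent.
ph_attr() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2]=//p" | sed 's/,\[.*//'
}

# Heap-pressure check for any *_MEMORY event (WebLogic, Tomcat and GlassFish
# all report heapUtil as a percentage). Prints an alert and returns 0 when
# heapUtil >= threshold; returns 1 otherwise or for other event types.
heap_alert() {
    line="$1"; threshold="$2"
    case "$(ph_event_type "$line")" in *_MEMORY) ;; *) return 1 ;; esac
    util=$(ph_attr "$line" heapUtil)
    [ -n "$util" ] && [ "$util" -ge "$threshold" ] || return 1
    printf 'HEAP type=%s host=%s port=%s heapUtil=%s%%\n' \
        "$(ph_event_type "$line")" "$(ph_attr "$line" hostName)" \
        "$(ph_attr "$line" destDevPort)" "$util"
}

# Pool-exhaustion check for *_DB_POOL events: leaked connections or callers
# waiting for a connection both mean the pool is being drained.
pool_alert() {
    line="$1"
    case "$(ph_event_type "$line")" in *_DB_POOL) ;; *) return 1 ;; esac
    leaked=$(ph_attr "$line" leakedConns); waiting=$(ph_attr "$line" waitForConnReqs)
    [ "${leaked:-0}" -gt 0 ] || [ "${waiting:-0}" -gt 0 ] || return 1
    printf 'POOL host=%s dataSource=%s leaked=%s waiting=%s\n' \
        "$(ph_attr "$line" hostName)" "$(ph_attr "$line" dataSource)" "$leaked" "$waiting"
}

# Runs both checks over every sample line; prints one alert line per hit.
# $1 = heapUtil threshold in percent.
scan_events() {
    printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
        heap_alert "$line" "$1" || pool_alert "$line" || true
    done
}

# Number of alerts raised for a given heap threshold.
count_alerts() {
    scan_events "$1" | grep -c .
}

if [ "${1:-}" = "demo" ]; then
    scan_events 90
fi
```

Run as `sh ph-events.sh demo`; with the constructed input it prints one HEAP line for the Tomcat event and one POOL line for the WebLogic pool event. To use it on real traffic, replace SAMPLE_EVENTS with the lines your collector writes (the page's events are syslog, so a file fed by a syslog receiver works unchanged); only the "[key]=value" body format is relied on.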

IBM WebSphere Configuration

What is Discovered and Monitored

Install the perfServletApp Application

Configure Security for the Application

Start the Application

Settings for Access Credentials

Protocol: HTTP / HTTP(S)
Information discovered: none listed
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: Application server instance, CPU utilization
  Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory
  Servlet metrics: Application name, Web application name, Servlet Name, Invocation count
  Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
  Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
  Transaction metrics: Application server instance, Active Transaction, Committed Transaction, Rolled back Transaction
  Authentication metrics: Application name, Application server instance, Authentication Method, Count
Used for: Performance Monitoring

Protocol: JMX
Information discovered: none listed
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: Application server instance, CPU utilization
  Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk
  Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors
  Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
  Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
  Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions
  EJB metrics: Application name, Application server instance, EJB component name
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: none listed
Metrics collected: none listed
Used for: Log analysis

Event Types

In CMDB > Event Types, search for “websphere” in the Description column to see the event types associated with this device.

PH_DEV_MON_WEBSPHERE_CPU (from HTTPS)

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “websphere” in the Name column to see the reports associated with this device.

Configuration

HTTP(S)

Install the perfServletApp Application

  1. Log in to your Websphere administration console.
  2. Go to Applications > Application Types > WebSphere enterprise application.
  3. Click Install.
  4. Select Remote file system and browse to {WebSphere_Home}/AppServer/installableApps/PerfServletApp.ear.
  5. Click Next.

The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation.

Configure Security for the Application

  1. Go to Security > Global Security.
  2. Select Enable application security.
  3. Go to Applications > Application Types > Websphere Enterprise Applications.
  4. Select perfServletApp.
  5. Click Security role to user/group mapping.
  6. Click Map Users/Groups.
  7. Use the Search feature to find and select the AccelOps user you want to provide with access to the application.
  8. Click Map Special Subjects.
  9. Select All Authenticated in Application’s Realm.
  10. Click OK.

Start the Application

  1. Go to Applications > Application Types > WebSphere enterprise application.
  2. Select perfServletApp.
  3. Click Start.
  4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet.

JMX

Configuring the Default JMX Port

By default, your Websphere application server uses port 8880 for JMX. You can change this by logging in to your application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ADDRESS. The username and password for JMX are the same as the credentials logging into the console.

To configure JMX communications between your Websphere application server and AccelOps, you need to copy several files from your application server to the Websphere configuration directory for each AccelOps virtual appliance that will be used for discovery and performance monitoring jobs. AccelOps does not include these files because of licensing restrictions.

  1. Copy these files to the directory /opt/phoenix/config/websphere/ for each Supervisor, Worker, and Collector in your AccelOps deployment.

File Type: Client Jars
  a. ${WebSphere_Home}/AppServer/runtimes/com.ibm.ws.admin.client.jar
  b. ${WebSphere_Home}/AppServer/plugins/com.ibm.ws.security.crypto.jar

File Type: SSL files
  a. ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientKeyFile.jks
  b. ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientTrustFile.jks

  2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java for each Supervisor, Worker, and Collector in your AccelOps deployment.

You can now configure AccelOps to communicate with your IBM Websphere device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring FortiSIEM Windows Agents

This section describes how to set up the FortiSIEM Windows Agent and Agent Manager as part of the FortiSIEM infrastructure.

Configure FortiSIEM Supervisor

Register Windows Agent Manager to FortiSIEM Supervisor

Configure Windows Agent Manager

License and Template Assignments in Agent Manager via Export/Import

Verify Events in FortiSIEM

Sample logs generated by FortiSIEM Windows Agents

Windows System logs

Windows Application logs

Windows Security logs

Windows DNS logs

Windows DHCP logs

Windows IIS logs

Windows DFS logs

Windows file content monitoring logs

Windows File integrity monitoring logs

Windows Installed Software logs

Windows Registry change logs

Windows WMI logs

Windows Powershell logs

Procedure

Configure FortiSIEM Supervisor

  1. Go to Admin > License Management and make sure that there are entries for Basic and Advanced Windows Agents.
  2. Go to Admin > Setup Wizard and add Agent Managers.
    a. Click the Windows Agents tab.
    b. Click Add and enter information for a Windows Agent Manager. This information will be used by the Agent Manager to register to FortiSIEM.
      i. Enter Agent Manager Name.
      ii. Enter the number of Basic Agents and Advanced Agents assigned to this Agent Manager.
      iii. Enter the Start Time and End Time for license validity.
      iv. Choose Event Upload Destination; this is where the Agent Manager will upload events to.
        • Select the Organization (Super for the Enterprise version and a specific Organization for the Service Provider version).
        • Select one or more Collectors belonging to the selected organization.
      v. Click OK to Save.

Register Windows Agent Manager to FortiSIEM Supervisor

  1. Log on to Windows Agent Manager
  2. Launch FortiSIEM Windows Agent Manager application
  3. Log on to the FortiSIEM Windows Agent Manager application using User ID and Password created during setup
  4. Register the Windows Agent Manager to FortiSIEM
    1. Enter Supervisor IP/Host
    2. Enter Agent Manager Name – this is defined in Step 2.b.i in Configure FortiSIEM Supervisor step
    3. Enter Organization Name – this is defined in Step 2.b.iv in Configure FortiSIEM Supervisor step
    4. Enter Organization User and Organization Password as the Organization's credentials defined when the Organization was created in Admin > Setup Wizard.
  5. Click Register. If registration is successful, then Windows Agent Manager Dashboard page is displayed. All the installed agents show up in this page with Current Status as Running.

Configure Windows Agent Manager

Starting with Release 2.1, Agents send events directly to Collectors. Agents send events to any collector they choose; if a particular collector is not responsive, the Agent will send to the other available collectors. Before Release 2.1, Agents sent events to Collector(s) via the Windows Agent Manager.

  1. Go to Dashboard and make sure that it displays all Windows Servers with FortiSIEM agents installed.
  2. Create a Monitoring Template
    a. Go to Template Settings. Click on + to expand the options.
    b. Click Create Template.
      i. Enter a template name and description. Click Settings.
      ii. Specify options for each monitoring category:

Category: File/Folder Changes
Description: Monitor access and changes to files and folders
Settings:
  • Click New.
  • Enter the full path of the File/Folder to be monitored.
  • Select Include Subfolder(s) if the folders under the main directory need to be monitored.
  • Narrow down the scope by specifying either Include or Exclude files. The chosen files/directories will be displayed.
  • Note: To get User information, you have to do some special configuration in Windows Agents as defined in Step 2 of Pre-requisites in Installing FortiSIEM Windows Agent.

Category: Registry Changes
Description: Monitor changes to the root keys of the Windows Registry hive
Settings:
  • Select the root keys (available keys are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG).
  • Set the time interval for how often the Agent will check for changes. Shorter intervals use more CPU.

Category: Installed Software
Description: Monitor software install / uninstall on a Windows server
Settings:
  • Select Product Name, Version and Vendor to be included in an event when a change is detected.

Category: Logs
Description: Collect System/Security/Application logs and specific application logs
Settings:
  • Check System if you want to collect Windows System logs. Specify include/exclude event IDs.
  • Check Security if you want to collect Windows Security logs. Specify include/exclude event IDs.
  • Check DNS if you want to collect Windows DNS logs. Specify include/exclude event IDs.
  • Check DFS if you want to collect Windows DFS logs. Specify include/exclude event IDs.
  • Check Application if you want to collect Windows Application logs. Specify include/exclude event IDs.
  • Check IIS if you want to collect Windows IIS logs. Specify include/exclude event IDs.
  • Check DHCP if you want to collect Windows DHCP logs. Specify include/exclude event IDs.
  • Check User Logs and specify the file(s) you want monitored. Any time the file changes, a log will be generated.

Category: WMI Classes
Description: Run a WMI command and collect its output
Settings:
  • Select Category and then select the class.
  • Select WMI Class Attributes.
  • Specify how often the command needs to run.
  • Note: you may need to write a parser in FortiSIEM to get accurate attribute-based reporting.

Category: Powershell Script
Description: Run a Powershell command and send its output
Settings:
  • Enter a Powershell script.
  • Specify how often the Powershell script needs to run.
  • Note: you may need to write a parser in FortiSIEM to get accurate attribute-based reporting.

      iii. Click Apply to save the template.
      iv. Click Save.

  3. Associate Windows Computers with the proper license, one or more Templates (starting with release 2.0) and one or more Collectors (starting with release 2.1)
    a. Click Associate License / Templates.
    b. Click Search to find the list of computers to apply the license/templates to
      i. Choose Simple or Advanced
      ii. For Simple mode
        1. Select the field to Search in. Possible choices are Computer, OS, License Type, Template Name.
        2. Type in the string to search for in the adjacent edit box.
        3. Click Find.
        4. The list of matched computers will be displayed in the area below the Search box.
        5. Select the Computers to which license/templates would be assigned
          a. Select the header checkbox to select/unselect all
          b. Individually select/unselect the computers if needed
      iii. For Advanced mode
        1. For searching by computer names, type the search text next to Computer.
        2. For searching by OS names, type the search text next to OS.
        3. For searching by License Types, select the desired license type from the drop down.
        4. For searching by Template Names, do one of the following.
          a. For exact template name matches, set Templates to 'Specified from' and select one or more templates from the next drop down and select the operator: AND or OR
          b. For searching template names, set Templates to 'Specified in' and type the search string
        5. Click Find.
        6. The list of matched computers will be displayed in the area below the Search box.
        7. Select the Computers to which license/templates would be assigned
          a. Select the header checkbox to select/unselect all
          b. Individually select/unselect the computers if needed
    c. Make sure the list of computers in view are correct for the license/template assignment and are checked.
    d. Click Assign
      i. License Assignment
        • Select License Type: Basic or Advanced or None
        • Click Assign
      ii. Template Assignment
        • Select Template(s) from the drop down list
        • Click Validate
        • Click Assign. The display would reflect the assignment.
        • Click Unassign to remove the template from the computer. The display would reflect the modification.
      iii. Collector Assignment
        • Select Collector and then choose a set of Collectors from the drop down
        • Click Associate to assign the collectors to the Computers. The display would reflect the assignment.
        • Click Dissociate to remove the collectors from the computer. The display would reflect the modification.
        • Click Associate remaining to assign the remaining collectors to the Computers
    e. Click Close

License and Template Assignments in Agent Manager via Export/Import

  1. Log on to Agent Manager
  2. Go to Dashboard and make sure that the Agents are showing up
  3. Click Export. A list of each Agent's Computer name, Assigned license and Assigned template will be exported to a CSV formatted file named 'ExportedAgentAssociation.csv' in the directory ProgramData\AccelOps\
  4. Edit the CSV file to associate the right license type and monitoring template to each computer. Do not add any new computer or edit computer entries; every computer known to the Agent Manager is already present in the CSV file.
  5. Click Import and choose the CSV file in the Open File dialog
  6. Once Import finishes, a dialog will tell you the number of records processed and successfully updated.
  7. Click Assign Licenses to Computers to see the License assignments
  8. Click Associate Computers with Templates to see Template assignments
  9. Any warnings during import operations will be recorded in a <CSVFilename>-<Date>-<Time>.log file in the directory ProgramData\AccelOps\
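Step 4 of the export/import procedure has two constraints that are easy to break in a spreadsheet editor: no computer may be added or removed, and only the license and template columns may change. The following Python script is an added example (not FortiSIEM's or the Agent Manager's own code) that checks an edited CSV against the original export before you click Import. The column headers Computer, License and Template, the function names, and the sample rows are this example's assumptions; the page only says the export carries the computer name, assigned license and assigned template, so match the header names to your real ExportedAgentAssociation.csv first.

```python
import csv
import io
from typing import Dict, List, Tuple

# Header names are an assumption: the page only says the export holds each agent's
# computer name, assigned license and assigned template. Match them to the real
# header of ExportedAgentAssociation.csv before use.
COMPUTER_COL, LICENSE_COL, TEMPLATE_COL = "Computer", "License", "Template"
VALID_LICENSES = {"Basic", "Advanced", "None"}       # the three choices the UI offers


def load_assignments(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the rows by computer name so the exported and edited files can be compared."""
    return {row[COMPUTER_COL].strip(): row for row in csv.DictReader(io.StringIO(csv_text))}


def validate_edited_export(original_text: str, edited_text: str) -> List[str]:
    """Return the problems that would make the edited CSV unsafe to import; [] means clean.

    Enforces the rules from the procedure: no computer added or removed, no column
    other than license/template touched, and every license is Basic, Advanced or None.
    """
    original = load_assignments(original_text)
    edited = load_assignments(edited_text)
    problems = [f"new computer added: {n}" for n in sorted(set(edited) - set(original))]
    problems += [f"computer removed: {n}" for n in sorted(set(original) - set(edited))]
    for name in sorted(set(original) & set(edited)):
        before, after = original[name], edited[name]
        if after[LICENSE_COL].strip() not in VALID_LICENSES:
            problems.append(f"{name}: unknown license type {after[LICENSE_COL]!r}")
        for col in before:
            if col not in (LICENSE_COL, TEMPLATE_COL) and before[col] != after.get(col):
                problems.append(f"{name}: column {col!r} changed from {before[col]!r} to {after.get(col)!r}")
    return problems


def assignment_changes(original_text: str, edited_text: str) -> List[Tuple[str, str, str, str]]:
    """List (computer, column, old, new) for every license/template change the import will apply."""
    original = load_assignments(original_text)
    edited = load_assignments(edited_text)
    changes = []
    for name in sorted(set(original) & set(edited)):
        for col in (LICENSE_COL, TEMPLATE_COL):
            if original[name][col] != edited[name][col]:
                changes.append((name, col, original[name][col], edited[name][col]))
    return changes


# Constructed sample files (not real exports); host names reuse the ones in this page's logs.
EXPORTED_CSV = """Computer,License,Template
WIN-2008-LAW-agent,None,
WIN-2008-249,None,
"""
EDITED_CSV = """Computer,License,Template
WIN-2008-LAW-agent,Advanced,Servers-Default
WIN-2008-249,Basic,
"""
BAD_EDIT_CSV = """Computer,License,Template
WIN-2008-LAW-agent,Premium,Servers-Default
NEW-HOST,Basic,
"""

if __name__ == "__main__":
    print("clean edit:", validate_edited_export(EXPORTED_CSV, EDITED_CSV))
    print("changes:", assignment_changes(EXPORTED_CSV, EDITED_CSV))
    print("bad edit:", validate_edited_export(EXPORTED_CSV, BAD_EDIT_CSV))
```

Run it with the original export and your edited copy; import only when the problem list is empty, and keep the change list with the import log so the licence changes can be reviewed afterwards.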

Verify Events in FortiSIEM

  1. Log on to FortiSIEM
  2. Go to Analytics > Historical Search.
  3. Select Filter Criteria: Structured
  4. Create the following condition: Raw Event Log CONTAIN AccelOps-WUA. Note that all event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
  5. Select the following Group By
    a. Reporting Device Name
    b. Reporting IP
  6. Select the following Display Fields:
    a. Reporting Device Name
    b. Reporting IP
    c. COUNT(Matched Events)
  7. Run the query for the last 15 minutes
  8. The Query will return all hosts that reported events in the last 15 minutes.
  9. To drill down further, add Event Type to both Group By and Display Fields. Then rerun the query.

Sample logs generated by FortiSIEM Windows Agents

FortiSIEM Windows Agent Manager generates Windows logs in an easy-to-analyze "attribute=value" style without losing any information. Each event is one line: a timestamp, the reporting host and IP, the event type (always prefixed AccelOps-WUA), and then a series of [attribute]="value" pairs.

Windows System logs

#Win-System-Service-Control-Manager-7036

Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:13:41" [deviceTime]="May 07 2015 10:13:41" [msg]="The Skype Updater service entered the running state."

Thu May 07 02:13:48 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="System" [eventSource]="Service Control Manager" [eventId]="7036" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:13:47" [deviceTime]="May 07 2015 10:13:47" [msg]="The Skype Updater service entered the stopped state."

Windows Application logs

#Win-App-MSExchangeServiceHost-2001

Thu May 07 03:05:42 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Application" [eventSource]="MSExchangeServiceHost" [eventId]="2001" [eventType]="Information" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:05:42" [deviceTime]="May 07 2015 11:05:42" [msg]="Loading servicelet module Microsoft.Exchange.OABMaintenanceServicelet.dll"

#MSSQL

#Win-App-MSSQLSERVER-17137

Thu May 07 03:10:16 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Application" [eventSource]="MSSQLSERVER" [eventId]="17137" [eventType]="Information" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:10:16" [deviceTime]="May 07 2015 11:10:16" [msg]="Starting up database 'model'."

Windows Security logs

#Win-Security-4624(Windows logon success)

Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" [eventType]="Audit Success" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:23:56" [deviceTime]="May 07 2015 10:23:56" [msg]="An account was successfully logged on." [[Subject]][Security ID]="S-1-0-0" [Account Name]="" [Account Domain]="" [Logon ID]="0x0" [Logon Type]="3" [[New Logon]][Security ID]="S-1-5-21-3459063063-1203930890-2363081030-500" [Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" [Logon GUID]="{00000000-0000-0000-0000-000000000000}" [[Process Information]][Process ID]="0x0" [Process Name]="" [[Network Information]][Workstation Name]="SP171" [Source Network Address]="10.1.2.171" [Source Port]="52409" [[Detailed Authentication Information]][Logon Process]="NtLmSsp" [Authentication Package]="NTLM" [Transited Services]="" [Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""
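The "attribute=value" layout described at the top of this section is simple to consume, but the Security sample above shows the one wrinkle a parser has to handle: the [[Subject]], [[New Logon]], [[Network Information]] and [[Detailed Authentication Information]] markers introduce groups in which attribute names repeat (Account Name appears under both Subject and New Logon), so a flat key/value split would silently overwrite the logged-on account with the empty Subject one. The following Python parser is an added example, not FortiSIEM's own parser (FortiSIEM parsers are defined on the Supervisor, as the template notes above say); the function names parse_wua_event and logon_summary and the section-prefixed key names are this example's own choices. The two sample lines embedded in it are the System 7036 and Security 4624 events from this page, joined back onto one line each.

```python
import re
from typing import Dict, Optional

# Event header: "<weekday> <month> <day> <HH:MM:SS> <year> <reporting host> <reporting IP> <event type>"
# followed by the attribute body. Layout taken from the samples on this page.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) (?P<ip>\S+) (?P<event_type>AccelOps-WUA-\S+)\s+(?P<body>.*)$",
    re.DOTALL,
)

# One token of the body: either a [[Section]] marker (used in Security events to group
# Subject / New Logon / Network Information ...) or a [key]="value" pair. Keys may
# contain spaces and parentheses ([Package Name (NTLM only)], [cs(User-Agent)]); a value
# runs to the next double quote, so brackets inside a value ("Renamed [New Name]") are harmless.
TOKEN_RE = re.compile(
    r'\[\[(?P<section>[^\]]+)\]\]|\[(?P<key>[^\[\]]+)\]="(?P<value>[^"]*)"'
)


def parse_wua_event(line: str) -> Dict[str, str]:
    """Turn one AccelOps-WUA event line into a flat dict.

    Keys that appear under a [[Section]] are prefixed with the section name
    ("New Logon.Account Name"): 4624 carries an Account Name both under Subject and
    under New Logon, and the two must not overwrite each other.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AccelOps-WUA event: {line[:60]!r}")
    event = {
        "timestamp": m.group("timestamp"),
        "reporting_host": m.group("host"),
        "reporting_ip": m.group("ip"),
        "event_type": m.group("event_type"),
    }
    section: Optional[str] = None
    for tok in TOKEN_RE.finditer(m.group("body")):
        if tok.group("section") is not None:
            section = tok.group("section").strip()
            continue
        key = tok.group("key").strip()          # DHCP samples have keys like "[ TransactionID]"
        event[f"{section}.{key}" if section else key] = tok.group("value")
    return event


def logon_summary(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """For a Security 4624 event, collect the fields an analyst checks first; None otherwise."""
    if event.get("eventId") != "4624":
        return None
    return {
        "account": event.get("New Logon.Account Name", ""),
        "domain": event.get("New Logon.Account Domain", ""),
        "logon_type": event.get("Subject.Logon Type", ""),
        "workstation": event.get("Network Information.Workstation Name", ""),
        "source_ip": event.get("Network Information.Source Network Address", ""),
        "auth_package": event.get("Detailed Authentication Information.Authentication Package", ""),
    }


# Samples copied from this page (System 7036 and Security 4624), joined back onto one line each.
SAMPLE_SYSTEM_7036 = (
    'Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog '
    '[monitorStatus]="Success" [eventName]="System" [eventSource]="Service Control Manager" '
    '[eventId]="7036" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" '
    '[user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:13:41" '
    '[deviceTime]="May 07 2015 10:13:41" [msg]="The Skype Updater service entered the running state."'
)

SAMPLE_SECURITY_4624 = (
    'Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog '
    '[monitorStatus]="Success" [eventName]="Security" '
    '[eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" '
    '[eventType]="Audit Success" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" '
    '[userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:23:56" '
    '[deviceTime]="May 07 2015 10:23:56" [msg]="An account was successfully logged on." '
    '[[Subject]][Security ID]="S-1-0-0" [Account Name]="" [Account Domain]="" [Logon ID]="0x0" '
    '[Logon Type]="3" [[New Logon]][Security ID]="S-1-5-21-3459063063-1203930890-2363081030-500" '
    '[Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" '
    '[Logon GUID]="{00000000-0000-0000-0000-000000000000}" '
    '[[Process Information]][Process ID]="0x0" [Process Name]="" '
    '[[Network Information]][Workstation Name]="SP171" [Source Network Address]="10.1.2.171" '
    '[Source Port]="52409" [[Detailed Authentication Information]][Logon Process]="NtLmSsp" '
    '[Authentication Package]="NTLM" [Transited Services]="" '
    '[Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""'
)

if __name__ == "__main__":
    for raw in (SAMPLE_SYSTEM_7036, SAMPLE_SECURITY_4624):
        ev = parse_wua_event(raw)
        print(ev["event_type"], ev["eventId"], ev["msg"])
        if logon_summary(ev):
            print("  logon:", logon_summary(ev))
```

The same parser works unchanged on the DNS, DHCP, IIS, DFS, FileMon, Registry and WMI samples further down, since they all share the header and the [key]="value" body; only the Security events use section markers. For 4624 the summary keeps Logon Type, source address and authentication package together, which is what a rule that watches for network (type 3) NTLM logons by built-in administrator accounts needs.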

Windows DNS logs

#DNS Debug Logs

#AO-WUA-DNS-Started

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:34:05 AM 20BC EVENT   The DNS server has started."

#AO-WUA-DNS-ZoneDownloadComplete

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:34:05 AM 20BC EVENT The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration."

#AO-WUA-DNS-A-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Rcv 10.1.20.232  0002   Q [0001   D   NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)"

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Snd 10.1.20.232     0002 R [8085 A DR  NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)"

#AO-WUA-DNS-PTR-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Rcv 10.1.20.232 0002   Q [0001   D   NOERROR] PTR    (3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)"

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS [monitorStatus]="Success" [msg]="5/7/2015 10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Snd 10.1.20.232     0002 R [8085 A DR  NOERROR] PTR    (3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)"

#DNS System Logs

#Win-App-DNS-2(DNS Server started)

Thu May 07 02:39:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DNS Server" [eventSource]="DNS" [eventId]="2" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 10:39:17" [deviceTime]="May 07 2015 10:39:17" [msg]="The DNS server has started."

#Win-App-DNS-3(DNS Server shutdown)

Thu May 07 02:39:16 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog

Windows DHCP logs

#AO-WUA-DHCP-Generic

Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="00" [Date]="05/07/15" [Time]="13:44:08" [Description]="Started" [IP Address]="" [Host Name]="" [MAC Address]="" [User Name]="" [ TransactionID]="0" [ QResult]="6" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-IP-ASSIGN

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="10" [Date]="05/07/15" [Time]="13:56:37" [Description]="Assign" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" [User Name]="" [ TransactionID]="2987030242" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-Generic(Release)

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="12" [Date]="05/07/15" [Time]="13:56:33" [Description]="Release" [IP Address]="10.1.2.124" [Host Name]="Agent-247.yj" [MAC Address]="000C2922118E" [User Name]="" [ TransactionID]="2179405838" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

#AO-WUA-DHCP-IP-LEASE-RENEW

Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP [monitorStatus]="Success" [ID]="11" [Date]="02/25/15" [Time]="10:53:19" [Description]="Renew" [IP Address]="10.1.2.123" [Host Name]="WIN-2008-249.yj" [MAC Address]="0050568F1B5D" [User Name]="" [ TransactionID]="1136957584" [ QResult]="0" [Probationtime]="" [ CorrelationID]="" [Dhcid.]=""

Windows IIS logs

 

#AO-WUA-IIS-Web-Request-Success

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:28" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/welcome.png" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="http://10.1.2.242/" [cs-host]="10.1.2.242" [sc-status]="200" [sc-substatus]="0" [sc-win32-status]="0" [sc-bytes]="185173" [cs-bytes]="324" [time-taken]="78" [site]="Default Web Site" [format]="W3C"

#AO-WUA-IIS-Web-Client-Error

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:44:37" [s-sitename]="W3SVC1" [s-computername]="WIN-2008-LAW-AG" [s-ip]="10.1.2.242" [cs-method]="GET" [cs-uri-stem]="/wrongpage" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.20.232" [cs-version]="HTTP/1.1" [cs(User-Agent)]="Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36" [cs(Cookie)]="-" [cs(Referer)]="-" [cs-host]="10.1.2.242" [sc-status]="404" [sc-substatus]="0" [sc-win32-status]="2" [sc-bytes]="1382" [cs-bytes]="347" [time-taken]="0" [site]="Default Web Site" [format]="W3C"

#AO-WUA-IIS-Web-Forbidden-Access-Denied

Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-IIS [monitorStatus]="Success" [date]="2015-05-07" [time]="03:30:15" [s-ip]="10.1.2.249" [cs-method]="POST" [cs-uri-stem]="/AOCACWS/AOCACWS.svc" [cs-uri-query]="-" [s-port]="80" [cs-username]="-" [c-ip]="10.1.2.42" [cs(User-Agent)]="-" [sc-status]="403" [sc-substatus]="4" [sc-win32-status]="5" [time-taken]="1" [site]="Default Web Site" [format]="W3C"

Windows DFS logs

#Win-App-DFSR-1002

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1002" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service is starting."

#Win-App-DFSR-1004

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1004" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:12" [deviceTime]="May 07 2015 11:01:12" [msg]="The DFS Replication service has started."

#Win-App-DFSR-1006

Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1006" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:10" [deviceTime]="May 07 2015 11:01:10" [msg]="The DFS Replication service is stopping."

#Win-App-DFSR-1008

Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="DFS Replication" [eventSource]="DFSR" [eventId]="1008" [eventType]="Information" [domain]="" [computer]="WIN-2008-LAW-agent" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="May 07 2015 11:01:11" [deviceTime]="May 07 2015 11:01:11" [msg]="The DFS Replication service has stopped."

Windows file content monitoring logs

Windows File integrity monitoring logs

#AO-WUA-FileMon-Added

Thu May 07 05:30:59 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:30:58" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Added" [hashCode]="d41d8cd98f00b204e9800998ecf8427e" [msg]=""

#AO-WUA-FileMon-Renamed-New-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:30:58" [fileName]="C:\\test\\test.txt" [osObjAction]="Renamed [New Name]" [hashCode]="d41d8cd98f00b204e9800998ecf8427e" [msg]=""

#AO-WUA-FileMon-Renamed-Old-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:01" [fileName]="C:\\test\\New Text Document.txt" [osObjAction]="Renamed [Old Name]" [hashCode]="" [msg]=""

#AO-WUA-FileMon-Modified

Thu May 07 05:31:14 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:13" [fileName]="C:\\test\\test.txt" [osObjAction]="Modified" [hashCode]="23acb5410a432f14b141656c2e70d104" [msg]=""

#AO-WUA-FileMon-Removed

Thu May 07 05:31:29 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-FileMon [monitorStatus]="Success" [userId]="Administrator" [eventTime]="May 07 2015 05:31:27" [fileName]="C:\\test\\test.txt" [osObjAction]="Removed" [hashCode]="" [msg]=""

 

Windows Installed Software logs

Windows Registry change logs

#AO-WUA-Registry-Modified

Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-Registry [monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentInde CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}" [regValueName]="TimeStamp" [regValueType]="1" [osObjAction]="Modified" [oldRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA" [newRegValue]="MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA"

#AO-WUA-Registry-Removed

Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Registry [monitorStatus]="Success" [regKeyPath]="HKLM\\SOFTWARE\\RegisteredApplications" [regValueName]="Sky
[regValueType]="1" [osObjAction]="Removed"
[oldRegValue]="UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcg
GUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAG
ABoAGQAaABkAGgAZABoAGQAAAA=" [newRegValue]=""
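The registry events carry the old and new data as base64 rather than as text, so a rule or an analyst looking at oldRegValue/newRegValue sees only an opaque string. The following Python decoder is an added example, not code from FortiSIEM or the Windows Agent. For the Modified sample on this page it is verifiable: regValueType 1 is REG_SZ, and base64-decoding that sample's payload yields a NUL-terminated UTF-16LE string, so the agent is emitting the raw registry bytes. Handling the other REG_* types the same way (raw bytes, decoded per the type code) is this example's assumption, not something the page states; the type constants themselves are the standard winnt.h values, and the function names are the example's own.

```python
import base64
from typing import Dict, List, Union

# Registry value type codes as defined in winnt.h; regValueType in the event carries this number.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN = 1, 2, 3, 4, 5
REG_MULTI_SZ, REG_QWORD = 7, 11

Decoded = Union[str, int, bytes, List[str]]


def decode_reg_value(b64: str, reg_type: int) -> Decoded:
    """Decode the base64 payload of an oldRegValue / newRegValue attribute.

    The REG_SZ case is verified against the sample on this page: the payload is the
    raw registry data, i.e. a NUL-terminated UTF-16LE string. Treating the other types
    as raw registry bytes too is an assumption of this example.
    """
    if not b64:                     # newRegValue is empty on a Removed event
        return ""
    raw = base64.b64decode(b64)
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    if reg_type == REG_MULTI_SZ:    # strings separated by NUL, list terminated by a second NUL
        return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]
    if reg_type in (REG_DWORD, REG_QWORD):
        return int.from_bytes(raw, "little")
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return int.from_bytes(raw, "big")
    return raw                      # REG_BINARY and unknown types: hand back the bytes


def describe_registry_change(key_path: str, value_name: str, reg_type: int,
                             old_b64: str, new_b64: str, action: str) -> Dict[str, Decoded]:
    """Produce the readable before/after pair a reviewer or a correlation rule would look at."""
    return {
        "value": f"{key_path}\\{value_name}",
        "action": action,
        "old": decode_reg_value(old_b64, reg_type),
        "new": decode_reg_value(new_b64, reg_type),
    }


# Payloads taken from the AO-WUA-Registry-Modified sample on this page (regValueType 1).
PAGE_OLD_VALUE = "MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA"
PAGE_NEW_VALUE = "MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA"

if __name__ == "__main__":
    # The key path below is the (shortened) one from the page's sample.
    change = describe_registry_change(
        "HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14", "TimeStamp", REG_SZ,
        PAGE_OLD_VALUE, PAGE_NEW_VALUE, "Modified")
    print(change)
    # Constructed DWORD payload: the four little-endian bytes 01 00 00 00, base64 "AQAAAA==".
    print(decode_reg_value("AQAAAA==", REG_DWORD))
```

Decoding the page's sample turns the opaque pair into "2015-05-07 03:49:47Z" and "2015-05-07 04:01:48Z", which is consistent with the event's own 04:01:58 timestamp and makes clear that this particular change is Exchange rewriting a health-check timestamp rather than anything that needs a ticket. Run the decoder at parse time so rules can match on the decoded value, for example a REG_SZ under the Run keys changing to a path outside Program Files.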

Windows WMI logs

#AO-WUA-WMI-Win32_Processor

Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI [monitorStatus]="Success" [__CLASS]="Win32_Processor" [AddressWidth]="64" [Architecture]="9" [Availability]="3" [Caption]="Intel64 Family 6 Model 26 Stepping 5" [ConfigManagerErrorCode]="" [ConfigManagerUserConfig]="" [CpuStatus]="1" [CreationClassName]="Win32_Processor" [CurrentClockSpeed]="2266" [CurrentVoltage]="33" [DataWidth]="64" [Description]="Intel64 Family 6 Model 26 Stepping 5" [DeviceID]="CPU0" [ErrorCleared]="" [ErrorDescription]="" [ExtClock]="" [Family]="12" [InstallDate]="" [L2CacheSize]="0" [L2CacheSpeed]="" [L3CacheSize]="0" [L3CacheSpeed]="0" [LastErrorCode]="" [Level]="6" [LoadPercentage]="8" [Manufacturer]="GenuineIntel" [MaxClockSpeed]="2266" [Name]="Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz" [NumberOfCores]= [NumberOfLogicalProcessors]="1" [OtherFamilyDescription]="" [PNPDeviceID]="" [PowerManagementCapabilities]="" [PowerManagementSupported]="0" [ProcessorId]="0FEBFBFF000106A5" [ProcessorType]="3" [Revision]="6661" [Role]="CPU" [SocketDesignation]="CPU socket #0" [Status]="OK" [StatusInfo]="3" [Stepping]="" [SystemCreationClassName]="Win32_ComputerSystem" [SystemName]="WIN-2008-LAW-AG" [UniqueId]="" [UpgradeMethod]="4" [Version]="" [VoltageCaps]="2"

Windows Powershell logs