FortiSIEM General System Administration

General System Administration

Topics in this section contain information on monitoring the health of your FortiSIEM deployment, general system settings such as language, date format, and system logos, and how to add devices to a maintenance calendar.

 

 

FortiSIEM Backend Processes

This topic provides a brief description of FortiSIEM backend system processes, and the nodes (Supervisor, Collector, Worker) that use them.

Process Function Used by Supervisor Used by Worker Used by Collector
phMonitor Monitoring other processes X X X
phDiscover Pulling basic data from target X   X
phPerfMonitor Execute performance job X X X
phAgentManager Execute event pulling job X X X
phCheckpoint Execute checkpoint monitoring X X X
phEventPackage Uploading event/SVN file to Supervisor/Worker     X
phParser Parsing event to shared store (SS) X X X
phDataManager Save event from SS to Event DB X X  
phRuleMaster Determines if a rule should trigger X    
phRuleWorker Aggregates data for rules X X  
phQueryMaster Merges data from QueryWorker X    
phQueryWorker Executes a query task X X  
phReportMaster Merge data from ReportWorker X    
phReportWorker Aggregates data for reports X X  
phIPIdentityMaster Merges IP identity information X    
phIdentityWorker Collects IP identity information X X  
Apache Receives event/SVN files from the Collector X X  

 

 

Administrator Tools

This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with information on where to find and how to use them.

Tool Description How to Use It
phTools phTools is a simple tool for starting and stopping backend processes, and for getting change log information. When you upgrade your deployment, for example, you would use phTools to stop all backend processes. Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# phtools

Commands: –change-log, –st art, –stop, –stats

Target: ALL

–change-log also supports ERROR, T

RACE, INFO, DEBUG, CRITICAL

TestSegmentReader Test Segment Reader is used to quickly read data segments in the eventdb through the command line. You can use this to manually inspect data integrity and parsed event attributes. Log into the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# TestSegment

Reader <segmentDir>

 

phExportEvent Used to export event information to a CSV file See Exporting Events to Files
TestDBPurger A script to selectively delete event data per org and time interval You can find the script at /opt/phoeni x/bin/TestDBPurger. Run it in
  Use Only to Delete Data for a Single Date

You should only use this script to delete data for a single date and organization. If you try to delete data for multiple dates, the script will fail.

 

terminal mode and follow the instructions.
     
Managing User Activity

In the User Activity page you can view the users who are logged into your system, user query activity, and locked out users. You can also log users out of the system, stop active user queries, and lock or unlock users from being able to log in. Click the User Activity icon in the upper-right corner of the FortiSIEM web interface to access user activity information.

Managing Logged In Users

In the Logged In Users tab of the User Activity page you can see the users who are currently logged in to your system. You can also log users out of the system, with an option to lock them out as well.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity

 

  1. Click the Logged In Users

You will see a list of all the users who are currently in your system.

  1. If you want to log a user out of the system, select the user and click Log Out.
  2. If you want to lock a user out of the system, select the user and click Log Out and Lock Out.
Managing Locked Out Users

In the Locked Users tab of the User Activity page you can see the users who are currently locked out of your system, and also unlock them.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity
  3. Click the Locked Users

You will see a list of all users who are locked out of the system.

  1. To unlock a user, select the user and then click Unlock.
Managing Active User Queries

In the User Queries tab of the User Activity page you can see the user queries that are running in your system, and also stop queries.

  1. In the upper-right corner of the FortiSIEM web interface, click the User Activity
  2. Click the User Queries

You will see a list of all the queries that are currently running in your system.

  1. To stop a query, select it and then click Stop Query.
Creating Maintenance Window for Devices

You can add a device to a maintenance window. During this period, the device is not monitored, and alerts for the device are not triggered. If you have an FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have an FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Add Folders or Items to the maintenance event by selecting them, and then using the Folder >> and Item >> buttons to move them into the selection pane.
  9. Click OK when you’re done selecting Folders and Items.
  10. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  11. Click OK.
  12. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Maintenance Window for Synthetic Transaction Monitoring jobs

You can add a Synthetic Transaction Monitoring (STM) job to a maintenance event. During the maintenance event, the STM job is not executed and hence related alerts do not trigger.

If you have an FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have an FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Click Synthetic Transaction Monitor (STM) to see all the STM jobs under Items in the windows below.
  9. Select the Items from the bottom left and then click Item >> to move them into the selection pane.
  10. Click OK to Save the configuration.
  11. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  12. Click OK.
  13. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Reverse SSH Tunnels to Debug Collector Issues

Using SSH Tunnels to Connect to Managed Endpoints

Browser Plugins and Connectivity Protocol Support

Firewall Configuration

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing Related Links

Using SSH Tunnels to Connect to Managed Endpoints

When you want to quickly debug an issue, you often need to connect to a managed endpoint directly from a browser using protocols such as Telnet/SSH, RDP, or VNC to HTTP(S), depending on the operating system of the endpoint. However, in a multi-tenant deployment, the managed endpoint could be behind a firewall and across the Internet. To further complicate matters, the firewall may not permit an inbound connection for management protocols for security reasons, and also may not allow quick policy changes.

The FortiSIEM solution to this situation is to build a reverse SSH tunnel between the Collector and the Supervisor. The firewall already allows

HTTP(S) sessions from Collector to Supervisor. After also being configured to also allow SSH connections from Collector to Supervisor, FortiSIEM builds an on-demand reverse SSH Tunnel initiated by the Collector. You can then use the tunnel to open a remote management session from your browser to the remote managed endpoint. This blog post on The Geek Stuff describes the process for setting up reverse SSH tunnels on Linux, and provides some additional technical details.

If the managed endpoint is directly accessible from your browser, FortiSIEM can open a direct session. The devices have to be discovered first, and based on this information, FortiSIEM can determine whether to launch a direct or Collector-based session.

If the device is discovered by the Supervisor, then it opens a direct session

If the device is discovered by a Collector, then it opens a reverse SSH tunnel from the collector, and then initiates a session over this tunnel

FortiSIEM has several features for managing SSH tunnels, including:

You can define the port of the reverse SSH tunnel. By default it is set to 19999, but it can be changed to any port.

FortiSIEM automatically times out each tunnel after a day, although you can manually delete a tunnel at any time

FortiSIEM provides full tunnel management auditing, such as a reporting on who creates and deletes a tunnel

FortiSIEM supports a broad group of connectivity protocols protocols. You can can launch any connectivity application by specifying the port, and FortiSIEM will create the tunnel.

RBAC is supported at the Collector level – if the user can visit the Collector health page, then the user can open a remote collector tunnel.

Browser Plugins and Connectivity Protocol Support

Since FortiSIEM runs from a browser, some integrations are possible if certain browser plugins are installed. The best use case is:

Using the Firefox browser to connect to FortiSIEM

The FireSSH browser plugin is already installed in Firefox

You launch a remote session to the managed endpoint over SSH

FortiSIEM launches the FireSSH browser plugin and passes the managed endpoint IP

You type in your user name and password, and if the authentication succeeds, then the shell appears

This table lists the browsers, and the protocols supported by their plugins, that you can use to connect to the managed endpoint.

Always type the end host/device credentials for direct connections over a reverse tunnel even though the displayed IP/port belongs to the Supervisor.

Web

Browser

Connectivity

Protocol

Supported

Browser

Plugin

Integration
Firefox SSH FireSSH The plugin launches. You need to provide your user name and password for the end host/device
Telnet None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
HTTP(S) None

required

Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
RDP None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external remote desktop client to connect to <Supervisor-IP> and the port.
VNC None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
 
  Other None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to  <Supervisor-IP> and the port.
Chrome SSH FireSSH The plugin launches. You need to provide your user name and password for the end host/device.
Telnet None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
RDP Chrome

RDP

A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
HTTP(S) None

required

Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
VNC None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
Other None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to  <Supervisor-IP> and the port.
Safari (on

OSX only)

SSH Mac

Terminal

A new terminal window launches and connects via SSH to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
Telnet Mac

Terminal

A new terminal window launches and connects via telnet to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
RDP None A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
HTTP(S) None

required

Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
VNC None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
Other None A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to  <Supervisor-IP> and the port.
Internet

Explorer

SSH, Telnet,

RDP,

HTTP(S),

VNC, Other

No plugin integration Create the tunnel and then connect to the <Supervisor-Port> that is displayed using an external application.
Firewall Configuration

If there is a firewall between the Collector and the Supervisor, the firewall needs to allow SSH from the Collector to the Supervisor. The default setting uses a non-standard port, 19999, so make sure you configure the firewall between the Collector and the Supervisor to allow outbound TCP connections on port 19999.

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing

For security and management reasons, you may want to limit the ability of users to create tunnels. The easiest way to do this is through user roles that have defined access capabilities. For example

To prevent the creation of any tunnels for a role, disallow access to the CMDB tab for that role, or disallow access to the particular device or device group. This second option lets you create fine-grained controls for tunnel creation, for example:

Admins who are able to view Network devices can only open tunnels to Network devices

Admins who are able to view Servers can only open tunnels to Servers

Admins who are able to view a custom-created device group can only open tunnel to that specific custom group

To prevent viewing and closing existing tunnels, disallow access to the Admin > Collector Health page

Related Links

Setting Up User Roles

 

Auditing the Creation and Deletion of SSH Tunnels

FortiSIEM includes a system-defined report that shows the SSH tunnel open/close history for the time range that you specify.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > System Audit.
  3. Select the SSH Tunnel Open/Close History
  4. Run the report as described in Running System and User-Defined Reports and Baseline Reports.
Creating a Remote Tunnel to a Device Monitored by a Collector

Prerequisites

You should review the browsers and plugins that are supported for the connectivity protocol you want to use to connect to the device.

Procedure

  1. Log in to your Supervisor node.
  2. Go to CMDB > Devices.
  3. Search for or browse to the device you want to establish the connection to.
  4. In the IP Address column for that device, click on the IP address associated with it to open the Options
  5. In the Options menu, select Connect To… .
  6. Enter the Protocol and Port you want to use to connect to the device.

For SSH this is Port 22.

  1. Select Create Tunnel.

A tunnel will be established between the Supervisor and the Collector that is monitoring the device.

  1. Use your browser and plugins to establish remote connectivity to the device as described in Creating Reverse SSH Tunnels to Debug Collector Issues.
Managing Remote Tunnels to Collector Devices

After you have created tunnels to collector devices, you can view and manage those tunnels in the Collector Health page.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Click Tunnels.

The existing tunnels will be displayed in a table with these columns:

Column

Name

Description
Host IP The IP address of the managed endpoint
Super

Port

Sessions are opened on this port on the Supervisor to connect to the managed endpoint. This ensures that the Supervisor will use the correct tunnel to reach the managed endpoint.
Protocol The protocol used to establish the connection to the endpoint
Collector The Collector that monitors the endpoint
PID The process ID of the tunnel. If you kill this process, it will kill the tunnel
Opened

Time

The time when the tunnel was opened
  1. You can close a tunnel by selecting it and then clicking Close, or you can close all tunnels at the same time by clicking Close All.
Managing System Date Format and Logos

The UI page under Admin > General Settings contains fields that you can use to change the date format for your FortiSIEM user interface, and to upload logos to be used within the user interface and on PDF reports.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Date Format you want to use to display dates in the user interface, and then click Change.
  4. Click Change to choose a UI Logo that will be displayed alongside the main application tabs for your FortiSIEM deployment.

The logo file must be in in PNG format, and should not be more than 200 pixels wide or 60 pixels high (54 pixels is the ideal height).

  1. Click Change to choose a Report Logo that will be used in the header of reports you export to PDF.

The logo file must be in SVG format, 160 pixels wide and 40 pixels high, or other dimensions with a 4:1 width/height ratio.

For  Service Provider installs, UI Logos can also be set on a per organization basis.

  1. SSH to Supervisor via root
  2. Change user to admin ‘su admin’
  3. Change directory by running ‘cd /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header’
  4. Create a logo per organization
    1. mkdir org
    2. cd org
    3. Create Organizations IDs as directories. Eg: ‘mkdir 2001’ (To find Org ids, Goto Admin > Setup Wizard > Organizations > ID)
  5. Copy PNG files to respected Organizations as logo.png. For example:

/opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header/org/2001/logo.png

  1. Logon to Organization e.g: Org1 (id: 2001) and make sure that UI logo is updated

 

Viewing Cloud Health and System Information

The Admin > Cloud Health page shows you the status of the nodes in your deployment, as well as the processes running on them.

  1. Go to Admin > Cloud Health.
  2. Click on any node to view its Process Details.

See FortiSIEM Backend Processes for more information about the system role played by each process.

  1. You can access other information about your FortiSIEM deployment by clicking the Alert icon in the upper-right corner of the user interface, which will show you Alerts and Tasks for the system within the last 24 hours.
Viewing Collector Health

If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the Admin > Collector Health page. You can also upgrade Collectors from this page, as described in Setting Up the Image Server for Collector Upgrades.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Select a Collector and click Show Processes to see the processes running on that Collector.

See FortiSIEM Backend Processes for more information about the processes that run on Collectors.

  1. You can also Stop or Start a Collector by selecting it and clicking the appropriate button.

Properties associated with Collector Health include:

Collector

Property

Description
Org Name Name of the organization to which the Collector belongs
Collector

Name

The name of the Collector
IP Address The IP address of the Collector
Status The status of the Collector as either Up or Down
Health Displays the health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector.
Up Time Total time that the Collector has been up
Last

Performance

Data

The time when the collector last reported its performance status to the cloud
Last Status

Update

The time when the collector last reported its status to the cloud
Last Event

Data

The time when the collector last reported events to the cloud
CPU

Utilization

Overall CPU utilization of the Collector
Memory

Utilization

Overall memory utilization of the Collector
Version Which version of FortiSIEM the Collector is running on
Build Date The date on which the version of FortiSIEM the Collector is running on was built
Upgrade

Version

If the Collector has been upgraded, the version it was upgraded to
Install

Status

If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed
Download

Status

If an image was downloaded to the Collector as described in Setting Up the Image Server for Collector Upgrades, the status of the download is shown here as Success or Failed
Allocated

EPS

The number of events per second (EPS) dynamically allocated by the system to this collector. See Dynamic Distribution of Events per Second (EPS) across Collectors for more information about how EPS is allocated across Collectors.
Incoming

EPS

The EPS that the Collector is currently seeing

 

 

 

 

Viewing License Information and Adding Nodes to a License

The License Management page in the Admin tab shows information associated with your current FortiSIEM license, and allows you to add virtual appliances and Report Servers to your deployment as your license allows.

  1. Log in to your Supervisor node.
  2. Go to Admin > License Management.
  3. Under License Information you will see detailed information about both Allowed and Current Usage for the number of virtual appliances, EPS, number of devices, and other attributes associated with you FortiSIEM license.
  4. Under VA Information you will see the name and IP address of the virtual appliances, and their roles, in your FortiSIEM deployment. Click Add, and then enter an IP address for other nodes that you want to add to your license.
  5. Under Report Server Information you will see the IP address of any Report Servers in your deployment. Click Add, and then enter an IP address for other Report Servers that you want to add to your license.
Calculations for License Usage Statistics
Statistic Calculation Notes
EPS   AccelOps calculates the EPS for your system using a counter that records the total number of received events in a three minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less than 110% of the license limit (using the calculation 1.1 x EPS License x 180) , then AccelOps will continue to collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three minute window, and an email notification is triggered. At the end of the three minute window the counter resets and resumes receiving events.
Number

of

Devices

  Each entry in CMDB > Devices counts as one device. Exceptions to this are:

Mobile Devices VoIP Phones

These devices are not counted against the number of devices that are licensed for your deployment.

 

 

Using Beaconing to Communicate with AccelOps Support

Your FortiSIEM virtual appliance includes a beaconing feature that periodically transmits information about the functioning of your FortiSIEM deployment to FortiSIEM support. This information includes the health of your FortiSIEM virtual appliances, performance data, and summary information about the configuration of your deployment. This information is used exclusively by FortiSIEM support for forensic analysis of your system, and is never shared with anyone.

The basic version of the beaconing feature is included with your FortiSIEM license, but you can opt out of the service at any time by going to Adm in > License Management and clearing the Enable Beaconing Data Upload option. You can also purchase the advanced version of the beaconing service, which includes added support services. Contact FortiSIEM Sales or Support for more information.

To find the level of beaconing support on your deployment, go to the License Information table under Admin > License Management, and scroll down the License Attribute column to look for the row labeled Beaconing Support.

Basic Beaconing Support

Advanced Beaconing Support

Basic Beaconing Support

Basic Beaconing periodically uploads health and usage information from FortiSIEM instance. This includes

Customer Name

Organization Name (for Service Provider installations)

Organization Collector Name

Number of devices discovered by category (Network, Server, Storage) and their types

Performance Monitoring Jobs and their status

Discovery Error Types, Event parsing errors, Operational errors

Incident names, severity and count

Event rate

Event Type

FortiSIEM system incidents and license issues

IP address and host name are not transmitted to the cloud.

For specific details, see these rules and reports which contain data periodic sent to the cloud.

Beaconing Reports and Rules Summary Information Uploaded
CMDB > CMDB Reports > Beaconing 1.  CMDB Device Types

2.  CMDB Network Device Count

3.  CMDB Server Count

4.  CMDB Storage Device Count

5.  PING Monitored Device Count

6.  Performance Monitor Status

Analytics > Reports > Beaconing Reports > Beaconing

Customer

1.    Beaconing Customer: System Operational Errors

2.    Beaconing Customer: Discovery Errors

3.    Beaconing Customer: Event Parsing Errors

4.    Beaconing Customer: Failed or falling behind monitoring jobs

5.    Beaconing Customer: Incidents By Severity, Count

6.    Beaconing Customer: Incidents Dropped

7.    Beaconing Customer: System Event Processing Statistics

8.    Beaconing Customer: Top CMDB Device Types By Count

9.    Beaconing Customer: Top Customers, Collectors By Unknown Event Types

10.  Beaconing Customer: Top Event Types By Count

11.  Beaconing Customer: Top Internal Modules By Log Count

Analytics > Rules > Beaconing 1.    FortiSIEM Report Server license about to expire

2.    FortiSIEM Report Server license expired

3.    Device License Exceeded – Device Not Added To CMDB

4.    Excessive Clock Skew Between Collector and Supervisor nodes

5.    Excessive External Event Dropped By License

6.    System Collector Down

7.    System Collector Event Delayed

8.    System License Warning: Max Number of Devices Exceeded License

9.    System Report Server Down

10.  System Worker Down

Advanced Beaconing Support

In advanced beaconing support, system logs and audit logs from your FortiSIEM deployment are uploaded to FortiSIEM support in addition to the information listed under basic beaconing support. This allows FortiSIEM support to closely monitor your FortiSIEM deployment for errors and problems remotely without the risk of system log rollover, and to provide an accelerated path to problem resolution.

Advanced beaconing support can be enabled via a license change. You will need to re-register your FortiSIEM deployment after FortiSIEM Sales has enabled advanced beaconing on the license server. During re-registration, FortiSIEM services will continue to run except for a restart of the p hMonitor service.

AccelOps Event Categories and Handling

This topic provides a brief description of various types of event categories in FortiSIEM

Event Categories
System Event

Category

Description Counted in

EPS License

phstatus -a outout Stored in DB?
0 External events and not flow events (e.g. syslog, SNMP Trap, Event pulling) Yes EPS Yes
1 Incidents (events that begin with PH_RULE) No EPS INTERNAL Yes
2 FortiSIEM Audit Events (events that begin with PH_AUDIT) No EPS INTERNAL Yes
3 FortiSIEM Internal system logs, free format No EPS INTERNAL Yes
4 External flow events (Netflow, Sflow) Yes EPS Yes
5 FortiSIEM Internal health events for summary dashboards         No EPS INTERNAL Yes
6 FortiSIEM Performance Monitoring events (events that begin with PH_DEV_MON) Yes EPS PERF Yes
7 AO Beaconing events No EPS INTERNAL         Yes
8 FortiSIEM Real Time Performance Probe Events No EPS INTERNAL         No
99 FortiSIEM Internal Rule Engine No EPS INTERNAL         No
Event handling at various nodes

Running “phstatus -a” command at various nodes provides the events handled by that node.The output shows the statistics at 3min, 15min and 30 min averages.

If you run “phstatus -a” at a Supervisor, you get the aggregated view across all nodes

Reported EPS by events

The following events report eps which includes EPS (EXTERNAL) and EPS PERF – to be measured against license

  1. PH_SYSTEM_EVENTS_PER_SEC: this reports eps at a organization level
  2. PH_SYSTEM_PERF_EVENTS_PER_SEC: this reports performance monitoring related eps (counted against license)
  3. PH_SYSTEM_INTERNAL_EVENTS_PER_SEC: this reports internal eps (not counted against license)
  4. PH_SYSTEM_IP_EVENTS_PER_SEC: this reports eps reported by a device level
  5. PH_SYSTEM_DEVAPP_EVENTS_PER_SEC: his reports eps reported by a device level but also has vendor, model info
Changing Dashboard Theme

The UI page under Admin > General Settings contains fields that you can use to change the theme for widget dashboards

My Dashboard

Availability/Performance > Avail/Perf Widgets

Biz Svc Dashboard

Dashboards By Function

To do this

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Dashboard Theme you want to use, and then click Change.
  4. Refresh the browser.

 

 

 

Installing OS Security Patches

You may want to install OS level security patches to fix some recently found vulnerabilities.

First check whether the CVEs you are interested in have already been patched by the current FortiSIEM version. You can do this by running the following command.

To upgrade OS packages on Super, Worker, or Collectors, run the following command as root

We use a headless chrome browser for STM but chrome is not supported by Google on CentOS6 or 7 platforms. To upgrade that package to the latest version, we use a third party system.

Run the following commands as root on Super/Worker/Collector

FortiSIEM Configuring Event Handling

Configuring Event Handling

This section describes certain event handling operations that happen at the moment events are received in AccelOps.

Event Dropping

Event Forwarding

Event Organization Mapping Multi-line Syslog Handling

Event Dropping

Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that will drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device type, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped event also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. And example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.

Procedure
  1. Log in to your Supervisor node.

For multi-tenant deployments you should log in to the Super/Global account if you want to set a system-wide event dropping rule. If you want to set an event-dropping rule for a specific organization, either log in as an administrator for that organization, or or log in using the Super/Global Account and then select the organization to which the rule should apply when you are creating it.

  1. Go to Admin > General Settings > Event Handling.
  2. Under Event Dropping Rule, click Add.
  3. Next to Reporting Device, click Edit, and use the CMDB Browser to find device group or individual device that you want to create the rule for.
  4. Next to Event Type, click Edit, and use the Event Type Browser to find the group of event types, or a specific event type, that you want to create the rule for.
  5. If the event type you select has an Source IP or Destination IP attribute, you can enter specific IP addresses to which the rule should apply.
  6. For Regex Filter, enter any regular expressions you want to use to filter the log files.

If any matches are made against your regular expression, then the event will be dropped.

  1. For multi-tenant deployments, select the Organization to which the rule should apply.
  2. Select the Action that should be taken when the event dropping rule is triggered.
  3. Enter any Description for the rule.
  4. Click Save.

Implementation Notes

  1. All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
  2. If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type left blank is the same as selecting All Event Types.
  3. FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn’t use Collectors, then the event will be droppedby the Worker or Supervisor where the event is received.
  4. You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate(/sec) as one of the dimensions for Chart For to see events that have been dropped to this policy.
Event Forwarding

n systems management, many servers may need access to forward logs, traps and Netflows from network devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and netflows to multiple destinations. For example, most Cisco routers can forward Netflow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and Netflows to one or more destinations. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Event Handling.
  3. Under Event Forwarding Rule, for multi-tenant deployments, select the organization for which the rule will apply.
  4. Click Add.
  5. For Sender IP, enter the IP address of the device that will be sending the logs. The syntax can be one of the following a. a single IP address
    1. an IP address range e.g. 10.1.1.1-10.1.1.10
    2. CIDR notation e.g. 10.1.1.0/8
    3. a combination of the above separated by comma, e.g. 10.1.1.1,10.1.1.3,20.1.1.1-20.1.1.10,30.1.1.0/24
  6. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
  7. Select the Traffic Type to which the rule should apply.

The Forward To > Port field will be populated based on your selection here.

  1. For Forward to > IP, enter the IP address to which the event should be forwarded.
  2. Click OK.
Event Organization Mapping

FortiSIEM can handle reporting devices that are themselves multi-tenant and hence have organization names in events that they send. This section describes how you can map organization names in external events to those on FortiSIEM so that those events have the correct FortiSIEM organizations.

Adding Organization Mapping Rules
  1. Go to Admin > General Settings > Event Handling > Event Organization Handling 2. Click Add to add a rule
  2. Select Enabled if this rule is to be enforced
  3. Select the Device Type of the sender. This has to be a device that FortiSIEM understands and able to parse events.
  4. Select the Event Attribute that contains the external organization name. FortiSIEM will map the value in this field to an FortiSIEM organization.
  5. Select the Collectors that are going to receive the events. By default any collectors would be able to do this but it is possible to scope down if needed. This field is optional.
  6. Specify the Reporting IP/Range of the multi-tenant devices that are sending events. Format of this field is a comma separated list of IP addresses intermixed with IP ranges, e.g. 10.1.1.1,10.1.1.2,10.10.1.1-10.10.1.250.
  7. Specify the Org Mapping.
    1. Click Edit
    2. Select the System (FortiSIEM) organization on the left column
    3. Click the Event Organization and enter the external Organization name corresponding to the System Organization on the left column
  8. Click OK to Save.

 

 

 

Multi-line Syslog Handling

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to put together into a single log. This feature enables you to do that.

User can write multiple multi-line syslog combining rules based on reporting IP and begin and ending patterns. All matching syslog within the begin and ending pattern are combined into a single log.

To create a multi-line syslog rule,

  1. Go to Admin > General Settings > Event Handling
  2. Scroll down to Multiline syslog section
  3. Click Add
  4. Enter the following information
    1. Enabled – check this if the rule needs to be effective
    2. Sender IP – the source of the syslog – format is a single IP, IP range, CIDR and a combination of the above separated by comma c. Protocol – TCP or UDP since syslog can come via either of these protocols
    3. Organization – syslog from devices belonging to this organization will be combined into one line
    4. Begin Pattern – combining syslog starts when the regular expression specified here is encountered
    5. End Pattern – combining syslog stops when the regular expression specified here is encountered
  5. Click Save

Example 1 – Syslog over UDP

In this case, Begin Pattern is required and End Pattern is optional.

If a packet matches the Begin Pattern, FortiSIEM will hold it in memory and wait for the next packet.

If the 2nd packet also matches the Begin Pattern, continue waiting.

If the 3rd packet doesn’t match the Begin Pattern, flush out the 2 events (1+2 and 3).

If any packet matches the End Pattern, flush out.

The Begin Pattern is in each packet of a multiline syslog. Remove them except the 1st packet.

For example, the receiver gets these packets:

<syslog header> I come to

<syslog header> work

<syslog header> every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to be empty, then the three syslogs are combined into a single syslog

<syslog header> I come to work every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to match work, then the first two syslogs are combined into a single syslog, while the third one is left alone.

<syslog header> I come to work

<syslog header> work

Example 2 – Syslog over TCP – octet counting

Octet counting means that there is a header that specifies the length of the syslog. In this case, syslog is not combined. There is no need to combine, since the source can send large syslog messages.

Example 3 – syslog over TCP – non-transparent framing

In non-transparent framing, two syslogs sent over a TCP stream is delineated by the “\n” character. In this case, either Begin Pattern or End Pattern is required. Both can be present as well.

If the Begin Pattern is matched in the TCP stream, a multi-line syslog combination begins

If the End Pattern is matched in the TCP stream, multi-line syslog combination ends

If the Begin Pattern is again matched in the TCP stream, the previous multi-line syslog combination ends

TCP syslog stream: id=0,name=<1>name=a,id=1<2>name=b,id=2<3>

Begin pattern is <\d+> and end pattern is id=\d+. This results in 3 syslogs id=0,name=

<1>name=a,id=1

<2>name=b,id=2

And <3> will be held for next packet.

If the Begin pattern is <\d+> and end pattern is empty, this also results in 3 syslogs as before.

Managing FortiSIEM

FortiSIEM Custom Configuration Change Monitoring

Custom Configuration Change Monitoring

This features provides a way for collecting configuration files for any device and monitoring changes.

Define a new vendor, model (Optional)

If the device vendor and model is not yet defined in FortiSIEM, then the new definition needs to be added.

To check whether you device is already defined

  1. Go to Admin > Device Support > Device/App Types
  2. In the Search area, type in the vendor name and see if it exists.

To add a new device type

  1. Go to Admin > Device Support > Device/App Types
  2. Click New
  3. Fill in the following information
    1. Vendor: Type in the name of the Vendor (e.g. Fortinet or Cisco)
    2. Model: Type in the model – be very generic – preferable software model e.g. FortiOS, IOS – do not enter hardware model for appliances
    3. Version: Most of the time ANY
    4. Device/App Group: Select the CMDB Group to which the new device will belong
    5. Business Service Group: Define the Business Service Group to which the new device will belong f. Description: Add description
  4. Click Save
Create a valid access method
  1. Go to Admin > Setup > Credentials (Step 1)
  2. Click Add.
  3. Create an SSH credential
    1. Device Type – Select your device
    2. Access Protocol – Set to SSH
    3. Define User Name and Password
  4. Click Save
  5. Go to Admin > Setup > Step 2: IP Range to Credentials
  6. Click Add
  7. Enter the following information for IP Range to Credential Mapping
    1. IP/Range – the access IP of the device
    2. Credentials – pick the credential in Step 3
    3. Click OK
  8. Select the entry and Click Test Connectivity or Test Connectivity without Ping
  9. Make sure Test Connectivity
Create a Performance Object
  1. Go to Admin > Device Support > Performance Monitoring
  2. Under Enter Performance Object are, Click New
  3. Enter the following information to create a new Performance Object
    1. Name – enter a name for reference
    2. Type – set to System
    3. Method – set to LOGIN
    4. Used For – set to Configuration Monitoring
    5. Expect Script – Click Upload to store a configuring pulling expect script in FortiSIEM
    6. Polling Frequency – determines how often configuration will be pulled – recommended 30 minutes
  4. Click Save
Create Device Type to Performance Object association
  1. Go to Admin > Device Support > Performance Monitoring
  2. Under Enter Device Type to Performance Object Association, Click New
  3. Enter the following information to create an association
    1. Name – enter a name for reference
    2. Device Types – select the relevant device type for custom configuration polling
    3. Perf Objects – Select the performance object created in previous step 4. Click Save
Discover the device
  1. Go to Admin > Setup > Discovery
  2. Click Add
  3. In Include Range, enter the IP address of the device
  4. Click OK
  5. Select the entry and then click Discover
Validation Check

The expect script will be executed and configuration will be discovered.

  1. Go to Admin > Setup > Monitor Change/Performance. Search for the device and check the configuration monitoring task under Syste m Monitor
  2. Go to Search for the device and check for the configuration under Configuration tab for the selected device.

FortiSIEM Agent-less Target File Monitoring

Agent-less Target File Monitoring

You can use target file monitoring to make sure that a specific file, for example a device configuration file, is always identical in content to a gold standard target file that you import into FortiSIEM. When you enable a target file monitor, it will:

  1. Pre-compute the checksum of the gold standard target file imported into FortiSIEM.
  2. Periodically, log in to the system using SSH and compute the checksum of the file.
  3. Create an event when the content of the monitored file is different than the gold standard target file.

Supported Servers

Example Events

Adding the File Integrity Monitoring Performance Object

Performance Object Configuration for File Integrity Monitoring

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Checking the Difference between Versions of Monitored Files

Supported Servers

Target file monitoring is supported for these servers:

Linux variants

Unix variants

Windows (with Unix tools installed that allow SSH)

Example Events

Two events that are generated by FortiSIEM when the target file is modified.

File Monitors and Event Types

Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.

Event Type: PH_DEV_MON_CUST_TARGET_FILE_CHANGE

This indicates that content of the target file has changed. You can see that the values for prehash and hash are different.

This indicates what was changed, as you can see with theaddedItem, deletedItem, oldSVNVersion, and newSVNVersion attributes.

<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]:

[PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,

[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,[ph

CustId]=1,[hostName]=CO228SP222,

[hostIpAddr]=192.168.64.228,[fileName]=/home/admin/TargetFileMon/tartget

1.txt,[oldSVNVersion]=15,[newSVNVersion]=20,

[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]=

Adding the File Integrity Monitoring Performance Object

In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin ta b.

In this case, you will create one performance object in which you will upload the gold target file and enter the path to the file you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.

Performance Object Configuration for File Integrity Monitoring

Field Setting
Name LinuxTargetFileMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/FileMon/file.txt
Target File Click Upload and browse to the location of the file that you want to use as the gold target

Associating Device Types to Performance Objects

You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Checking the Difference between Versions of Monitored Files

When the monitor detects a difference between the files, it will trigger the rule Audited target file content modified, and the rule will continue to trigger and generate incidents until the checksums of the files match. You can compare the original monitored file against the new version in the CMDB.

  1. Go to CMDB > Devices.
  2. Select the device where the monitored filed is located
  3. Click the Configuration

In the left pane you will see a list of all the files, and their versions, on the device.

  1. To compare files, select one, CNTRL/select the other, and then click Diff.

FortiSIEM Agent-less File-Integrity Monitoring

Agent-less File-Integrity Monitoring

You can use file integrity monitoring to make sure that critical files and directories on servers are not modified. When you enable a file integrity monitor for a specific file or directory, the monitor will:

  1. Log in to the system using SSH.
  2. Compute the checksums of the files or a directory, including all files in the directory.
  3. Periodically verify the computed checksums.
  4. Create an event when a change to the checksums is detected.

Supported Servers

Example Events

A Directory is Modified by Adding a File

A Specific File is Modified

A Specific File is Deleted

Permissions or Ownership of a Specific File or Any File in a Directory is Changed File Scan Event

Adding the File Integrity Monitoring Performance Object

Performance Object Configuration for File Integrity Monitoring

Performance Object Configuration for Directory Integrity Monitoring

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Change: Audited File Added/Deleted

Change: Audited File Content Modifications

Change: Audited File Attribute Modifications

Supported Servers

File and directory integrity monitoring is supported for these servers:

Linux variants

Unix variants

Windows (with Unix tools installed that allow SSH)

Example Events

These are examples of events that are generated by FortiSIEM when a file or directory is modified, deleted, or has its permissions changed.

File Monitors and Event Types

Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.

A Directory is Modified by Adding a File

Event Type: PH_DEV_MON_CUST_FILE_CHANGE_CONTENT

A Specific File is Deleted

Permissions or Ownership of a Specific File or Any File in a Directory is Changed

Event Type: PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB.

For permissions changes, look for the preaccess and access attributes.

For ownership changes, look for the preuser, user, pregroup, and group attributes.

File Scan Event

Event Type: PH_DEV_MON_CUST_FILE_SCAN

When FortiSIEM scans a file or a directory, this event is generated and can be reported against.

Adding the File Integrity Monitoring Performance Object

In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin ta b.

In this case, you will create one performance object for each file or directory you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field. Performance Object Configuration for File Integrity Monitoring

Field Setting
Name LinuxFileMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/FileMon/file.txt
Polling Frequency 30 seconds

Performance Object Configuration for Directory Integrity Monitoring

Field Setting
Name LinuxDirMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/DirectoryMon
Polling Frequency 30 seconds

Associating Device Types to Performance Objects

You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly.

Change: Audited File Added/Deleted

Create a structured historical search with these settings:

Filter Criteria Display

Columns

Time For

Organizations

Structured

Event Type IN (“PH_DEV_MON_CUST_FILE_CREATE”,”PH_DEV_MON_CUST_FILE_DELETE”)

Group by:[None]

Event Receive

Time

Last 1

Day

All

Change: Audited File Content Modifications

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type =”PH_DEV_MON_CUST_FILE_DELTA” Group by:[None]

Event Receive Time, Host Last 1 Day All

Change: Audited File Attribute Modifications Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type =”PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB” Group by:[None]

Event Receive Time, Host Last 1 Day All

 

 

FortiSIEM Custom Command Output Monitor

Custom Command Output Monitor

You may already have commands or scripts for your devices that collect important metrics or perform some useful function. By creating a custom command output monitor, you can import the output of those commands into the AccelOps event database, where it can be used to create reports , write rules to alert against anomolies, or trigger the execution of scripts. Creating a custom command output monitor involves collecting a sample output from the command, and then creating a performance object that uses regex to parse the command output, maps the output event attributes to AccelOps event attribute types, and then associates those to an event type.

Creating a Custom SSH Command Output Monitor

Creating a Custom Multi-Line SSH Command Output Monitor

Creating a Custom WINEXE Command Output Monitor

Device Types Supported for Custom SSH Command Output Monitors

Linux variants

Unix variants – IBM AIX, HP UX

Microsoft Windows (with Cygwin tools installed that allows SSH)

Cisco IOS, NX-OS, ASA, CatOS

Juniper JunOS, SSG, ISG

PaloAlto PANOS

Fortinet FortiGate

HP Procurve, H3C

Extreme Ntwork XOS

Foundry BigIron

Avaya ERS

Device Types Supported for Custom WINEXE Command Output Monitors

Microsoft Windows

 

Creating a Custom SSH Command Output Monitor

Mapping SSH Command Outputs to FortiSIEM Event Attribute Types

Creating New Event Attribute Types and Event Types

Event Attributes

Event Types

Adding the iostat Command Output Performance Object

Performance Object Configuration for Event Type PH_DEV_MON_CUST_CMD

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

In this example, the regular expression is used to parse a single line of the command output.

Planning

Mapping SSH Command Outputs to FortiSIEM Event Attribute Types

In this example, you want to monitor the output of the iostat command. On a Linux machine, the output would look similar to this:

 

From this example, you can see that to create a monitor for the iostat command output, you would need to:

  1. Create the event attribute types readBytes,readRate, tps, writtenBytes, writtenRate, and diskName, to correspond to Blk_ read, Blk_read/s, tps, Blk_wrtn, Blk_wrtn/s, and Device from the command output.
  2. Create an event type, PH_DEV_MON_CUST_CMD, that will contain the event attribute types readBytes, readRate, tps, writtenByte s, writtenRate, and diskName,
  3. Create a performance object containing the regular expression that will parse the command output and match value positions to event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_CMD.

Creating New Event Attribute Types and Event Types

Event Attributes

Create these event attribute types:

Name Display Name Value Type Display Format Type
diskName Disk Name Rawvalue  STRING
tps Transactions/s Rawvalue DOUBLE
readRate Read Rate Rawvalue DOUBLE
readBytes Read Bytes Rawvalue INTEGER
writtenBytes Written Bytes Rawvalue INTEGER
writtenRate Written Rate Rawvalue DOUBLE

Event Types

Create this event type:

Name Device Type Severity
PH_DEV_MON_CUST_CMD Centos IOS Low
Adding the iostat Command Output Performance Object

In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_CMD.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_CMD

Field Setting
Name cmd-iostat
Type Application
Method Login
Used For Command Output Monitoring
Command iostat
Regular

Expression

(^[^]+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\?[0-9]+|\d+)\s+([0
Matched Attribute

Count

6
List of

Attributes

 
Matched Position Format Type Event Attribute  
1 STRING RawValue diskName
2 DOUBLE RawValue tps
3 DOUBLE RawValue readRate
5 INTEGER RawValue readBytes
6 INTEGER RawValue writtenBytes
4 DOUBLE RawValue writtenRate
 
Event Type PH_DEV_MON_CUST_CMD
Polling

Frequency

60 seconds
Associating Device Types to Performance Objects
Field Settings
Name cmd-iostat
Device Types  Centos Linux
Perf Objects  cmd-iostat(SSH)- Default Interval:1mins
Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For

Organizations

Structured

Reporting IP IN <IP Range> AND Event Type

=”PH_DEV_MON_CUST_CM”; Group by:[None]

Disk Name,Transactions/s,Read Rate,Read Bytes,

Written Bytes,Written Rate

Last 10

Minutes

All
Creating a Custom Multi-Line SSH Command Output Monitor

In some cases, the output from a command may run over several lines. An example, as shown in the code block below, is the show interfaces command for Cisco IOS routers. Here the information for each interface, such as Vlan1, Vlan2, etc., needs to be consolidated into a single FortiSIEM event. This topic will show you how to configure a performance object for multi-line SSH command outputs, including an example of the regular expression you would use to parse the example output.

Planning

Mapping a Multi-Line SSH Command Output to FortiSIEM Event Attribute Types

Creating New Event Attribute Types and Event Types Event Types

Adding the show interfaces Command Output Performance Object

Performance Object Configuration for Event Type PH_DEV_MON_CUST_SHOW_INTF

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Planning

Mapping a Multi-Line SSH Command Output to FortiSIEM Event Attribute Types

In this example, you want to monitor the output of the ‘show interfaces’ command, which would look similar to this for a Cisco IOS router:

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)

Description: DevNet

Internet address is 192.168.20.1/22   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation ARPA, loopback not set

Keepalive not supported

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of “show interface” counters never   Input queue: 1/75/12681/0 (size/max/drops/flushes); Total output drops: 0   Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 3583000 bits/sec, 1726 packets/sec

5 minute output rate 3118000 bits/sec, 1064 packets/sec   L2 Switched: ucast: 2060202231 pkt, 586057481378 bytes – mcast:

62824587 pkt, 9271104426 bytes   L3 in Switched: ucast: 43940778993 pkt, 16358818361299 bytes – mcast:

0 pkt, 0 bytes mcast   L3 out Switched: ucast: 37329069590 pkt, 18769383194932 bytes mcast: 0 pkt, 0 bytes      44460046444 packets input, 16420615020121 bytes, 0 no buffer

Received 52655932 broadcasts (0 IP multicasts)

0 runts, 0 giants, 146 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored      37746681819 packets output, 18872504999045 bytes, 0 underruns

0 output errors, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

Vlan2 is up, line protocol is up

Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)

Description: ServerNet

Internet address is 192.168.0.1/24   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation ARPA, loopback not set

Keepalive not supported

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:01, output hang never

Last clearing of “show interface” counters never

Input queue: 0/75/16/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 1652000 bits/sec, 367 packets/sec

5 minute output rate 258000 bits/sec, 177 packets/sec   L2 Switched: ucast: 3422947811 pkt, 2275729058787 bytes – mcast:

4291290 pkt, 528654887 bytes   L3 in Switched: ucast: 17926721335 pkt, 14810495462969 bytes – mcast:

0 pkt, 0 bytes mcast   L3 out Switched: ucast: 13822525718 pkt, 7788778830975 bytes mcast: 0 pkt, 0 bytes      19067733427 packets input, 15044884652941 bytes, 0 no buffer

Received 4283101 broadcasts (0 IP multicasts)

0 runts, 0 giants, 2 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

13850959642 packets output, 7791605865261 bytes, 0 underruns

0 output errors, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

Vlan3 is up, line protocol is up

Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)

Description: newbuildnet

Internet address is 192.168.24.1/24   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation ARPA, loopback not set

Keepalive not supported

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:04, output 00:00:01, output hang never

Last clearing of “show interface” counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 23000 bits/sec, 1 packets/sec

5 minute output rate 1000 bits/sec, 1 packets/sec   L2 Switched: ucast: 319623039 pkt, 321540971691 bytes – mcast: 6427637 pkt, 563598014 bytes   L3 in Switched: ucast: 9237477530 pkt, 10166398798345 bytes – mcast: 0 pkt, 0 bytes mcast   L3 out Switched: ucast: 5881512921 pkt, 4457997315264 bytes mcast: 0 pkt, 0 bytes

9289735817 packets input, 10171188457635 bytes, 0 no buffer

Received 6427548 broadcasts (0 IP multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

From this example, you can see that to create a monitor for the ‘show interfaces’ command output, you would need to:

  1. Create an event type, PH_DEV_MON_CUST_SHOW_INTF, that will contain the event attribute types intfName, recvBitsPerSec, rec vPacketsPerSec, sentBitsPerSec, and sentPacketsPerSec, all of which are already contained in the FortiSIEM event attribute types library.
  2. Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_CMD. Creating New Event Attribute Types and Event Types

Event Types

Create this event type:

Name Device Type Severity
PH_DEV_MON_CUST_SHOW_INTF Cisco IOS Low
Adding the show interfaces Command Output Performance Object

In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_SHOW_INTF.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_SHOW_INTF

Field Setting
Name ssh-multiline-CiscoIOS
Type System
Method Login
Used For Command Output Monitoring
Command show interfaces
Regular

Expression

\n(\S*?) is [administratively down|up|down](?!\n\S.)*5 minute input rate\s+(\d+)\s+bits\/sec.*?5 minute output rate\s+(\d+)\s+bits\/sec,\s+(\d+)\s+packets\/sec
Matched

Attribute Count

5
List of

Attributes

 
Matched Position Format Type Event Attribute  
1 STRING RawValue intfName
2 INTEGER RawValue recvBitsPerSec
3 INTEGER RawValue recvPacketsPerSec
4 INTEGER RawValue sentBitsPerSec
5 INTEGER RawValue sentPacketsPerSec
 
Event Type PH_DEV_MON_CUST_SHOW_INTF
Polling

Frequency

60 seconds
Associating Device Types to Performance Objects
Field Settings
Name ssh-Cisco-Intf-Status
Device Types  Cisco IOS
Perf Objects  ssh-multiline-CiscoIOS(SSH)-Default Interval:1mins
Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the Cisco IOS device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type = “PH_DEV_MON_CUST_SHOW_INTF”; Group by:[None]

Event Receive Last 10 Minutes All
Creating a Custom WINEXE Command Output Monitor

There may be times when you want the output of a PowerShell command from a Microsoft server as an input for FortiSIEM. Because PowerShell commands can’t be sent via SSH, you need to configure a WINEXE performance object to send the command, parse the output, and associate values to FortiSIEM event attribute types.

Often there is a need to have powershell command output from Microsoft servers into FortiSIEM. These commands cannot be run on Windows systems via SSH. The equivalent way of remotely running a command on Windows systems is Winexe. FortiSIEM will run the Winexe command on Windows systems, collect the output and parse the output into fields for use in FortiSIEM analytics.

Planning

For this example, assume you want to monitor disabled users in Microsoft Active Directory. You would use this command:

which would have an output similar to this:

From this example, you can see that to create a monitor for the iostat command output, you would need to:

  1. Create an event type, PH_DEV_MON_CUST_DISABLED_USERS, that will contain the event attribute types distName, samAccount, and sid, all of which are already contained in the FortiSIEM event attribute types library, and which match to DistinguishedName, S amAccountName, and SID in the command output.
  2. Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_CMD.

After enabling the WIINEXE output monitor, you should see an event similar to this in FortiSIEM:

Creating New Event Attribute Types and Event Types

Event Types

Create this event type:

Name Device Type Severity
PH_DEV_MON_CUST_DISABLED_USERS Cisco IOS Low
Adding the show interfaces Command Output Performance Object

In this case, you will create one performance object that will use a regular expression to parse the command output, match value positions in the command output against FortiSIEM event attributes, and then associate those with the event type PH_DEV_MON_CUST_DISABLED_USERS. Performance Object Configuration for Event Type PH_DEV_MON_CUST_DISABLED_USERS

Name WINEXE-AD-Disabled-Users-Output
Type System
Method WINEXE
Used For Command Output Monitoring
Command Import-Module ActiveDirectory:Get-ADUser

-LDAPFilter{(useraccountcontrol:1.2.840.113556.1.4.803:2)}

Regular Expression \nDistinguishedName\s+:\s+(.*?)\n.*?SamAccountName\s+:\s+(.*?)\nSID\s+(.*?)\n
Matched Attribute

Count

3
List of Attributes  
Matched Position Format Type Event Attribute  
1 STRING RawValue disName
2 STRING RawValue samAccount
3 STRING RawValue sid
 
Event Type PH_DEV_MON_CUST_DISABLED_USERS
Polling Frequency 60 seconds
Associating Device Types to Performance Objects
Field Settings
Name DiscoverDisabledUsers
Device Types MIcrosoft Windows Server 2008

MIcrosoft Windows Server 2008 R2

MIcrosoft Windows Server 2012

MIcrosoft Windows Server 2012 R2

Perf Objects  WINEXE-AD-Disabled-Users-Output(WINEXE)-Default Interval:1mins
Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For Organizations
Structured

Event Type = PH_DEV_MON_CUST_DISABLED_USERS; Group by:[None]

Event Receive Last 10 Minutes All
Custom File Monitor

You can create custom file monitors to monitor changes to directories and specific files, and also to trigger incidents when the content of a monitored file is changed from a target gold file.

Agent-less File-Integrity Monitoring Agent-less Target File Monitoring

FortiSIEM Custom Performance Monitors

Custom Performance Monitors

Creating a custom performance monitor involves creating a performance object that specifies the monitoring access protocol to use, maps event attributes available for that protocol to FortiSIEM event attribute types, and then associates those attributes to an event type. You can use system or user-defined device types, event attribute types, and event types when creating the performance object.

Creating a Custom Performance Monitor

Monitoring Protocol Configuration Settings

JDBC Configuration Settings

JMX Configuration Settings

SNMP Configuration Settings for Custom Performance Monitors

Importing OID Definitions from a MIB File

WMI Configuration Settings for Custom Performance Monitors

Mapping Monitoring Protocol Objects to Event Attributes

Exporting a Custom Performance Monitor

Importing a Custom Performance Monitor

Examples of Custom Performance Monitors

Custom JDBC Performance Monitor for a Custom Table

Custom JMX Monitor for IBM Websphere

Custom SNMP Monitor for D-Link HostName and SysUpTime Custom SNMP Monitor for D-Link Interface Network Statistics

Custom WMI Monitor for Windows Domain and Physical Registry

Creating a Custom Performance Monitor

You create custom performance monitors by defining the performance object that you want to monitor, including the relationship between the performance object and FortiSIEM events and event attributes, and then associating the performance object to a device type.

Prerequisites

You should review the configuration settings for the monitoring protocols that you will use in your monitor, and be ready to provide the appropriate OIDs, classes, or database table attributes for the access protocol.

You should have created any new device/application types, event attribute types, or event types that you want to use in your performance monitor

You should have the IP address and access credentials for a device that you can use to test the monitor

Procedure

Creating the Performance Object and Applying it to a Device

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Click New.
  3. Enter a Name for the performance monitor.
  4. For Type, select either System or Application.
  5. For Method, select the monitoring protocol for the performance monitor.

See the topics under Monitoring Protocol Configuration Settings for more information about the configuration settings for each type of monitoring protocol.

  1. Click New next to List of Attributes, and create the mapping between the performance object and FortiSIEM event attributes. Note that the Method you select will determine the name of this mapping and the configuration options that are available. See Mapping Monitoring Protocol Objects to Event Attributes for more information.
  2. Select the Event Type that will be monitored.
  3. Enter the Polling Frequency for the monitor.
  4. Enter a Description.
  5. Click Save.
  6. In Admin > Device Support > Performance Monitoring, under Enter Device Type to Performance Object Mapping, click New.
  7. Enter a Name for the mapping.
  8. In the top pane of the dialog, select the Device Type to which you want to apply the monitor.

Whenever a device belonging to the selected device type is discovered, FortiSIEM will attempt to apply the performance monitor to it.

  1. In the bottom pane of the dialog, select the custom performance monitor.
  2. Click Save.

Testing the Performance Monitor

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor.
  3. Click Test.
  4. For IP, enter the IP address of the device that you want to use to test the monitor.
  5. Click Test.

If the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

After you have successfully tested and applied the performance monitor, you should initiate discovery of the device that it will monitor, and then make sure that the new monitor is enabled as described in Managing Monitoring of System and Application Metrics for Devices.

 

 

 

 

 

Monitoring Protocol Configuration Settings

These topics describe the configuration settings for monitoring protocols such as SNMP, WMI, and JDBC that are used for creating custom performance monitors.

JDBC Configuration Settings

JMX Configuration Settings

SNMP Configuration Settings for Custom Performance Monitors

Importing OID Definitions from a MIB File

WMI Configuration Settings for Custom Performance Monitors

JDBC Configuration Settings

When configuring JDBC as the access protocol for a custom performance monitor, use these settings. You may also want to review the topic Cust om JDBC Performance Monitor for a Custom Table as example of how to set up a custom performance monitor using JDBC.

Field Setting/Notes
Method JDBC
Database

Type

Select the type of database to connect to
SQL

Query

The SQL Query to execute when connecting
List of

Columns

This creates the mapping between columns in the database and AccelOps event attributes. See Mapping Monitoring Protocol Objects to Event Attributes for more information.
Where

Clauses

This indicates whether the database table being queried has a fixed set of rows, or whether it is growing over time. An example of this would be a table containing logs, in which case AccelOps would keep track of the last entry and only pull the new ones. There are three options here:

1.  There is a fixed set of rows and all rows are needed.

Leave all options cleared.

2.  There is a fixed set of rows and a fixed number of rows are needed.

Select Fixed Records and enter the number of required rows.

3.  The table is growing and only new values are needed.

Select Retrieve all new values since last retrieve time of column, and enter the name of the column that represents time in the database. AccelOps will keep track of the largest value in this column and only pull entries greater than that value during the next polling interval.

 

 

JMX Configuration Settings

When configuring JMX as the monitoring protocol for a custom performance monitor, use these settings. You may also want to review the topic C ustom JMX Monitor for IBM Websphere as an example of creating a custom JMX performance monitor.

Field Setting/Notes
Method JMX
MBean Enter the MBean interface that you want to monitor, or click the downward arrow to browse the JMX tree and select it. Note that the option you select here will determine the objects that are available when you select an Object Attribute for the List of Attributes. See the next section in this topic for information on how to find

Identifying MBean Names and Attributes for Custom Applications

This section discusses how to get MBean names and attributes for custom J2EE based applications.

  1. Launch JConsole on your workstation and connect to the application.
  2. Select the MBeans
  3. Browse to the application you want to monitor, and select it.
  4. In the right pane you will see the MBeanInfo. Note the ObjectName, while the attributes for the application will be listed in the tree view.

SNMP Configuration Settings for Custom Performance Monitors

When configuring SNMP as the access protocol for a custom performance monitor, use these settings. You may also want to review the topics Cu stom SNMP Monitor for D-Link Interface Network Statistics and Custom SNMP Monitor for D-Link HostName and SysUpTime as example of how to set up a custom performance monitor using SNMP.

Field Settings/Notes
Method SNMP
Parent

OID

The parent Object Identifier (OID) is used to optimize the number of SNMP GETs required for pulling the various individual OIDs. You can enter this directly, or click the downward arrow to select it from an MIB file. Several different MIB files are available to select from, see Importing OID Definitions from a MIB File for more information.
Parent

ID is table

Select is table if the OIDs you want to monitor are in a table with at least one row. An example would be interface metrics, such as i fInOctets and ifOutOctets, since there is an interface metric for each interface.
List of

OIDs

The OIDs you want to monitor mapped to AccelOps event attributes. The selection you make for Parent OID determines the options available in the OID menu when you select New.

 

 

Importing OID Definitions from a MIB File

Many devices include MIB files that you can then use to create a custom performance monitor for the device. This involves creating a

configuration file based on information in the MIB file, using that file as input for the mib2xml executable, and then placing the resulting output file in the /data/mibXml directory of your Supervisor. Once placed in this directory, you can select the file from the MIB File List menu to select the parent OID, which will then also affect which OIDs you can select for the OID to event attribute mapping.

Procedure

  1. Collect the device OID files you want to use and place them in a directory where the mib2XML
  2. Create the input config file with these fields, and name it with the .cfg file designation.

See the attached alcatel.cfg  file for an example.

Field Description
group This is the number of MIB file group. MIB files need to be analyzed as a group because of cross-references within them. The group attribute specifies an ID for each group and needs to be unique for every group.
mibFile The name of the MIB file being analyzed. There can be multiple entries. Be sure to specify the path to the MIB files.
vendor The name of the device vendor for the MIB file
model The model name or number for the device
evtPrefix As SNMP trap notification definitions in the MIB file are parsed, an event file is generated for each SNMP trap. This field specifies the event type prefix.
enterpriseId The enterprise ID number for this vendor, which is used for generating the SNMP trap parser

 

  1. Run mib2XML <filename>.cfg.
  2. Move the resulting .mib.xml file to the /data/mibXml directory of your Supervisor.

Example

In this example, a set of MIB files from an Alcatel 7×50 device are used to generate the XML output file.

  1. Sample MIB files:

TIMETRA-CHASSIS-MIB.mib

TIMETRA-GLOBAL-MIB.mib

TIMETRA-SYSTEM-MIB.mib

TIMETRA-TC-MIB.mib

  1. Information in these files, and the paths to them, are then used to create this config file. cfg
  2. Running mib2xml alcatel.cfg generates both an output and an mib2XML file.

alcatel.out

TIMETRA-TC-MIB.mib.xml

WMI Configuration Settings for Custom Performance Monitors

When configuring WMI as the monitoring protocol for a custom performance monitor, use these settings. You may also want to review the topic C ustom WMI Monitor for Windows Domain and Physical Registry as example of how to set up a custom performance monitor using WMI.

Field Settings
Method WMI
Parent

Class

WMI metrics are defined in the form of a parent class having multiple attributes. For example, the parent class Win32_ComputerSy stem has the attributes Domain and TotalPhysicalMemory.
Is Table If the parent WMI class is a table with one or more rows, select this option.

 

 

Mapping Monitoring Protocol Objects to Event Attributes

When you select a monitoring protocol for your custom performance monitor, you must also establish the relationship between the objects used by that protocol and event attributes in FortiSIEM. For example, creating a performance monitor that uses SNMP to monitor a device requires that you create a mapping between the SNMP OIDs that you want to monitor, and set of event attributes. This topic describes the configuration settings that you will use to create these object-to-event attribute relationships.

Procedure
  1. When creating your custom performance monitor, after you have selected the Method, click New next to List of Attributes.

Depending on the monitoring protocol that you select, this table may be named List of OIDs (SNMP), or List of Columns (JDBC).

  1. In the first field, enter or select the monitoring protocol object that you want to map to an FortiSIEM event attribute.

Your options depend on the monitoring protocol you selected for Method.

Monitoring

Protocol

Field

Name

Settings/Notes
SNMP OID Select an MIB file from the MIB File List, and then select the OID that you want to create the mapping for.
WMI Attribute Enter an attribute of the WMI class you entered for Parent Class.
JMX Object

Attribute

The MBean you select determines the attributes you can select. You will also have to enter a Name a nd Private Key for the MBean attribute.
JDBC Column

Name

Enter the name of the column in the SQL Query that you are using to monitor the database.
  1. Select the Format for the object attribute.

Your options will depend on the monitoring protocol you selected for Method.

  1. For Type, select Raw Value or Counter.
  2. For Event Attribute, select the FortiSIEM event attribute that the monitoring protocol object should map to.

If you need to create a new event attribute, see Creating Event Attribute Types.

  1. Create any Transforms of the values returned for the monitoring protocol object.

See the next section for more information how to configure transforms.

  1. Click Save when you are done creating the mappings, and then complete the configuration of your custom performance monitor.

Creating Transforms

You can use a transform to convert the value returned for your monitoring project object into a more physically meaningful or usable metric. You an create multiple transforms, and they will be evaluated in the order shown in the table. Multiple transforms can be selected – they are evaluated in sequential order as shown in the display table

  1. Next to Transforms, click New.
  2. For Type, select System or Custom.
  3. For Formula, either select a system-defined transformation formula from the menu if you selected System for Type, or enter a formula if you selected Custom.
  4. Click Save.

Exporting a Custom Performance Monitor

To export a parser, you must also export XML files for the device/app types, event attribute types, event types, and then the monitor.

  1. Go to Admin > Device Support > Device/App Types.
  2. Select the device/application types used in your monitor, and then click Export.
  3. Go to Admin > Device Support > Event Attribute Types.
  4. Select the event attribute types used in your monitor, and then click Export.
  5. Go to Admin > Device Support > Event Types.
  6. Select the event types used in your monitor, and then click Export.
  7. Go to Admin > Device Support > Performance Monitoring.
  8. Select the monitor, and then click Export.

Importing a Custom Performance Monitor

Importing a custom performance monitor involves importing four XML files: the XML files containing any device/app types, event attribute types, or event types that you have created for this parser, followed by the custom performance monitor file.

  1. For each device/app type, event attribute type, or event type XML file that is required for your monitor, go to the appropriate tab in Admin > Device Support, and then click Import.
  2. Browse to the location of your XML file, and then click Upload.
  3. Go to Admin > Device Support > Performance Monitors, and then click Import.
  4. Browse to the location of your performance monitor file, and then click Upload.
  5. Follow the instructions in Creating a Custom Performance Monitor to test and apply your performance monitor.

Examples of Custom Performance Monitors

Custom JDBC Performance Monitor for a Custom Table

Custom JMX Monitor for IBM Websphere

Custom SNMP Monitor for D-Link HostName and SysUpTime Custom SNMP Monitor for D-Link Interface Network Statistics

Custom WMI Monitor for Windows Domain and Physical Registry

Custom JDBC Performance Monitor for a Custom Table

Planning

Examining the Table Structure

Creating New Device Types, Event Attribute Types, and Event Types Event Types

Adding New JDBC Performance Objects

Performance Object Configuration for Static Table HEALTH_STATIC_DEMO

Performance Object Configuration for Dynamic Table HEALTH_DYNAMIC_DEMO

Associating Device Types to Performance Objects Edit Device to Performance Object

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Planning

Examining the Table Structure

For this example, consider two custom Oracle tables that you want to monitor.

  • A table called HEALTH_STATIC_DEMO that does not have time stamp as a column. The table does not grow with time, and the HEALTH c olumn is updated by the application.
  1. A table called HEALTH_DYNAMIC_DEMO that has a time-stamp in the column create_time. Only records with a more recent time-stamp than previous ones have to be pulled in, and every time a new record is written, it includes a time stamp.

Creating New Device Types, Event Attribute Types, and Event Types

In this case, you only need to create two new event types to handle the contents of the two tables.

Event Types

Name Device Type Severity
PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC Generic Low
PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC Generic Low

Adding New JDBC Performance Objects

Each table requires its own performance object for monitoring.

Performance Object Configuration for Static Table HEALTH_STATIC_DEMO

Field Setting
Name jdbc_static_perfObj
Type Application
Method JDBC
Database Type Oracle Database Server
SQL Query select * from health_static_demo
List of Columns  
Column Name Name Format Event Attribute  
host_name   STRING hostName
health   STRING health
 
Where Clauses Not applicable, since the table doesn’t grow over time
Event Type PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency 180 seconds

Performance Object Configuration for Dynamic Table HEALTH_DYNAMIC_DEMO

Field Setting
Name jdbc_dynamic_perfObj
Type Application
Method JDBC
Database Type Oracle Database Server
SQL Query select * from health_dynamic_demo
List of Columns  
Column Name Name Format Event Attribute  
host_name   STRING hostName
cpu_util   DOUBLE cpuUtil
mem_util   DOUBLE memUtil
create_time   STRING createTime
 
Where Clauses retrieve all new values since last retrieve time of column create_time
Event Type PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency 180 seconds

Associating Device Types to Performance Objects

In this example, the Oracle database runs on Microsoft Windows, so you would need to associate Microsoft Windows device types to the two performance objects. Because the discovered device type has to exactly match one of device types in this association in order for the discovery module to initiate monitoring, you would need to add other device types, such as Linux, if you also wanted to monitor Oracle databases over JDBC on those devices.

Edit Device to Performance Object

Field Settings
Name windows_oracle_perf_association
Device Types Microsoft Windows

Microsoft Windows 7

Microsoft Windows 98

Microsoft Windows ME

Microsoft Windows NT

Microsoft Windows Server 2000 Microsoft Windows Server 2003

Microsoft Windows Server 2008

Microsoft Windows Vista

Microsoft Windows XP

Perf Objects jdbc_static_perfObj(JDBC) – Default Interval:3mins jdbc_dynamic_perfObj(JDBC) – Default Interval:3mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the database server, created the IP address to credentials mapping, and tested connectivity to the server.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Oracle database server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and a parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

  1. Create a structured historical search, and in the Filter Criteria, enter Event Type =

“PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC”; Group by: [None] This should show the entries in the HEALTH_STATIC_DEMO table

  1. Create a structured historical search, and in the Filter Criteria, enter Event Type =

“PH_DEV_MON_CUST_JDBC_PERFORMANCE_SDynamic”; Group by: [None] This should show the entries in the HEALTH_DYNAMIC_DEMO table .

Custom JMX Monitor for IBM Websphere

Creating New Device Types, Event Attribute Types, and Event Types

Event Attribute Types

Event Types

Adding New IBM WebSphere Performance Objects

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD

Transform Formula for websphere_threadPCT Event Attribute

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY Associating Device Types to Performance Objects Edit Device to Performance Object

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

This example illustrates how to write a custom performance monitor for retrieving IBM Websphere thread, heap memory, and non-heap memory metrics.

Planning

Creating New Device Types, Event Attribute Types, and Event Types

In this case, the IBM Websphere device type is already supported by FortiSIEM, but you need to create new event attributes and event types for the metrics you want to retrieve.

Event Attribute Types

Name Display Name Value Type Display Format Type
websphere_heapPCT WebSphere HeapPct INT64  
websphere_numThreads WebSphere NumThreads INT64  
websphere_maxThreads WebSphere MaxThreads INT64  
websphere_threadPct WebSphere ThreadPct INT64  
websphere_numClass WebSphere NumClass INT64  
websphere_heapUsed WebSphere HeapUsed INT64 Bytes
websphere_heapMax WebSphere HeapMax INT64 Bytes
websphere_heapCommitted WebSphere HeapCommitted INT64 Bytes
websphere_nonHeapUsed WebSphere NonHeapUsed INT64 Bytes
websphere_nonHeapMax WebSphere NonHeapMax INT64 Bytes
websphere_nonHeapCommitted WebSphere NonHeapCommitted INT64 Bytes

Event Types

Name Device Type Severity
PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY IBM WebSphere App Server Low
PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY IBM WebSphere App Server Low
PH_DEV_MON_CUST_WEBSPHERE_THREAD IBM WebSphere App Server Low

Adding New IBM WebSphere Performance Objects

Each of the event types requires creating a performance object for monitoring.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY

Field Setting  
Name websphere_heapMemory_perfObj  
Type Application  
Method JMX  
MBean java.lang:type=Memory  
List of Attributes    
Object Attribute Private Key Name Format Event Attribute
HeapMemoryUsage committed committed Long websphere_heapCommitted
HeapMemoryUsage used used Long websphere_heapUsed
HeapMemoryUsage max max Long websphere_heapMax
      Long websphere_heapPCT
   
Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY  
Polling Frequency 180 seconds  

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD

For the webSphere_threadPct Event Attribute, you will enter a transform as shown in the second table.

Field Setting    
Name websphere_thread_perfObj    
Type Application    
Method JMX    
MBean java.lang:type=Threading    
List of Attributes      
Object Attribute Private Key Name Format Event Attribute
ThreadCount   ThreadCount Long websphere_numThreads
PeakThreadCount   PeakThreadCount Long websphere_maxThreads
      Long websphere_threadPCT
     
Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD    
Polling Frequency 180 seconds    

Transform Formula for websphere_threadPCT Event Attribute

Click New next to Transforms in the dialog to enter the formula.

Field Settings
Object Attribute <blank>
Name <blank>
Private Key <blank>
Format Long
Event Attribute websphere_threadPct
Transforms  

Type Formula
custom ThreadCount*100/PeakThreadcount

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY

Field Setting
Name websphere_nonHeapMemory_perfObj
Type Application
Method JMX
MBean java.lang:type=Memory
List of Attributes  
Object Attribute Private Key Name Format Event Attribute  
NonHeapMemoryUsage  used   Long websphere_nonHeapUsed
NonHeapMemoryUsage  committed   Long websphere_nonHeapCommitted
 NonHeapMemoryUsage  max   Long websphere_nonHeapMax
 
Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY
Polling Frequency 180 seconds

Associating Device Types to Performance Objects

In this example, IBM WebSphere runs on Microsoft Windows, so you would need to associate Microsoft Windows device types to the three performance objects. Because the discovered device type has to exactly match one of device types in this association in order for the discovery module to initiate these monitors, you would need to add other device types, such as Linux, if you also wanted to monitor IBM Websphere over JMX on those devices.

Edit Device to Performance Object

Field Settings
Name windows_oracle_perf_association
Device Types Microsoft Windows

Microsoft Windows 7

Microsoft Windows 98

Microsoft Windows ME

Microsoft Windows NT

Microsoft Windows Server 2000

Microsoft Windows Server 2003

Microsoft Windows Server 2008

Microsoft Windows Vista

Microsoft Windows XP

Perf Objects websphere_thread_perfObj(JMX) – Default Interval:3mins websphere_thread_perfObj(JMX) – Default Interval:3mins websphere_nonHeapMemory_perfObj(JMX) – Default Interval:3mins

 

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Oracle database server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For

Organizations

Structured

Reporting IP IN <IP Range> AND Event Type CONTAIN

“ph_dev_mon_cust_web”; Group by: [None]

Event Receive Time,Reporting

IP, Event

Last 60

Minutes

All

 

 

Custom SNMP Monitor for D-Link HostName and SysUpTime

Although D-link switches and routers are not supported in this release of AccelOps, you can still use the custom monitor feature to create a system uptime event that will collect basic performance metrics like hostName and SysUpTime.

Planning

Mapping SNMP OIDs to AccelOps Event Attribute Types

If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1 against the D-Link switch, you should see an output similar to this:

From these outputs you can see that if you want to create a performance monitor for D-Link switch uptime, you need to:

  1. Create a new device type, since D-Link switches are not supported in this release
  2. Create an event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain the event attribute types hostName and SysUpTime, which are already part of the AccelOps event attribute type library.
  3. Create the mapping between the SNMP OIDs and the event attributes:
    1. OID .1.3.6.1.2.1.1.5 and hostName.
    2. OID .1.3.6.1.2.1.1.5 and SysUpTime.

Creating New Device Types, Event Attribute Types, and Event Types

Device Type

Create a new device type with these attributes:

Field Setting
Vendor D-Link
Model DGS
Version Any
Device/App Group Devices > Network Devices > Router Switch
Biz Service Group <no selection>
Description D-Link Switch

Event Attribute Types and Event Types

Both sysUptime and hostName are included in the Event Attribute Types, so you only need to create a new event type, PH_DEV_MON_CUST_ DLINK_UPTIME, that will contain them.

Name Device Type Severity Description
PH_DEV_MON_CUST_DLINK_UPTIME D-Link DGS 0 – Low D-Link Uptime

Adding the D-Link SNMP Performance Object

In this case, you will create one performance object that will map the SNMP OIDs to the AccelOps event attribute types hostName and SysUpti me, and then associate them with the PH_DEV_MON_CUST_DLINK_UPTIME event type. When you create the SysUpTime mapping you will also a dd a transform to convert system time to centiseconds to seconds as shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

Field Setting    
Name D-LinkUptime    
Type System    
Method SNMP    
Parent OID .1.3.6.1.1.2.1.1    
Parent OID is Table <left cleared>    
List of OIDs      
Object Attribute Name Format Type Event Attribute  
.1.3.6.1.1.2.1.1.5 Host Name String RawValue hostName
.1.3.6.1.1.2.1.1.3 Uptime Timeticks RawValue SysUpTime
     
Event Type PH_DEV_MON_CUST_DLINK_UPTIME    
Polling Frequency 10 seconds    

Transform Formula for SysUptime Event Attribute

Type Formula
custom uptime/100

Associating Device Types to Performance Objects

In this case you would only need to make one association with the D-Link DGS device you created.

Field Settings
Name D-LinkPerfObj
Device Types  D-Link DGS
Perf Objects  D-LinkUptime(SNMP) – Default Interval:0.17mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display

Columns

Time For

Organizations

Structured

Reporting IP IN <IP Range> AND Event Type = “PH_DEV_MON_CUST_DLINK_UPTIME”;

Group by: [None]

Event Last 10

Minutes

All

 

 

Custom SNMP Monitor for D-Link Interface Network Statistics

This example shows how to create a custom performance monitor for network interface statistics for D-link switches. In this case, the result is a table, with one set of metrics for each interface.

Planning

Matching SNMP OIDs to AccelOps Event Attribute Types

Creating New Device Types, Event Attributes, and Event Types

Device Type

Event Attribute Types

Event Types

Adding the D-Link SNMP Performance Object

Performance Object Configuration for Event Type PH_DEV_MON_CUST_INTF_STAT

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Planning

Matching SNMP OIDs to AccelOps Event Attribute Types

If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1 against the D-Link switch, you should see an output similar to this:

To get interface queue length (the outQLen event attribute in AccelOps), you would run snmpwalk -v 1 -c <community> <ip>

To get interface speed, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.5:

To get received bytes (the recvBitsPerSec event attribute in AccelOps), you would run snmpwalk -v 1 -c <community> <ip>

Finall,y to get sent bytes (the sentBitsPerSec event attribute in AccelOps ), you would  run snmpwalk -v 1 -c <community> <ip>

From these outputs you can see that if you want to create a performance monitor for D-Link switch uptime, you need to:

  1. Create a new device type, since D-Link switches are not supported in this release.
  2. Create an event type, PH_DEV_MON_CUST_DLINK_INTF_STAT, that will contain the event attribute types outQLen, recvBitsPerSec, and sentBitsPerSec, which are already part of the AccelOps event attribute library, and hostNameSnmpIndx and intfSpeed, which you need to create.
  3. Create the mapping between the SNMP OIDs and the event attributes:
    1. OID .1.3.6.1.2.1.2.2.1.1 and hostNameSnmpIndx
    2. OID .1.3.6.1.2.1.2.2.1.5 and intfSpeed
    3. OID .1.3.6.1.2.1.2.2.1.21 and outQLen
    4. OID .1.3.6.1.2.1.2.2.1.10 and recvBitsPerSec
    5. OID .1.3.6.1.2.1.2.2.1.16 and sentBitsPerSec

Creating New Device Types, Event Attributes, and Event Types

Device Type

Create a new device type with these attributes:

Field Setting
Vendor D-Link
Model DGS
Version Any
Device/App Group Devices > Network Devices > Router Switch
Biz Service Group <no selection>
Description D-Link Switch

Event Attribute Types

Create these event attribute types:

Name Display Name Value Type Display Format Type
hostSnmpIndex Host Interface SNMP Index INT64  <left blank>
intfSpeed Interface Speed in bits/sec INT64  <left blank>
Name Device Type Severity
PH_DEV_MON_CUST_INTF_STAT D-Link DGS Low

Adding the D-Link SNMP Performance Object

In this case, you will create one performance object that will map the SNMP OIDs to the AccelOps event attribute types, and then associate them with the PH_DEV_MON_CUST_INTF_STAT event type. When you create the recvBitsPerSec and sentBitsPerSec mapping you will also add a sequential transform to convert the cumulative metric to a rate, and then convert bytes per second to bits per second. .

Performance Object Configuration for Event Type PH_DEV_MON_CUST_INTF_STAT

Field Setting      
Name D-LinkIntStat      
Type System      
Method SNMP      
Parent OID .1.3.6.1.2.1.2.2.1      
Parent OID is Table Selected      
List of OIDs        
Object Attribute Name Format Type Event Attribute  
.1.3.6.1.1.2.1.2.2.1.1 IntfIndex INTEGER RawValue hostSnmpIndex
.1.3.6.1.1.2.1.1.2.1.5 intfSpeed Gauge32 RawValue intfSpeed
.1.3.6.1.1.2.1.1.2.1.10 recvBitsPerSec Counter32 Counter recvBitsPerSec
.1.3.6.1.1.2.1.1.2.1.16 sentBitsPerSect Counter32 Counter sentBitsPerSect
.1.3.6.1.1.2.1.1.2.1.21 outInftQ Gauge32 RawValue OutQLen
       
Event Type PH_DEV_MON_CUST_INTF_STAT      
Polling Frequency 60 seconds      

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes

Type Formula
system toRate
system BytesPerSecToBitsPerSec

Associating Device Types to Performance Objects

In this case you would only need to make one association with the D-Link DGS device you created.

Field Settings
Name D-LinkPerfObj
Device Types  D-Link DGS
Perf Objects  D-LinkIntfStat(SNMP) – Default Interval:1mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For

Organizations

Structured

Reporting IP IN <IP Range> AND Event Type =”PH_DEV_

MON_CUST_INTF_STAT”; Group by: Host Name, Host Interface

Host Name,Host Interface SNMP Index,MAX(Out Intf

Queue), AVG(Intf Speed), AVG(Sent Bit Rate),

AVG(Received Bit Rate)

Last 10

Minutes

All
Custom WMI Monitor for Windows Domain and Physical Registry

Planning

Mapping Windows WMI Classes to FortiSIEM Event Attribute Types

If you run the command wmic -U <domain>/<user>%<pwd> //<ip> “select * from Win32_ComputerSystem against a Windows server, you will see an output similar to this:

CLASS: Win32_ComputerSystem AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetB ootOption::SEP::AutomaticResetCapability::SEP::BootOptionOnLimit::SEP::B ootOptionOnWatchDog::SEP::BootROMSupported::SEP::BootupState::SEP::Capti on::SEP::ChassisBootupState::SEP::CreationClassName::SEP::CurrentTimeZon e::SEP::DaylightInEffect::SEP::Description::SEP::DNSHostName::SEP::Domai n::SEP::DomainRole::SEP::EnableDaylightSavingsTime::SEP::FrontPanelReset Status::SEP::InfraredSupported::SEP::InitialLoadInfo::SEP::InstallDate::

SEP::KeyboardPasswordStatus::SEP::LastLoadInfo::SEP::Manufacturer::SEP:: Model::SEP::Name::SEP::NameFormat::SEP::NetworkServerModeEnabled::SEP::N umberOfLogicalProcessors::SEP::NumberOfProcessors::SEP::OEMLogoBitmap::S EP::OEMStringArray::SEP::PartOfDomain::SEP::PauseAfterReset::SEP::PCSyst emType::SEP::PowerManagementCapabilities::SEP::PowerManagementSupported: :SEP::PowerOnPasswordStatus::SEP::PowerState::SEP::PowerSupplyState::SEP ::PrimaryOwnerContact::SEP::PrimaryOwnerName::SEP::ResetCapability::SEP: :ResetCount::SEP::ResetLimit::SEP::Roles::SEP::Status::SEP::SupportConta ctDescription::SEP::SystemStartupDelay::SEP::SystemStartupOptions::SEP:: SystemStartupSetting::SEP::SystemType::SEP::ThermalState::SEP::TotalPhys icalMemory::SEP::UserName::SEP::WakeUpType::SEP::Workgroup

1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Norm al

boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::-420::SE P::True::SEP::AT/AT

COMPATIBLE::SEP::WIN2008-ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP ::3::SEP::False::SEP::NULL::SEP::(null)::SEP::3::SEP::(null)::SEP::VMwar e, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP:

:NULL::SEP::([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],

Welcome to the Virtual

Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP

::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_Workstation,LM_Server,Primary_D omain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NU LL::SEP::0::SEP::X86-based PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::

(null)

From this output you can see that the Win32_ComputerSystem WMI class has two attributes: 1.  Domain

  1. TotalPhysicalMemory

From these outputs you can see that if you want to create a performance monitor for Windows Domain and Physical Registry, you need to

  1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library.
  2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
    1. WMI class attribute Domain and Domain.
    2. WMI class attribute TotalPhysicalMemory (Bytes) and memTotalMB (type INT64). Because TotalPhysicalMemory return s in bytes, and memTotalMB is in INT64, a transform will be required to convert the metrics.

Creating New Device Types, Event Attributes, and Event Types

Device Type

Since Microsoft Windows is supported by FortiSIEM, you don’t need to create a new device type. Event Attribute Types and Event Types

Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need to create a new event type, PH_DEV_ MON_CUST_WIN_MEM, that will contain them.

Name Device Type Severity Description
PH_DEV_MON_CUST_WIN_MEM Microsoft Windows 0 – Low Windows Domain and Memory

Adding the Microsoft Windows WMI Performance Object

In this case, you will create one performance object that will map the WMI Class attributes to the FortiSIEM event attribute types Domain and mem

TotalMB, and then associate them with the PH_DEV_MON_CUST_WIN_MEM event type. When you create the memTotalMB mapping you will also add a transform to convert bytes to INT64 as shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

Field Setting  
Name WinMem  
Type System  
Method WMI  
Parent Class Win32_ComputerSystem  
Parent Class is Table <left cleared>  
List of Attributes    
Attribute Format Type Event Attribute  
Domain String RawValue domain
TotalPhysicalMemory Integer RawValue memTotalMB
   
Event Type PH_DEV_MON_CUST_WIN_MEM  
Polling Frequency 20 seconds  

Transform Formula for TotalPhysicalMemory Event Attribute Type

Type Formula
custom TotalPhysicalMemory/1024/1024

Associating Device Types to Performance Objects

In this example, you would need to associate Microsoft Windows device types to the performance object. Edit Device to Performance Object

Field Settings
Name WinMisc
Device Types Microsoft Windows

Microsoft Windows NT

Microsoft Windows Server 2000

Microsoft Windows Server 2003

Microsoft Windows Server 2008

Microsoft Windows Vista

Microsoft Windows XP

Perf Objects  WinMem(WMI) – DefaultInterval:0.33mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Display Columns Time For

Organizations

Host IP = <IP> AND Event Type = “PH_DEV_MON_CUST_WIN_MEM

“;Group by:[None]

Event Receive Time,Reporting IP,Domain,Total

Memory (MB)

Last 10

Minutes

All

FortiSIEM Custom Parsers

Custom Parsers

To start creating a custom parser for device logs, you should begin by reviewing the Event Parser XML Specification. Writing the XML specification is the primary task in creating a custom parser.

Event Parser XML Specification

Custom Parser XML Specification Template

Parser Name Specification

Device or Application Type Specification

Format Recognizer Specification

Pattern Definition Specification

Parsing Instructions Specification

Creating a Custom Parser

Deleting or Disabling a Parser

Exporting a Custom Parser

Importing a Custom Parser

Parser Examples

Cisco IOS Syslog Parser

 

Event Parser XML Specification

FortiSIEM uses an XML-based parser framework to parse events. These topics describe the parser syntax and include examples of XML parser specifications.

Custom Parser XML Specification Template

Parser Name Specification

Device or Application Type Specification

Format Recognizer Specification

Pattern Definition Specification

Parsing Instructions Specification

Custom Parser XML Specification Template

The basic template for a custom parser XML specification includes five sections. Click on the name of any section for more information.

Section Description
Parser Name Specification Name of the parser file
Device Type The type of device or application associated with the parser
Format Recognizer Specification Patterns that determine whether an event will be parsed by this parser
Pattern Definition Specification Defines the parsing patterns that are iterated over by the parsing instructions
Parsing Instructions Specification Instructions on how to parse events that match the format recognizer patterns

Custom Parser XML Specification Template

Parser Name Specification

This section specifies the name of the parser, which is used only for readability and identifying the device type associated with the parser.

Device or Application Type Specification

This section specifies the device or the application to which this parser applies. The device and application definitions enable FortiSIEM to detect the device and application type for a host from the received events. This is called log-based discovery in FortiSIEM. Once a received event is successfully parsed by this file, a CMDB entry is created with the device and application set from this file. FortiSIEM discovery may further refine the device.

There are two separate subsections for device and application. In each section, vendor, model and version can be specified, but version is not typically needed.

Examples of Specifications for Types of Device and Applications

Hardware Appliances

In this case, the type of event being parsed specifies the device type, for example Cisco IOS, Cisco ASA, etc.

Software Operating Systems that Specify the Device Type

In this case, the type of events being parsed specifies the device type, for example Microsoft Windows etc. In this case the device type section looks like

Applications that Specify Both Device Type and Application

In this case, the  events being parsed specify the device and application types because Microsoft SQL Server can only run on Microsoft Windows OS.

Applications that Specify the Application Type but Not the Device Type

Consider the example of an Oracle database server, which can run on both Windows and Linux operating systems. In this case, the device type is set to Generic but the application is specific. FortiSIEM depends on discovery to identify the device type.

Format Recognizer Specification

In many cases, events associated with a device or application will contain a unique pattern. You can enter a regular expression in the Format Recognizer section of the parser XML file to search for this pattern, which, if found, will then parse the events according to the parser instructions. After the first match, the event source IP to parser file map is cached, and only that parser file is used for all events from that source IP. A notable exception is when events from disparate sources are received via a syslog server, but that case is handled differently.

While not a required part of the parser specification, a format recognizer can speed up event parsing, especially when one parsing pattern file among many pattern files must be chosen. Only one pattern check can determine whether the parsing file must be used or not. The other less efficient option would be to examine patterns in every file. At the same time, the format recognizer must be carefully chosen so that it is not so broad to misclassify events into wrong files, and at the same time, not so narrow that it fails at classifying the right file.

Format Recognizer Syntax

The specification for the format recognizer section is:

In the regexpattern block, a pattern can be directly specified using regex or a previously defined pattern (in the pattern definition section in this file or in the GeneralPatternDefinitions.xml file) can be referenced.

Example Format Recognizers

Cisco IOS

All Cisco IOS events have a %module name pattern.

Cisco ASA

All Cisco ASA events have the pattern ASA-severity-id pattern, for example ASA-5-12345.

Palo Alto Networks Log Parser

In this case, there is no unique keyword, so the entire message structure from the beginning to a specific point in the log must be considered.

Event

<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06

15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ether net1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06

15:51:04,600,2,0,0,0,0,0×40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

Pattern Definition Specification

In this section of the parser XML specification, you set the regular expression patterns that that FortiSIEM will iterate through to parse the device logs.

You can also write a long pattern definition in multiple lines and indicate their order as shown in this example. The value of the list attribute should be begin in first line and end in last line. If there are more than two lines, the attribute should be set to continue for the other lines.

Parsing Instructions Specification

This section is the heart of the parser, which attempts to recognize patterns in a log message and populate parsed event attributes.

In most cases, parsing involves applying a regular expression to the log, picking up values, and setting them to event attributes. Sometimes the processing is more involved, for example when attributes need to be stored as local variables and compared before populating the event attributes. There are three key components that are used in parsing instructions: Event attributes and variables, inbuilt functions that perform operations on event attributes and variables, and switch and choose branching constructs for logical operations. Values can be collected from both unstructured and structured strings in log messages.

Event Attributes and Variables

Setting an Event Attribute to a Constant

Setting an Event Attribute from Another Variable

Inbuilt Functions

Combining Two or More Strings to Produce a Final String

Normalize MAC Address

Compare Interface Security Level

Convert Hex Number to Decimal Number

Convert TCP/UDP Protocol String to Port Number

Convert Protocol String to Number

Convert Decimal IP to String

Convert Host Name to IP

Add Two Numbers

Divide Two Numbers

Scale Function

Extract Host from Fully Qualified Domain Name

Replace a String Using a Regular Expression

Replace String in String

Resolve DNS Name

Convert to UNIX Time

Trim Attribute

Branching Constructs

Choose Construct

Switch Construct

Collecting Values from Unstructured Strings

Collecting Fields from Structured Strings

Key=Value Structured Data

Value List Structured Data

Event Attributes and Variables

The dictionary of event attributes are defined in FortiSIEM database and any member not belonging to that list is considered a local variable. For readability, local variables should begin with an _, although this is not enforced.

Setting an Event Attribute to a Constant

Setting an Event Attribute from Another Variable

The $ symbol is used to specify the content of a variable. In the example below, attribute hostMACAddr gets the value stored in the local variable

Combining Two or More Strings to Produce a Final String

This is accomplished by using the combineMsgId function. Here _evIdPrefix is the prefix, _evIdSuffix is the suffix, and the output will be s tring1-_evIdPrefix-_evIdSuffix.

Normalize MAC Address

This is accomplished by using the normalizeMAC function. The output will be six groups of two nibbles separated by a colon, for example AA:BB

This is accomplished by using the compIntfSecVal function. This primarily applies to Cisco ASA and PIX firewalls. The results returned are:

This is accomplished by using the convertHexStrToInt function.

Convert TCP/UDP Protocol String to Port Number

This is accomplished by using the convertStrToIntIpPort function.

Convert Protocol String to Number

This is accomplished by the using the convertStrToIntIpProto function.

Convert Decimal IP to String

This is accomplished by using the converIpDecimalToStr function.

Convert Host Name to IP

This is accomplished by using the convertHostNameToIp function.

Add Two Numbers

This is accomplished by using the add function.

Divide Two Numbers

This is accomplished by using the divide function.

Scale Function

This is accomplished by using the scale function.

Extract Host from Fully Qualified Domain Name

This is accomplished by using the extractHostFromFQDN function. If _fqdn` contains a . , get the string before the first .,  otherwise, get the whole string.

Replace a String Using a Regular Expression

This is accomplished by using the replaceStringByRegex function.

Replace String in String

This is accomplished by using the replaceStrInStr function.

Resolve DNS Name

This is accomplished by using the resolveDNSName function, which converts DNS name to IP address.

Convert to UNIX Time

This is accomplished by using the toDateTime function.

Trim Attribute

This is accomplished by using the trimAttribute function. In the example below, it is used to trim the leading and trailing dots in destName.

Branching Constructs

Choose Construct

The format is:

Switch Construct The format is:

Collecting Values from Unstructured Strings

From a string input source, a regex match is applied and variables are set. The variables can be event attributes or local variables. The input will be a local variable or the default raw message variable. The syntax is:

The regexpattern is specified by a list of variables and sub-patterns embedded within a larger pattern. Each variable and sub-pattern pair are enclosed within <>.

Consider an example in which the local variable _body is set to list 130 permitted eigrp 172.16.34.4(Serial1 ) > 172.16.34.3, 1 packet. From this sting we need to set the values to local variables and event attributes.

Value Set To Type
130  _aclName Local Variable
permitted _action Local Variable
eigrp _proto Local Variable
172.16.34.4 srcIpAddr Event Attribute
Serial1 srcIntfName Event Attribute
172.16.34.3 destIpAddr Event Attribute
1 totPkts Event Attribute

This is achieved by using this XML. Note that you can use both the collectAndSetAttrByRegex and collectFieldsByRegex functions to collect values from fields.

Collecting Fields from Structured Strings

The are usually two types of structured strings in device logs:

Key=value structured

Value list structured

In each case, two simpler specialized parsing constructs than are provided

Key=Value Structured Data

Certain logs, such as SNMP traps, are structured as Key1 = value1 <separator> Key2 = value2,…. These can be parsed using the col lectAndSetAttrByKeyValuePair XML attribute tag with this syntax.

When a key1 match is found, then the entire string following key1 up to the separatorString is parsed out and stored in the attribute variab leOrEventAttribute1.

As an example, consider this log fragment.

_body =

SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B

13 15 00 00 2D 07 00    SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.11.0

= Hex-STRING: 00 16 B6 DB 12 22

SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.12.0 = Hex-STRING: 00 21 55

4D 66 B0  SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.13.0 = INTEGER: 36

SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.1.0 = Hex-STRING: 00 1A 1E C0

60 7A  SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.56.0 = INTEGER: 2   SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.17.0 = STRING:

“00:1a:1e:c0:60:7a”

The corresponding parser fragment is:

After parsing, the attribute values are set:

Value Attribute
00 16 B6 DB 12 22 srcMACAddr
00 21 55 4D 66 B0 destMacAddr
2 wlanRadioId
00:1a:1e:c0:60:7a apMac

Value List Structured Data

Certain application logs, such as those from Microsoft IIS, are structured as a list of values with a separator. These can be parsed using the coll ectAndSetAttrByPos XML attribute tag following this syntax.

When the position offset1 is encountered, the subsequent values up to the separatorString is stored in variableOrEventAttribute1.

As an example, consider this log fragment.

The parser fragment is:

<collectAndSetAttrByPos src=”$_body” sep=’  ‘>

<attrPosMap attr=”srvInstName” pos=’1’/>

<attrPosMap attr=”destName” pos=’2’/>

<attrPosMap attr=”relayDevIpAddr” pos=’2’>

<attrPosMap attr=”destIpAddr” pos=’3’/>

<attrPosMap attr=”httpMethod” pos=’4’/>

<attrPosMap attr=”uriStem” pos=’5’/>

<attrPosMap attr=”uriQuery” pos=’6’/>

<attrPosMap attr=”destIpPort” pos=’7’/>

<attrPosMap attr=”user” pos=’8’/>

<attrPosMap attr=”srcIpAddr” pos=’9’/>

<attrPosMap attr=”httpVersion” pos=’10’/>

<attrPosMap attr=”httpUserAgent” pos=’11’/>

<attrPosMap attr=”httpReferrer” pos=’13’/>

<attrPosMap attr=”httpStatusCode” pos=’15’/>

<attrPosMap attr=”httpSubStatusCode” pos=’16’/>

<attrPosMap attr=”httpWin32Status” pos=’17’/>

<attrPosMap attr=”recvBytes” pos=’18’/>

<attrPosMap attr=”sentBytes” pos=’19’/>

<attrPosMap attr=”durationMSec” pos=’20’/>

</collectAndSetAttrByPos>

For structured strings, techniques in this section are more efficient than in the previous section since, the expression is simpler and ONE tag can be used to parse regardless of the order in which the keys or values appear in the string.

 

 

Creating a Custom Parser

Prerequisites

You should have examples of the logs that you want to parse

You should have created any new device/application types, event attribute types, or event types that you want to use in your XML specification

You should already have written the XML specification for your parser

You should have prepared a test event that you can use to validate the parser

Parsers Applied in Order

Parsers are applied in the order they are listed in Admin > Device Support > Parsers, so it is important to add your custom parser to the list in relation to any other parsers that may be applied to your device logs. If you click Fix Order, this will arrange the parsers with system-defined parsers at the top of the list in their original order, and user-defined parsers at the bottom. By sure to click Apply to make sure the change in order is picked up by the back-end module.

Procedure

  1. Go to Admin > Device Support > Parsers.
  2. Select a parser that is above the location in the list where you want to add your parser, and then click New.
  3. Enter a Name for the parser.
  4. Select a Device Type to which the parser should apply.

If the device type doesn’t appear in the menu, you should create a new device type

  1. Enter a Test Event containing an example of an event that you want to use to validate the parser.
  2. Enter the Parser XML.
  3. Click Validate.

This will validate the XML.

  1. Click Test.

This will send the test event to the parser to make sure it is parsed correctly, and will also test the parsers above and below yours in the list to make sure they continue to parse logs correctly.

  1. If the XML for your parser validates and the test event is correctly parsed, select Enable.

If you need to continue working on your parser, you can Save it without selecting Enable.

  1. Click Save.
  2. Click Apply to have the backend module pick up your parser and begin applying it to device logs.

You should now validate that events are being parsed by creating some activity that will cause a log to be generated, and then run a query against the new device IP address and validate the parsed results.

 

 

 

Deleting or Disabling a Parser
  1. Go to Admin > Device Support > Parsers.
  2. Select the parser you want to delete or disable.
  3. Click Delete or Disable.
  4. Click Yes to confirm that you want to delete or disable the parser.
Exporting a Custom Parser

To export a parser, you must also export XML files for the device/app types, event attribute types, event types, and then the parser specification file used by your parser.

  1. Go to Admin > Device Support > Device/App Types.
  2. Select the device/application types used in your parser, and then click Export.
  3. Go to Admin > Device Support > Event Attribute Types.
  4. Select the event attribute types used in your parser, and then click Export.
  5. Go to Admin > Device Support > Event Types.
  6. Select the event types used in your parser, and then click Export.
  7. Go to Admin > Device Support > Parsers.
  8. Select the parser specification for your parser, and then click Export.
Importing a Custom Parser

Importing a custom parser involves importing four XML files: the XML files containing any device/app types, event attribute types, or event types that you have created for this parser, followed by the parser specification XML file.

  1. For each device/app type, event attribute type, or event type XML file that is required for your parser, go to the appropriate tab in Admin > Device Support, and then click Import.
  2. Browse to the location of your XML file, and then click Upload.
  3. Go to Admin > Device Support > Parsers, and then click Import.
  4. Browse to the location of your parser specification XML file, and then click Upload.
  5. Follow the instruction in Creating a Custom Parser to validate your XML and test the parser, and to make sure it appears in the correct position in the list of parsers.
Parser Examples

Cisco IOS Syslog Parser

Cisco IOS Syslog Parser

Add Device Type

Create a file CiscoIOSParser.xml with this content.

Create the Parser Specification and Add Local Patterns

Create the parser XML file with this content, and add the pattern definition patCiscoIOSMod for detecting IOS modules such as SEC.

 

Define the Format Recognizer

Add this format recognizer for detecting %SEC-6-IPACCESSLOGP, which is a signature of Cisco IOS syslog messages.

Parse the Syslog Header

A syslog message consists of a syslog header, and a body. For better organization, we first parse the syslog header and event type. Subsequent code will include event type specific parsing, which is why event type is extracted in this step. In this example, the header is in boldface.

<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted tcp 192.168.20.33(3438) -> 69.147.86.184(80), 1 packet

The XML code for parsing the header does the following:

  1. Matches the pattern <190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP:
  2. Sets the eventType attribute to IOS-SEC- IPACCESSLOGP.
  3. Sets deviceTime.
  4. Sets event severity (1-7 scale in Cisco IOS, 1=> most severe, to normalized 1-10 scale in FortiSIEM where 10=>most severe)
  5. Saves the event list testlog permitted tcp 192.168.20.33(3438) -> 69.147.86.184(80), 1 packet in a temporary variable _body.

Note that the patterns gPatSyslogPRI, gPatMon, gPatDay, gPatTime, gPatInt, gPatmesgBody are global patterns that are defined in the GeneralPatternDefinitions.xml file:

This parser file XML fragment for parsing the example syslog message looks like this:

 

Parse the Syslog Body

The parsing is done on an eventType by eventType basis, since the formats are eventType specific. Parsing the syslog body involves three steps:

  1. Parsing the action string. Based on the action staring value (permit or denied), modify the eventType by appending the action string value at the end, and also modify the eventSeverity
  2. Parsing the protocol, source and destination IP, port, and totalPackets.
  3. Converting the protocol string to a protocol integer.

 

Final Parser

</patternDefinitions>

<parsingInstructions>

<!—parse header –>

<collectFieldsByRegex src=”$_rawmsg”>

 

<regex><![CDATA[<:gPatSyslogPRI>?<:gPatMon>\s+<:gPatDay>\s+<:gPatTime>

%<_evIdPrefix:patCiscoIOSMod>-<_severity:gPatInt>-<_evIdSuffix:patStrEnd

Colon>: <_body:gPatMesgBody>]]></regex>

</collectFieldsByRegex>

<setEventAttribute attr=”eventType”>combineMsgId(“IOS-“,

$_evIdPrefix, “-“, $_evIdSuffix)</setEventAttribute>

<choose>

<when test=’$_severity IN “6, 7″‘>             <setEventAttribute attr=”eventSeverity”>1</setEventAttribute>         </when>

<when test=’$_severity = “1”‘>            <setEventAttribute attr=”eventSeverity”>10</setEventAttribute>         </when>

<when test=’$_severity = “2”‘>

<setEventAttribute attr=”eventSeverity”>8</setEventAttribute>

</when>

<when test=’$_severity IN “3, 4″‘>

<setEventAttribute attr=”eventSeverity”>5</setEventAttribute>

</when>

<when test=’$_severity = “5”‘>

<setEventAttribute attr=”eventSeverity”>2</setEventAttribute>

</when>

</choose>

<!—parse body –>

<choose>

<when test=’$eventType IN “IOS-SEC-IPACCESSLOGP,

IOS-SEC-IPACCESSLOGDP, IOS-SEC-IPACCESSLOGRP”‘>

<collectAndSetAttrByRegex src=”$_body”>

<regex><![CDATA[list

<_aclName:gPatStr>\s+<_action:gPatWord>\s+<_proto:gPatWord>\s+<srcIpAddr

:gPatIpV4Dot>\(<srcIpPort:gPatInt>\)<:gPatMesgBody>->\s+<destIpAddr:gPat

IpV4Dot>\(<destIpPort:gPatInt>\),\s+<totPkts:gPatInt> <:gPatMesgBody>]]>

</regex>           </collectAndSetAttrByRegex>

<choose>

<when test=’$_action = “permitted”‘>                  <setEventAttribute

attr=”eventType”>combineMsgId(“IOS-“, $_evIdPrefix, “-“, $_evIdSuffix, “-PERMITTED”)</setEventAttribute>           <setEventAttribute attr=”eventSeverity”>1</setEventAttribute>

</when>

<when test=’$_action = “denied”‘>

<setEventAttribute attr=”eventType”>combineMsgId(“IOS-“, $_evIdPrefix, “-“, $_evIdSuffix, “-DENIED”)</setEventAttribute>                  <setEventAttribute attr=”eventSeverity”>3</setEventAttribute>               </when>

</choose>           <setEventAttribute attr=”ipProto”>convertStrToIntIpProto($_proto)</setEventAttribute>

Parsed Output Input syslog:

<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted tcp 192.168.20.33(3438) ->

69.147.86.184(80), 1 packet

Parsed fields:

  1. phRecvTime: the time at which the event was received by FortiSIEM
  2. phDeviceTime: Jan 9 02:38:47 2010
  3. eventType: SEC-IPACCESSLOGP-PERMITTED
  4. eventSeverity: 3
  5. eventSeverityCategory: LOW
  6. aclName: testlog
  7. ipProto: 6
  8. srcIpAddr: 192.168.20.33
  9. destIpAddr: 69.147.86.184
  10. srcIpPort: 3438
  11. destIpPort: 80
  12. totPkts: 1

The master list of event attributes supported by FortiSIEM is here