FortiSIEM Management Server/Appliance Configuration

Management Server/Appliance Configuration

AccelOps supports these management servers and appliances for discovery and monitoring.

Cisco Application Centric Infrastructure (ACI) Configuration

Fortinet FortiManager Configuration

Cisco Application Centric Infrastructure (ACI) Configuration

What is Discovered and Monitored

Protocol: Cisco APIC API (REST)
Metrics collected: Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG Health, Fault Record, Event Record, Log Record, Configuration Change
Used for: Availability and Performance Monitoring

Event Types

Go to CMDB > Event Types and search for “Cisco_ACI”

Rules

Go to CMDB > Rules and search for “Cisco ACI”

Reports

Go to CMDB > Reports and search for “Cisco ACI”

Configuration

Cisco ACI Configuration

Configure the Cisco ACI appliance so that FortiSIEM can reach it through the APIC REST API.

FortiSIEM Configuration

  1. Go to Admin > Setup > Credentials.
  2. Click New and create a credential as follows:
    a. Name – enter a name.
    b. Device Type – set to Cisco ACI.
    c. Access Protocol – set to Cisco APIC API.
    d. Password Configuration – set to Manual.
    e. Set the User Name and Password used for the APIC REST API.
    f. Click Save.
  3. Create an IP to Credential Mapping:
    a. IP – specify the IP address of the ACI Controller.
    b. Credential – specify the Name as in step 2a.
  4. Test Connectivity – run Test Connectivity with or without ping and make sure the test succeeds.
  5. Check the Pull Events tab to make sure that an event pulling entry is created.

Sample Events

Overall Health Event

[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89","healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}

Tenant Health Event

[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]

Nodes Health Event

[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0","inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00","mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role":"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]

Cluster Health Event

[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}

Application Health Event

[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}

EPG Health Event

[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified","scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]

Fault Record Event

[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification","lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical","rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}

Event Record Event

[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":"18374686479671623682","user":"internal"}

Log Record Event

[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created":"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-typeREST-Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":"login,session","txId":"0","user":"admin"}

Configuration Change Event

[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266","created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":"7493989779944505526","user":"admin"}}

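The sample events above all share one line shape, `[Cisco_ACI_<Kind>]: {json}`, with the per-object score nested under a healthInst child, the fabric summary in healthAvg, controllers in "health" and faults in highestSeverity. The following Python is an added example (not FortiSIEM or Cisco code) that parses lines of that shape and applies simple, constructed detection rules to them; the threshold, rule wording and the trimmed sample lines are assumptions for illustration, not FortiSIEM's built-in rules.

```python
"""Parse FortiSIEM-style Cisco ACI sample events and flag degraded health.

Added example, not FortiSIEM or Cisco code. The sample lines, the 95
threshold and the rule wording are constructed for illustration.
"""
import json
import re
from typing import Any, Dict, List, Optional, Sequence

# "[Cisco_ACI_Node_Health]: {...}" -- the line shape used by the samples above.
EVENT_RE = re.compile(r"^\[(?P<etype>Cisco_ACI_\w+)\]:\s*(?P<body>\{.*\})\s*$")

# Constructed sample lines, trimmed copies of the shapes documented above.
SAMPLE_EVENTS = [
    '[Cisco_ACI_Overall_Health]: {"attributes":{"dn":"topology/HDfabricOverallHealth5min0",'
    '"healthAvg":"82","healthMax":"89","healthMin":"0","healthTr":"1"}}',
    '[Cisco_ACI_Node_Health]: {"attributes":{"dn":"topology/pod-1/node-101/sys","name":"Leaf1",'
    '"role":"leaf"},"children":[{"healthInst":{"attributes":{"chng":"-10","cur":"90",'
    '"maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Tenant_Health]: {"attributes":{"dn":"uni/tn-CliQr","name":"CliQr"},'
    '"children":[{"healthInst":{"attributes":{"chng":"0","cur":"100","maxSev":"cleared",'
    '"prev":"100"}}}]}',
    '[Cisco_ACI_Cluster_Health]: {"attributes":{"dn":"topology/pod-1/node-1/av/node-1",'
    '"nodeName":"apic1","health":"fully-fit","operSt":"available"}}',
    '[Cisco_ACI_Fault_Record]: {"attributes":{"dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583",'
    '"descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership",'
    '"highestSeverity":"critical","rule":"infra-wi-node-health","lc":"soaking"}}',
    "not an ACI event line",
]


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Return {"event_type", "attributes", "health"} or None for non-ACI lines.

    "health" is the nested healthInst attributes (cur/prev/chng/maxSev) when
    the object carries one, otherwise an empty dict. Malformed JSON is
    treated like a non-matching line instead of raising.
    """
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    health: Dict[str, Any] = {}
    for child in body.get("children", []):
        inst = child.get("healthInst", {})
        if "attributes" in inst:
            health = inst["attributes"]
            break
    return {"event_type": m.group("etype"), "attributes": body.get("attributes", {}),
            "health": health}


def _as_int(value: Any) -> Optional[int]:
    """APIC returns numbers as strings ("90", "-10"); tolerate missing/garbage."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def evaluate_health(lines: Sequence[str], min_score: int = 95,
                    alert_severities: Sequence[str] = ("critical", "major")) -> List[Dict[str, str]]:
    """Run parsed events through constructed rules and return findings.

    Rules: fabric healthAvg below min_score; tenant/node/application/EPG
    score below min_score or a negative change; a controller not "fully-fit";
    a fault whose highestSeverity is in alert_severities.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        etype, attrs, health = ev["event_type"], ev["attributes"], ev["health"]
        reason: Optional[str] = None
        if etype == "Cisco_ACI_Overall_Health":
            avg = _as_int(attrs.get("healthAvg"))
            if avg is not None and avg < min_score:
                reason = f"fabric healthAvg {avg} below {min_score}"
        elif etype == "Cisco_ACI_Cluster_Health":
            if attrs.get("health") != "fully-fit":
                reason = f"controller {attrs.get('nodeName', '?')} is {attrs.get('health', 'unknown')}"
        elif etype == "Cisco_ACI_Fault_Record":
            sev = attrs.get("highestSeverity", "")
            if sev in alert_severities:
                reason = f"{sev} fault from rule {attrs.get('rule', '?')}: {attrs.get('descr', '')}"
        elif health:  # tenant, node, application and EPG objects carry a healthInst child
            cur, chng = _as_int(health.get("cur")), _as_int(health.get("chng"))
            if cur is not None and cur < min_score:
                reason = f"health score {cur} below {min_score}"
            elif chng is not None and chng < 0:
                reason = f"health dropped by {-chng} to {cur}"
        if reason:
            findings.append({"event_type": etype, "dn": attrs.get("dn", "?"), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in evaluate_health(SAMPLE_EVENTS):
        print(f"{finding['event_type']:32} {finding['dn']}: {finding['reason']}")
```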
FortiSIEM Mail Server Configuration

Mail Server Configuration

AccelOps supports these mail servers for discovery and monitoring.

Microsoft Exchange Configuration

Microsoft Exchange Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization for the various Exchange server processes
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics (uptime, CPU utilization, memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec) for the various Exchange server processes
Used for: Performance Monitoring

Protocol: WMI
Metrics collected:
  Exchange performance metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): VM Largest Block Size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User Count, Active User Count, Peak User Count, Active Connection Count, Max Connection Count
  Exchange error metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed – Server Busy, RPC Failed – Server Unavailable, Foreground RPC Failed, Background RPC Failed
  Exchange mailbox metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes), per mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User
  Exchange SMTP metrics (obtained from the Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue
  Exchange ESE Database metrics (Win32_PerfFormattedData_ESE_MSExchangeDatabase)
  Exchange Database Instances metrics (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances)
  Exchange Mail Submission metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission)
  Exchange Store Interface metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface)
  Exchange Replication metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication)
  Exchange Transport Queue metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues)
Used for: Performance Monitoring

Protocol: WMI
Metrics collected: Application Logs
Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “microsoft exchange” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “microsoft exchange” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  1. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  2. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

FortiSIEM Document Management Server Configuration

Document Management Server Configuration

AccelOps supports these document management servers for discovery and monitoring.

Microsoft SharePoint Configuration

Microsoft SharePoint Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Installing and Configuring LOGbinder SP Agent

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol: WMI
Metrics/Logs collected: SharePoint logs – Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes
Used for: Log analysis and compliance

Event Types

In CMDB > Event Types, search for “sharepoint” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “sharepoint” in the Name column to see the reports associated with this application or device.

Configuration

Microsoft SharePoint logs are supported via the LOGbinder SP agent from Monterey Technology Group. The agent needs to be installed on the SharePoint server and configured to write its logs to the Windows Security log. AccelOps then reads the Windows Security log via WMI, categorizes the SharePoint-specific events and parses the SharePoint-specific attributes.

Installing and Configuring LOGbinder SP Agent

LOGbinder Install web link

LOGbinder Configuration web link – remember to configure LOGbinder SP agent to write to Windows security log

LOGbinder SP getting started document – remember to configure LOGbinder SP agent to write to Windows security log

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  1. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  2. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

FortiSIEM Directory Server Configuration

Directory Server Configuration

AccelOps supports these directory servers for discovery and monitoring.

Microsoft Active Directory Configuration

Microsoft Active Directory Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol: WMI
Metrics collected: Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP Search Rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions
Used for: Performance Monitoring

Protocol: WMI
Metrics collected: "dcdiag -e" command output – detect successful and failed domain controller diagnostic tests

Protocol: WMI
Metrics collected: "repadmin /replsummary" command output – detect replication statistics

Rules

Failed Windows DC Diagnostic Test

Reports

Successful Windows Domain Controller Diagnostic Tests

Failed Windows Domain Controller Diagnostic Tests

Source Domain Controller Replication Status

Destination Domain Controller Replication Status

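The table above says the "repadmin /replsummary" output is collected to detect replication statistics, and the two Replication Status reports split that by source and destination domain controller. The following Python is an added example, not FortiSIEM's own parser: it turns that output into per-DC rows and flags every DC with failed replication attempts in either direction. The sample output is constructed to match the layout of the tool's Source DSA / Destination DSA tables; the DC names and the error code and text in it are placeholders.

```python
"""Parse "repadmin /replsummary" output and flag DCs with replication failures.

Added example, not FortiSIEM's own parser. SAMPLE_REPLSUMMARY is constructed
(placeholder DC names, error code and text) to mirror the tool's layout.
"""
import re
from typing import Any, Dict, List, Optional

# One data row of either table, e.g.
# " DC02                  >60 days       2 /   5   40  (1722) The RPC server is unavailable."
ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>\S.*?)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)"
    r"\s+(?P<pct>\d+)\s*(?P<error>.*)$"
)
# Error cells look like "(1722) The RPC server is unavailable."
ERROR_RE = re.compile(r"^\((?P<code>\d+)\)\s*(?P<text>.*)$")

SAMPLE_REPLSUMMARY = "\n".join([
    "Replication Summary Start Time: 2016-09-05 08:00:00",
    "",
    "Beginning data collection for replication summary, this may take awhile:",
    "  ....",
    "",
    "Source DSA          largest delta    fails/total %%   error",
    " DC01                      12m:30s    0 /   5    0",
    " DC02                  >60 days       2 /   5   40  (1722) The RPC server is unavailable.",
    "",
    "Destination DSA     largest delta    fails/total %%   error",
    " DC01                  >60 days       2 /   5   40  (1722) The RPC server is unavailable.",
    " DC02                      12m:30s    0 /   5    0",
])


def parse_replsummary(text: str) -> Dict[str, List[Dict[str, Any]]]:
    """Return {"source": [...], "destination": [...]} rows keyed by table.

    Text before the first table header, blank lines and anything that does
    not look like a data row (repadmin's own warning text, for example) are
    skipped rather than raising, so a partially captured output still parses.
    """
    tables: Dict[str, List[Dict[str, Any]]] = {"source": [], "destination": []}
    current: Optional[str] = None
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Source DSA"):
            current = "source"
            continue
        if head.startswith("Destination DSA"):
            current = "destination"
            continue
        if current is None or not head:
            continue
        m = ROW_RE.match(line)
        if m is None:
            continue
        error_text = m.group("error").strip()
        error_code: Optional[int] = None
        em = ERROR_RE.match(error_text)
        if em:
            error_code, error_text = int(em.group("code")), em.group("text")
        tables[current].append({
            "dsa": m.group("dsa"),
            "largest_delta": m.group("delta"),
            "fails": int(m.group("fails")),
            "total": int(m.group("total")),
            "fail_pct": int(m.group("pct")),
            "error_code": error_code,
            "error": error_text,
        })
    return tables


def replication_failures(tables: Dict[str, List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """One finding per DC and direction that reports at least one failed attempt.

    Source failures name the DC that others could not pull from; destination
    failures name the DC that could not pull, which is the split the two
    Replication Status reports above make.
    """
    return [
        {"direction": direction, "dsa": row["dsa"], "fails": row["fails"],
         "total": row["total"], "error_code": row["error_code"], "error": row["error"]}
        for direction in ("source", "destination")
        for row in tables[direction]
        if row["fails"] > 0
    ]


if __name__ == "__main__":
    for f in replication_failures(parse_replsummary(SAMPLE_REPLSUMMARY)):
        print(f"{f['direction']:11} {f['dsa']}: {f['fails']}/{f['total']} failed "
              f"({f['error_code']}) {f['error']}")
```
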
Configuration

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  1. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  2. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

FortiSIEM WMI

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows DNS Syslog

FortiSIEM Microsoft DNS (2003, 2008) Configuration

Microsoft DNS (2003, 2008) Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Sample Windows DNS Syslog

Settings for Access Credentials

What is Discovered and Monitored

SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, Incremental DNS Zone Transfer requests received
  Used for: Performance Monitoring

Syslog
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “microsoft dns” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

FortiSIEM Microsoft DHCP (2003, 2008) Configuration

Microsoft DHCP (2003, 2008) Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Settings for Access Controls

What is Discovered and Monitored

SNMP
  Information discovered: Process details
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

WMI
  Information discovered: Process details, process to service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DHCP metrics (Win32_PerfFormattedData_DHCPServer_DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length
  Used for: Performance Monitoring

Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location: attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “microsoft dhcp” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

  1. Log into your Microsoft DHCP server as an administrator.
  2. Go to Start > Administrative Tools > DHCP.
  3. Select the DHCP server you want to monitor, then right-click and select Properties.
  4. Click the General tab, and then select Enable DHCP audit logging.
  5. Click the DNS tab, and then select Dynamically update DNS A and PTR records only if requested by the DHCP clients and Discard A and PTR records when lease is deleted.
  6. Click the Advanced tab.
  7. Set Audit log file path to C:\WINDOWS\system32\dhcp.
  8. Set Database path to C:\WINDOWS\system32\dhcp.
  9. Set Backup path to C:\WINDOWS\System32\dhcp\backup.
  10. Click OK to complete configuration.

Use the Windows Agent Manager to further configure sending syslogs from your device to AccelOps.

Sample Microsoft DHCP Syslog

<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,

<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,

<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,

<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,
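The sample messages above are Windows DHCP audit-log records carried over syslog: a syslog header, the WinDHCPLog tag, and then the comma-separated audit fields (event ID, date, time, description, IP address, host name, MAC address). The parser below is an added example and is not part of the FortiSIEM documentation; it splits each message into those parts and pulls out the IP/MAC/host-name bindings that the table above says are used for identity and location, plus the DNS update failures. The sample lines are constructed from the messages shown above.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the messages shown above, one complete syslog message per line.
SAMPLE_LINES = [
    "<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,",
    "<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,",
    "<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,",
    "<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,",
    "<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,",
    "<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,",
]

# Syslog header: <PRI>, BSD timestamp, sending host, the WinDHCPLog agent tag, then the audit record.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) WinDHCPLog 0 "
    r"(?P<body>.*)$"
)


@dataclass
class DhcpAuditEvent:
    facility: int        # syslog PRI // 8
    severity: int        # syslog PRI % 8
    reporter: str        # host that emitted the syslog message
    event_id: int        # Windows DHCP audit log event ID (10 Assign, 11 Renew, 30-32 DNS update, ...)
    date: str
    time: str
    description: str
    ip: str
    hostname: str
    mac: str


def parse_line(line: str) -> Optional[DhcpAuditEvent]:
    """Parse one syslog-wrapped DHCP audit record; return None for anything that is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    # The audit record is plain CSV; csv.reader keeps empty trailing fields intact.
    fields = next(csv.reader([m.group("body")]))
    if len(fields) < 7 or not fields[0].isdigit():
        return None
    return DhcpAuditEvent(
        facility=pri // 8,
        severity=pri % 8,
        reporter=m.group("host"),
        event_id=int(fields[0]),
        date=fields[1],
        time=fields[2],
        description=fields[3],
        ip=fields[4],
        hostname=fields[5].rstrip("."),   # the log writes a trailing dot for unqualified names
        mac=fields[6].upper(),
    )


def parse_lines(lines) -> List[DhcpAuditEvent]:
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


# Assign (10) and Renew (11) are the records that bind an IP address to a MAC and host name.
LEASE_EVENT_IDS = {10, 11}


def identity_bindings(events: List[DhcpAuditEvent]):
    """(ip, mac, hostname) triples: the identity/location attributes listed in the table above."""
    return [(e.ip, e.mac, e.hostname) for e in events if e.event_id in LEASE_EVENT_IDS and e.mac]


def dns_update_failures(events: List[DhcpAuditEvent]):
    """Records where the DHCP server could not update the client's DNS A/PTR records."""
    return [e for e in events if e.description == "DNS Update Failed"]


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for ip, mac, host in identity_bindings(events):
        print(f"lease  {ip:<16} {mac} {host}")
    for e in dns_update_failures(events):
        print(f"dnsfail {e.ip:<16} {e.hostname} (reported by {e.reporter})")
```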

FortiSIEM Linux DHCP Configuration

Linux DHCP Configuration

What is Discovered and Monitored

Configure Linux DHCP to Forward Logs to Syslog Daemon

Configure Syslog to Forward to Accelops

Sample Syslog

Settings for Access Credentials

What is Discovered and Monitored

SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location: attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “linux dhcp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Make sure that snmp libraries are installed.

AccelOps has been tested to work with net-snmp libraries.

  1. Log in to your device with administrator credentials.
  2. Modify the /etc/snmp/snmpd.conf file:
    1. Define the community string for AccelOps usage and permit snmp access from AccelOps IP.
    2. Allow AccelOps to (read-only) view the mib-2 tree.
    3. Open up the entire tree for read-only view.
  3. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  4. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  5. Make sure that snmpd is running.
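As an added example (not from the FortiSIEM documentation), the Python below renders the net-snmp snmpd.conf lines that implement steps 2a through 2c (a community string usable only from the AccelOps IP, read-only, scoped to the mib-2 tree or optionally the entire tree) and audits an existing snmpd.conf for the settings a monitoring-only community should not carry: unrestricted source hosts, write communities, and well-known community strings. The community string, IP address, and the weak config are constructed placeholders.

```python
from typing import List

# Constructed example of a permissive, stock-style snmpd.conf: answers to any host, grants a write community.
WEAK_CONF = """\
# stock-style configuration (constructed)
rocommunity public
rwcommunity private
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
view systemview included .1.3.6.1.2.1.1
access notConfigGroup "" any noauth exact systemview none none
"""

WELL_KNOWN = {"public", "private"}


def render_restricted_conf(community: str, collector_ip: str, whole_tree: bool = False) -> str:
    """snmpd.conf lines for steps 2a-2c: community restricted to the collector IP, read-only,
    limited to a named view (mib-2 by default; the entire tree when whole_tree=True, step 2c)."""
    oid = ".1" if whole_tree else ".1.3.6.1.2.1"
    return (
        f"view collectorview included {oid}\n"
        f"rocommunity {community} {collector_ip} -V collectorview\n"
    )


def audit_snmpd_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        directive = tok[0].lower()

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; a missing SOURCE means "default" (any host)
            community = tok[1] if len(tok) > 1 else ""
            source = tok[2] if len(tok) > 2 and not tok[2].startswith("-") else "default"
            if directive.startswith("rw"):
                findings.append(f"{directive} {community}: write access is not needed for monitoring")
            if source == "default":
                findings.append(f"{directive} {community}: no source restriction (any host may query)")
            if community.lower() in WELL_KNOWN:
                findings.append(f"{directive} {community}: well-known community string")

        elif directive == "com2sec" and len(tok) >= 4:
            # com2sec NAME SOURCE COMMUNITY
            if tok[2] == "default":
                findings.append(f"com2sec {tok[1]}: source 'default' accepts any host")
            if tok[3].lower() in WELL_KNOWN:
                findings.append(f"com2sec {tok[1]}: well-known community string {tok[3]}")

        elif directive == "access" and len(tok) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            if tok[7] != "none":
                findings.append(f"access {tok[1]}: write view '{tok[7]}' granted")
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(WEAK_CONF):
        print("weak:", f)
    # Placeholder community string and collector IP; substitute your own.
    print(render_restricted_conf("s3cret-c0mm", "10.1.2.3"))
```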

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Configure Linux DHCP to Forward Logs to Syslog Daemon

  1. Edit conf and insert the line log-facility local7;.
  2. Restart dhcpd by issuing /etc/init.d/dhcpd restart.

Configure Syslog to Forward to Accelops

  1. Edit conf and add a new line: Local7.* @<IP address of AccelOps server>.
  2. Restart syslog daemon by issuing /etc/init.d/syslog restart.

Sample Syslog