Configuring FortiSIEM

Initial System Configuration

Before you can initiate discovery and monitoring of your IT infrastructure, you will need to configure several general settings, add users, and add organizations for multi-tenant deployments.

Setting Up the Email Gateway

Before you can set up notifications, you have to set up the email gateway that your system will use for all alerts and system notifications.

1. Log into your Supervisor node.
2. Go to Admin > General Settings > Email Settings.
3. Enter the Email Gateway Server.
4. Enter any additional account or connection information.
5. Click Save.

Setting Up Routing Information for Reports and Incident Notifications

Topics in this section describe how to set up email addresses to send alerts to when a scheduled report runs, and distribution information for notifications associated with incidents. You can also automate the sending of tickets to a Remedy system when an incident occurs. These are all general settings, in that you don’t need to have any rules or reports defined before you configure them. For information on configuring specific notification policies for rules and incidents, see Incident Notifications. For information on configuring Remedy to work with FortiSIEM notifications, see Configuring Remedy to Accept Incident Notifications from FortiSIEM.

Setting Up Email Alert Routing for Scheduled Reports

Setting Up SNMP Traps for Incident Notifications

Setting Up XML Message Routing for Incident Notifications

Setting Up Routing for Remedy Tickets

Related Links

Scheduling Reports

Incident Notifications

Configuring Remedy to Accept Incident Notifications from FortiSIEM

Setting Up Email Alert Routing for Scheduled Reports

You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report completes.

1. Log into your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. Click +.

If you haven’t configured your email gateway yet, you will see an error message.

4. Select SMS or Email for the delivery method.
5. Enter the email address or SMS number.
6. Click OK.
7. Click Save All when you are done.

Sending Alerts to the Console

Select Send an alert to console if you also want to send alerts to the console. Alerts are always displayed in the Incidents tab, while the alerts sent to the console are immediately displayed but without any grouping by rule name, incident source, incident target, or other detail information.

Empty Reports

Sometimes a report may be empty because there are no matching events. If you don’t want to send empty reports to users, select Do not send scheduled emails if report is empty. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual organizations, you will have to configure this option in the organizational view.

Related Links

Setting Up the Email Gateway Scheduling Reports

Setting Up SNMP Traps for Incident Notifications

You can define SNMP traps that will be notified when an event triggers an incident.

1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. Enter the SNMP Trap IP Address.
4. Enter the SNMP Community String that will authorize sending the trap to the SNMP trap IP address.
5. Select the SNMP Trap Type.
6. Select a Protocol.
7. Click Test SNMP to check the connection.
8. Click Save All.

Related Links

Incident Notifications

Setting Up XML Message Routing for Incident Notifications

You can configure FortiSIEM to send an XML message over HTTP(s) when an a incident is triggered by a rule.

1. Log in to your Supervisor.
2. Go to Admin > General Settings > Analytics.
3. For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
4. Enter the Username and Password to use when logging in to the remote host, and then Reconfirm the password.
5. Click Test HTTP to check the connection.
6. Click Save All.

Setting Up Routing for Remedy Tickets

You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications, as described in Configuring Remedy to Accept Incident Notifications from FortiSIEM. These instructions explain how to set up the routing to your Remedy server.

1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. For WSDL, enter the URL of the Remedy Server.
4. Enter the Username and Password associated with your Remedy server, and then Reconfirm the password.
5. Click Test Remedy to test the connection.
6. Click Save All.

Related Links

Configuring Remedy to Accept Incident Notifications from FortiSIEM

Setting Up User Roles

FortiSIEM has a wide operational scope – it provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative reponsibilities across multiple admins.

A role defines two aspects of a user’s interaction with the FortiSIEM platform:

Which user interface elements a user can see and the ability to use the associated Read/Write/Execute permissions. As an example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Role permissions can be defined to the attribute level in which, for example, a Tier1 Network Admin role can see network devices but not their configurations.

What data can the user see. For example, consider a Windows Admin role and a Unix Admin role. They both can run the same reports, but the Windows admins sees only logs from Windows devices. This definition can also be fine-grained, for example one Windows admin sub-role can be defined to see Windows performance metrics, while another Windows admin sub-role can see Windows authentication logs.

Topics in this section explain how to use the Default roles that come with FortiSIEM, and how to define new ones.

Default Roles

Creating Custom User Roles

Default Roles

To perform any action with FortiSIEM, a user must be assigned a role with the required permissions. The roles listed in this table are default roles. You can create custom roles and permissions by following the instructions in the topic Creating Custom User Roles.

Creating Custom User Roles

1. Log in to your Supervisor node.
2. Go to Admin > Role Management.
3. Click New.
4. Enter a Role Name and Role Description.
5. Enter the Data Conditions for this role.

This restricts access to the event/log data that is available to the user, and will be appended to any query that is submitted by users with this role. This applies to both Real-Time and Historical searches, as well as Report and Dashboard information.

6. Enter the CMDB Report Conditions for this role.

This restricts access to the reports for devices, users, and monitors that are available to the user with this role.

7. Select the UI Access Conditions for this role.

This defines the user interface elements that can be accessed by users with this role. By default, child nodes in the tree inherit the permissions of their immediate parent, however you can override those default permissions by explicitly editing the permission of the child node. Options for these settings are:

Adding Users for Enterprise Deployments

Adding users to enterprise deployments involves first deciding if you are going to use external authentication, or local authentication credentials defined within each user profile. You can then add users on an individual basis, or, if you are using LDAP authentication, you can discover users within Active Directory over LDAP. For mutt-tenant deployments you can add individual users to an organization as described in these topics, but if you need to add users who have a role in more than one organization (Global users), see the topics under Adding Users to Multi-Tenant Deployments.

Setting Up External Authentication

Adding a Single User

Adding Users from Active Directory via LDAP

Adding Users from Okta

Adding 2-factor Authentication via Duo Security

Setting Up External Authentication

You have three options for setting up external authentication for your FortiSIEM deployment. The first option, LDAP, is discussed in detail in Addin g Users from Active Directory via LDAP. The other options, RADIUS and Okta, follow the same authentication set up process.

2. Go to Admin > General Settings > External Authentication.
3. Click Add.
4. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
5. Select the Protocol.
6. Complete the protocol settings.

7. Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment.

You can now associate users to this authentication profile as described in Adding a Single User.

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.

1. Log into Okta.
2. In the Applications tab, create a new application using Template SAML 2.0 App.
3. Under General Settings, configure these settings:

4. Click Save.
5. In the Sign On tab, click View Setup Instructions.
6. Click Download Certificate.
7. Follow the instructions in Setting Up External Authentication and enter the downloaded certificate for Okta authentication.

Adding a Single User

1. Log in to your Supervisor node.
2. Go to CMDB > Users.
3. Click New.
4. Complete the User Name and user profile information.
5. For System Administrator, select Yes.
6. Select a Default Role for the user.

See the topic Default Roles for a list of default roles and permission. You can also create new roles as described in Creating Custom User Roles, which will be available in this menu after you create them.

7. For System Account Enabled, select Yes.
8. For Session Timeout, enter the number of minutes after which an inactive user will be logged out.
9. For User Lockout, enter the number of minutes the user will be unable to log into the system after three successive authentication failures.
10. For System Password Reset, enter the number of days after which a user’s current password for logging in to the system will automatically expire.

If left blank, the user’s password will never expire.

11. For Password, select Local or External.

If you select Local, enter and then reconfirm the user password. See Setting Up External Authentication for more information about using external authentication.

Multiple Authentication Profiles

If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.

12. Click Save.

Related Links

Default Roles

Creating Custom User Roles

Adding Users from Active Directory via LDAP

If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then need to set up an authentication profile, which will become an option you can associate with users as described in Adding a Single User.

Create Login Credentials and Associate with an IP Address

1. Log in to your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Enter a Name.
4. For Device Type, select Microsoft Windows.
5. Select your Access Protocol.

FortiSIEM supports these LDAP protocols:

6. For Used For, select Microsoft Active Directory.
7. For Base DN, be sure to enter the root of the LDAP user tree.
8. Enter the NetBIOS/Domain for your LDAP directory.
9. Enter the User Name for your LDAP directory.

For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.

10. Enter and confirm the Password for your User Name.
11. Click Save.

Your LDAP credentials will be added to the list of Credentials.

12. Under Enter IP Range to Credential Associations, click Add.
13. Select your LDAP credentials from the list of Credentials.
14. Enter the IP range or host name for your Active Directory server.
15. Click OK.

Your LDAP credentials will appear in the list of credential/IP address associations.

16. Click Test Connectivity to make sure you can connect to the Active Directory server.

Discover the Active Directory Server and Users

1. Go to Admin > Discovery.
2. Click Add.
3. For Name, enter Active Directory.
4. For Include Range, enter the IP address or host name for your Active Directory server.
5. Leave all the default settings, but clear the Discover Routes
6. Click OK.

Active Directory will be added to the list of discoverable devices.

7. Select the Active Directory device and click Discover.
8. After discovery completes, go to CMDB > Users to view the discovered users.

You may need to click Refresh for the user tree hierarchy to load.

Adding Users from Okta

Create an Okta API Token

1. Log in to Okta using your Okta credentials.
2. Got to Administration > Security > API Tokens.
3. Click Create Token.

You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it.

Create Login Credentials and Associate Them with an IP Address

1. Log in to your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Enter a Name.
4. For Device Type, select com.
5. For Access Protocol, select Okta API.
6. Enter the NetBIOS/Domain associated with your Okta account.

For example, FortiSIEM.okta.com.

7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
8. Enter and reconfirm the Security Token you created.
9. Click Save.

Your LDAP credentials will be added to the list of Credentials.

10. Under Enter IP Range to Credential Associations, click Add.
11. Select your Okta credentials from the list of Credentials.
12. Enter the IP range or host name for your Okta account.
13. Click OK.

Your Okta credentials will appear in the list of credential/IP address associations.

14. Click Test Connectivity to make sure you can connect to the Active Directory server.

Discover Okta Users

1. Go to Admin > Discovery.
2. Click Add.
3. For Name, enter Okta.
4. For Include Range, enter the IP address or host name for your Active Directory server.
5. Leave all the default settings, but clear the Discover Routes
6. Click OK.

Okta will be added to the list of discoverable devices.

7. Select the Okta device and click Discover.
8. After discovery completes, go to CMDB > Users to view the discovered users.

You may need to click Refresh for the user tree hierarchy to load.

Adding 2-factor Authentication via Duo Security

Obtain keys for FortiSIEM to communicate with Duo Security

1. Sign up for a Duo Security account: This will be admin account for Duo Security.
2. Log in to Duo Security Admin Panel and navigate to Applications
3. Click Protect an Application. Locate Web SDK in the applications.
4. Get Duo Server Name, Integration key, Secret key from the page. You will need it when you configure FortiSIEM.
5. Generate Application key as a long string. This is a password that Duo Security will not know. You can choose any 40 character long string or generate it as follows using python

Create and Manage FortiSIEM users in Duo Security

This determines how the 2-factor authentication response page will look like in FortiSIEM and how user will respond to the second factor authentication challenge

1. Log in to Duo Security as admin user
2. Choose the Logo which will be shown to users as they log on
3. Choose the super set of 2-factor Authentication Methods.
4. Optional – you can create the specific users that will logon via FortiSIEM. If the users are not pre-created here, then user accounts will be created automatically when they attempt 2-factor authentication for the first time.

Add 2-factor authentication option for FortiSIEM users

1. Create a 2-factor authentication profile
   1. Go to Admin > General Settings > External Authentication. b. Click Add
      1. Enter Name
      2. Set Organization to be the scopre of the users who will be authenticated.
         1. For AO-VA, specify System.
         2. For AO-SP, specify System if this will be used globally. Else specify a specific organization

• Set Protocol as Duo

1. Set IP/Host as the host name of Duo Security Server from Step 4 in “Obtain keys for FortiSIEM to communicate with

Duo Security”

1. Set Integration key, Secret key from Step 4 in “Obtain keys for FortiSIEM to communicate with Duo Security”
2. Set Application key from Step 5 in “Obtain keys for FortiSIEM to communicate with Duo Security” vii. Click Save

2. Add the 2-factor authentication profile to an user
   1. Go to CMDB > User
   2. Select a specific user
   3. Check Second Factor checkbox
   4. Select the 2-factor authentication profile created in Step 1
   5. Click Save

Login to FortiSIEM using 2-factor authentication

Before logging in to FortiSIEM with 2-factor authentication, make sure that the three steps are completed.

Obtain keys for FortiSIEM to communicate with Duo Security

Create and Manage FortiSIEM users in Duo Security

Add 2-factor authentication option for FortiSIEM users

Follow these steps

1. Logon to FortiSIEM normally (first factor) using the credential defined in FortiSIEM – local or external in LDAP
2. If the 2-factor authentication is enabled, the user will now be redirected to the 2-factor step
   1. If the user is not created in Duo system (by Duo admin), a setup wizard will let you set some basic information like phone number and ask you download the Duo app.
   2. If the user already exists in FortiSIEM, then follow the authentication method and click Log in The user will be able to log in to FortiSIEM

Managing Organizations for Multi-Tenant Deployments

Organizations can be created with or without Collectors. If you are using Collectors in a clustered deployment that includes Workers, please make sure you have followed the instructions in Configuring Worker Settings before you have registered your Collectors with the Supervisor in order to make sure your Collectors properly upload information to the Workers.

1. Log in to your Supervisor node as a Super/Global users.
2. Go to Admin > Setup Wizard > Organization.
3. Click Add.
4. Enter information for the organization.
5. If your organization uses Collectors, click New under
6. Complete the Collector information.

For Guaranteed EPS, enter the events per second from this collector that FortiSIEM will accept. See the topic Dynamic Distribution of Events per Second (EPS) across Collectors for more information. For Start Time and End Time, enter the dates for which the Collector license is valid.

7. Click Save.
8. For Max Devices, enter the maximum number of devices discovered by this collector that the system will accept.
9. Click Save.

Deleting Organizations

1. Log into your Supervisor node as a Super/Global user.
2. Go to Admin > Setup Wizard > Organizations.
3. Write down the ID of the organization you want to delete.
4. Go to Admin > Collector Health.

Note the IP Address and Collector Name of any Collectors associated with the organization you want to delete.

5. Log out of your Supervisor node.
6. SSH into the Collector hosts for the organization as root.
7. Using phTools, stop the Collector processes.
8. Power down the Collector.
9. Log back into your Supervisor node as an Admin user for the organization you want to delete.
10. Go to CMDB > Devices.
11. Delete all devices in both the Device View and the VM View.
12. Go to CMDB > Device View > Users, and delete all users except for the default admin account under which you are currently logged in.
13. Go to Admin > Setup Wizard > Synthetic Transaction Monitoring and delete all STM tests.
14. Log out of your Supervisor node, and then log back in as the Super/Global user.
15. Go to Admin > Collector Health.
16. Delete the organization’s Collectors.

Issues with Deleting Collectors Because of In-Memory Processes

You may encounter issues with deleting Collectors if there are processes in memory on the Supervisor that are related to Collector status that are updated to the CMDB. If you encounter these issues, please contact FortiSIEM Support.

17. Delete the organization.
18. Log out of your Supervisor node.
19. SSH into the Supervisor host machine as root.
20. In the /data directory, delete the eventdb database for that organization.

Finding the Right EventDB Database

You can tell which EventDB belongs to the organization you want to delete based on the organization ID that you wrote down in Step 3. For example, if the organization ID is 2005, you would look for /data/eventdb/CUSTOMER_2005 as the database to delete. Be careful that you don’t delete the EventDB for a continuing organization.

Dynamic Distribution of Events per Second (EPS) across Collectors

In multi-tenant deployments, the service provider is licensed a certain amount of EPS. The service provider distributes these EPS among the various collectors during collector setup by setting the Guaranteed EPS. Because an organization can have multiple collectors, the guaranteed EPS for an organization is the sum total of guaranteed EPS for all collectors belonging to that organization. This total must be no more than the total EPS licensed to the service provider. The remaining EPS (the difference between the service provider EPS and the total EPS across all collectors), if any, is allocated to the super-local organization, the service provider’s core system, if that needs to be monitored. To monitor this system, FortiSIEM recommends creating a new organization to monitor the service’s own network, and to install another Collector to monitor that organization.

The redistribution algorithm uses three metrics for each Collector.

Each Collector periodically reports Incoming EPS to the Supervisor, which then determines the Allocated EPS and pushes this control down to the collectors. Allocated EPS is set to Guaranteed EPS initially, but if for some Collector, Incoming EPS is greater than Allocated EPS, the Supervisor examines all Collectors and determines excess capacity as sum total of max (0,Allocated – Incoming) for all Collectors. If there is a Collector with excess capacity, its Allocated EPS is reduced and the excess amount is given to the Collector that needs the excess EPS. If the collector that gave up EPS, that is, Allocated EPS is less than Guaranteed EPS, subsequently needs the EPS, then EPS is taken away from the collectors with Allocated greater than Guaranteed and given back. This continuous readjustment is centrally coordinated by the Supervisor node.

How Devices are Added to Organizations

When you initiate device discovery for organizations, the way in which those devices are added to organizations depends on whether you are using Collectors in your deployment.

For organizations with Collectors, discovery is carried out by the Collector, and the Collector assigns devices to the organization with which it is associated. If organizations have an overlapping IP range, deploying Collectors and assigning them to a specific IP range and organization will ensure that the device is added to the correct organization.

For organizations without Collectors, discovery is carried out by the Supervisor. In this case, the Include/Exclude IP Range you defined when you set up the organization is used to add the device to the organization.

If a device matches only one defined organization IP Range, then it is assigned to that organization

If a device matches multiple defined IP Ranges, then it is assigned to the Super organization

You can change a device’s assigned organization manually, and FortiSIEM will automatically update the Include/Exclude IP Range for that organization. This updated IP range definition will then be used in the next discovery process. However, this may create confusing IP range definitions for the organization, so you may want to re-define the organization’s IP range and rediscover devices.

Adding Users to Multi-Tenant Deployments

Two kinds of admin users can be added

users belonging to a specific organization or super-local users belonging to super-global

Adding specific organization users

This can be done from the specific organization admin account or from the super global account.

Logon as an appropriate administrator – two possibilities logon as admin user for that organization or

logon as super-global and then switch user to that organization

Follow the steps for AO-VA case described here. Note that for Active Directory based discovery, the Active Directory server has to belong to that specific organization. If the Active Directory server belongs to super-local, then the users also belong to super and would not be visible for that organization.

FortiSIEM provides a short-cut to add admin users for multiple organizations in one shot

Logon as super-global

Manually create the user as described in the manual user creation mode here.

Choose the Default role

Choose the permitted organizations and also override the default role for a specific organization if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Adding super-global users

Super-global users are often need for managing multiple organizations, and can be created from the super-global account. There are two cases depending on whether organizations have collectors or not.

For the organizations-with-collector-only case, users must be created manually.

Logon as super-global

Manually create the user as described in the manual user creation mode here

Choose the Default role

Choose the permitted organizations. Override the default role for each specific organization, if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

For the organizations-without-collector case, if the Active Directory Server belongs to super-local, then the discovered users would be visible from the super-global view and any of these users can be made an FortiSIEM user. In this case the steps are

Logon as super-global

Create the user as described here – both manual and discovery-based approaches can be used

Choose the Default role

Choose the permitted organizations. And if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Adding Users to Organizations

Adding users to organizations for multi-tenant deployments follows the same processes described in Adding Users for Enterprise Deployments, though if you want to discover users in an Active Directory server over LDAP, the Active Directory server has to belong the organization where you want to add the user.

1. Log in to your Supervisor node either as the Admin user for the organization where you want to add the user, or log in as a Super/Global user to add the user to more than one organization.
2. Create the user as described in Adding a Single User, or follow the instructions in Adding Users from Active Directory via LDAP.
3. If you have logged in as the Super/Global user, select the organizations where you want to add the user, overriding any Default Roles for the organization as necessary.

Adding Super/Global Users to Organizations with Collectors

In multi-tenant deployments, you may need to create Super/Global users who have roles within multiple organizations. If your deployments include organizations with collectors, you must add add the users individually.

1. Log in to your Supervisor node as a Super/Global users.
2. Create the individual user as described in Adding a Single User, choosing the appropriate Default Role.
3. Select the Permitted Organizations the user is allowed to access, overriding any default role settings as necessary.
4. Click Save.

Adding Super/Global Users to Organizations without Collectors

For the organizations-without-collector case, if the Active Directory Server belongs to super-local, then the discovered users would be visible from the super-global view and any of these users can be made an FortiSIEM user. In this case the steps are

Logon as super-global

Create the user as described here – both manual and discovery-based approaches can be used

Choose the Default role

Choose the permitted organizations. And if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Configuring External Systems for Discovery, Monitoring and Log Collection

Ports Used by FortiSIEM for Discovery and Monitoring

These ports are used by FortiSIEM to discover devices, pull metrics and process event logs.

Supported Devices and Applications by Vendor

Configuring FortiSIEM Windows Agents

This section describes how to setup FortiSIEM Windows Agent and Agent Manager as part of FortiSIEM infrastructure.

Configure FortiSIEM Supervisor

Register Windows Agent Manager to FortiSIEM Supervisor

Configure Windows Agent Manager

License and Template Assignments in Agent Manager via Export/Import Verify Events in FortiSIEM

Sample logs generated by FortiSIEM Windows Agents

Windows System logs

Windows Application logs

Windows Security logs

Windows DNS logs

Windows DHCP logs

Windows IIS logs

Windows DFS logs

Windows file content monitoring logs

Windows File integrity monitoring logs

Windows Installed Software logs

Windows Registry change logs

Windows WMI logs

Windows Powershell logs

Procedure

Configure FortiSIEM Supervisor

1. Go to Admin > License Management and make sure that there are entries for Basic and Advanced Windows Agents.
2. Go to Admin > Setup Wizard and add Agent Managers
   1. Click on Windows Agents tab
   2. Click Add and enter information for an Windows Agent Manager. This information will be used by the Agent Manager to register to FortiSIEM
      1. Enter Agent Manager Name
      2. Enter the number of Basic Agents and Advanced Agents assigned to this Agent Manager

• Enter the Start Time and End Time for license validity

1. Choose Event Upload Destination – this is where the Agent Manager will upload events to.
   1. Select the Organization (Super for Enterprise version and Specific Organization for the Service Provider version)
   2. Select one or more Collectors belonging to the selected organization v. Click OK to Save

Register Windows Agent Manager to FortiSIEM Supervisor

1. Log on to Windows Agent Manager
2. Launch FortiSIEM Windows Agent Manager application
3. Log on to the FortiSIEM Windows Agent Manager application using User ID and Password created during setup
4. Register the Windows Agent Manager to FortiSIEM
   1. Enter Supervisor IP/Host
   2. Enter Agent Manager Name – this is defined in Step 2.b.i in Configure FortiSIEM Supervisor step
   3. Enter Organization Name – this is defined in Step 2.b.iv in Configure FortiSIEM Supervisor step
   4. Enter Organization User and Organization Password as the Organizations credentials defined when the Organization was created in Admin > Setup wizard.
5. Click Register. If registration is successful, then Windows Agent Manager Dashboard page is displayed. All the installed agents show up in this page with Current Status as Running.

Configure Windows Agent Manager

Collectors. Agents send events to any collector they choose. If a particular collector is not responsive, Agent will send to other available collectors. Before Release 2.1, Agents sent events to Collector(s) via Windows Agent Manager.

1. Go to Dashboard and make sure that it displays all Windows Servers with FortiSIEM agents installed.
2. Create a Monitoring Template
   1. Go to Template Settings. Click on + to expand the options.
   2. Click Create Template.
      1. Enter a template name and description. Click Settings. ii. Specify options for each monitoring category

iii.  Click Apply to save the template iv.  Click Save

3. Associate Windows Computers with proper license and one or more Templates (Starting with release 2.0) and one or more collectors (starting with release 2.1)
   1. Click Associate License / Templates.
   2. Click Search to find the list of computers to apply the license/templates to
      1. Choose Simple or Advanced
      2. For Simple mode
         1. Select the field to Search in. Possible choices are Computer, OS, License Type, Template Name.
         2. Type in the string to search for in the adjacent edit box.
         3. Click Find.
         4. The list of matched computers will be displayed in the area below the Search box.
         5. Select the Computers to which license/templates would be assigned
            1. Select the header checkbox to select/unselect all
            2. Individually select/unselect the computers if needed

• For Advanced mode
  1. For searching by computer names, type the search text next to Computer.
  2. For searching by OS names, type the search text next to OS.
  3. For searching by License Types, select the desired license type from the drop down 4. For searching by Template Names, do one of the following.
     1. For exact template name matches, set Templates to ‘Specified from‘ and select one or more templates from the next drop down and select the operator: AND or OR
     2. For searching template names, set Templates to ‘Specified in‘ and type the search string
  4. Click Find.
  5. The list of matched computers will be displayed in the area below the Search boxSelect a Template for a Computer.
  6. Select the Computers to which license/templates would be assigned
  7. Select the header checkbox to select/unselect all
  8. Individually select/unselect the computers if needed
  9. Make sure the list of computers in view are correct for the license/template assignment and are checked. d. Click Assign

1. License Assignment

Select License Type: Basic or Advanced or None

Click Assign

1. Template Assignment

Select Template(s) from drop down list

Click Validate

Click Assign. The display would reflect the assignment.

Click Unassign to remove the template from the computer. The display would reflect the modification.

• Collector Assignment

Select Collector and then choose a set of Collectors from the drop down

Click Associate to assign the collectors to the Computers. The display would reflect the assignment.

Click Dissociate to remove the template from the computer. The display would reflect the modification. Click Associate remaining to assign the remaining collectors to the Computers e.  Click Close

License and Template Assignments in Agent Manager via Export/Import

1. Logon to Agent Manager
2. Go to Dashboard and make sure that the Agents are showing up
3. Click Export – a list of Agents Computer name, Assigned license and Assigned template will be exported to a CSV formatted file named ‘ExportedAgentAssociation.csv’ in the directory ProgramData|AccelOps|
4. Edit the CSV file to associate the right license type and monitoring template to each computer. Do not add any new computer or edit computer. Every computer known to the Agent Manager will be present in the csv file.
5. Click Import and put the CSV file in the Open file Dialog
6. Once Import finishes, a dialog will tell you the number of records processed and successfully updated.
7. Click Assign Licenses to Computers to see the License assignments
8. Click Associate Computers with Templates to see Template assignments
9. Any warnings during import operations will be recorded in <CSVFilename>-<Date>-<Time>.log file in the directory ProgramData |AccelOps|

Verify Events in FortiSIEM

1. Log on to FortiSIEM
2. Go to Analytics > Historical Search.
3. Select Filter Criteria: Structured
4. Create the following condition: Raw Event Log CONTAIN AccelOps-WUA. Click Note that all event types for all Windows Server generated logs are prefixed by AccelOps-WUA.
5. Select the following Group By
   1. Reporting Device Name
   2. Reporting IP
6. Select the following Display Fields:
   1. Reporting Device Name ii. Reporting IP

iii.  COUNT(Matched Events)

1. Run the query for last 15 minutes
2. The Query will return all hosts that reported events in the last 15 minutes.
3. To drill down further, add Event Type to both Group By and Display Fields. Then rerun the query.

Sample logs generated by FortiSIEM Windows Agents

FortiSIEM Windows Agent Manager generates Windows logs in an easy to analyze “attribute=value” style without losing any information.

Windows System logs

#Win-System-Service-Control-Manager-7036

Thu May 07 02:13:42 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo

[monitorStatus]=”Success” [eventName]=”System”

[eventSource]=”Service Control Manager” [eventId]=”7036″

[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”

[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015

10:13:41″ [deviceTime]=”May 07 2015 10:13:41″

[msg]=”The Skype Updater service entered the running state.”

Thu May 07 02:13:48 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo

[monitorStatus]=”Success” [eventName]=”System”

[eventSource]=”Service Control Manager” [eventId]=”7036″

[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”

[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015

10:13:47″ [deviceTime]=”May 07 2015 10:13:47″

[msg]=”The Skype Updater service entered the stopped state.”

Windows Application logs

#Win-App-MSExchangeServiceHost-2001

Thu May 07 03:05:42 2015 WIN-2008-249.ersijiu.com 10.1.2.249

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Application”

[eventSource]=”MSExchangeServiceHost” [eventId]=”2001″

[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-249.ersijiu.co

[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015

11:05:42″ [deviceTime]=”May 07 2015 11:05:42″

[msg]=”Loading servicelet module

Microsoft.Exchange.OABMaintenanceServicelet.dll”

#MSSQL

#Win-App-MSSQLSERVER-17137

Thu May 07 03:10:16 2015 WIN-2008-249.ersijiu.com 10.1.2.249

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Application”

[eventSource]=”MSSQLSERVER” [eventId]=”17137″ [eventType]=”Information”

[domain]=”” [computer]=”WIN-2008-249.ersijiu.com” [user]=””

[userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015 11:10:16″

[deviceTime]=”May 07 2015 11:10:16″

[msg]=”Starting up database ‘model’.”

Windows Security logs

#Win-Security-4624(Windows logon success)

Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”Security”

[eventSource]=”Microsoft-Windows-Security-Auditing” [eventId]=”4624″

[eventType]=”Audit Success” [domain]=””

[computer]=”WIN-2008-249.ersijiu.com” [user]=”” [userSID]=””

[userSIDAcctType]=”” [eventTime]=”May 07 2015 10:23:56″ [deviceTime]=”May 07 2015 10:23:56″ [msg]=”An account was successfully logged on.” [[Subject]][Security ID]=”S-1-0-0″ [Account Name]=”” [Account Domain]=”” [Logon ID]=”0x0″ [Logon Type]=”3″ [[New

Logon]][Security ID]=”S-1-5-21-3459063063-1203930890-2363081030-500″

[Account Name]=”Administrator” [Account Domain]=”ERSIJIU” [Logon

ID]=”0xb9bd3″ [Logon GUID]=”{00000000-0000-0000-0000-000000000000}” [[Process Information]][Process ID]=”0x0″ [Process Name]=”” [[Network

Information]][Workstation Name]=”SP171″ [Source Network

Address]=”10.1.2.171″

[Source Port]=”52409″ [[Detailed Authentication Information]][Logon Process]=”NtLmSsp” [Authentication Package]=”NTLM” [Transited

Services]=””

[Package Name (NTLM only)]=”NTLM V2″ [Key Length]=”128″ [details]=””

Windows DNS logs

#DNS Debug Logs

#AO-WUA-DNS-Started

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success”

[msg]=”5/7/2015 10:34:05 AM 20BC EVENT   The DNS server has started.”

#AO-WUA-DNS-ZoneDownloadComplete

Thu May 07 02:35:43 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success” [msg]=”5/7/2015 10:34:05 AM 20BC EVENT The DNS server has finished the background loading of zones. All zones ar now available for DNS updates and zone transfers, as allowed by their individual zone configuration.”

#AO-WUA-DNS-A-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success” [msg]=”5/7/2015

10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Rcv 10.1.20.232  0002   Q

[0001   D   NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)”

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success” [msg]=”5/7/2015

10:47:13 AM 5D58 PACKET  0000000002B74600 UDP Snd 10.1.20.232     0002 R

[8085 A DR  NOERROR] A      (8)testyjyj(4)yjyj(3)com(0)”

#AO-WUA-DNS-PTR-Query-Success

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success” [msg]=”5/7/2015

10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Rcv 10.1.20.232 0002   Q [0

D   NOERROR] PTR

(3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)”

Thu May 07 02:48:25 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DNS

[monitorStatus]=”Success” [msg]=”5/7/2015

10:47:22 AM 5D58 PACKET  00000000028AB4B0 UDP Snd 10.1.20.232     0002 R

[8085 A DR  NOERROR] PTR

(3)223(3)102(3)102(3)102(7)in-addr(4)arpa(0)”

#DNS System Logs

#Win-App-DNS-2(DNS Server started)

Thu May 07 02:39:17 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo

[monitorStatus]=”Success”

[eventName]=”DNS Server” [eventSource]=”DNS” [eventId]=”2″

[eventType]=”Information” [domain]=”” [computer]=”WIN-2008-LAW-agent”

[user]=”” [userSID]=”” [userSIDAcctType]=”” [eventTime]=”May 07 2015

10:39:17″ [deviceTime]=”May 07 2015 10:39:17″

[msg]=”The DNS server has started.”

#Win-App-DNS-3(DNS Server shutdown)

Thu May 07 02:39:16 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WinLo

Windows DHCP logs

AO-WUA-DHCP-Generic

Thu May 07 05:44:44 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP

[monitorStatus]=”Success” [ID]=”00″ [Date]=”05/07/15″

[Time]=”13:44:08″ [Description]=”Started” [IP Address]=”” [Host Name]=””

[MAC Address]=”” [User Name]=”” [ TransactionID]=”0″

[ QResult]=”6″ [Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””

#AO-WUA-DHCP-IP-ASSIGN

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP

[monitorStatus]=”Success” [ID]=”10″ [Date]=”05/07/15″

[Time]=”13:56:37″ [Description]=”Assign” [IP Address]=”10.1.2.124″ [Host

Name]=”Agent-247.yj” [MAC Address]=”000C2922118E”

[User Name]=”” [ TransactionID]=”2987030242″ [ QResult]=”0″

[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””

#AO-WUA-DHCP-Generic(Release)

Thu May 07 05:56:41 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP

[monitorStatus]=”Success” [ID]=”12″ [Date]=”05/07/15″

[Time]=”13:56:33″ [Description]=”Release” [IP Address]=”10.1.2.124″

[Host Name]=”Agent-247.yj” [MAC Address]=”000C2922118E”

[User Name]=”” [ TransactionID]=”2179405838″ [ QResult]=”0″

[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””

#AO-WUA-DHCP-IP-LEASE-RENEW

Wed Feb 25 02:53:28 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-DHCP

[monitorStatus]=”Success” [ID]=”11″ [Date]=”02/25/15″

[Time]=”10:53:19″ [Description]=”Renew” [IP Address]=”10.1.2.123″ [Host

Name]=”WIN-2008-249.yj” [MAC Address]=”0050568F1B5D”

[User Name]=”” [ TransactionID]=”1136957584″ [ QResult]=”0″

[Probationtime]=”” [ CorrelationID]=”” [Dhcid.]=””

Windows IIS logs

#AO-WUA-IIS-Web-Request-Success

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS

[monitorStatus]=”Success” [date]=”2015-05-07″

[time]=”03:44:28″ [s-sitename]=”W3SVC1″

[s-computername]=”WIN-2008-LAW-AG” [s-ip]=”10.1.2.242″ [cs-method]=”GET”

[cs-uri-stem]=”/welcome.png” [cs-uri-query]=”-” [s-port]=”80″

[cs-username]=”-” [c-ip]=”10.1.20.232″ [cs-version]=”HTTP/1.1″

[cs(User-Agent)]=”Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36

+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36″

[cs(Cookie)]=”-” [cs(Referer)]=”http://10.1.2.242/”

[cs-host]=”10.1.2.242″ [sc-status]=”200″ [sc-substatus]=”0″

[sc-win32-status]=”0″

[sc-bytes]=”185173″ [cs-bytes]=”324″ [time-taken]=”78″ [site]=”Default

Web Site” [format]=”W3C”

#AO-WUA-IIS-Web-Client-Error

Thu May 07 03:49:23 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-IIS

[monitorStatus]=”Success” [date]=”2015-05-07″ [time]=”03:44:37″

[s-sitename]=”W3SVC1″ [s-computername]=”WIN-2008-LAW-AG”

[s-ip]=”10.1.2.242″ [cs-method]=”GET” [cs-uri-stem]=”/wrongpage”

[cs-uri-query]=”-”

[s-port]=”80″ [cs-username]=”-” [c-ip]=”10.1.20.232″

[cs-version]=”HTTP/1.1″

[cs(User-Agent)]=”Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36

+(KHTML,+like+Gecko)+Chrome/42.0.2311.135+Safari/537.36″

[cs(Cookie)]=”-” [cs(Referer)]=”-” [cs-host]=”10.1.2.242″

[sc-status]=”404″

[sc-substatus]=”0″ [sc-win32-status]=”2″ [sc-bytes]=”1382″

[cs-bytes]=”347″ [time-taken]=”0″ [site]=”Default Web Site”

[format]=”W3C”

#AO-WUA-IIS-Web-Forbidden-Access-Denied

Thu May 07 03:30:39 2015 WIN-2008-249.ersijiu.com 10.1.2.249

AccelOps-WUA-IIS [monitorStatus]=”Success” [date]=”2015-05-07″

[time]=”03:30:15″

[s-ip]=”10.1.2.249″ [cs-method]=”POST”

[cs-uri-stem]=”/AOCACWS/AOCACWS.svc” [cs-uri-query]=”-” [s-port]=”80″

[cs-username]=”-”

[c-ip]=”10.1.2.42″ [cs(User-Agent)]=”-” [sc-status]=”403″ [sc-substatus]=”4″ [sc-win32-status]=”5″ [time-taken]=”1″

[site]=”Default Web Site”

[format]=”W3C”

Windows DFS logs

#Win-App-DFSR-1002

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS

Replication”

[eventSource]=”DFSR” [eventId]=”1002″ [eventType]=”Information”

[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””

[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:12″ [deviceTime]=”May 07 2015 11:01:12″ [msg]=”The DFS Replication service is starting.”

#Win-App-DFSR-1004

Thu May 07 03:01:12 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS

Replication”

[eventSource]=”DFSR” [eventId]=”1004″ [eventType]=”Information”

[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””

[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:12″ [deviceTime]=”May 07 2015 11:01:12″ [msg]=”The DFS Replication service has started.”

#Win-App-DFSR-1006

Thu May 07 03:01:10 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS

Replication”

[eventSource]=”DFSR” [eventId]=”1006″ [eventType]=”Information”

[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””

[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:10″ [deviceTime]=”May 07 2015 11:01:10″ [msg]=”The DFS Replication service is stopping.”

#Win-App-DFSR-1008

Thu May 07 03:01:11 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-WinLog [monitorStatus]=”Success” [eventName]=”DFS

Replication”

[eventSource]=”DFSR” [eventId]=”1008″ [eventType]=”Information”

[domain]=”” [computer]=”WIN-2008-LAW-agent” [user]=”” [userSID]=””

[userSIDAcctType]=”” [eventTime]=”May 07 2015 11:01:11″ [deviceTime]=”May 07 2015 11:01:11″ [msg]=”The DFS Replication service has stopped.”

Windows file content monitoring logs

Windows File integrity monitoring logs

#AO-WUA-FileMon-Added

Thu May 07 05:30:59 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”

[eventTime]=”May 07 2015 05:30:58″ [fileName]=”C:\\test\\New Text

Document.txt” [osObjAction]=”Added”

[hashCode]=”d41d8cd98f00b204e9800998ecf8427e”

[msg]=””

#AO-WUA-FileMon-Renamed-New-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”

[eventTime]=”May 07 2015 05:30:58″ [fileName]=”C:\\test\\test.txt”

[osObjAction]=”Renamed [New Name]”

[hashCode]=”d41d8cd98f00b204e9800998ecf8427e”

[msg]=””

#AO-WUA-FileMon-Renamed-Old-Name

Thu May 07 05:31:02 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”

[eventTime]=”May 07 2015 05:31:01″ [fileName]=”C:\\test\\New Text

Document.txt” [osObjAction]=”Renamed [Old Name]” [hashCode]=””

[msg]=””

#AO-WUA-FileMon-Modified

Thu May 07 05:31:14 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”

[eventTime]=”May 07 2015 05:31:13″ [fileName]=”C:\\test\\test.txt”

[osObjAction]=”Modified” [hashCode]=”23acb5410a432f14b141656c2e70d104″

[msg]=””

#AO-WUA-FileMon-Removed

Thu May 07 05:31:29 2015 WIN-2008-LAW-agent 10.1.2.242

AccelOps-WUA-FileMon [monitorStatus]=”Success” [userId]=”Administrator”

[eventTime]=”May 07 2015 05:31:27″ [fileName]=”C:\\test\\test.txt”

[osObjAction]=”Removed” [hashCode]=”” [msg]=””

Windows Installed Software logs

Windows Registry change logs

#AO-WUA-Registry-Modified

Thu May 07 04:01:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249

AccelOps-WUA-Registry [monitorStatus]=”Success”

[regKeyPath]=”HKLM\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\ContentInde

CatalogHealth\\{0d2a342a-0b15-4995-93db-d18c3df5860d}”

[regValueName]=”TimeStamp” [regValueType]=”1″

[osObjAction]=”Modified”

[oldRegValue]=”MgAwADEANQAtADAANQAtADAANwAgADAAMwA6ADQAOQA6ADQANwBaAAAA” [newRegValue]=”MgAwADEANQAtADAANQAtADAANwAgADAANAA6ADAAMQA6ADQAOABaAAAA”

#AO-WUA-Registry-Removed

Thu May 07 05:25:09 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-Regis

[monitorStatus]=”Success”

[regKeyPath]=”HKLM\\SOFTWARE\\RegisteredApplications” [regValueName]=”Sky

[regValueType]=”1″ [osObjAction]=”Removed”

[oldRegValue]=”UwBPAEYAVABXAEEAUgBFAFwAQwBsAGkAZQBuAHQAcwBcAEkAbgB0AGUAcg

GUAdAAgAEMAYQBsAGwAXABTAGsAeQBwAGUAXABDAGEAcABhAGIAaQBsAGkAdABpAGUAcwBkAG

ABoAGQAaABkAGgAZABoAGQAAAA=” [newRegValue]=””

Windows WMI logs

#AO-WUA-WMI-Win32_Processor

Thu May 07 03:53:33 2015 WIN-2008-LAW-agent 10.1.2.242 AccelOps-WUA-WMI

[monitorStatus]=”Success”  [__CLASS]=”Win32_Processor”

[AddressWidth]=”64″ [Architecture]=”9″ [Availability]=”3″ [Caption]=”Inte

Family 6 Model 26 Stepping 5″ [ConfigManagerErrorCode]=””

[ConfigManagerUserConfig]=”” [CpuStatus]=”1″

[CreationClassName]=”Win32_Processor” [CurrentClockSpeed]=”2266″

[CurrentVoltage]=”33″

[DataWidth]=”64″ [Description]=”Intel64 Family 6 Model 26 Stepping 5″

[DeviceID]=”CPU0″ [ErrorCleared]=”” [ErrorDescription]=””

[ExtClock]=”” [Family]=”12″ [InstallDate]=”” [L2CacheSize]=”0″

[L2CacheSpeed]=”” [L3CacheSize]=”0″ [L3CacheSpeed]=”0″

[LastErrorCode]=”” [Level]=”6″ [LoadPercentage]=”8″

[Manufacturer]=”GenuineIntel” [MaxClockSpeed]=”2266″

[Name]=”Intel(R) Xeon(R) CPU           E5520  @ 2.27GHz” [NumberOfCores]=

[NumberOfLogicalProcessors]=”1″

[OtherFamilyDescription]=”” [PNPDeviceID]=””

[PowerManagementCapabilities]=”” [PowerManagementSupported]=”0″

[ProcessorId]=”0FEBFBFF000106A5″ [ProcessorType]=”3″ [Revision]=”6661″

[Role]=”CPU” [SocketDesignation]=”CPU socket #0″

[Status]=”OK” [StatusInfo]=”3″ [Stepping]=””

[SystemCreationClassName]=”Win32_ComputerSystem”

[SystemName]=”WIN-2008-LAW-AG”

UniqueId]=”” [UpgradeMethod]=”4″ [Version]=”” [VoltageCaps]=”2″

Windows Powershell logs

Configuring Applications

This section describes how to configure applications for discovery and for providing information to AccelOps.

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “tomcat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “tomcat” in the Name column to see the reports associated with this application or device. Configuration

JMX

1. Add the necessary parameters to the Tomcat startup script.

Windows

Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these arguments for JVM before the comment rem

—-Execute The Requested Command ——

Linux

Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these arguments for JVM before the comment # —-Execute

3. Edit the password file password.

The first column is user name and the second column is password). AccelOps only needs monitor access.

4. In Linux, set permissions for the access and jmxremote.password files so that they are read-only and accessible only by the Tomcat operating system user.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for Tomcat Metrics

<134>Jan 22 01:57:32 10.1.2.16 java:

[PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,

[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[app

Version]=Apache

Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0

<134>Jan 22 01:57:32 10.1.2.16 java:

[PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2. 16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[ appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504,[freeSwapMemKB

]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=1699 00,[memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[ heapCommitKB]=48896,[heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=1 33120,[nonHeapCommitKB]=24512,[nonHeapUtil]=91

<134>Jan 22 01:57:33 10.1.2.16 java:

[PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2

.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,

[appVersion]=Apache

Tomcat/7.0.27,[webAppName]=//localhost/host-manager,[servletName]=HTMLHo stManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0,[loadTime]= 0,[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED

<134>Jan 22 01:57:33 10.1.2.16 java:

[PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2

.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,

[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0,[act iveSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession] =0,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs] =0,[sessionCreateRate]=0,[sessionExpireRate]=0,[webAppState]=STARTED,[pr ocessExpiresFrequency]=6,[maxSessionLimited]=-1,[maxInactiveInterval]=18 00

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[ hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appV ersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[dataSource]=”jdbc/postgres 1″,[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20,[activeSessi ons]=0,[idleSessionsPeak]=10,[idleSessions]=0

<134>Jan 22 01:57:33 10.1.2.16 java:

[PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10

.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9

218,[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009,[appPort]=18009,[totalThrea ds]=0,[busyThreads]=0,[keepAliveThreads]=0[maxThreads]=200,[threadPriori ty]=5,[threadPoolIsDaemon]=true

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAd dr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevP ort]=9218,[appVersion]=Apache

IBM WebSphere Configuration

What is Discovered and Monitored

Install the perfServletApp Application

Configure Security for the Application

Start the Application

Settings for Access Credentials

Event Types

In CMDB > Event Types, search for “websphere” in the Description column to see the event types associated with this device.

PH_DEV_MON_WEBSPHERE_CPU (from HTTPS)

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “websphere” in the Name column to see the reports associated with this device.

Configuration

HTTP(S)

Install the perfServletApp Application

• Log in to your Websphere administration console.

2. Go to Applications > Application Types > WebSphere enterprise application.
3. Click Install.
4. Select Remote file system and browse to {WebSphere_Home}/AppServer/installableApps/PerfServletApp.ear.
5. Click Next.

The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation.  Configure Security for the Application

1. Go to Security > Global Security.
2. Select Enable application security.
3. Go to Applications > Application Types > Websphere Enterprise Applications.
4. Select perfServletApp.
5. Click Security role to user/group mapping.
6. Click Map Users/Groups.

7. Use the Search feature to find and select the AccelOps user you want to provide with access to the application,
8. Click Map Special Subjects.
9. Select All Authenticated in Application’s Realm.
10. Click OK.

Start the Application

1. Go to Applications > Application Types > WebSphere enterprise application.
2. Select perfServletApp.
3. Click Start.
4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet.

JMX

Configuring the Default JMX Port

By default, your Websphere application server uses port 8880 for JMX. You can change this by logging in to your application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ADDRESS. The username and password for JMX are the same as the credentials logging into the console.

To configure JMX communications between your Websphere application server and AccelOps, you need to copy several files from your application server to the Websphere configuration directory for each AccelOps virtual appliance that will be used for discovery and performance monitoring jobs. AccelOps does not include these files because of licensing restrictions.

1. Copy these files to the directory /opt/phoenix/config/websphere/ for each Supervisor, Worker, and Collector in your AccelOps deployment.

2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java for each Supervisor, Worker, and Collector in your AccelOps deployment.

You can now configure AccelOps to communicate with your IBM Websphere device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

You can now configure AccelOps to communicate with your IBM Websphere device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Microsoft ASP.NET Configuration

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

Enable DCOM Permissions for the Monitoring Account

Creating a User Who Belongs to the Domain Administrator Group

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

Enable the Monitoring Account to Access the Monitored Device

Enable DCOM Permissions for the Monitoring Account

Enable Account Privileges in WMI

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

Sample Event for ASP.NET Metrics

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “asp.net” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “asp.net” in the Name column to see the reports associated with this application or device.

Configuration

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
5. Click OK.
6. Under Access Permissions, click EditDefault.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
8. Click
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for ASP.NET Metrics

Oracle GlassFish Server Configuration

JMX

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “glassfish” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “glassfish” in the Name column to see the reports associated with this application or device. Configuration

JMX

1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the node jmx-connector of the file ${GlassF ish_Home}\domains\${Domain_Name}\config\domain.xml.
2. The username and password for JMX are the same as the web console.

You can now configure AccelOps to communicate with your Oracle GlassFish device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.

201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=868

6,[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=,[webAppState]=RUNNING,[cacheMaxSize]=10240,[cac heTTL]=5000,[reqProcessTimeAvg]=0,[startTime]=1358755971,[cookiesAllowed ]=true,[cachingAllowed]=false,[linkingAllowed]=false,[crossContextAllowe d]=true  <134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.

201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=868

6,[appVersion]=Sun Java System Application Server

9.1_02,[sysUpTime]=35266,[cpuUtil]=60

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1

.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=

8686,[appVersion]=Sun Java System Application Server 9.1_02,[freeMemKB]=479928,[freeSwapMemKB]=6289280,[memTotalMB]=16051,[me mUtil]=98,[swapMemUtil]=1,[swapMemTotalMB]=6142,[virtMemCommitKB]=402586 4,[heapUsedKB]=1182575,[heapMaxKB]=3106432,[heapCommitKB]=3106432,[heapU til]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=2 77120,[nonHeapUtil]=69

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.

1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]

=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextPath]=/__JWSappclients,[activeSessionsPeak]=0,[duplica teSession]=0,[activeSessions]=0,[expiredSession]=0,[rejectedSession]=0,[ sessionProcessTimeMs]=85,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0, [maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.

1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]

=8686,[appVersion]=Sun Java System Application Server

9.1_02,[webAppName]=phoenix,[webAppState]=RUNNING,[servletName]=DtExport

Servlet,[totalRequests]=0,[reqErrors]=0,[reqProcessTimeAvg]=0

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_INFO,[destIpAddr]=1 0.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPor t]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccess es]=0

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.

201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=868

6,[appVersion]=Sun Java System Application Server 9.1_02,[ejbComponentName]=phoenix-domain-1.0.jar,[ejbState]=RUNNING,[sta rtTime]=1358755963,  <134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.

201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=868

6,[appVersion]=Sun Java System Application Server

9.1_02,[jmsSource]=jms/RequestQueue

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destI pAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[de stDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalReq uests]=0,[reqRate]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpe nConnections]=0,[lastRequestURI]=null,[lastRequestMethod]=null,[lastRequ estCompletionTime]=0,[openConnectionsCount]=0,[reqErrors]=0

<134>Jan 22 02:00:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr] =10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevP ort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[liveThreads]=106,[liveThreadsMax]=138

<134>Jan 22 02:06:29 10.1.2.201 java:

[PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.

Oracle WebLogic Configuration

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “WebLogic in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “WebLogic” in the Name column to see the reports associated with this application or device.

Configuration

JMX

Enable and Configure Internet Inter-ORB Protocol (IIOP)

1. Log into the administration console of your WebLogic application server.
2. In the Change Center of the administration console, click Lock & Edit.
3. In the left-hand navigation, expand Environment and select Servers.
4. Click the Protocols tab, then select IIOP.
5. Select Enable IIOP.
6. Expand the Advanced
7. For Default IIOP Username and Default IIOP Password, enter the username and password that you will use as the access credentials when configuring AccelOps to communicate with your application server.

Enable IIOP Configuration Changes

1. Go to the Change Center of the administration console.
2. Click Activate Changes.

You can now configure AccelOps to communicate with your IBM Websphere device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for WebLogic Metrics

<134>Jan 22 02:12:20 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.1 6,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[a ppVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[appServerState]=RUNNING,[sysUpTime]

=1358476145,[appPort]=7001,[sslListenPort]=7002,[listenPortEnabled]=true

,[sslListenPortEnabled]=true

<134>Jan 22 02:12:20 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.

2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001

,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967

,[appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB ]=153128,[heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMa xKB]=524288,[usedMemKB]=4086224,[freeMemKB]=107624,[memTotalMB]=4095,[me mUtil]=97,[nurserySizeKB]=88324  <134>Jan 22 02:12:22 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1

.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=700

1,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008

1137967 ,[appServerInstance]=examplesServer,[appName]=consoleapp,[webAppName]=ex amplesServer_/console,[servletName]=/framework/skeletons/wlsconsole/plac eholder.jsp,[webContextRoot]=/console,[invocationCount]=1094,[servletExe cutionTimeMs]=63

<134>Jan 22 02:15:24 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1

.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=700

1,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008

1137967 ,[appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSou rce]=examples-demoXA-2,[activeConns]=0,[connLimit]=1,[leakedConns]=0,[re serveRequests]=0,[waitForConnReqs]=0  <134>Jan 22 02:12:20 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=

10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]

=7001,[appVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008

1137967 ,[appServerInstance]=examplesServer,[completedRequests]=14066312,[execut eThreads]=7,[pendingRequests]=0,[standbyThreads]=5,[totalThreads]=43  <134>Jan 22 02:12:20 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.1 6,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[a ppVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967 ,[appServerInstance]=examplesServer,[ejbComponentName]=ejb30,[ejbIdleBea ns]=0,[ejbUsedBeans]=0,[ejbPooledBeans]=0,[ejbWaiter]=0,[ejbCommitTransa ctions]=0,[ejbTimedOutTransactions]=0,[ejbRolledBackTransactions]=0,[ejb Activations]=0,[ejbPassivations]=0,[ejbCacheHits]=0,[ejbCacheMisses]=0,[ ejbCacheAccesses]=0,[ejbCacheHitRatio]=0

<134>Jan 22 02:12:23 10.1.2.16 java:

[PH_DEV_MON_WEBLOGIC_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.1 6,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,[a ppVersion]=WebLogic Server 10.3  Fri Jul 25 16:30:05 EDT 2008 1137967

,[appServerInstance]=examplesServer,[appName]=webservicesJwsSimpleEar,[w ebAppName]=examplesServer_/jws_basic_simple,[webContextRoot]=/jws_basic_ simple,[activeSessions]=0,[activeSessionsPeak]=0,[activeSessionTotal]=0,

[numServlet]=4,[singleThreadedServletPool]=5

Redhat JBOSS Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

JMX

Configuring JMX on the JBOSS Application Server

Configuring AccelOps to Use the JMX Protocol with JBOSS Application Server

Settings for Access Credentials

Sample Event for JBOSS Metrics

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “boss” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for jobs” in the Name column to see the reports associated with this application or device. Configuration

JMX

1. Enable authentication security check. Open the file ${JBoss_Home}\server\default\deploy\jmx-jboss-beans.xml, find the J MXConnector bean, and uncomment the securityDomain
2. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-roles.properties to configure the JMX administrator role.
3. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-users.properties to configure the username and password for JMX.
4. Configure DNS resolution for the JBOSS application server in your AccelOps Supervsior, Workers, and Collectors by adding the IP address and DNS name of the JBOSS application server to their /etc/hosts If DNS is already configured to resolve the JBOSS application server name, you can skip this step.
5. Start JBoss.

Configuring AccelOps to Use the JMX Protocol with JBOSS Application Server

To configure JMX communications between your JBOSS application server and AccelOps, you need to copy several files from your application server to the JBOSS configuration directory for each AccelOps virtual appliance that will be used for discovery and performance monitoring jobs. AccelOps does not include these files because of licensing restrictions.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

<134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[ hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appV ersion]=6.1.0.Final “Neo”,[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2

<134>Feb 06 11:38:36 10.1.2.16 java:

[PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.1 6,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[a ppVersion]=6.1.0.Final “Neo”,[appServerState]=STARTED,[freeMemKB]=264776,[freeSwapMemKB]=142786

4,[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83,[swapMemTotalMB]=8189, [virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048,[heapCo mmitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=31129 6,[nonHeapCommitKB]=107264,[nonHeapUtil]=99 <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[ hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appV ersion]=6.1.0.Final “Neo”,[webContextRoot]=//localhost/,[webAppState]=RUNNING,[cacheMaxSize]

=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=10472,[startTime]=1353919592, [cookiesAllowed]=true,[cachingAllowed]=true,[linkingAllowed]=false,[cros sContextAllowed]=true

<134>Feb 06 11:38:36 10.1.2.16 java:

[PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2. 16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[ appVersion]=6.1.0.Final “Neo”,[webAppName]=//localhost/admin-console,[servletName]=Faces

Servlet,[totalRequests]=6,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]

=10610

<134>Feb 06 11:38:36 10.1.2.16 java:

[PH_DEV_MON_JBOSS_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2. 16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[ appVersion]=6.1.0.Final “Neo”,[dataSource]=DefaultDS,[dataSourceState]=Started

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAdd r]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPo rt]=1090,[appVersion]=6.1.0.Final “Neo”,[reqProcessorName]=ajp-0.0.0.0-8009,[recvBytes]=0,[sentBytes]=0,[r eqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[totalRequests]=0,[reqRate]=0, [reqErrors]=0

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[ hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appV ersion]=6.1.0.Final “Neo”,[ejbComponentName]=ejbjar.jar,[ejbBeanName]=HelloWorldBeanRemote,[ ejbAvailCount]=0,[ejbCreateCount]=0,[ejbCurrCount]=0,[ejbMaxCount]=0,[ej bRemovedCount]=0,[ejbInstanceCacheCount]=null,[ejbPassivations]=null,[ej bTotalInstanceCount]=null

<134>Feb 06 11:38:36 10.1.2.16 java:

[PH_DEV_MON_JBOSS_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.

1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=10

90,[appVersion]=6.1.0.Final

Authentication Server Configuration

AccelOps supports these authentication servers for discovery and monitoring.

Cisco Access Control Server (ACS) Configuration

Microsoft Internet Authentication Server (IAS) Configuration

Juniper Networks Steel-Belted RADIUS Configuration

Vasco DigiPass Configuration

CyberArk Password Vault Configuration

Cisco Access Control Server (ACS) Configuration

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

Enable DCOM Permissions for the Monitoring Account

Creating a User Who Belongs to the Domain Administrator Group

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

Enable the Monitoring Account to Access the Monitored Device

Enable DCOM Permissions for the Monitoring Account

Enable Account Privileges in WMI

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

Allow WMI through Windows Firewall (Windows Server 2008, 2012) Syslog

Settings for Access Credentials

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “cisco secure acs” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log into the device you want to enable SNMP for as an administrator.
2. Go to Control Panel >Program and Features.
3. Click Turn Windows features on or off .
4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP).

If you are installing on a Windows 2008 device, in the Server Manager window, go to Features > Add features > SNMP Services.

5. If necessary, select SNMP to enable the service.
6. Go to Programs > Administrative Tools > Services.
7. to set the SNMP community string and include AccelOps in the list of hosts that can access this server via SNMP.
8. Select SNMP Service and right-click Properties.
9. Set the community string to public.
10. Go to the Security tab and enter the AccelOps IP Address.
11. Restart the SNMP service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.

• Select Windows Firewall: Allow remote administration exception.

6. Run exe and enter these commands:
7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

Syslog

1. Log in to your Cisco Access Controls Server as an administrator.
2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin.
3. In the left-hand navigation, click System Configuration, then click Logging.
4. Select Syslog for Failed Attempts, Passed Authentication, and RADIUS Accounting to send these reports to AccelOps.
5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV output.

6. For each of these reports, click Configure under Syslog, and for Syslog Server, enter the IP address of the AccelOps virtual appliance that will receive the syslogs as the syslog server, enter 514 for Port, and set Max message length to 1024.
7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

Microsoft Internet Authentication Server (IAS) Configuration

What is Discovered and Monitored

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group Syslog

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “microsoft isa” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

You need to configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows Agent Manager to configure the type of log information you want sent to AccelOps.

1. Log in to your server as an administrator.
2. Go to Start > Administrative Tools > Internet Authentication Service.
3. In the left-hand navigation, select Remote Access Logging, then select Local File.
4. Right-click on Local File to open the Properties menu, and then select Log File.
5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS.
6. Click OK.

You can now use Windows Agent Manager to configure what information will be sent to AccelOps.

Juniper Networks Steel-Belted RADIUS Configuration

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “Juniper Steel-Belted RADIUS” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

1. Login as administrator
2. Install and configure Epilog application to convert log files written by Steelbelted RADIUS server into syslogs for sending to AccelOps
   1. Download Epilog from Epilog download site and install it on your Windows Server.
   2. Launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows

1. Configure Epilog application as follows
   1. Select Log Configuration on left hand panel, click Add button to add log files whose content needs to be sent to AccelOps. These log files are written by the Steelbelted RADIUS server and their paths are correct. Also make sure the Log Type is SteelbeltedLog.

1. Select Network Configuration on left hand panel. On the right, set the destination address to that of AccelOps server, port to 514 and make sure that syslog header is enabled. Then click Change Configuration button.

• Click the “Apply the latest audit configuration” link on the left hand side to apply the changes to Epilog applications. DHCP logs will now sent to AccelOps in real time.

Vasco DigiPass Configuration

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “Vasco DigiPass” in the Device Type column to see the event types associated with this device. Some important ones are

Vasco-DigiPass-KeyServer-AdminLogon-Success

Vasco-DigiPass-KeyServer-UserAuth-Success

Vasco-DigiPass-KeyServer-UserAuth-Failed

Vasco-DigiPass-KeyServer-AccountLocked

Vasco-DigiPass-KeyServer-AccountUnlocked

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the Vasco DigiPass management Console to send syslog to AccelOps. AccelOps is going to parse the logs automatically. Make sure the syslog format is as follows.

May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client

Type:Administration Program}

May 15 20:27:35 vascoservername ikeyserver[3575]: {Success},

{Administration}, {S-004001}, {An administrative logon was successful.},

{0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3},

{Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com},

{Client Type:Administration Program}

May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate:

/var/identikey/conf/certs/soap-custom.pem, Private-Key-Password:

********, CA-Certificate-Store:

/var/identikey/conf/certs/soap-ca-certificate-store.pem,

Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False,

DPX-Upload-Location: /var/dpx/}

CyberArk Password Vault Configuration

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “CyberArk-Vault” in the Device Type column to see close to 400 event types associated with this device.

Rules

In Analytics > Rules, search for “CyberArk”:

CyberArk Vault Blocked Failure

CyberArk Vault CPM Password Disables

CyberArk Vault Excessive Failed PSM Connections

CyberArk Vault Excessive Impersonations

CyberArk Vault Excessive PSM Keystroke Logging Failure

CyberArk Vault Excessive PSM Session Monitoring Failure

CyberArk Vault Excessive Password Release Failure

CyberArk Vault File Operation Failure

CyberArk Vault Object Content Validation Failure

CyberArk Vault Unauthorized User Stations

CyberArk Vault User History Clear

Reports

In Analytics > Reports, search for “CyberArk”:

CyberArk Blocked Operations

CyberArk CPM Password Disables

CyberArk CPM Password Retrieval

CyberArk File Operation Failures

CyberArk Impersonations

CyberArk Object Content Validation Failures

CyberArk PSM Monitoring Failures

CyberArk Password Resets

CyberArk Privileged Command Operations

CyberArk Provider Password Retrieval

CyberArk Trusted Network Area Updates

CyberArk Unauthorized Stations

CyberArk User History Clears

CyberArk User/Group Modification Activity

CyberArk Vault CPM Password Reconcilations

CyberArk Vault CPM Password Verifications

CyberArk Vault Configuration Changes

CyberArk Vault Failed PSM connections

CyberArk Vault Modification Activity

CyberArk Vault PSM Keystore Logging Failures

CyberArk Vault Password Changes from CPM

CyberArk Vault Password Release Failures

CyberArk Vault Successful PSM Connections

Top CyberArk Event Types

Top CyberArk Safes, Folders By Activity

Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

1. Open \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
   1. SyslogServerIP – Specify AccelOps supervisor, workers and collectors separated by commas.
   2. SyslogServerProtocol – Set to the default value of UDP.
   3. SyslogServerPort – Set to the default value of 514.
   4. SyslogMessageCodeFilter – Set to the default range 0-999.
   5. SyslogTranslatorFile – Set to Syslog\AccelOps.xsl.
   6. UseLegacySyslogFormat – Set to the default value of No.
2. Copy the relevant XSL translator file to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
3. Stop and Start Vault (Central Server Administration) for the changes to take effect.

Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product=”Vault”;Version=”9.20.0000″;MessageID=”295″;Message=”Retrieve password”;Issuer=”Administrator”;Station=”10.10.110.11″;File=”Root\snmpC ommunity”;Safe=”TestPasswords”;Reason=”Test”;Severity=”Info” <30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored <27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes. <27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider

[Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [AccelOps]. Fetch reason: [APPAP004E Password object matching query

Database Server Configuration

AccelOps supports these database servers for discovery and monitoring.

IBM DB2 Server Configuration

Microsoft SQL Server Configuration

Microsoft SQL Server Scripts

SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)

SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)

MySQL Server Configuration

Oracle Database Server Configuration

IBM DB2 Server Configuration

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “db2” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configuring IBM DB2 Audit on Linux – DB2 side

1. Log in to IBM Installation Manager.
2. Click the Databases tab, and click the + icon to create a new Database Connection.
3. Enter these settings.

4. In the Job Manager tab, click Add Job.
5. For Name, enter audit.
6. For Type, select DB2 CLP Script.
7. Click OK.
8. Add script.
9. Add schedule detail to audit task.
10. Add database to audit task.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring IBM DB2 Audit on Windows – DB2 side

1. Create a non-admin user on Windows, for example “AoAuditUser” , and set password
2. Login DB2 task center, add the user to DB Users, connect it to database 3. Grant Permission (use Administrator), use commands below
3. Create Catalog with db2admin
4. Create task in DB2 user Administrator:
   1. Open DB2 task center, create a task like below
   2. Add schedule
   3. Add task

IBMDB2_CHECKING_OBJECT <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcI pAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567 ,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_CHECKING_FUNCTION <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[ srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649 ,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_STATEMENT <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcAp p]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204 ,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_COMMIT <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]= db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924 ,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_ROLLBACK <134>May 14 13:57:40 10.1.2.68 java:

[IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp ]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986 ,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT <134>May 14 13:57:40 10.1.2.68 java:

[IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp] =DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2

v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288 ,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT_RESET <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[s rcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149 ,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CREATE_OBJECT <134>May 14 13:57:40 10.1.2.68 java:

[IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CA

N_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPL E,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242 ,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode

]=0

IBMDB2_JDBC_PULL_STAT <134>May 14 13:57:39 10.1.2.68 java:

[IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName ]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[aud itEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[a ppGroupName]=IBM DB2 Server IBMDB2_ARCHIVE <134>May 14 13:57:39 10.1.2.68 java:

[IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp] =db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046 ,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_EXTRACT <134>May 14 13:57:39 10.1.2.68 java:

[IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp] =db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016 ,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_LIST_LOGS <134>May 14 14:03:39 10.1.2.68 java:

[IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcAp

Microsoft SQL Server Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

JDBC for Performance Monitoring

Create a Read-Only User to Access System Tables

JDBC for Database Audit Trail Collection

Create a Read-Only User to Access System Tables

Settings for Access Credentials

Sample Events

Per Instance Performance Metrics

Per Instance, per Database Performance Metrics

Generic Info

Config Info

Locking Info

Blocking Info

Error Log

Logon Events

DDL Events – Create Database

DDL Events – Create index

Supported Versions

SQL Server 2005

SQL Server 2008

SQL Server 2008 R2

SQL Server 2012

SQL Server 2014

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Microsoft SQL server.

Event Types

In CMDB > Event Types, search for “sql server” in the Device Name and Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for ” sql server” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “sql server” in the Name column to see the reports associated with this application or device. Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

JDBC for Performance Monitoring

Creating an User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring. AccelOps runs on Linux and certain windows libraries needed to do so are not available on Linux. You have to create a separate user with read-only privileges.

Create a Read-Only User to Access System Tables

1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.
2. Log in with your newly created read-only account and run these commands.

Check to see if you get the same results with your read-only account as you do with your sa account.

3. The following additional configuration steps should be performed for the collection of Logon Failures.
   1. For Server 2012 – https://technet.microsoft.com/en-us/library/ms175850(v=sql.110).aspx
   2. For Server 2014 – https://technet.microsoft.com/sr-latn-rs/library/ms175850(v=sql.120)
   3. For Server 2016 – https://msdn.microsoft.com/en-us/library/ms175850.aspx

JDBC for Database Audit Trail Collection

Creating a User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring. AccelOps runs on Linux and certain windows libraries needed to do so are not available on Linux. You have to create a separate user with read-only privileges.

Create a Read-Only User to Access System Tables

1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.

1. Save the four SQL Server Scripts attached to this topic to My Documents > SQL Server Management Studio > Projects as four separate files.
2. Login to SQL Server Management Studio with an sa account.
3. Browse to and execute the Database and Table Creation script to create the database and tables.
4. Browse to and execute the Logon Trigger Creation script to create triggers.

SQL Server introduced Logon Trigger in SQL Server 2005 SP2, so the database version must be greater than 2005 SP2 for logon trigger creation to succeed.

5. Browse to and execute the DDL Server Level Trigger Creation script to create database events.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

Creating a Database Truncate Script

Since audit tables grow after time, it is often a good idea to create a database truncate script that can run as a maintenance task and keep the table size under control.  it is often necessary to create a database truncate procedure as follows

1. Log into Microsoft SQL Management Studio and connect to the DB instance.
2. Under Management, go to Maintenance Plans, and create a new plan with the name
3. For Subplan, enter TRUNCATE, and for Description, enter TRUNCATE TABLE.
4. Click the Calendar icon to create a recurring, daily task starting at 12:00AM and running every 30 minutes until 11:59:59PM.
5. Go to View > Tool Box > Execute T-SQL Statement.

A T-SQL box will be added to the subplan.

6. In the T-SQL box, enter this command.
7. Click OK.
8. You will be able to see the history of this script’s actions by right-clicking on the maintenance task, and then selecting View History.

Sample Events

Per Instance Performance Metrics

<134>Apr 16 10:17:56 172.16.22.100 java:

[PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_SYS]:[eventSeverity]=PH

L_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net,

[appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=13149056,[dbLogFileUsedKB]=26326,[dbLogGrowthC ount]=4,[dbLogShrinkCount]=0,[dbLogFlushPerSec]=1.69,[dbTransPerSec]=4.4 4, [dbDeadLocksPerSec]=0,[dbLogCacheHitRatio]=60.01,[dbUserConn]=16,[dbTarg etServerMemoryKB]=1543232,[dbTotalServerMemoryKB]=1464760,[dbPageSplitsP erSec]=0.45, [dbPageWritesPerSec]=0.01,[dbLatchWaitsPerSec]=0.77,[dbPageReadsPerSec]= 0.01,[dbFullScansPerSec]=1.83,[dbBufferCacheHitRatio]=100,[dbCount]=8,[d bUserCount]=25, [dbLoggedinUserCount]=2,[dbPagesInBufferPool]=116850,[dbPagesFreeInBuffe rPool]=2336,[dbAverageWaitTimeMs]=239376, [appVersion]=Microsoft SQL Server 2008 R2 (RTM) – 10.50.1600.1

(X64),[serverName]=WIN-08-VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1

433

Per Instance, per Database Performance Metrics

[PH_DEV_MON_PERF_MSSQL_PERDB]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172. 16.22.100,[hostName]=wwwin.accelops.net,[dbName]=tempdb,[appGroupName]=M icrosoft SQL Server, [dbDataFileSizeKB]=109504,[dbLogFileUsedKB]=434,[dbLogGrowthCount]=4,[db LogShrinkCount]=0,[dbTransPerSec]=0.96,[dbLogFlushPerSec]=0.01,[dbLogCac heHitRatio]=44.44, [appVersion]=Microsoft SQL Server 2008 R2 (RTM) – 10.50.1600.1

(X64),[serverName]=WIN-08-VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1

433

Generic Info

[PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0,[dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600, [dbstatus]= Status=ONLINE; Updateability=READ_WRITE;

UserAccess=MULTI_USER; Recovery=SIMPLE; Version=655;

Collation=SQL_Latin1_General_CP1_CI_AS; SQLSortOrder=52;

IsAutoCreateStatistics; IsAutoUpdateStatistics,

[dbcompatibilityLevel]= 100,[spaceAvailable]= 0.9,[appVersion]=

Microsoft SQL Server 2008 (RTM) – 10.0.1600.22 (Intel X86),[serverName]=

WIN03MSSQL\SQLEXPRESS

Config Info

Locking Info

Blocking Info

[PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,[blockedSp Id]= 51,[blockedLoginUser]= WIN03MSSQL\Administrator,[blockedDbName]= msdb, [blockedCommand]= UPDATE,[blockedProcessName]= Microsoft SQL Server

Management Studio – Query,[blockingSpId]= 54,[blockingLoginUser]=

WIN03MSSQL\Administrator,

[blockingDbName]= msdb,[blockingCommand]= AWAITING

COMMAND,[blockingProcessName]= Microsoft SQL Server Management Studio –

Query,[blockedDuration]= 5180936,

[appVersion]= Microsoft SQL Server 2008 (RTM) – 10.0.1600.22 (Intel

X86),[serverName]= WIN03MSSQL\SQLEXPRESS

Error Log

Logon Events

134>Feb 08 02:55:34 10.1.2.54 java:

[MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO, [eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, [instanceName]=MSSQLSERVEJIANFA, [procId]=52,

[loginType]=Windows (NT) Login,

[securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1,

[destName]=WIN-S2EDLFIUPQK, [destPort]=1437,

DDL Events – Create Database

<134>Sep 29 15:34:48 10.1.2.54 java:

[MSSQL_Create_database]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29

15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54,

[user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=JIANFA,

[instanceName]=MSSQLSERVER, [objName]=, [procId]=59, [command]=CREATE

DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433,

DDL Events – Create index

<134>Sep 29 15:34:48 10.1.2.54 java:

[MSSQL_Create_index]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29

15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54,

[user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=master,

[instanceName]=MSSQLSERVER, [objName]=IndexTest, [procId]=58,

[command]=create index IndexTest on dbo.MSreplication_options(optname);,

[schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK,

[destPort]=1433

Microsoft SQL Server Scripts

SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

CREATE TRIGGER PH_DDL_Server_Level_Events

ON ALL SERVER

FOR DDL_ENDPOINT_EVENTS, DDL_LOGIN_EVENTS, DDL_GDR_SERVER_EVENTS,

DDL_AUTHORIZATION_SERVER_EVENTS,

CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE

/**FOR DDL_SERVER_LEVEL_EVENTS**/

AS

DECLARE @eventData AS XML;

SET @eventData = EVENTDATA(); /**declare @eventData as XML; set @eventData = EVENTDATA();**/

insert into PH_Events.dbo.DDLEvents(EventTime, EventType, SPID, ServerName, LoginName, ObjectName, ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent) values(cast(@eventData.query(‘data(//PostTime)’) as varchar(64)),        cast(@eventData.query(‘data(//EventType)’) as varchar(128)),        cast(@eventData.query(‘data(//SPID)’) as varchar(128)),        cast(@eventData.query(‘data(//ServerName)’) as varchar(128)),        cast(@eventData.query(‘data(//LoginName)’) as varchar(128)),        cast(@eventData.query(‘data(//ObjectName)’) as varchar(128)),        cast(@eventData.query(‘data(//ObjectType)’) as varchar(128)),        cast(@eventData.query(‘data(//SchemaName)’) as varchar(128)),        cast(@eventData.query(‘data(//DatabaseName)’) as varchar(64)),        cast(@eventData.query(‘data(//TSQLCommand/CommandText)’) as varchar(128)),      /**  DB_NAME(),**/

@eventData);

SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)

SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)

This script is to create a server level trigger called PH_LoginEvents. It will record all logon events when a user establishes a session to the database server. The trigger locates at the database server > Server Objects > Triggers.

MySQL Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

JDBC for Database Auditing – MySQL Server

Settings for Access Credentials

Sample events

System Level Performance Metrics

Table Space Performance Metrics

System Level Performance Metrics

Logon/Logoff Events

Database CREATE/DELETE/MODIFY Events

Table CREATE/DELETE/MODIFY Events

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “mysql” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “mysql” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “”mysql” in the Name and Description columns to see the reports associated with this application or device. Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

JDBC for Database Auditing – MySQL Server

You need to configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation explains more about how to set the destination tables for log outputs.

1. Start MySQL server with TABLE output enabled.
2. Login to mysql, run the following SQL commands to enable general.log in MyISAM.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

System Level Performance Metrics

Table Space Performance Metrics

<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO,

[appGroupName]=MySQL Database Server,

[instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01,

[tablespaceFreeSpace]=4193886,

[dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic,

[tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024,

[tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29

12:35:46, [tableCollation]=utf8_general_ci

System Level Performance Metrics

Logon/Logoff Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]:

[eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54,

[logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on

<134>Apr 10 14:29:22 abc-desktop java:

[MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10

14:29:22, [rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [logonTime]=,

[logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]=

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]:

[eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54,

[logoffTime]=, [actionName]=Connect, [msg]=Access denied for user ‘admin’@’172.16.22.227’ (using password:

YES)

Database CREATE/DELETE/MODIFY Events

Table CREATE/DELETE/MODIFY Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]:

[eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(     tutorial_id INT NOT NULL AUTO_INCREMENT, tutorial_title VARCHAR(100) NOT NULL,     tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,     PRIMARY KEY ( tutorial_id )    )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]:

[eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2NOT NULL,

tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,    PRIMARY KEY ( tutorial_id )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227,

[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl       (tutorial_title, tutorial_author, submission_date)      VALUES      (“Learn Java”, “John Smith”, NOW())

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]:

[eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54,

[rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable

Oracle Database Server Configuration

Supported Versions

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

JDBC for Database Performance Monitoring – Oracle Database Server

JDBC for Database Auditing – Oracle Database Server

Configuring listener log and error log via SNARE – Oracle side

Settings for Access Credentials

Sample Events

System Level Database Performance Metrics

Table Space Performance Metrics

Oracle Audit Trail (AccelOps Generated Events)

Oracle Audit Log

Oracle Listener Log

Oracle Alert Log

Supported Versions

Oracle Database 10g

Oracle Database 11g

Oracle Database 12c

What is Discovered and Monitored

Event Types

In CMDB > Event Types, search for “oracle database” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “oracle database” in the Description column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “oracle database” in the Name column to see the reports associated with this application or device. Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

JDBC for Database Performance Monitoring – Oracle Database Server

To configure your Oracle Database Server for performance monitoring by AccelOps, you need to create a read-only user who has select permissions for the database. This is the user you will use to create the access credentials for AccelOps to communicate with your database server.

1. Open the SQLPlus application.
2. Log in with a system-level account.

Verify the permissions.

JDBC for Database Auditing – Oracle Database Server

2. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora.

This is typically located in $ORACLE_BASE/admin/<SID>/pfile where DIS is the Oracle instance

Configuring listener log and error log via SNARE – Oracle side

1. Install and configure Epilog application to send syslog to AccelOps
2. Download Epilog from Epilog download site and install it on your Windows Server.
3. Launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows

1. Configure Epilog application as follows
   1. Select Log Configuration on left hand panel, click Add button to add Oracle Listener log file to be sent to AccelOps. Also make sure the Log Type is OracleListenerLog.
   2. Click Add button to add Oracle Alert log file to be sent to AccelOps. Also make sure the Log Type is OracleAlertLog.

• After adding both the files, SNARE Log Configuration will show both the files included as follows

1. Select Network Configuration on left hand panel. On the right, set the destination address to that of AccelOps server, port to 514 and make sure that syslog header is enabled. Then click Change Configuration button.
2. Click the “Apply the latest audit configuration” link on the left hand side to apply the changes to Epilog applications.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

System Level Database Performance Metrics

[PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8,

[hostName]=Host-10.1.2.8, [appGroupName]=Oracle Database Server,

[appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 –

Production, [instanceName]=orcl, [instanceStatus]=OPEN,

[charSetting]=ZHS16GBK, [archiveEnabled]=FALSE,

[lastBackupDate]=1325566287,

[listenerStatus]=OPEN,[dbBufferCacheHitRatio]=100,[dbMemorySortsRatio]=1

00,[dbUserTransactionPerSec]=0.13,[dbPhysicalReadsPerSec]=0,

[dbPhysicalWritesPerSec]=0.48,[dbHostCpuUtilRatio]=0,[dbNetworkKBytesPer

Sec]=0.58,[dbEnqueueDeadlocksPerSec]=0,[dbCurrentLogonsCount]=32,[dbWait

TimeRatio]=7.13,[dbCpuTimeRatio]=92.87, [dbRowCacheHitRatio]=100,[dbLibraryCacheHitRatio]=99.91,[dbSharedPoolFre eRatio]=18.55,[dbSessionCount]=40,[dbIOKBytesPerSec]=33.26,[dbRequestsPe rSec]=3.24, [dbSystemTablespaceUsage]= 2.88,[dbTempTablespaceUsage]=

0,[dbUsersTablespaceUsage]= 0.01,[dbUserCount]=

2,[dbInvalidObjectCount]= 4

Table Space Performance Metrics

Oracle Audit Trail (AccelOps Generated Events)

Oracle Audit Log

<172>Oracle Audit[25487]: LENGTH : ‘153’ ACTION :[004] ‘bjn’ DATABASE

USER:[9] ‘user’ PRIVILEGE :[4] ‘NONE’ CLIENT USER:[9] ‘user’ CLIENT

TERMINAL:[14] ‘terminal’ STATUS:[1] ‘0’]

<172>Oracle Audit[6561]: LENGTH : ‘158’ ACTION :[6] ‘COMMIT’ DATABASE

USER:[8] ‘user’ PRIVILEGE :[6] ‘SYSDBA’ CLIENT USER:[6] ‘user’ CLIENT

TERMINAL:[0] ” STATUS:[1] ‘0’ DBID:[9] ‘200958341’

<172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747

ENTRYID:[5] 14188 STATEMENT:[5] 28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:[1] 5

Oracle Listener Log

Oracle Alert Log

DHCP and DNS Server Configuration

AccelOps supports these DHCP and DNS servers for discovery and monitoring.

Infoblox DNS/DHCP Configuration

ISC BIND DNS Configuration

Linux DHCP Configuration

Microsoft DHCP (2003, 2008) Configuration Microsoft DNS (2003, 2008) Configuration

Infoblox DNS/DHCP Configuration

What is Discovered and Monitored