Channel: Fortinet GURU

FortiSIEM Linux DHCP Configuration

Linux DHCP Configuration

What is Discovered and Monitored

Configure Linux DHCP to Forward Logs to Syslog Daemon

Configure Syslog to Forward to Accelops

Sample Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location; attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “linux dhcp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Make sure that snmp libraries are installed. AccelOps has been tested to work with net-snmp libraries.
  2. Log in to your device with administrator credentials.
  3. Modify the /etc/snmp/snmpd.conf file:
    1. Define the community string for AccelOps usage and permit snmp access from the AccelOps IP.
    2. Allow AccelOps to (read-only) view the mib-2 tree.
    3. Open up the entire tree for read-only view.
  4. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  5. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  6. Make sure that snmpd is running.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.
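The snmpd.conf requirements above (a dedicated community, access only from the AccelOps IP, read-only views) are easy to get wrong on a host that already ships a default community. The following audit script is an added example, not part of the FortiSIEM documentation: it reads a net-snmp style snmpd.conf and reports communities that are read-write, use a default name, or are not restricted to the collector address. The two configurations embedded in it are constructed for the example; the collector address 10.0.0.5 and the community string are placeholders, not values from the page.

```python
"""Audit a net-snmp snmpd.conf for the collector-only, read-only access model.

Added example; not FortiSIEM code. It understands the classic net-snmp
directives rocommunity/rwcommunity (with optional SOURCE and -V VIEW) and
com2sec, and flags settings that go beyond what performance monitoring needs.
"""
import shlex

# Constructed configuration in the shape the steps above describe:
# a dedicated community, restricted to the collector, with read-only views.
GOOD_CONF = """
# constructed example: collector-only read access
view mib2   included .1.3.6.1.2.1
view all    included .1
rocommunity s3cr3t-community 10.0.0.5 -V all
"""

# Constructed weak configuration: a default read-only community and a
# read-write community, both reachable from any source address.
WEAK_CONF = """
rocommunity public
rwcommunity private
"""

COLLECTOR_IP = "10.0.0.5"   # placeholder for the AccelOps address (assumption)


def parse_communities(conf_text):
    """Return (directive, community, source, view) tuples found in snmpd.conf text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = parts[1] if len(parts) > 1 else ""
            # the optional SOURCE is the next token unless it is a "-V" style option
            source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else "default"
            view = parts[parts.index("-V") + 1] if "-V" in parts else "all"
            found.append((directive, community, source, view))
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY
            found.append(("com2sec", parts[3], parts[2], ""))
    return found


def audit(conf_text, collector_ip):
    """Return a list of findings; an empty list means the file matches the intended model."""
    findings = []
    entries = parse_communities(conf_text)
    if not entries:
        findings.append("no community configured")
    for directive, community, source, _view in entries:
        if directive.startswith("rwcommunity"):
            findings.append(f"{community!r}: read-write community; monitoring only needs read-only")
        if community.lower() in ("public", "private"):
            findings.append(f"{community!r}: default community name")
        if source in ("default", "0.0.0.0/0", "::/0"):
            findings.append(f"{community!r}: not restricted to a source address")
        elif source.split("/")[0] != collector_ip:
            findings.append(f"{community!r}: source {source} is not the collector {collector_ip}")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit(conf, COLLECTOR_IP) or "OK")
```

Run it against the real file with `audit(open("/etc/snmp/snmpd.conf").read(), "<AccelOps IP>")`; the weak configuration yields five findings, the collector-only one none.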

Syslog

Configure Linux DHCP to Forward Logs to Syslog Daemon

  1. Edit the dhcpd configuration (.conf) file and insert the line log-facility local7;.
  2. Restart dhcpd by issuing /etc/init.d/dhcpd restart.

Configure Syslog to Forward to AccelOps

  1. Edit the syslog configuration (.conf) file and add a new line: Local7.* @<IP address of AccelOps server>.
  2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.

Sample Syslog

FortiSIEM Microsoft DHCP (2003, 2008) Configuration

Microsoft DHCP (2003, 2008) Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Settings for Access Controls

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Process details
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Process details, process to service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DHCP metrics (Win32_PerfFormattedData_DHCPServer_DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by AccelOps for Identity and location; attributes include IP Address, MAC address, Host Name
  Used for: Security and compliance (associate machines to IP addresses)

Event Types

In CMDB > Event Types, search for “microsoft dhcp” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

  1. Log into your Microsoft DHCP server as an administrator.
  2. Go to Start > Administrative Tools > DHCP.
  3. Select the DHCP server you want to monitor, then right-click and select Properties.
  4. Click the General tab, and then select Enable DHCP audit logging.
  5. Click the DNS tab, and then select Dynamically update DNS A and PTR records only if requested by the DHCP clients and Discard A and PTR records when lease is deleted.
  6. Click the Advanced tab.
  7. Set Audit log file path to C:\WINDOWS\system32\dhcp.
  8. Set Database path to C:\WINDOWS\system32\dhcp.
  9. Set Backup path to C:\WINDOWS\System32\dhcp\backup.
  10. Click OK to complete configuration.

Use the Windows Agent Manager to further configure sending syslogs from your device to AccelOps.

Sample Microsoft DHCP Syslog

<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,

<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,

<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,

<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,

<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,
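The value of these events for identity and location is the IP to MAC to host name binding carried by lease events, and a parser has to cope with the rows that carry no binding (DNS update events with an empty MAC field, the failed update whose MAC column holds -1, and the housekeeping summary with empty address fields). The following parser is an added example, not FortiSIEM's own parser: it assumes the layout visible in the samples above (syslog PRI and header, the literal WinDHCPLog tag, a counter, then the DHCP audit-log CSV of ID, date, time, description, IP, host name, MAC) and folds lease events into an IP-to-MAC/host map. The sample text is assembled from the messages above, one message per line.

```python
"""Parse WinDHCPLog syslog messages into identity/location records.

Added example; not FortiSIEM code. Only the fields visible in the page's
samples are assumed; anything else on a line is kept in the raw CSV fields.
"""
import csv
import re
from io import StringIO

# Constructed from the sample messages above, one message per line.
SAMPLE = """\
<15>May 27 17:22:43 ADS-Pri.ACME.net WinDHCPLog 0 11,05/27/08,17:22:43,Renew,192.168.20.46,Lucy-XPS.ACME.net,009096F27636,
<15>Jun 20 12:20:58 ADS-Pri.ACME.net WinDHCPLog 0 10,06/20/08,12:20:58,Assign,192.168.20.35,mission.,000D5639076C,
<13>Mar 29 10:25:28 192.168.0.10 WinDHCPLog 0 30,03/29/10,10:25:27,DNS Update Request,40.20.168.192,John-lap.ACME.net,,
<13>Mar 29 10:25:05 192.168.0.10 WinDHCPLog 0 32,03/29/10,10:25:01,DNS Update Successful,192.168.20.32,Mary-laptop.ACME.net,,
<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 31,06/01/10,14:24:08,DNS Update Failed,192.168.26.31,Joe-LAPTOP.ACME.net,-1,
<13>Jun  1 14:24:08 192.168.0.10 WinDHCPLog 0 25,06/01/10,14:24:07,0 leases expired and 1 leases deleted,,,,
"""

# <PRI>Mon dd hh:mm:ss reporter WinDHCPLog <seq> <csv body>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<reporter>\S+) WinDHCPLog (?P<seq>\d+) (?P<body>.*)$"
)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")
# Descriptions seen in the samples that bind an address to a client MAC.
LEASE_EVENTS = {"Assign", "Renew"}


def parse_line(line):
    """Return a dict for one WinDHCPLog message, or None if the line does not match."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = next(csv.reader(StringIO(m.group("body"))))
    fields += [""] * (7 - len(fields))          # short rows (cleanup summary) pad out
    mac = fields[6].strip()
    return {
        "facility": pri >> 3,                    # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "reporter": m.group("reporter"),
        "event_id": int(fields[0]),
        "date": fields[1],
        "time": fields[2],
        "description": fields[3],
        "ip": fields[4],                         # kept exactly as logged
        "host": fields[5].rstrip("."),           # "mission." carries a trailing dot
        "mac": mac if MAC_RE.match(mac) else None,   # "-1" in the failed-update row is not a MAC
        "raw_fields": fields,
    }


def identity_map(text):
    """Fold lease events into {ip: (mac, host)}; later events overwrite earlier ones."""
    mapping = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["description"] in LEASE_EVENTS and rec["mac"]:
            mapping[rec["ip"]] = (rec["mac"], rec["host"])
    return mapping


if __name__ == "__main__":
    for ip, (mac, host) in identity_map(SAMPLE).items():
        print(f"{ip:16} {mac} {host}")
```

Only Assign and Renew rows with a well-formed MAC change the map; the DNS update and cleanup rows are parsed (with their facility and severity decoded from the PRI) but leave it untouched, which is what you want when the map drives machine-to-IP attribution.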

FortiSIEM Microsoft DNS (2003, 2008) Configuration

Microsoft DNS (2003, 2008) Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Sample Windows DNS Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, Incremental DNS Zone Transfer requests received
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “microsoft dns” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click Add.
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

FortiSIEM WMI


WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows DNS Syslog

FortiSIEM Directory Server Configuration


Directory Server Configuration

AccelOps supports these directory servers for discovery and monitoring.

Microsoft Active Directory Configuration

Microsoft Active Directory Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol: WMI
  Metrics collected: Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: “dcdiag -e” command output, used to detect successful and failed domain controller diagnostic tests

Protocol: WMI
  Metrics collected: “repadmin /replsummary” command output, used to detect replication statistics

Rules

Failed Windows DC Diagnostic Test

Reports

Successful Windows Domain Controller Diagnostic Tests

Failed Windows Domain Controller Diagnostic Tests

Source Domain Controller Replication Status

Destination Domain Controller Replication Status
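The rule and reports above hinge on one thing: turning the free-text output of “dcdiag -e” into a per-domain-controller list of failed tests. The following parser is an added example and not the FortiSIEM implementation: it assumes only the result lines dcdiag prints (“<name> passed test <Test>” and “<name> failed test <Test>”) and ignores everything else. The dcdiag output embedded below is constructed for the example; the controller names DC01/DC02 and the forest name are placeholders, and the failure shown is invented to exercise the code path.

```python
"""Summarize "dcdiag -e" output into per-DC pass/fail results.

Added example; not FortiSIEM code. Only "<target> passed|failed test <Test>"
result lines are interpreted; the rest of the transcript is ignored.
"""
import re

# Constructed output in the shape dcdiag prints; names are placeholders.
SAMPLE_DCDIAG = """\
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

   Testing server: Default-First-Site-Name\\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         ......................... DC01 passed test Replications
      Starting test: Services
         ......................... DC01 passed test Services

   Testing server: Default-First-Site-Name\\DC02
      Starting test: Replications
         [Replications Check,DC02] A recent replication attempt failed:
         ......................... DC02 failed test Replications
      Starting test: Services
         ......................... DC02 passed test Services

   Running enterprise tests on : corp.example.invalid
      Starting test: LocatorCheck
         ......................... corp.example.invalid passed test LocatorCheck
"""

# Leading dots and whitespace, then "<target> passed|failed test <Test>".
RESULT_RE = re.compile(r"^\s*\.*\s*(?P<target>\S+) (?P<result>passed|failed) test (?P<test>\S+)\s*$")


def parse_dcdiag(text):
    """Return a list of (target, test, passed) tuples in output order."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group("target"), m.group("test"), m.group("result") == "passed"))
    return results


def failed_tests(text):
    """Return {target: [test, ...]} for every failed test; this is what the rule above alerts on."""
    failures = {}
    for target, test, passed in parse_dcdiag(text):
        if not passed:
            failures.setdefault(target, []).append(test)
    return failures


if __name__ == "__main__":
    for target, tests in failed_tests(SAMPLE_DCDIAG).items():
        print(f"{target}: failed {', '.join(tests)}")
```

Feed it the captured command output (for example `failed_tests(open("dcdiag.txt").read())`); an empty dictionary means every test passed, and anything else is the condition the Failed Windows DC Diagnostic Test rule describes.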

Configuration

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

FortiSIEM Document Management Server Configuration


Document Management Server Configuration

AccelOps supports these document management servers for discovery and monitoring.

Microsoft SharePoint Configuration

Microsoft SharePoint Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Installing and Configuring LOGbinder SP Agent

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol: WMI
Information discovered: (none)
Metrics/Logs collected: SharePoint logs – Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes
Used for: Log analysis and compliance

Event Types

In CMDB > Event Types, search for “sharepoint” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “sharepoint” in the Name column to see the reports associated with this application or device.

Configuration

Microsoft SharePoint logs are supported via the LOGbinder SP agent from Monterey Technology Group. The agent needs to be installed on the SharePoint server and configured to write its logs to the Windows Security log. AccelOps reads the Windows Security log via WMI, categorizes the SharePoint-specific events and parses the SharePoint-specific attributes.

Installing and Configuring LOGbinder SP Agent

LOGbinder Install web link

LOGbinder Configuration web link – remember to configure LOGbinder SP agent to write to Windows security log

LOGbinder SP getting started document – remember to configure LOGbinder SP agent to write to Windows security log

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the Com Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

FortiSIEM Mail Server Configuration


Mail Server Configuration

AccelOps supports these mail servers for discovery and monitoring.

Microsoft Exchange Configuration

Microsoft Exchange Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization for the various Exchange server processes
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various Exchange server processes
Used for: Performance Monitoring

Protocol: WMI
Information discovered: (none)
Metrics collected:
  Exchange performance metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): VM Largest Block Size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User Count, Active User Count, Peak User Count, Active Connection Count, Max Connection Count
  Exchange error metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed – Server Busy, RPC Failed – Server Unavailable, Foreground RPC Failed, Background RPC Failed
  Exchange mailbox metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes), per mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User
  Exchange SMTP metrics (obtained from the Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue
  Exchange ESE Database (Win32_PerfFormattedData_ESE_MSExchangeDatabase):
  Exchange Database Instances (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances):
  Exchange Mail Submission Metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission):
  Exchange Store Interface Metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface):
  Exchange Replication Metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication):
  Exchange Transport Queue Metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues):
Used for: Performance Monitoring

Protocol: WMI
Information discovered: (none)
Metrics collected: Application Logs
Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “microsoft exchange” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “microsoft exchange” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security tab.
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.
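
The same Security tab settings as a script, as an added PowerShell example that is not from the FortiSIEM/AccelOps documentation. It writes the registry-backed SNMP service configuration that both GUI procedures above (Windows Server 2003, and Windows 7 / Server 2008 R2) edit by hand: the authentication trap, the read-only community, and the list of hosts the agent accepts packets from. The collector IP address and community name are placeholders you must replace; the registry paths, the rights values and the service and feature names are the standard Windows SNMP service ones.

```powershell
# Added example, not from the FortiSIEM/AccelOps documentation.
# Scripted equivalent of the SNMP Service > Security tab steps above, run in an
# elevated PowerShell session on the monitored Windows server.
# Placeholders (assumptions, not values from the page): $CollectorIp, $CommunityName.

$CollectorIp   = '192.0.2.10'   # IP of the AccelOps virtual appliance that polls this host
$CommunityName = 'public'       # the page uses "public"; a site-specific string is preferable

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Install the SNMP service if it is missing (server editions; feature name SNMP-Service).
if (-not (Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue)) {
    Import-Module ServerManager
    Add-WindowsFeature -Name 'SNMP-Service' | Out-Null
}

# "Send authentication trap": trap on requests that carry an unknown community string,
# which is how you notice something probing the agent with a guessed community.
Set-ItemProperty -Path $Params -Name 'EnableAuthenticationTraps' -Value 1 -Type DWord

# "Accepted community names": one registry value per community, data = rights.
# 1 = NONE, 2 = NOTIFY, 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE.
$Communities = Join-Path $Params 'ValidCommunities'
if (-not (Test-Path $Communities)) { New-Item -Path $Communities | Out-Null }
$ckey = Get-Item -Path $Communities
foreach ($name in $ckey.GetValueNames()) {
    # Anything above READ ONLY lets a remote peer set MIB objects; flag it for review.
    if ([int]$ckey.GetValue($name) -gt 4) {
        Write-Warning "Community '$name' has write rights ($($ckey.GetValue($name))); the collector only needs read-only"
    }
}
Set-ItemProperty -Path $Communities -Name $CommunityName -Value 4 -Type DWord

# "Accept SNMP packets from these hosts": values named "1","2",... hold the allowed
# managers. An empty key means "accept from any host", so keep at least the collector here.
$Managers = Join-Path $Params 'PermittedManagers'
if (-not (Test-Path $Managers)) { New-Item -Path $Managers | Out-Null }
$mkey = Get-Item -Path $Managers
$allowed = @($mkey.GetValueNames() | ForEach-Object { $mkey.GetValue($_) })
if ($allowed -notcontains $CollectorIp) {
    $indexes = @($mkey.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($indexes.Count -gt 0) { ($indexes | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    Set-ItemProperty -Path $Managers -Name ([string]$next) -Value $CollectorIp -Type String
}

# "Restart service" so the agent re-reads Parameters.
Restart-Service -Name 'SNMP'

# Print the resulting manager list for the change record.
$mkey = Get-Item -Path $Managers
$mkey.GetValueNames() | ForEach-Object { '{0,-4} {1}' -f $_, $mkey.GetValue($_) }
```

The script never deletes an existing community; it only warns about any with write rights, so you can decide case by case. Keeping the permitted-managers list non-empty matters more than the community string: with the list empty the agent answers any host that guesses the community.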

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the Com Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.
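
A way to check the result of the WMI account setup above (the same steps appear in the Microsoft SharePoint and Citrix Receiver sections of this page), as an added PowerShell example that is not from the FortiSIEM/AccelOps documentation. Run it on a different Windows host with the monitoring account's credentials, before discovery: it exercises the DCOM and root\cimv2 permissions over the same DCOM/RPC path the collector uses, confirms the two local group memberships the non-administrator method relies on, and reads the Win32_PerfRawData_MSExchangeIS_MSExchangeIS counters listed in the Exchange table above. The target host name and the account name are placeholders; the WMI class names are the ones the page itself names.

```powershell
# Added example, not from the FortiSIEM/AccelOps documentation.
# Run from a separate Windows host as the monitoring account to confirm, before discovery,
# that the DCOM, namespace and firewall steps above took effect (Get-WmiObject cannot take
# -Credential against the local machine, which is why a second host is used).
# Placeholders (assumptions, not values from the page): $Target, $MonitorUser.

$Target      = 'exch01.example.test'    # the monitored Exchange / SharePoint / Citrix server
$MonitorUser = 'EXAMPLE\svc-siem-mon'   # the monitoring account created above
$cred = Get-Credential -UserName $MonitorUser -Message 'Monitoring account password'

# 1. DCOM launch/access limits plus "Enable Account" and "Remote Enable" on root\cimv2.
try {
    $os = Get-WmiObject -ComputerName $Target -Credential $cred -Namespace 'root\cimv2' `
                        -Class 'Win32_OperatingSystem' -ErrorAction Stop
    "OK    root\cimv2 on $Target as $MonitorUser -> $($os.Caption)"
} catch {
    $msg = $_.Exception.Message
    if ($msg -match 'Access is denied') {
        "FAIL  access denied: re-check the COM Security limits and the CIMV2 namespace permissions"
    } elseif ($msg -match 'RPC server is unavailable') {
        "FAIL  RPC unreachable: re-check the Windows Management Instrumentation firewall exception"
    } else {
        "FAIL  $msg"
    }
    return
}

# 2. Non-administrator method: the account must be in both local groups the steps add it to.
$groups  = 'Distributed COM Users', 'Performance Monitor Users'
$sam     = $MonitorUser.Split('\')[-1]
$pattern = 'Name="' + [regex]::Escape($sam) + '"'
$memberOf = Get-WmiObject -ComputerName $Target -Credential $cred -Class 'Win32_GroupUser' -ErrorAction SilentlyContinue |
    Where-Object { $_.PartComponent -match $pattern } |
    ForEach-Object { [regex]::Match($_.GroupComponent, 'Name="([^"]+)"').Groups[1].Value }
foreach ($g in $groups) {
    if ($memberOf -contains $g) { "OK    member of '$g'" }
    else { "WARN  not a member of '$g' (expected only if the Domain Admins method was used)" }
}

# 3. Exchange store counters from the "What is Discovered and Monitored" table. The class only
#    exists on a server with the Exchange Information Store provider and is skipped elsewhere.
#    Property names are the counter names with spaces removed (RPCRequests, UserCount, ...);
#    Win32_PerfRawData_* values are raw, so rate counters need their base counter to cook them.
$store = Get-WmiObject -ComputerName $Target -Credential $cred -Namespace 'root\cimv2' `
                       -Class 'Win32_PerfRawData_MSExchangeIS_MSExchangeIS' -ErrorAction SilentlyContinue
if ($store) {
    $store | Select-Object -Property RPC*, *UserCount, *ConnectionCount, VM* | Format-List
} else {
    "INFO  Win32_PerfRawData_MSExchangeIS_MSExchangeIS not present on $Target (not an Exchange mailbox server?)"
}
```

Where you have the choice, the non-administrator account is the one to use: a member of Distributed COM Users and Performance Monitor Users with read access to CIMV2 returns everything in the table, and the credential stored on the collector then carries far less privilege than a Domain Admins account would.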

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

FortiSIEM Management Server/Appliance Configuration


Management Server/Appliance Configuration

AccelOps supports these web servers for discovery and monitoring.

Cisco Application Centric Infrastructure (ACI) Configuration

Fortinet FortiManager Configuration

Cisco Application Centric Infrastructure (ACI) Configuration

What is Discovered and Monitored

Protocol: Cisco APIC API (REST)
Information Discovered: (none)
Metrics Collected: Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG Health, Fault Record, Event Record, Log Record, Configuration Change
Used For: Availability and Performance Monitoring

Event Types

Go to CMDB > Event Types and search for “Cisco_ACI”

Rules

Go to CMDB > Rules and search for “Cisco ACI”

Reports

Go to CMDB > Reports and search for “Cisco ACI”

Configuration

Cisco ACI Configuration

Please configure the Cisco ACI appliance so that FortiSIEM can access it via the APIC API.

FortiSIEM Configuration

  1. Go to Admin > Setup > Credentials.
  2. Click New and create a credential as follows:
    1. Name – enter a name.
    2. Device Type – set to Cisco Cisco ACI.
    3. Access Protocol – set to Cisco APIC API.
    4. Password Configuration – set to Manual.
    5. Set the User Name and Password used for the REST API.
    6. Click Save.
  3. Create an IP to Credential Mapping:
    1. IP – specify the IP address of the ACI Controller.
    2. Credential – specify the Name entered in step 2a.
  4. Test Connectivity – run Test Connectivity with or without ping and make sure the test succeeds.
  5. Check the Pull Events tab to make sure that an event pulling entry is created.

Sample Events

Overall Health Event

[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89","healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}

Tenant Health Event

[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]

Nodes Health Event

[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0","inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00","mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role":"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]

Cluster Health Event

[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}

Application Health Event

[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}

EPG Health Event

[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified","scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]

Fault Record Event

[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification","lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical","rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}

Event Record Event

[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":"18374686479671623682","user":"internal"}

Log Record Event

[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created":"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-typeREST-Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":"login,session","txId":"0","user":"admin"}

Configuration Change Event

[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266","created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":"7493989779944505526","user":"admin"}}
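
A parser for the "[Event_Type]: {json}" format the sample events above use, as an added PowerShell example that is not from the FortiSIEM/AccelOps documentation. It turns each line into an object and then applies the three checks a practitioner usually wants from these events: health scores below a threshold or dropping between polls, faults whose highestSeverity is critical, and APIC login records that belong in the audit trail. The $sampleEvents array is constructed for this example (modelled on the page's samples but shortened, and including one truncated record to show the malformed-input path); the $HealthThreshold value is a placeholder.

```powershell
# Added example, not from the FortiSIEM/AccelOps documentation.
# Parses the "[Event_Type]: {json}" lines used by the sample events above into objects a
# health check or alert rule can act on. $sampleEvents is constructed for this example
# (modelled on the page's samples, shortened); $HealthThreshold is a placeholder.

$HealthThreshold = 85

$sampleEvents = @(
    '[Cisco_ACI_Overall_Health]: {"attributes":{"cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89","healthMin":"0","repIntvEnd":"2016-09-05T08:13:53.232+00:00"}}',
    '[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","dn":"topology/pod-1/node-101/sys","name":"Leaf1","role":"leaf","state":"in-service"},"children":[{"healthInst":{"attributes":{"chng":"-10","cur":"90","maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Fault_Record]: {"attributes":{"created":"2016-09-05T08:00:41.313+00:00","descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","highestSeverity":"critical","lc":"soaking","rule":"infra-wi-node-health","severity":"critical"}}',
    '[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","descr":"From-198.18.134.150-client-typeREST-Success","severity":"info","trig":"login,session","user":"admin"}}',
    '[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","severity":"critical"}'
)

function ConvertFrom-AciEvent {
    param([Parameter(Mandatory = $true)][string]$Line)

    # Event type in square brackets, then the APIC managed object as JSON.
    if ($Line -notmatch '^\[(?<type>[A-Za-z0-9_]+)\]:\s*(?<body>.+)$') {
        return [pscustomobject]@{ EventType = $null; Status = 'unrecognised'; Raw = $Line }
    }
    $type = $Matches['type']
    try {
        $obj = $Matches['body'] | ConvertFrom-Json -ErrorAction Stop
    } catch {
        # e.g. a truncated record: keep it visible rather than silently dropping it
        return [pscustomobject]@{ EventType = $type; Status = 'malformed-json'; Raw = $Line }
    }
    $a = $obj.attributes

    # Per-object health lives in the healthInst child (cur/prev/chng); the fabric-wide
    # event carries healthAvg/healthMin/healthMax on the attributes themselves.
    $h = $null
    if ($obj.children) { $h = $obj.children[0].healthInst.attributes }
    $score  = if ($h) { [int]$h.cur } elseif ($a.healthAvg) { [int]$a.healthAvg } else { $null }
    $change = if ($h) { [int]$h.chng } else { $null }

    [pscustomobject]@{
        EventType       = $type
        Status          = 'ok'
        Dn              = $a.dn
        Severity        = $a.severity
        HighestSeverity = $a.highestSeverity
        Health          = $score
        HealthChange    = $change
        Trigger         = $a.trig
        User            = $a.user
        Descr           = $a.descr
        Raw             = $Line
    }
}

$parsed = $sampleEvents | ForEach-Object { ConvertFrom-AciEvent -Line $_ }

# Malformed input is reported, not discarded.
$parsed | Where-Object { $_.Status -ne 'ok' } |
    ForEach-Object { "DROP   $($_.EventType): $($_.Status)" }

# Health below the threshold, or any downward change between two polls.
$parsed | Where-Object { $_.Status -eq 'ok' -and $_.Health -ne $null -and ($_.Health -lt $HealthThreshold -or ($_.HealthChange -ne $null -and $_.HealthChange -lt 0)) } |
    ForEach-Object { "HEALTH $($_.EventType) $($_.Dn) score=$($_.Health) change=$($_.HealthChange)" }

# Critical faults, keyed on the fault's own highestSeverity field.
$parsed | Where-Object { $_.Status -eq 'ok' -and $_.HighestSeverity -eq 'critical' } |
    ForEach-Object { "FAULT  $($_.Dn): $($_.Descr)" }

# APIC logins (trig contains "login") are audit events worth forwarding as-is.
$parsed | Where-Object { $_.EventType -eq 'Cisco_ACI_Log_Record' -and $_.Trigger -match 'login' } |
    ForEach-Object { "AUDIT  APIC login by '$($_.User)': $($_.Descr)" }
```

With the constructed input the run reports the overall-health event (82 is under the threshold), the Leaf1 node event (the score dropped by 10), the critical controller fault, the admin login, and one DROP line for the truncated fault record; the node health rule fires on the drop even though 90 is above the threshold, which is the usual way to catch degradation early.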


FortiSIEM Fortinet FortiManager Configuration

Fortinet FortiManager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics Collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used For: Availability and Performance Monitoring

Event Types

Regular monitoring events

PH_DEV_MON_SYS_CPU_UTIL
PH_DEV_MON_SYS_MEM_UTIL
PH_DEV_MON_SYS_DISK_UTIL
PH_DEV_MON_NET_INTF_UTIL

Rules

Regular monitoring rules

Reports

Regular monitoring reports

Configuration

Please configure the device so that AccelOps can access it via SNMP.

Configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

FortiSIEM Remote Desktop Configuration


Remote Desktop Configuration

AccelOps supports these remote desktop applications for discovery and monitoring.

Citrix Receiver (ICA) Configuration

Citrix Receiver (ICA) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol: WMI
Information Discovered: (none)
Metrics Collected: From PH_DEV_MON_APP_ICA_SESS_MET:
  ICA Latency Last Recorded
  ICA Latency Session Average
  ICA Latency Session Deviation
  ICA Input Session Bandwidth
  ICA Input Session Line Speed
  ICA Input Session Compression
  ICA Input Drive Bandwidth
  ICA Input Text Echo Bandwidth
  ICA Input SpeedScreen Data Bandwidth
  Input Audio Bandwidth
  ICA Input VideoFrame Bandwidth
  ICA Output Session Bandwidth
  ICA Output Session Line Speed
  ICA Output Session Compression
  ICA Output Drive Bandwidth
  ICA Output Text Echo Bandwidth
  ICA Output SpeedScreen Data Bandwidth
  ICA Output Audio Bandwidth
  ICA Output VideoFrame Bandwidth

Event Types

In CMDB > Event Types, search for “citrix ICA” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “citrix ICA” in the Name column to see the reports associated with this application or device.

Configuration

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile, depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

FortiSIEM Unified Communication Server Configuration

Unified Communication Server Configuration

AccelOps supports these VoIP servers for discovery and monitoring.

Avaya Call Manager Configuration

Cisco Call Manager Configuration

Cisco Contact Center Configuration

Cisco Presence Server Configuration

Cisco Tandberg Telepresence Video Communication Server (VCS) Configuration

Cisco Telepresence Multipoint Control Unit (MCU) Configuration

Cisco Telepresence Video Communication Server Configuration

Cisco Unity Connection Configuration

Avaya Call Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SFTP

Configure AccelOps to Receive CDR Records from Avaya Call Manager

Configure Avaya Call Manager to Send CDR Records to AccelOps

Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, Interface utilization | Performance Monitoring
SFTP | | Call Description Records (CDR): Calling Phone IP, Called Phone IP, Call Duration | Performance and Availability Monitoring

Event Types

Avaya-CM-CDR: Avaya CDR Records

Rules

None.

Reports

None.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Avaya Call Manager

  1. Log in to your AccelOps virtual appliance as root over SSH.
  2. Change the directory.
  3. Create an FTP account for user ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.
  4. The CDR records do not carry field definitions, only values, and field definitions are needed to interpret the values correctly. Make sure that the CDR field definitions match the default ones supplied by AccelOps in /opt/phoenix/config/AvayaCDRConfig.csv. AccelOps interprets the CDR record fields according to the field definitions in /opt/phoenix/config/AvayaCDRConfig.csv and generates events like the following:

Wed Feb  4 14:37:41 2015 1.2.3.4 AccelOps-FileLog-AvayaCM [Time of day-hours]="11" [Time of day-minutes]="36" [Duration-hours]="0" [Duration-minutes]="00" [Duration-tenths of minutes]="5" [Condition code]="9" [Dialed number]="5908" [Calling number]="2565522011" [FRL]="5" [Incoming circuit ID]="001" [Feature flag]="0" [Attendant console]="8" [Incoming TAC]="01 1" [INS]="0" [IXC]="00" [Packet count]="12" [TSC flag]="1"

Configure Avaya Call Manager to Send CDR Records to AccelOps

  1. Log in to Avaya Call Manager.
  2. Send CDR records to AccelOps by using this information:

Field | Value
Host Name/IP Address | <AccelOps IP address>
User Name | ftpuser
Password | <The password you created for ftpuser>
Protocol | SFTP
Directory Path | /opt/phoenix/cache/avayaCM/<call-manager-ip>

Cisco Call Manager Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count, Per process: CPU utilization, Memory utilization | Performance Monitoring
SNMP | VoIP phones and registration status | Call Manager metrics (listed below) | Availability Monitoring
WMI (for Windows based Call Managers) | Application type, service mappings | Process level metrics: Per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring
SFTP | | Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration; Call Management Records (CMR): Latency, Jitter, Mos Score (current, average, min, max) for each call in the CDR | Performance and Availability Monitoring
Syslog | | Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT) |

Call Manager metrics collected over SNMP:

  • Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count, broken down by Registered/Unregistered/Rejected status (AccelOps Event Type: PH_DEV_MON_CCM_GLOBAL_INFO)
  • SIP Trunk Info: Trunk end point, description, status (AccelOps Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT)
  • SIP Trunk Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK)
  • Gateway Status Info: Gateway name, Gateway IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_GW_STAT)
  • Gateway Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW)
  • H323 Device Info: H323 Device name, H323 Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_H323_STAT)
  • H323 Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323)
  • Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_VM_STAT)
  • Voice Mail Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_VM_STAT_CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM)
  • Media Device Info: Media Device name, Media Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_MEDIA_STAT)
  • Media Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_MEDIA_STAT_CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA)
  • Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_CTI_STAT)
  • CTI Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI)

Event Types

In CMDB > Event Types, search for “cisco_uc” and “cisco_uc_rtmt” in the Display Name column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco call manager” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

WMI (for Call Manager installed under Windows)

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile, depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Cisco Call Manager

  1. Log in to your AccelOps virtual appliance as root over SSH.
  2. Change the directory.

This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.

  3. Switch user to admin by issuing su - admin.
  4. Modify the phoenix_config.txt entry.
  5. Restart phParser by issuing killall -9 phParser.

Configure Cisco Call Manager to Send CDR Records to AccelOps

  1. Log in to Cisco Call Manager.
  2. Go to Tools > CDR Management Configuration.

The CDR Management Configuration window will open.

  3. Click Add New.
  4. Enter this information:

Field | Value
Host Name/IP Address | <AccelOps IP address>
User Name | ftpuser
Password | <The password you created for ftpuser>
Protocol | SFTP
Directory Path | /opt/phoenix/cache/ccm/<call-manager-ip>

  5. Click Save.

Cisco Contact Center Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

In Analytics > Rules, search for “cisco contact center” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Presence Server Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Tandberg Telepresence Video Communication Server (VCS) Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Telepresence Multipoint Control Unit (MCU) Configuration

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Tandberg VCS.

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, Interface utilization | Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco telepresence” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Telepresence Video Communication Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

What is Discovered and Monitored

Protocol | Logs parsed | Used for
Syslog | Call attempts, Call rejects, Media stats, Request, response, Search | Log Analysis

Event Types

In CMDB > Event Types, search for “Cisco-TVCS” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Cisco Unity Connection Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization | Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco unity” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco unity” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

FortiSIEM Web Server Configuration

Web Server Configuration

AccelOps supports these web servers for discovery and monitoring.

Apache Web Server Configuration

Microsoft IIS for Windows 2000 and 2003 Configuration

Microsoft IIS for Windows 2008 Configuration

Nginx Web Server Configuration

Apache Web Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

HTTPS

Syslog

Define the Apache Log Format

Apache Syslog Log Format

Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, Memory utilization | Performance Monitoring
HTTP(S) via the mod_status module | | Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes, Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers | Performance Monitoring
Syslog | Application type | W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “apache” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “apache” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

HTTPS

To communicate with AccelOps over HTTPS, you need to configure the mod_status module in your Apache web server.

  1. Log in to your web server as an administrator.
  2. Open the configuration file /etc/Httpd.conf.
  3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication or over HTTPS with authentication.
  4. If you are using authentication, you will have to add user authentication credentials:
    1. Go to /etc/httpd and, if necessary, create an account directory.
    2. In the account directory, create two files, users and groups.
    3. In the groups file, enter admin:admin.
    4. Create a password for the admin user.
  5. Reload Apache.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Install and configure Epilog application to send syslog to AccelOps

  1. Download Epilog from the Epilog download site and install it on your Windows server.
  2. For Windows, launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
  3. For Linux, browse to http://<yourApacheServerIp>:6162.
  4. Configure the Epilog application as follows:
    1. Go to Log Configuration. Click the Add button and add the following log files to be sent to AccelOps:

/etc/httpd/logs/access_log
/etc/httpd/logs/ssl_access_log

    2. Go to Network Configuration.
      1. Set the AccelOps (AO) system IP (all-in-one or collector) as the Destination Server address (10.1.2.20 in this example).
      2. Set 514 in the Destination Port text area.
    3. Click Change Configuration to save the configuration.
  5. Apply the Latest Audit Configuration. Apache logs will now be sent to AccelOps in real time.

Define the Apache Log Format

You need to define the format of the logs that Apache will send to AccelOps.

  1. Open the file /etc/httpd/conf.d/ssl.conf for editing.

Apache Syslog Log Format

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"
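The sample lines above are Apache combined-format access records inside syslog framing. The parser below is an added example, not code from the page or from AccelOps; it pulls out the attributes the table lists (Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes) plus the syslog facility and severity decoded from the PRI value, and then counts 4xx/5xx responses per client as a first security-monitoring view. The first two sample lines are the page's own examples joined onto single lines with straight quotes; the third is a constructed 404 record.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: lines 1 and 2 are the page's own samples (joined, straight
# quotes); line 3 is a constructed 404 record for the error-count example.
SAMPLE_LINES = [
    '<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog '
    '192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" '
    '200 2414 "http://192.168.0.30/" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
    '<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] '
    '192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" '
    '200 10791 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"',
    '<142>Sep 17 13:27:40 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog '
    '192.168.20.35 - - [17/Sep/2009:13:27:40 -0700] "GET /old/index.html HTTP/1.1" '
    '404 301 "-" "curl/7.19.7"',
]

# Syslog framing as seen in the samples: <PRI>, BSD timestamp, reporting host,
# a program tag ("ApacheLog", "httpd:", "HTTP:") and an optional Solaris-style
# "[ID nnn facility.severity]" prefix before the access record itself.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+):? "
    r"(?:\[ID [^\]]*\] )?"
    r"(?P<record>.*)$"
)

# Apache combined log format: the W3C access log attributes listed in the table.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# PRI = facility * 8 + severity (RFC 3164); only the local0-7 facilities are
# named here because those are what the samples use.
SYSLOG_FACILITIES = {16 + i: "local%d" % i for i in range(8)}
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_apache_syslog(line):
    """Parse one syslog-framed Apache access line into a flat attribute dict.

    Returns None for a line that is not a well-formed combined-format record,
    so a caller can count unparsed lines rather than silently drop them.
    """
    outer = SYSLOG_RE.match(line)
    if not outer:
        return None
    inner = ACCESS_RE.match(outer.group("record"))
    if not inner:
        return None
    pri = int(outer.group("pri"))
    sent = inner.group("bytes")
    return {
        "facility": SYSLOG_FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SYSLOG_SEVERITIES[pri % 8],
        "reporting_host": outer.group("host"),
        "client_ip": inner.group("client"),
        "timestamp": datetime.strptime(inner.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "http_method": inner.group("method"),
        "url": inner.group("url"),
        "http_version": inner.group("version"),
        "http_status": int(inner.group("status")),
        "sent_bytes": 0 if sent == "-" else int(sent),  # "-" means nothing sent
        "referrer": inner.group("referrer") or "-",
        "user_agent": inner.group("agent") or "-",
    }


def error_counts_by_client(lines):
    """Count 4xx/5xx responses per client IP across a batch of lines: the kind
    of aggregate a security-monitoring rule would key on (e.g. one client
    producing many Not Found errors)."""
    counts = Counter()
    for line in lines:
        rec = parse_apache_syslog(line)
        if rec and rec["http_status"] >= 400:
            counts[rec["client_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_apache_syslog(sample))
    print(error_counts_by_client(SAMPLE_LINES))
```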

Microsoft IIS for Windows 2000 and 2003 Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Sample IIS Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, Read I/O, Write I/O. IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Application type
Metrics collected: W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “microsoft iis” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

FortiSIEM Reports


Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Tool is selected. If it isn’t selected, select it, and then click Next to install.
  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed. If not, click Add Feature, then select SNMP Service and click Next to install the service.
  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK. This is the account you will need to use in setting up the Performance Monitor Users group permissions.
  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use Windows Agent Manager to configure the sending of syslogs from this device.

Sample IIS Syslog

<13>Oct  9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -

Microsoft IIS for Windows 2008 Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Sample IIS Syslog

Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, Read I/O, Write I/O. IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Application type
Metrics collected: W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “microsoft iis” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Tool is selected. If it isn’t selected, select it, and then click Next to install.
  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed. If not, click Add Feature, then select SNMP Service and click Next to install the service.
  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK. This is the account you will need to use in setting up the Performance Monitor Users group permissions.
  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample IIS Syslog

<13>Oct  9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -
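The IISWebLog sample above (the same sample appears in the Windows 2000/2003 section) is a syslog header followed by a sequence number and one W3C extended-format access record whose fields are positional, with spaces inside values written as "+". The following parser is an added example, not code from the AccelOps documentation or product; it maps the record onto the attributes listed in the table for this device (IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration). The field order it assumes is IIS's full W3C extended field set in the server's standard order, which fits the 22 tokens of the sample; that order, the IISAccessEvent field names and the embedded copies of the two samples are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two sample lines shown above.
SAMPLE_IIS_LINE = (
    "<13>Oct  9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 "
    "2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 "
    "Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - "
    "192.168.0.10 200 0 0 2158 368 156"
)
SAMPLE_FTP_LINE = (
    "<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 "
    "127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -"
)

# <PRI>, BSD timestamp, reporting host, agent tag (IISWebLog / FTPSvcLog), sequence number, record.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+)\s+(?P<seq>\d+)\s+(?P<body>.*)$"
)

# Assumed field order (an assumption of this example): IIS's complete W3C extended field set.
# Check the "#Fields:" directive of your own log files and adjust this list if it differs.
W3C_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs-version", "cs(User-Agent)",
    "cs(Cookie)", "cs(Referer)", "cs-host", "sc-status", "sc-substatus", "sc-win32-status",
    "sc-bytes", "cs-bytes", "time-taken",
]


@dataclass
class IISAccessEvent:
    service_instance: str   # s-sitename, e.g. W3SVC1
    client_ip: str
    url: str
    user_agent: str
    referrer: str
    http_version: str
    method: str
    http_status: int
    sent_bytes: int         # sc-bytes (server to client)
    received_bytes: int     # cs-bytes (client to server)
    duration_ms: int        # time-taken


def parse_iis_syslog(line: str) -> Optional[IISAccessEvent]:
    """Return the parsed web-log event, or None for lines that are not IISWebLog W3C records."""
    hdr = SYSLOG_RE.match(line.strip())
    if not hdr or hdr.group("tag") != "IISWebLog":
        return None                      # e.g. the FTPSvcLog sample uses a different layout
    tokens = hdr.group("body").split()
    if len(tokens) != len(W3C_FIELDS):
        return None                      # field set does not match the assumed #Fields order
    f = dict(zip(W3C_FIELDS, tokens))
    query = "" if f["cs-uri-query"] == "-" else "?" + f["cs-uri-query"]
    return IISAccessEvent(
        service_instance=f["s-sitename"],
        client_ip=f["c-ip"],
        url=f["cs-uri-stem"] + query,
        user_agent=f["cs(User-Agent)"].replace("+", " "),   # IIS writes spaces as '+'
        referrer=f["cs(Referer)"],
        http_version=f["cs-version"],
        method=f["cs-method"],
        http_status=int(f["sc-status"]),
        sent_bytes=int(f["sc-bytes"]),
        received_bytes=int(f["cs-bytes"]),
        duration_ms=int(f["time-taken"]),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_IIS_LINE, SAMPLE_FTP_LINE):
        print(parse_iis_syslog(sample))
```

Rejecting records whose token count does not match the configured field list is deliberate: W3C logging fields are chosen per site, and silently shifting columns would attribute the wrong client IP or status to an event.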

FortiSIEM Nginx Web Server Configuration

Nginx Web Server Configuration

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Settings for Access Credentials

The following protocols are used to discover and monitor various aspects of the Nginx web server.

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: (none)
Metrics collected: W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “nginx” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example nginx Syslog

<29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2-logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html","0.000","877","-","10.4.200.203","80","wm-center.com","no-cache, no-store, must-revalidate","-","1.64","_","-","-"

Settings for Access Credentials

SNMP Access Credentials for All Devices

When setting the Access Method Definition for allowing AccelOps to communicate with your device over SNMP, use these settings.

FortiSIEM Configuring Blade Servers

Configuring Blade Servers

AccelOps supports these blade servers for discovery and monitoring.

Cisco UCS Server Configuration

HP BladeSystem Configuration

 

Cisco UCS Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

UCS XML API

Settings for Access Credentials

Sample Cisco UCS Events

Power Supply Status Event

Processor Status Event

Chassis Status Event

Memory Status Event

Fan Status Event

What is Discovered and Monitored

Protocol: Cisco UCS API
Information discovered: Host name, Access IP, Hardware components: processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit
Metrics collected:
  Chassis status: Input Power, Input Avg Power, Input Max Power, Input Min Power, Output Power, Output Avg Power, Output Max Power, Output Min Power
  Memory status: Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
  Processor status: Input Current, Input Avg Current, Input Max Current, Input Min Current, Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
  Power supply status: Temp (C), Max Temp (C), Avg Temp (C), Min Temp (C), Input 210Volt, Avg Input 210Volt, Max Input 210Volt, Min Input 210Volt, Output 12Volt, Avg Output 12Volt, Max Output 12Volt, Min Output 12Volt, Output 3V3Volt, Avg Output 3V3Volt, Max Output 3V3Volt, Min Output 3V3Volt, Output Current, Avg Output Current, Max Output Current, Min Output Current, Output Power, Avg Output Power, Max Output Power, Min Output Power
  Fan status: Fan Speed, Average Fan Speed, Max Fan Speed, Min Fan Speed
Used for: Availability and Performance Monitoring

 

Event Types

In CMDB > Event Types, search for “cisco ucs” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “cisco ucs” in the Name column to see the reports associated with this application or device.

Configuration

UCS XML API

AccelOps uses the Cisco UCS XML API to discover Cisco UCS and to collect hardware statistics. See the Cisco UCS documentation for information on how to configure your device to connect to AccelOps over the API.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Sample Cisco UCS Events

Power Supply Status Event

[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2,[envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706,[envTempMinDegC]=25.529411,[input210Volt]=214.294113,[input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVolt]=207.823532,[ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803,[ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176,[ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823,[ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436,[outputCurrentMaxAmp]=24.509804,[outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004,[outputPowerAvgWatt]=245.736252,[outputPowerMaxWatt]=303.344879,[outputPowerMinWatt]=191.188004

Processor Status Event

[PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/blade-3/board/cpu-2,[inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914,[inputCurrentMaxAmp]=101.101959,[inputCurrentMinAmp]=44.580391,[envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,[envTempMaxDegC]=6.431373,[envTempMinDegC]=5.788235,

Chassis Status Event

[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1,[inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137,[inputPowerMinWatt]=7.843137,[outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxWatt]=0.000000,[outputPowerMinWatt]=0.000000

Memory Status Event

Fan Status Event
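The UCS status events above share one layout: an event-type name in brackets, a colon, then comma-separated [attribute]=value pairs. The following is an added example, not FortiSIEM code: a parser for that layout plus a small availability check of the kind these events exist to support, which flags a power supply whose temperature or output rail is outside a tolerance. The temperature limits and the 5% rail tolerance are illustrative assumptions, not FortiSIEM or Cisco defaults; the attribute names are copied from the samples as printed, including the "ouput" spelling of the voltage attributes, and the embedded copies of the three samples are constructed from the text above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copies of the PSU, processor and chassis samples shown above.
PSU_EVENT = (
    "[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2,[envTempdDegC]=47.764706,"
    "[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706,[envTempMinDegC]=25.529411,"
    "[input210Volt]=214.294113,[input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,"
    "[input210MinVolt]=207.823532,[ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803,"
    "[ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176,"
    "[ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823,[ouput3V3MinVolt]=3.141176,"
    "[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436,[outputCurrentMaxAmp]=24.509804,"
    "[outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004,[outputPowerAvgWatt]=245.736252,"
    "[outputPowerMaxWatt]=303.344879,[outputPowerMinWatt]=191.188004"
)
CPU_EVENT = (
    "[PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/blade-3/board/cpu-2,"
    "[inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914,[inputCurrentMaxAmp]=101.101959,"
    "[inputCurrentMinAmp]=44.580391,[envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,"
    "[envTempMaxDegC]=6.431373,[envTempMinDegC]=5.788235,"
)
CHASSIS_EVENT = (
    "[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1,[inputPowerWatt]=7.843137,"
    "[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137,[inputPowerMinWatt]=7.843137,"
    "[outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxWatt]=0.000000,"
    "[outputPowerMinWatt]=0.000000"
)

EVENT_TYPE_RE = re.compile(r"^\[(?P<etype>[A-Z0-9_]+)\]:")
PAIR_RE = re.compile(r"\[(?P<key>[A-Za-z0-9_]+)\]=(?P<val>[^,]*)")


def parse_ucs_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split an event into its type name and an attribute dictionary (a trailing comma is tolerated)."""
    text = line.strip()
    m = EVENT_TYPE_RE.match(text)
    if not m:
        raise ValueError("not a FortiSIEM [key]=value event")
    attrs = {k: v.strip() for k, v in PAIR_RE.findall(text[m.end():])}
    return m.group("etype"), attrs


def numeric(attrs: Dict[str, str], key: str) -> Optional[float]:
    try:
        return float(attrs[key])
    except (KeyError, ValueError):
        return None          # attribute absent or not a number: treated as "no reading"


# Illustrative limits chosen for this example (assumptions, not product defaults).
TEMP_LIMIT_C = {"PH_DEV_MON_UCS_HW_PSU_STAT": 45.0, "PH_DEV_MON_UCS_HW_PROCESSOR_STAT": 80.0}
RAIL_NOMINAL_V = {"ouput12Volt": 12.0, "ouput3V3Volt": 3.3}   # names as printed in the samples
RAIL_TOLERANCE = 0.05


def evaluate(line: str) -> Tuple[str, List[str]]:
    """Return the event type and a list of human-readable findings (empty when all readings are in range)."""
    etype, a = parse_ucs_event(line)
    comp = a.get("hwComponentName", "?")
    findings: List[str] = []
    temp, limit = numeric(a, "envTempdDegC"), TEMP_LIMIT_C.get(etype)
    if temp is not None and limit is not None and temp > limit:
        findings.append(f"{comp}: temperature {temp:.1f} C exceeds {limit:.0f} C")
    if etype == "PH_DEV_MON_UCS_HW_PSU_STAT":
        for key, nominal in RAIL_NOMINAL_V.items():
            v = numeric(a, key)
            if v is not None and abs(v - nominal) / nominal > RAIL_TOLERANCE:
                findings.append(f"{comp}: {key} {v:.3f} V outside {RAIL_TOLERANCE:.0%} of {nominal} V")
    return etype, findings


if __name__ == "__main__":
    for sample in (PSU_EVENT, CPU_EVENT, CHASSIS_EVENT):
        print(evaluate(sample))
```

With the illustrative 45 C limit the PSU sample produces one finding (its instantaneous temperature is 47.8 C) while both rails sit within 5% of nominal; the processor and chassis samples produce none.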


FortiSIEM HP BladeSystem Configuration

HP BladeSystem Configuration

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Access IP, Hardware components: processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit
Metrics collected: Hardware status: Fan status, Power supply status, power enclosure status, Overall status
Used for: Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover the HP BladeSystem and collect hardware statistics. See the instructions on configuring SNMP in your BladeSystem documentation to enable communications with AccelOps.

After you have configured SNMP on your BladeSystem blade server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

FortiSIEM Configuring Cloud Applications

Configuring Cloud Applications

AccelOps supports these cloud applications for monitoring.

AWS Access Key IAM Permissions and IAM Policies

AWS CloudTrail API Configuration

AWS EC2 CloudWatch API Configuration

AWS RDS Configuration

Box.com Configuration

Cisco FireAMP Cloud Configuration

Google Apps Audit Configuration

Microsoft Azure AuditTrail Configuration

Microsoft Office365 Audit Configuration

Okta Configuration

Salesforce CRM Audit Configuration

 

 

AWS Access Key IAM Permissions and IAM Policies

In order to monitor AWS resources in AccelOps, an access key and a corresponding secret access key are needed. Prior to the availability of AWS IAM users, the recommendation was to create an access key at the level of the root AWS account. This practice has been deprecated since the availability of AWS IAM users, as you can read in the AWS Security Credentials best practice guide. If you were monitoring AWS using such access keys, the first step is to delete those keys and create keys based on a standalone IAM user dedicated to monitoring purposes in AccelOps. This document explains how to create such a user, and what permissions and policies to add to allow AccelOps to monitor your AWS environment.

Create IAM user for AccelOps monitoring

  1. Log in to the IAM Console, Users tab.
  2. Click Create Users.
  3. Type in a user name, e.g. aomonitoring, under Enter User Names.
  4. Leave the checkbox Generate an access key for each user selected, or select it if it is not selected.
  5. Click Download Credentials and then click the Close button.
  6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in AccelOps to monitor various AWS services. You will need to add permissions before you can actually add them in AccelOps.

Change permissions for IAM user

  1. Select the user aomonitoring.
  2. Switch to the Permissions tab.
  3. Click Attach Policy.
  4. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess, AmazonSQSFullAccess and click Attach Policy. You can choose to skip attaching some policies if you do not use that service or do not plan on monitoring it. For instance, if you do not use RDS, then you do not need to attach AmazonRDSReadOnlyAccess.
  5. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specify a more restricted policy as described in the next step.
  6. Now, identify the set of S3 bucket(s) that you have configured to store CloudTrail logs for each region. You can create an inline policy, choose custom policy, then paste the sample policy below. Make sure you replace the S3 bucket names below, aocloudtrail1 and aocloudtrail2, with the ones you have configured.
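The sample inline policy referred to in the step above is not reproduced in this copy of the page. As an added example (not AccelOps's or AWS's own policy document), the following Python builds an S3 policy restricted to the named CloudTrail buckets and checks that it grants nothing beyond read access to those buckets, which is the least-privilege alternative to attaching AmazonS3ReadOnlyAccess. The bucket names aocloudtrail1 and aocloudtrail2 are the placeholders from the step above; the exact set of read actions the collector needs (ListBucket, GetBucketLocation, GetObject) is an assumption of this example.

```python
import json
from typing import Any, Dict, Iterable, List

# Read actions assumed sufficient for pulling CloudTrail log files (assumption of this example).
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]   # apply to the bucket ARN itself
OBJECT_ACTIONS = ["s3:GetObject"]                             # apply to objects (ARN/*)
READ_ONLY = set(BUCKET_ACTIONS) | set(OBJECT_ACTIONS)


def cloudtrail_bucket_policy(bucket_names: Iterable[str]) -> Dict[str, Any]:
    """Build an IAM policy allowing read-only access to exactly the given CloudTrail buckets."""
    names = [b for b in bucket_names if b]
    if not names:
        raise ValueError("at least one bucket name is required")
    bucket_arns = [f"arn:aws:s3:::{b}" for b in names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListCloudTrailBuckets", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": bucket_arns},
            {"Sid": "ReadCloudTrailObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": [f"{arn}/*" for arn in bucket_arns]},
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_is_read_only_and_scoped(policy: Dict[str, Any], allowed_buckets: Iterable[str]) -> bool:
    """True only if every Allow statement uses a known read action on one of the allowed buckets.

    Wildcard actions ("s3:*", "*"), any write or delete action, NotAction/NotResource forms and
    resources outside the allowed buckets all cause the policy to be rejected.
    """
    allowed = {f"arn:aws:s3:::{b}" for b in allowed_buckets}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            return False
        for action in _as_list(st.get("Action", [])):
            if action not in READ_ONLY:
                return False
        for res in _as_list(st.get("Resource", [])):
            base = res[:-2] if res.endswith("/*") else res
            if base not in allowed:
                return False
    return True


def render(policy: Dict[str, Any]) -> str:
    """JSON text in the form pasted into the IAM console's custom inline policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(["aocloudtrail1", "aocloudtrail2"])
    assert policy_is_read_only_and_scoped(policy, ["aocloudtrail1", "aocloudtrail2"])
    print(render(policy))
```

The validator is the useful half: run it over a policy before attaching it, so that a later edit that widens the resource to "*" or adds s3:PutObject is caught rather than quietly granting the monitoring user write access to log evidence.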

 

 

 

AWS CloudTrail API Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

Sample Events for AWS CloudTrail

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
CloudTrail API | None | None | Security Monitoring

Event Types

In CMDB > Event Types, search for “Cloudtrail” in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

Rules

There are no predefined rules for this device. However,

Reports

In Analytics > Reports, search for “cloudtrail” in the Name column to see the reports associated with this device.

Configuration

 

 

AccelOps receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your AccelOps virtual appliance you then enter access credentials so AccelOps can communicate with CloudTrail as it would any other device.

Create a new Cloudtrail

  1. Log in to https://console.aws.amazon.com/cloudtrail.
  2. Switch to the region for which you want to generate CloudTrail logs.
  3. Click Trails.
  4. Click Add New Trail.
  5. Enter a Trail name such as aocloudtrail.
  6. Select No for Apply Trail to all regions.

You will need to create a CloudTrail for each region by following all the steps mentioned here for CloudTrail, SQS, and SNS. You cannot use ‘Apply Trail to all regions’ to collect trails for all regions in one S3 bucket and have AccelOps pull these logs. In the future, AccelOps will be enhanced to support this capability.

  1. Select Yes for Create a new S3 bucket.
  2. For S3 bucket, enter a name like s3aocloudtrail.
  3. Click Advanced.
  4. Select Yes for Create a new SNS topic.
  5. For SNS topic, enter a name like snsaocloudtrail.
  6. Leave the rest of the advanced settings at their default values.
  7. Click Create.

A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Switch to the region in which you created the new CloudTrail above.
  3. Click Create New Queue.
  4. Enter a Queue Name such as sqsaocloudtrail.
  5. Enter the Queue Settings.
Setting | Value
Default Visibility Timeout | 0 seconds
Message Retention Period | 10 minutes (this must be set to between 5 and 50 minutes; a lower value is recommended for high event rates to avoid event loss)
Maximum Message Size | 256KB
Delivery Delay | 0 seconds
Receive Message Wait Time | 5 seconds

  6. Click Create Queue.
  7. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for AccelOps.

Set Up Simple Notification Service (SNS)

  1. Log in to https://console.aws.amazon.com/sns.
  2. Select Topics
  3. Select the SNS topic snsaocloudtrail that you specified when creating the CloudTrail.
  4. Click Actions > Subscribe to topic from the menu to launch the Create Subscription popup.
  5. For Protocol, select Amazon SQS.
  6. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
  7. Click Create Subscription.

Give Permission for Amazon SNS to Send Messages to SQS

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Select the queue you created, sqsaocloudtrail.
  3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
  4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier.
  5. The Topic ARN will be filled in automatically.
  6. Click Subscribe.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery. You do not need to initiate discovery of AWS CloudTrail, but should check that AccelOps is pulling events for AWS by checking for an amazon.com entry in Admin > Setup Wizard > Event Pulling.

Settings for Access Credentials
Sample Events for AWS CloudTrail

Fri Oct 10 14:44:23 2014 AccelOps-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 AccelOps-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops
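The following Python is an added example (not AccelOps/FortiSIEM code) of the receiving side of the S3 -> SNS -> SQS path configured above: it reads the S3 object keys out of a CloudTrail delivery notification as SNS delivers it to SQS, flattens a CloudTrail record into the [path/to/attribute]=value layout of the sample events, and flags the two conditions visible in those samples (root credentials on an API call, console login without MFA). The SQS body, the records, the account ID 000000000000 and the access key ID are constructed placeholders, and the S3 download step is left out.

```python
"""Receive a CloudTrail delivery notification and flatten the records it announces.

Added example for this page, not AccelOps/FortiSIEM code. It follows the
S3 -> SNS -> SQS path configured above: the SQS body is an SNS envelope whose
"Message" names the S3 bucket and object keys of newly written CloudTrail log
files. flatten() reproduces the [path/to/attribute]=value layout of the sample
events. No network calls; every value below is constructed (account ID and
access key ID are placeholders), and the S3 download step is left out.
"""
import json

# Constructed SQS message body in the shape SNS uses when delivering to an SQS queue.
SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:000000000000:snsaocloudtrail",
    "Message": json.dumps({
        "s3Bucket": "s3aocloudtrail",
        "s3ObjectKey": ["AWSLogs/000000000000/CloudTrail/us-east-1/2014/10/10/"
                        "000000000000_CloudTrail_us-east-1_20141010T0645Z_example.json.gz"],
    }),
})

# Constructed CloudTrail records modelled on the page's two sample events.
RECORDS = [
    {
        "eventVersion": "1.01", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "000000000000",
                         "userName": "John.Adams"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "requestParameters": None,
    },
    {
        "eventVersion": "1.01", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": "000000000000",
                         "accessKeyId": "AKIA-PLACEHOLDER-KEY-ID"},
        "requestParameters": {"filterSet": {"items": [
            {"name": "private-ip-address",
             "valueSet": {"items": [{"value": "10.0.0.233"}]}}]}},
        "responseElements": None,
    },
]


def cloudtrail_objects(sqs_body):
    """Return (bucket, key) pairs for the log files announced by one SQS message.

    Anything other than an SNS Notification (e.g. a SubscriptionConfirmation)
    carries no log files and yields an empty list.
    """
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        return []
    notice = json.loads(envelope["Message"])
    return [(notice["s3Bucket"], key) for key in notice.get("s3ObjectKey", [])]


def flatten(record, prefix=""):
    """Flatten nested dicts and lists into {"a/b/0/c": "value"} as the sample events show."""
    flat = {}
    if isinstance(record, dict):
        for key, value in record.items():
            flat.update(flatten(value, f"{prefix}{key}/"))
    elif isinstance(record, list):
        for index, value in enumerate(record):
            flat.update(flatten(value, f"{prefix}{index}/"))
    else:
        # JSON null is rendered as the literal "null", as in [requestParameters]=null
        flat[prefix.rstrip("/")] = "null" if record is None else str(record)
    return flat


def risk_flags(record):
    """Flag the two conditions visible in the sample events that deserve review."""
    flags = []
    if record.get("userIdentity", {}).get("type") == "Root":
        flags.append("root credentials used for API call")  # page recommends a dedicated IAM user
    extra = record.get("additionalEventData") or {}
    if record.get("eventName") == "ConsoleLogin" and extra.get("MFAUsed") == "No":
        flags.append("console login without MFA")
    return flags


def format_event(record):
    """Render a record as the space-separated [path]=value pairs seen in the sample events."""
    return " ".join(f"[{path}]={value}" for path, value in sorted(flatten(record).items()))


if __name__ == "__main__":
    for bucket, key in cloudtrail_objects(SQS_BODY):
        print(f"fetch s3://{bucket}/{key}")  # download and gunzip would happen here
    for rec in RECORDS:
        print(format_event(rec), risk_flags(rec))
```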

AWS EC2 CloudWatch API Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Settings for Access Credentials

Sample events

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
CloudWatch API | Machine name, Internal Access IP, Instance ID, Image ID, Availability Zone, Instance Type, Volume ID, Status, Attach Time | CPU Utilization, Received Bits/sec, Sent Bits/sec, Disk reads (Instance Store), Disk writes (Instance Store), Disk reads/sec (Instance Store), Disk writes/sec (Instance Store), Packet loss, Read Bytes (EBS), Write Bytes (EBS), Read Ops (EBS), Write Ops (EBS), Disk Queue (EBS) | Performance Monitoring

Event Types

PH_DEV_MON_EBS_METRIC captures EBS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.

Settings for Access Credentials

 

Sample events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=

[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=

 

 

AWS RDS Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
Type | Protocol | Information Discovered | Metrics Collected | Used For
Relational Database Storage (RDS) | CloudWatch API | | CPU Utilization, User Connections, Free Memory, Free Storage, Used Swap, Read Latency, Write Latency, Read Ops, Write Ops | Performance Monitoring

Event Types

PH_DEV_MON_RDS_METRIC captures RDS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration
  1. Create an AWS credential
    1. Go to Admin > Credentials > Step 1: Enter Credentials
    2. Click Add
      1. Set Device Type to Amazon AWS RDS
      2. Set Access Protocol as AWS SDK
      3. Set Region as the region in which your AWS instance is located
      4. Set Access Key ID as the access key for your EC2 instance
      5. Set Secret Key as the secret key for your EC2 instance
      6. Click Save
  2. Create an IP to credential mapping
    1. Set IP/IP Range to com
    2. Choose Credentials to the one created in Step 1b
  3. Click Test Connectivity to make sure the credential is working correctly
  4. Go to Admin > Discovery
    1. Set Discovery Type as AWS Scan
    2. Click OK to Save
    3. Select the entry and click Discover
  5. After Discovery finishes, check CMDB > Amazon Web Services > AWS Database

Sample Events

[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS.cpp,[lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds.amazonaws.com,[hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUserConn]=0,[dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB]=4555,[swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]=0.213329,[devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]=

Box.com Configuration
What is Discovered and Monitored
Protocol | Information Discovered / Metrics Collected | Used For
Box.com API | Creation, deletion, and modification activity for specific files or folders; file-sharing properties, including whether the file is shared, password protected, or preview/download enabled, and how many times the file was downloaded or viewed |

Event Types

In CMDB > Event Types, search for “box.com” and look for BOX events in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps can monitor a directory or subdirectory, for example /All Files or /All Files/my files, or a single file, for example /All Files/my files/user guide.pdf. When you set up the access credentials for AccelOps to communicate with Box.com, you provide the path to the folder or files you want to monitor, so you should have your Box.com storage set up before you set up your access credentials. You also do not need to initiate discovery of Box.com as you would with other devices, but should go to Admin > Setup Wizard > Event Pulling and make sure that a Box.com event pulling job is created after you have successfully set up access credentials.

Settings for Access Credentials

Sample Box.com Events

//the following event is generated when a folder called share was created using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=625,[fileType]=folder,[targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700374,[accountName]=box.usage@gmail.com,[fileId]=2541809279,[fileVersion]=1,[targetHashCode]=,[phLogDetail]=

//the following event is generated when a file called All Files/share/b.txt was created using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=625,[fileType]=file,[targetName]=b.txt,[fileSize64]=0,[filePath]=/All Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700377,[accountName]=box.usage@gmail.com,[fileId]=21701906465,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called All Files/share/b.txt was deleted using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_DELETE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=503,[fileType]=file,[targetName]=b.txt,[fileSize64]=0,[filePath]=/All Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=0,[accountName]=box.usage@gmail.com,[fileId]=21701844673,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called All Files/share/a.txt was modified using the box.usage@gmail.com account
[PH_DEV_MON_BOX_FILE_MODIFY]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=652,[fileType]=file,[targetName]=a.txt,[fileSize64]=8,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,[userId]=225282673,[accessTime]=1412700491,[accountName]=box.usage@gmail.com,[fileId]=21701903189,[fileVersion]=2,[targetHashCode]=0a74245f78b7339ea8cdfc4ac564ed14dc5c22ad,[phLogDetail]=

//the following event is generated periodically for each monitored file and folder
[PH_DEV_MON_BOX_FILE_SHARE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAgent.cpp,[lineNumber]=601,[fileType]=folder,[targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[accountName]=box.usage@gmail.com,[fileId]=2541809279,[fileVersion]=1,[infoURL]=https://app.box.com/s/zinef627pyuexdcxir1q,[downloadURL]=,[filePasswordEnabled]=no,[filePreviewEnabled]=yes,[fileDownloadEnabled]=yes,[fileUnshareAtTime]=-1,[filePreviewCount]=0,[fileDownloadCount]=0,[phLogDetail]=

Cisco FireAMP Cloud Configuration

What is Discovered and Monitored

Configuration

Sample Events for Cisco FireAMP Cloud

What is Discovered and Monitored
Protocol | Logs Collected | Used For
CloudAMP API | Endpoint malware activity | Security Monitoring

Event Types

In CMDB > Event Types, search for “Cisco FireAMP Cloud” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Cisco FireAMP Cloud

Reports

There are no predefined reports for Cisco FireAMP Cloud.

Configuration

Create Cisco FireAMP Cloud Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, click Add to create a new credential.
  4. For Device Type, select Cisco FireAMP Cloud.
  5. For Access Protocol, select FireAMP Cloud API.
  6. For Password Configuration, select Manual or CyberArk.
  7. For Manual credential method, enter Client ID and Client Secret.
  8. For CyberArk credential method, specify CyberArk properties.
  9. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, click Add to create a new association.
  4. For Name/IP/IP Range, enter amp.sourcefire.com.
  5. For Credentials, enter the name of the credential created in the “Create Cisco FireAMP Cloud Credential” step.
  6. Click Save.
  7. Select the entry just created and click Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection
Sample Events for Cisco FireAMP Cloud

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorGUID]=d2f5d61f-feb0-4b67-80fd-073655b86425,[date]=2015-11-25T19:17:39+00:00,[detection]=W32.DFC.MalParent,[detectionId]=6159251516445163587,[eventId]=6159251516445163587,[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,[fileName]=rjtsbks.exe,[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,[hostName]=Demo_TeslaCrypt

Google Apps Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored
Protocol | Logs Collected | Used For
Google Apps Admin SDK | Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise | Security Monitoring

Event Types

In CMDB > Event Types, search for “Google_Apps” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Google Apps

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Google Apps”.

Configuration

Create a Google App Credential in Google API Console

  1. Log in to the Google API Console
  2. Under Dashboard, create a Google Apps Project
    1. Project Name – enter a name
    2. Click Create
  3. Under Dashboard, click Enable API to activate Reports API service for this project
  4. Create a Service Account Key for this project
    1. Under Credentials, click Create Credentials > Create Service Account Key
    2. Choose Key type as JSON
    3. Click Create
    4. A JSON file containing the Service Account credentials will be stored in your computer
  5. Enable Google Apps Domain-wide delegation
    1. Under IAM & Admin section, choose the Service account
    2. Check Enable Google Apps Domain-wide Delegation
    3. Click Save
  6. View Client ID
    1. Under IAM & Admin section, choose the Service account
    2. Click View Client ID
  7. Delegate domain-wide authority to the service account created in Step 4
    1. Go to your Google Apps domain’s Admin console
    2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    3. Select Advanced settings from the list of options.
    4. Select Manage API Client access in the Authentication section
    5. In the Client name field enter the service account’s Client ID (Step 6)
    6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to.

Define Google App Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Google Google Apps
  5. For Access Protocol, select Google Apps Admin SDK
  6. Enter the User Name
  7. For Service Account Key, upload the JSON credential file (Step 4d above)
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, click Add to create a new association.
  4. For Name/IP/IP Range, enter com
  5. For Credentials, enter the name of the credential created in the “Google App Credential” step.
  6. Click Save.
  7. Select the entry just created and click Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection
Sample Events for Google Apps Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,

Logon Failure

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,

Create User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,

Delete user

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,

Move user settings

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,

Microsoft Azure AuditTrail Configuration

What is Discovered and Monitored

Configuration

Sample Events for Microsoft Azure Audit Trail

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
Azure CLI | None | None | Security Monitoring

Event Types

In CMDB > Event Types, search for “Microsoft Azure Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Microsoft Azure Audit

Reports

There are no predefined reports for Microsoft Azure Audit.

Configuration

Create Microsoft Azure Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Microsoft Azure Audit
  5. For Access Protocol, select Azure CLI
  6. For Password Configuration, select Manual or CyberArk.
  7. For Manual credential method, enter the user name and credentials.
  8. For CyberArk credential method, specify CyberArk properties.
  9. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, click Add to create a new association.
  4. For Name/IP/IP Range, enter some IP address.
  5. For Credentials, enter the name of the credential created in the “Microsoft Azure Audit Credential” step.
  6. Click Save.
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection
Sample Events for Microsoft Azure Audit Trail

2016-02-26 15:19:10 AccelOps-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative

Microsoft Office365 Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Office365 Audit

What is Discovered and Monitored
Office 365

Activity Type | Operation
File and folder activities | FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded
Sharing and access request activities | AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked
Synchronization activities | ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial
Site administration activities | ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated
Exchange mailbox activities | Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin
Sway activities | SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView
User administration activities | Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user
Group administration activities | Add group, Add member to group, Delete group, Remove member from group, Update group
Application administration activities | Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry
Role administration activities | Add role member to role, Remove role member from role, Set company contact information
Directory administration activities | Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In CMDB > Event Types, search for “MS_Office365” in the Search column to see the event types associated with Office 365.

Rules

There are no predefined rules for Office 365

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Office365”.

Configuration

Create Office365 API Credential

  1. Check Office365 Account
    1. Log in to Microsoft Online with your Office account
    2. Navigate to office home->admin center->Billing->Purchase services->Office 365 Business Premium
    3. Make sure that you have an Office365 Business Premium subscription
  2. Create an X.509 certificate and extract some values
    1. Download the Windows SDK and install it on your workstation
    2. In Windows PowerShell run these commands and make sure they succeed
    3. Open certmgr.msc, and export the new X.509 certificate (office365Cert) by clicking Action->All Tasks->Export. Choose Do not export private key
      1. Choose Base-64 encoding
      2. Specify the file name to export
    4. Run the following PowerShell commands to get the values $base64Value, $base64Thumbprint and $keyid from the X.509 certificate for use in the next step

After running these commands, the values will be set as follows

(prompt)> $keyid
a8a98039-aa56-4497-ab82-d7c419e70eca
(prompt)> $base64Thumbprint
A7DP44d3q++M+Cq5MQdFZDcwbr4=
(prompt)> $base64Value

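As an added example (not the page's PowerShell and not FortiSIEM code), the following Python derives the same three values from the Base-64 certificate export made with "Do not export private key", so only the public certificate is ever handled. The keyCredentials field names it emits are those of the Azure AD application manifest as documented by Microsoft, not something this page shows, and the certificate bytes in the sample are a constructed stand-in.

```python
"""Derive $base64Value, $base64Thumbprint and $keyid from an exported X.509 certificate.

Added example, not from the page and not FortiSIEM code: a Python equivalent of
the PowerShell step above, applied to the Base-64 (PEM) export made with
"Do not export private key". Only the public certificate is needed; the private
key never leaves the workstation. The keyCredentials field names are those of the
Azure AD application manifest (assumed from Microsoft's documentation, not shown
on this page), and SAMPLE_DER is a constructed stand-in, not a real certificate.
"""
import base64
import hashlib
import re
import uuid

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the exported file; the bytes only exercise parsing and hashing.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a Base-64 (PEM) export."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found; export the certificate with Base-64 encoding")
    return base64.b64decode("".join(match.group(1).split()))


def certificate_values(pem_text):
    """Compute the three values the manifest step needs.

    base64Value      Base-64 of the raw DER certificate (PowerShell: GetRawCertData())
    base64Thumbprint Base-64 of the SHA-1 certificate hash (PowerShell: GetCertHash())
    keyid            a fresh GUID that names this credential in the manifest
    """
    der = pem_to_der(pem_text)
    return {
        "base64Value": base64.b64encode(der).decode("ascii"),
        "base64Thumbprint": base64.b64encode(hashlib.sha1(der).digest()).decode("ascii"),
        "keyid": str(uuid.uuid4()),
    }


def key_credentials_entry(values):
    """Assemble the keyCredentials element for the downloaded application manifest."""
    return {
        "customKeyIdentifier": values["base64Thumbprint"],
        "keyId": values["keyid"],
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": values["base64Value"],
    }


if __name__ == "__main__":
    # Replace SAMPLE_PEM with open("office365Cert.cer").read() for a real export.
    vals = certificate_values(SAMPLE_PEM)
    for name in ("keyid", "base64Thumbprint", "base64Value"):
        print(f"${name}\n{vals[name]}")
    print(key_credentials_entry(vals))
```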

  3. Create FortiSIEM application in Azure
    1. Log in to Azure
    2. Click Active Directory in the left panel
    3. Click Default Directory on the right
    4. Select the APPLICATIONS tab, then click ADD.
    5. Fill in application details and click Next
      1. Name – FortiSIEM
      2. Type – Choose WEB Application AND/OR API
    6. Fill in App properties and click Done
      1. Sign-on URL – https://<Supervisor IP>
      2. App ID URL – https://<Supervisor IP>
    7. Click the application (FortiSIEM) in the left panel, choose the Configure tab
      1. Client ID is displayed
      2. User assignment required – No
      3. Keys – Select time duration
      4. Save
      5. Key is now displayed – copy this key to your local workstation. You will not be able to retrieve it once you leave this page.
      6. In the command bar, click Manage Manifest and select Download Manifest
    8. Edit the JSON file downloaded in Step 3.g.vi and
      1. Enter the following in the “keyCredentials” section
      2. The credential file looks like this
    9. Store the JSON file. Click Upload Manifest to upload it to Azure

Permit Office365 Monitoring

  1. Continue with Step 5 above
  2. Choose Office 365 Activities
    1. Microsoft 265 Management APIs – Yes
    2. Microsoft Sharepoint Online – Yes
  3. Allow read permission to chosen Office365 activities

Define Office365 Management Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, click Add to create a new credential
    1. For Name, provide a name for reference
    2. For Device Type, select Microsoft Office365
    3. For Access Protocol, select Office365 Mgmt Activity API
    4. For Tenant ID, use the ID from the Azure Login URL
    5. For Password Configuration, select Manual or
    6. For Client ID, choose from Step 3.g.i in Create Office365 API Credential
    7. For Client Secret, choose from Step 3.g.v in Create Office365 API Credential
    8. For Manual credential method, enter the user name, password and Security Token.
    9. For CyberArk credential method, specify CyberArk properties.
  4. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, click Add to create a new association.
  4. For Name/IP/IP Range, enter office.com.
  5. For Credentials, enter the name of the credential created in the Define Office365 Management Credential step 3a.
  6. Click Save.
  7. Select the entry just created and click Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Office365 Log Collection.
Okta Configuration

AccelOps can integrate with Okta as a single-sign service for AccelOps users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single-sign on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, AccelOps will begin to monitor Okta events.

What is Discovered and Monitored

Event Types

Rules

Reports

Sample Okta Event

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
Okta API | | |

Event Types

In CMDB > Event Types, search for “okta” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Sample Okta Event

Mon Jul 21 15:50:26 2014 AccelOps-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=YaXin Hu [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=YaXin.Hu@accelops.com [targets/0/objectType]=User
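The record above is one syslog-style line whose body is a run of bracketed, slash-separated keys, each followed by a value that may itself contain spaces (the user agent, the display name). The following Python is an added example, not AccelOps or Okta code, showing how to split such a record into the nested structure the key paths describe (actors/0/... becomes a list of actors) and pull out the fields an analyst needs from an authentication event. It assumes only the key=value layout visible in the sample; the sample itself is the page's line-wrapped event joined back together.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the Okta event shown above, with the page's line
# breaks joined back into the single record AccelOps would receive.
OKTA_EVENT = (
    "Mon Jul 21 15:50:26 2014 AccelOps-Okta "
    "[action/message]=Sign-in successful "
    "[action/objectType]=core.user_auth.login_success "
    "[action/requestUri]=/login/do-login "
    "[actors/0/displayName]=CHROME "
    "[actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 "
    "[actors/0/ipAddress]=211.144.207.10 "
    "[actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client "
    "[eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 "
    "[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z "
    "[requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ "
    "[targets/0/displayName]=YaXin Hu [targets/0/id]=00uvdkhrxcPNGYWISAGK "
    "[targets/0/login]=YaXin.Hu@accelops.com [targets/0/objectType]=User"
)

# A key is a bracketed, slash-separated path immediately followed by '='.
KEY_RE = re.compile(r"\[([\w./-]+)\]=")


def split_pairs(record: str) -> Dict[str, str]:
    """Return the flat {path: value} map of one event.

    A value runs until the next '[key]=' marker, so values containing
    spaces (user agents, display names) are kept intact.
    """
    markers = list(KEY_RE.finditer(record))
    pairs: Dict[str, str] = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(record)
        pairs[m.group(1)] = record[m.end():end].strip()
    return pairs


def header(record: str) -> str:
    """The timestamp/source prefix that precedes the first bracketed key."""
    m = KEY_RE.search(record)
    return record[:m.start()].strip() if m else record.strip()


def _assign(node: Dict[Any, Any], parts: List[str], value: str) -> None:
    """Store value at the path given by parts; numeric parts become int keys."""
    key: Any = int(parts[0]) if parts[0].isdigit() else parts[0]
    if len(parts) == 1:
        node[key] = value
    else:
        _assign(node.setdefault(key, {}), parts[1:], value)


def _listify(node: Any) -> Any:
    """Turn dicts whose keys are all integers (actors/0, actors/1, ...) into lists."""
    if not isinstance(node, dict):
        return node
    converted = {k: _listify(v) for k, v in node.items()}
    if converted and all(isinstance(k, int) for k in converted):
        return [converted[i] for i in sorted(converted)]
    return converted


def parse_okta_event(record: str) -> Dict[str, Any]:
    nested: Dict[Any, Any] = {}
    for path, value in split_pairs(record).items():
        _assign(nested, path.split("/"), value)
    return {"header": header(record), "event": _listify(nested)}


def login_summary(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Pick out the fields an analyst wants first for an authentication event."""
    ev = parsed["event"]
    actor = ev["actors"][0]
    return {
        "user": actor.get("login"),
        "source_ip": actor.get("ipAddress"),
        "client": actor.get("displayName"),
        "event": ev.get("eventName"),
        "success": ev.get("eventName", "").endswith("LOGIN-SUCCESS"),
    }


if __name__ == "__main__":
    parsed = parse_okta_event(OKTA_EVENT)
    print(parsed["header"])
    print(login_summary(parsed))
```

Because values are cut at the next bracketed key rather than at whitespace, a user agent with embedded spaces and parentheses survives intact; a parser that split on spaces would break on exactly the field most useful for spotting unusual clients.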

Salesforce CRM Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored
Protocol | Logs Collected | Used For
Salesforce API | Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity | Security Monitoring

Event Types

In CMDB > Event Types, search for “Salesforce Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Salesforce CRM Audit

Reports

There are many reports defined in Analytics > Reports > Device > Application > CRM

Salesforce Failed Logon Activity

Salesforce Successful Logon Activity

Top Browsers By Failed Login Count

Top Browsers By Successful Login Count

Top Salesforce Users By Failed Login Count

Top Salesforce Users By Successful Login Count

Top Successful Salesforce REST API Queries By Count, Run Time

Top Failed Salesforce Failed REST API Queries By Count, Run Time

Top Salesforce API Queries By Count, Run Time

Top Salesforce Apex Executions By Count, Run Time

Top Salesforce Dashboards Views By Count

Top Salesforce Document Downloads By Count

Top Salesforce Opportunity Reports By Count

Top Salesforce Report Exports By Count

Top Salesforce Reports By Count, Run Time

Top Salesforce Events

Configuration

Create Salesforce Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Salesforce Salesforce Audit
  5. For Access Protocol, select Salesforce API
  6. For Password Configuration, select Manual or CyberArk
  7. For Manual credential method, enter the user name, password and Security Token.
  8. For CyberArk credential method, specify CyberArk properties.
  9. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter salesforce.com
  5. For Credentials, enter the name of credential created in the “Salesforce Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection
Sample Events for Salesforce Audit
Configuring Console Access Devices

AccelOps supports these console access devices for discovery and monitoring.

Lantronix SLC Console Manager Configuration

Lantronix SLC Console Manager Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics/Logs collected | Used for
Syslog | | Admin access, Updates, Commands run | Log analysis and compliance

Event Types

Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in CMDB > Event Types by searching for Lantronix-SLC. Some important ones are:

Lantronix-SLC-RunCmd

Lantronix-SLC-Update

Lantronix-SLC-User-Logon-Success

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

FortiSIEM Configuring Endpoint Security Software

Configuring Endpoint Security Software

The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by AccelOps.

Bit9 Security Platform Configuration

Cisco Security Agent (CSA) Configuration

ESET NOD32 Anti-Virus Configuration

MalwareBytes Configuration

McAfee ePolicy Orchestrator (ePO) Configuration

Sophos Endpoint Security and Control Configuration

Symantec Endpoint Protection Configuration

Trend Micro Intrusion Defense Firewall (IDF) Configuration

Trend Micro OfficeScan Configuration

Bit9 Security Platform Configuration

What is Discovered and Monitored

Bit9 Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Logs | Security Monitoring

Event Types

In CMDB > Event Types, search for “Bit9” in the Device Type column to see the event types associated with this device.

Rules

Bit9 Agent Uninstalled or File Tracking Disabled

Bit9 Fatal Errors

Blocked File Execution

Unapproved File Execution

Reports

Bit9 Account Group Changes

Bit9 Fatal and Warnings Issues

Bit9 Functionality Stopped

Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new file 'c:\users\acct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"

Cisco Security Agent (CSA) Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP Trap | | |

Events

There are no specific events defined for this device.

Rules

AccelOps uses these rules to monitor events for this device:

Rule | Description
Agent service control | Attempts to modify agent configuration
Agent UI control | Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control | Attempts to invoke processes in certain application classes
Buffer overflow attacks |
Clipboard access control | Attempts to access clipboard data written by sensitive data applications
COM component access control | Unusual attempts to access certain COM sets including Email objects
Connection rate limit | Excessive connections to web servers or from email clients
Data access control | Unusual attempts to access restricted data sets such as configuration files, passwords etc. by suspect applications
File access control | Unusual attempts to read or write restricted file sets such as system executables, boot files etc. by suspect applications
Kernel protection | Unusual attempts to modify kernel functionality by suspect applications
Network access control | Attempts to connect to local network services
Network interface control | Attempts by local applications to open a stream connection to the NIC driver
Network shield | Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc.
Windows event log |
Registry access control | Attempts to write certain registry entries
Resource access control | Symbolic link protection
Rootkit/kernel protection | Unusual attempts to load files after boot
Service restart | Service restarts
Sniffer and protocol detection | Attempts by packet/protocol sniffer to receive packets
Syslog control | Syslog events
System API control | Attempts to access Windows Security Access Manager (SAM)

Reports

There are no predefined reports for Cisco Security Agent.

Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1
SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619
SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261
SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"
SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-05-13 19:03:21.157"
SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5
SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452
SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"
SNMPv2-SMI::enterprises.8590.2.8 = NULL
SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"
SNMPv2-SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied."
SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109
SNMPv2-SMI::enterprises.8590.2.13 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"
SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959
SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900
SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"
SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"
SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33
SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"
SNMPv2-SMI::enterprises.8590.2.21 = NULL
SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"
SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2

ESET NOD32 Anti-Virus Configuration

What is Discovered and Monitored

ESET NOD32 Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ESET NOD32 Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps Supervisor.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

MalwareBytes Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Malware detection log | Security Monitoring

Event Types

In CMDB > Event Types, search for “malwarebytes” to see the event types associated with this device.

Rules

Malware found but not remediated

Reports

In Analytics > Reports, search for “malware found” to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abc-cbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_process":null,"application_path":null,"application":null}}
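Both the Bit9 record shown earlier on this page and the Malwarebytes record above carry an RFC 5424 header in front of a vendor-specific body: Bit9 sends key="value" pairs after a "Bit9 event:" marker, Malwarebytes sends a JSON object under "security_log". The following Python is an added example, not AccelOps or vendor code, that splits the header (decoding PRI into facility and severity), dispatches on the body format, and evaluates an assumed condition for the "Malware found but not remediated" rule listed above: a Malwarebytes detection whose resolved flag is false. The product's actual rule logic is not shown on the page. The samples are the page's two records joined back onto single lines, plus a constructed variant with resolved set to false.

```python
import json
import re
from typing import Any, Dict

# Constructed samples: the Bit9 and Malwarebytes records shown on this page,
# joined back onto single lines (RFC 5424 nil fields written as '-').
BIT9_SAMPLE = r"""<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new file 'c:\users\acct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1" """.strip()

MBAM_SAMPLE = r'<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abc-cbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_process":null,"application_path":null,"application":null}}'

# Constructed variant of the record above with the remediation flag cleared.
MBAM_UNRESOLVED = MBAM_SAMPLE.replace('"resolved":true', '"resolved":false')

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG.
# The structured-data field is optional here because the Malwarebytes
# sample goes straight from MSGID to the JSON message.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+)(?: (?P<sd>-|\[.*?\]))? ?(?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_rfc5424(line: str) -> Dict[str, Any]:
    """Split the RFC 5424 header and decode PRI into facility/severity."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    rec: Dict[str, Any] = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec


def parse_bit9(msg: str) -> Dict[str, str]:
    """Bit9 puts key="value" pairs after the 'Bit9 event:' marker."""
    body = msg.split("Bit9 event:", 1)[1]
    return dict(KV_RE.findall(body))


def parse_malwarebytes(msg: str) -> Dict[str, Any]:
    """Malwarebytes sends a JSON object under the 'security_log' key."""
    return json.loads(msg)["security_log"]


def parse_endpoint_event(line: str) -> Dict[str, Any]:
    rec = parse_rfc5424(line)
    msg = rec["msg"]
    if msg.startswith("Bit9 event:"):
        rec["vendor"], rec["fields"] = "bit9", parse_bit9(msg)
    elif msg.startswith("{"):
        rec["vendor"], rec["fields"] = "malwarebytes", parse_malwarebytes(msg)
    else:
        rec["vendor"], rec["fields"] = "unknown", {}
    return rec


def unremediated_malware(rec: Dict[str, Any]) -> bool:
    """Assumed condition for the page's 'Malware found but not remediated'
    rule: a Malwarebytes detection whose 'resolved' flag is false. The exact
    rule logic shipped with the product is not shown on the page."""
    return rec["vendor"] == "malwarebytes" and rec["fields"].get("resolved") is False


if __name__ == "__main__":
    for sample in (BIT9_SAMPLE, MBAM_SAMPLE, MBAM_UNRESOLVED):
        rec = parse_endpoint_event(sample)
        print(rec["vendor"], rec["host"], "severity", rec["severity"],
              "UNREMEDIATED" if unremediated_malware(rec) else "ok")
```

Keeping the header parser separate from the body parsers is what makes the same code serve two vendors: the header tells you who sent the message and how urgent the sender considered it, and only then does the body format decide which field extractor to run.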

McAfee ePolicy Orchestrator (ePO) Configuration

What is Discovered and Monitored

ePO Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP Traps | | |

Event Types

In CMDB > Event Types, search for “mcafee epolicy” in the Description column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ePO Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device.

  1. Log in to the McAfee ePO console.
  2. Go to Menu > Configuration > Registered Servers, and then click New Server. The Registered Server Builder opens.
  3. For Server type, enter SNMP Server.
  4. For Name, enter the IP address of your SNMP server.
  5. Enter any Notes, and then click Next to go to the Details page.
  6. For Address, enter the IP address or DNS Name for the AccelOps virtual appliance that will receive the SNMP trap.
  7. For SNMP Version, select SNMPv1.
  8. For Community, enter public.
  9. Click Send Test Trap, and then click OK.
  10. Log in to your Supervisor node and use Real Time Search to see if AccelOps received the trap.

Example SNMP Trap

2011-04-14 01:28:46 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.3401 Enterprise Specific Trap (5) Uptime: 0:00:00.30
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.245 = STRING: "To SJ-Dev-S-RH-DNS-01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.245 = STRING: "My Organization"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.245 = STRING: "Directory"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.245 = STRING: "Any"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.245 = STRING: "Any"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.245 = STRING: "(Any)"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.245 = STRING: "4/16/08 3:07:04 AM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.245 = STRING: "1278"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.245 = STRING: "file infected.  No cleaner  available, file deleted successfully"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.245 = STRING: "1"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.17.245 = STRING: "1"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.13.245 = STRING: "VirusScan"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245 = STRING: "Virus detected and removed"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245 = STRING: "EICAR test file"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.23.245 = STRING: "Not Available"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.24.245 = STRING: "192.168.1.6"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.25.245 = STRING: "SJDEVSWINIIS01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.26.245 = STRING: "C:\Documents and Settings\administrator.PROSPECTHILLS\Desktop\eicar.com"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.27.245 = STRING: "3"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.6.245 = STRING: "4/16/08 3:07:04 AM"
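The snmptrapd-style text shown for Cisco Security Agent earlier on this page and for ePO above is a list of varbinds of the form "OID = TYPE: value", in which a string value may wrap across lines and several varbinds may share one line. The following Python is an added example, not AccelOps code, that tokenises such text by OID, decodes INTEGER, STRING, Timeticks, OID and NULL values, and identifies the sending product from the enterprise number. The field positions it reads back (CSA rule class in .2.17 and message in .2.11; ePO event name in ...14.245 and threat name in ...22.245) are inferred from the page's samples, not taken from the vendor MIBs. The samples are constructed subsets of the two traps, deliberately kept in the line-wrapped form the page has so the parser is exercised on wrapped values.

```python
import re
from typing import Any, Dict, Optional

# Constructed samples: subsets of the CSA and ePO traps on this page, kept
# line-wrapped exactly as the page shows them.
CSA_TRAP = r"""2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0
= Timeticks: (52695748) 6 days, 2:22:37.48
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1
SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619
SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"
SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program
Files\\RealVNC\\VNC4\\winvnc4.exe"
SNMPv2-SMI::enterprises.8590.2.8 = NULL SNMPv2-SMI::enterprises.8590.2.9
= STRING: "192.168.20.38"
SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program
Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied."
SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900
SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"
SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"
"""

EPO_TRAP = r"""2011-04-14 01:28:46 192.168.20.214(via UDP: [192.168.20.214]:45440)
TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.3401 Enterprise Specific Trap (5) Uptime:
0:00:00.30
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.245 = STRING: "To
SJ-Dev-S-RH-DNS-01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.245 = STRING: "4/16/08
3:07:04 AM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.245 = STRING: "file infected.  No cleaner  available, file deleted successfully" SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245 = STRING: "Virus detected and removed" SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245 = STRING: "EICAR test file"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.25.245 = STRING: "SJDEVSWINIIS01"
SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.26.245 = STRING: "C:\Documents and
Settings\administrator.PROSPECTHILLS\Desktop\eicar.com"
"""

# An OID token followed by '=' (whitespace, including a line break, allowed on either side).
KEY_RE = re.compile(r"(SNMPv2-(?:SMI|MIB)::[\w.-]+)\s*=\s*")

# Varbind suffixes observed in the page's samples (assumed from the examples,
# not taken from the vendor MIBs).
FIELDS_BY_ENTERPRISE = {
    8590: {"rule": "SNMPv2-SMI::enterprises.8590.2.17",
           "message": "SNMPv2-SMI::enterprises.8590.2.11"},
    3401: {"event": "SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245",
           "threat": "SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245"},
}


def decode_value(raw: str) -> Any:
    """Decode one 'TYPE: value' fragment; wrapped strings are re-joined."""
    raw = raw.strip()
    if raw == "NULL":
        return None
    kind, _, rest = raw.partition(": ")
    if kind == "INTEGER":
        return int(rest)
    if kind == "Timeticks":            # 'Timeticks: (52695748) 6 days, ...'
        return int(re.match(r"\((\d+)\)", rest).group(1))
    if kind == "STRING":
        text = re.sub(r"\s+", " ", rest).strip()
        return text[1:-1] if len(text) >= 2 and text[0] == text[-1] == '"' else text
    if kind == "OID":
        return rest.strip()
    return raw


def parse_varbinds(text: str) -> Dict[str, Any]:
    """Return {oid: decoded value}; a value runs until the next OID token."""
    markers = list(KEY_RE.finditer(text))
    out: Dict[str, Any] = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        out[m.group(1)] = decode_value(text[m.end():end])
    return out


def enterprise_id(text: str) -> Optional[int]:
    """The private-enterprise number under which the trap's OIDs live."""
    m = re.search(r"enterprises\.(\d+)", text)
    return int(m.group(1)) if m else None


def describe(text: str) -> Dict[str, Any]:
    """Summary keyed by product-neutral names, using the positions seen on the page."""
    vb = parse_varbinds(text)
    ent = enterprise_id(text)
    summary: Dict[str, Any] = {"enterprise": ent}
    for name, oid in FIELDS_BY_ENTERPRISE.get(ent, {}).items():
        summary[name] = vb.get(oid)
    return summary


if __name__ == "__main__":
    print(describe(CSA_TRAP))
    print(describe(EPO_TRAP))
```

The value of keying on the enterprise number is that the two traps look alike at the text level but mean different things at the same ordinal: without that dispatch, a collector would happily read an ePO threat name out of a CSA rule-class slot.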

Sophos Endpoint Security and Control Configuration

What is Discovered and Monitored

Sophos Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP Trap | | |

Event Types

In CMDB > Event Types, search for “sophos endpoint” in the Device Type column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Sophos Configuration

SNMP Trap

AccelOps processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to AccelOps, and the system will automatically recognize the messages.

SNMP Traps are configured within the Sophos policies.

  1. In the Policies pane, double-click the policy you want to change.
  2. In the policy dialog, in the Configure panel, click Messaging.
  3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
  4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages.
  5. In the SNMP trap destination field, enter the IP address of the recipient.
  6. In the SNMP community name field, enter the SNMP community name.

Sample SNMP Trap

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Logs | Security Monitoring

Event Types

In CMDB > Event Types, search for “symantec endpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Symantec Endpoint Protection Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device.

Configuring Log Transmission to AccelOps

  1. Log in to Symantec Endpoint Protection Manager.
  2. Go to Admin > Configure External Logging > Servers > General.
  3. Select Enable Transmission of Logs to a Syslog Server.
  4. For Syslog Server, enter the IP address of the AccelOps virtual appliance.
  5. For UDP Destination Port, enter 514.

Configuring the Types of Logs to Send to AccelOps

  1. Go to Admin > Configure External Logging > Servers > Log Filter.
  2. Select the types of logs and events you want to send to AccelOps.
Sample Syslog

<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus  0   2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342-AB3D-E0E9E3756510},,(IP)-0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,,,,,,,0,,,,,

<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on failed

<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on succeeded

<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer:  ,Source IP: 0.0.0.0

Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC

<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected.  Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End: 2009-02-24 11:50:01,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: Administrator,Domain: PROSPECTHILLS

<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 130727ag.

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.

<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (10.0.11.17)

<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01)

<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 0,Smc,Network Threat Protection - - Engine version: 11.0.480  Windows Version info:  Operating System: Windows XP (5.1.2600 Service Pack 3)  Network  info:  No.0  "Local Area Connection 3"  00-15-c5-46-58-1e  "Broadcom NetXtreme 57xx Gigabit Controller" 10.0.208.66

<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule:
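The SymantecServer lines above share one shape: an optional PRI, a timestamp, "SymantecServer <host>:", then a comma-separated body that mixes "Key: value" members with positional words such as "Virus found" or "Smc". The following Python is an added example, not AccelOps or Symantec code, that parses that shape, tags each line with an event kind, and counts kinds and failed administrator logons across a batch, the sort of aggregation the count-based reports elsewhere on this page perform. The sample lines are the page's, joined back onto single lines; the event-kind labels are my own naming, not Symantec's categories.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Constructed samples: SymantecServer lines from this page, joined back onto single lines.
SEP_LINES = [
    "<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on failed",
    "<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on succeeded",
    r'<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer:  ,Source IP: 0.0.0.0',
    "<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall",
    "<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)",
]

# Optional <PRI>, BSD-style timestamp, the fixed 'SymantecServer' tag, the manager host, then the body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"SymantecServer (?P<server>\S+): (?P<body>.*)$"
)
# 'Key: value' members of the comma-separated body; anything else is positional.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]{0,24}):(?:\s+(.*))?$")


def classify(tokens: List[str]) -> str:
    """Event-kind label (my naming) derived from the positional words."""
    joined = " ".join(tokens)
    if "Virus found" in tokens:
        return "virus_found"
    if "log on failed" in joined:
        return "admin_logon_failed"
    if "log on succeeded" in joined:
        return "admin_logon_success"
    if "Smc" in tokens:
        return "agent_status"
    return "other"


def parse_sep_line(line: str) -> Dict[str, Any]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a SymantecServer syslog line")
    pri = int(m.group("pri")) if m.group("pri") else None
    fields: Dict[str, str] = {}
    tokens: List[str] = []
    for part in m.group("body").split(","):
        part = part.strip()
        fm = FIELD_RE.match(part)
        if fm:
            fields[fm.group(1)] = fm.group(2) or ""   # 'Source computer:' with no value -> ""
        else:
            tokens.append(part)
    return {
        "timestamp": m.group("ts"),
        "server": m.group("server"),
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "fields": fields,
        "tokens": tokens,
        "kind": classify(tokens),
    }


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count event kinds across a batch of lines."""
    return dict(Counter(parse_sep_line(l)["kind"] for l in lines))


def failed_admin_logons(lines: List[str]) -> List[Dict[str, str]]:
    """Console logon failures, the detail an analyst reviews first."""
    out = []
    for rec in (parse_sep_line(l) for l in lines):
        if rec["kind"] == "admin_logon_failed":
            out.append({"time": rec["timestamp"], "server": rec["server"],
                        "admin": rec["fields"].get("Admin", "")})
    return out


if __name__ == "__main__":
    print(summarize(SEP_LINES))
    print(failed_admin_logons(SEP_LINES))
```

Note that the PRI carries information the body does not: the firewall-disable failure arrives as <52> (severity 4, warning) while the routine agent connect/disconnect lines arrive as <54> (severity 6, informational), so the severity is worth keeping as its own field rather than discarding the header.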

Trend Micro Intrusion Defense Firewall (IDF) Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Trend Micro OfficeScan Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP Trap | | |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30
SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) "

Configuring Environmental Sensors

AccelOps supports these devices for monitoring.

APC Netbotz Environmental Monitor Configuration

APC UPS Configuration

Generic UPS Configuration

Liebert FPC Configuration

Liebert HVAC Configuration

Liebert UPS Configuration

APC Netbotz Environmental Monitor Configuration

What is Monitored and Collected

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Monitored and Collected

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature; Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity; Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow; Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature; Current: Sensor Id, Sensor label, Enclosure Id, Current; Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading; Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading; Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close); Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion); Hardware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, Memory Beacon Status; EMS Status (for NBRK0200): EMS Hardware Status, Connection State; Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code; Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code | Availability and Performance Monitoring
SNMP Trap (V1, V2c) | | SNMP Trap. See Event Types for more information about viewing the SNMP traps collected by AccelOps for this device. | Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “NetBotz” in the Name column to see the event types associated with this application or device.

Event types for NetBotz NBRK0200

Rules

In Analytics > Rules, search for “NetBotz” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “Netbotz” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

APC UPS Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency | Availability and Performance Monitoring
SNMP Trap | | | Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “apc” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “apc” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “apc” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

Generic UPS Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Setting Access Credentials

Liebert FPC Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Hardware model, Network interfaces | Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly, Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, Output Ly capacity | Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “Liebert FPC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert FPC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert HVAC Configuration

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information discovered: Host name, Hardware model, Network interfaces
Metrics collected: HVAC metrics: Temperature (current value, upper threshold, lower threshold), Relative humidity (current value, upper threshold, lower threshold), System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity
Used for: Availability and Performance Monitoring

AccelOps uses SNMP to discover this device and collect its metrics. Follow the Liebert HVAC documentation to enable AccelOps to poll the device via SNMP.

Event Types

In CMDB > Event Types, search for “Liebert HVAC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert HVAC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert UPS Configuration

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated seconds remaining, Output voltage, Output current, Temperature
Used for: Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

FortiSIEM Configuring Firewalls

Configuring Firewalls

AccelOps supports these firewalls for discovery and monitoring.

Check Point FireWall-1 Configuration

Check Point Provider-1 Firewall Configuration

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Check Point VSX Firewall Configuration

Cisco Adaptive Security Appliance (ASA) Configuration

Dell SonicWALL Firewall Configuration

Fortinet FortiGate Firewall Configuration

Juniper Networks SSG Firewall Configuration

McAfee Firewall Enterprise (Sidewinder) Configuration

Palo Alto Firewall Configuration

Sophos UTM Firewall Configuration

WatchGuard Firebox Firewall Configuration

Check Point FireWall-1 Configuration

What is Discovered and Monitored

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and memory utilization, Network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In CMDB > Event Types, search for “firewall-1” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password. This is the activation key you will use when setting up access credentials for your firewall in AccelOps.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Settings for Access Credentials

 

Check Point Provider-1 Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration Overview

Component Configuration for Domain-Level Audit Logs

Component Configuration for Firewall Logs

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and memory utilization, Network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration Overview

The configuration of Check Point Provider-1 depends on the type of log that you want sent to AccelOps. There are two options:

Domain-level audit logs, which contain information such as domain creation and editing

Firewall logs, which include both the audit log for firewall policy creation and editing, and traffic logs

These logs are generated and stored among four different components:

Multi-Domain Server (MDS), where domains are configured and certificates have to be generated

Multi-Domain Log Module (MLM), where domain logs are stored

Customer Management Add-on (CMA), the customer management module

Customer Log Module (CLM), which consolidates logs for an individual customer/domain

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Component Configuration for Domain-Level Audit Logs

  1. Configure MDS.
  2. Use the Client SIC obtained while configuring MDS to configure MLM.
  3. Pull logs from MLM.

Component Configuration for Firewall Logs

  1. Configure CMA.
  2. Use the Client SIC obtained while configuring CMA to configure CLM.
  3. Pull logs from CLM.

If you want to pull firewall logs from a domain, you have to configure CLM for that domain.

See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Configuring MDS for Check Point Provider-1 Firewalls

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates

Settings for Access Credentials

The Check Point Provider-1 Multi-Domain Server (MDS) is where domains are configured and where the certificates used for communicating with AccelOps are generated. If you want domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to AccelOps, you must first configure and discover the MDS, then use the AO Client SIC created for your AccelOps OPSEC application to configure the access credentials for the MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

You will use the MDS Server SIC to create access credentials in AccelOps for communicating with your server.

  1. Log in to your Check Point SmartDomain Manager.
  2. Select Multi-Domain Server Contents.
  3. Select MDS, and then right-click to select Configure Multi-Domain Server… .
  4. In the General tab, under Secure Internet Communication, note the value for DN.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password. This is the activation key you will use when setting up access credentials for your firewall in AccelOps.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click Edit.
  4. Enter the SIC DN of your application.

Copy Server SIC

  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

  1. Configure the Check Point Provider-1 MDS credential as shown below.

Activation key is the one-time password you entered when you initialized communication for the AccelOps OPSEC application.

AO Client SIC is the DN shown next to Communication for the OPSEC application after initialization.

MDS Server SIC is the DN you noted under Get the MDS Server SIC for AccelOps Access Credentials.

  2. Click Generate Certificate. It should be successful. Note that the button will be labeled ‘Regenerate Certificate’ if you have

Configuring MLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You need to have configured and discovered your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your AccelOps OPSEC application in the MDS to set up the access credentials for your MLM in AccelOps.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. In the General tab, click Multi-Domain Server Contents.
  3. Right-click MLM and select Configure Multi-Domain Server… .
  4. Next to Communication, note the value for DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

 

 

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to AccelOps, you need to first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and AccelOps.

Configuration

Get CMA Server SIC for Setting Up AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > SmartDashboard.
  5. Select the Desktop tab.
  6. Select the Network Objects icon.
  7. Double-click the Domain Management Server to view its General Properties.
  8. Click Test SIC Status… .

Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for AccelOps to access your CMA server.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password. This is the activation key you will use when setting up access credentials for your firewall in AccelOps.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring CLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You must first configure and discover the Check Point CMA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the AccelOps OPSEC application on the CMA.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > SmartDashboard.
  5. Select the Desktop tab.
  6. Click the Network Objects icon.
  7. Under Check Point, select the CLM host and double-click to open its General Properties.
  8. Under Secure Internal Communication, click Test SIC Status… .
  9. In the SIC Status dialog, note the value for DN.

This is the CLM Server SIC that you will use in setting up access credentials for the CLM in AccelOps.

  1. Click Close.
  2. Click OK.

Install the Database

  1. In the Actions menu, select Policy > Install Database… .
  2. Select the MDS Server and the CLM, and then click OK. The database will install in both locations.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Check Point VSX Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates

Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP and LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and memory utilization, Network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
  7. Click Communication.
  8. Enter a one-time password. This is the activation key you will use when setting up access credentials for your firewall in AccelOps.
  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click Edit.
  4. Enter the SIC DN of your application.

Copy Server SIC

  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

 

Cisco Adaptive Security Appliance (ASA) Configuration

What is Discovered and Monitored

Sample Cisco ASA Syslog

Commands Used During Telnet/SSH Communication

Set Up AccelOps as a NetFlow Receiver

Create a NetFlow Service Policy

Configure the Template Refresh Rate

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information discovered: Host name, Hardware model, Network interfaces, Hardware component details (serial number, model, manufacturer, software and firmware versions of components such as fans, power supplies and network cards), Operating system version, SSM modules such as IPS
Metrics collected: Uptime, CPU and memory utilization, Free processor and I/O memory, Network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware health: temperature, fan and power supply status

Protocol: SNMP (V1, V2c, V3)
Information discovered: OSPF connectivity, neighbors, state, OSPF area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: IPSec VPN Phase 1 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel uptime, Received/Sent bits per second, Received/Sent packets, Received/Sent dropped packets, Received/Sent rejected exchanges, Received/Sent invalid exchanges, Invalid received packets dropped, Received exchanges rejected, Received exchanges invalid. IPSec VPN Phase 2 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel uptime, Received/Sent bits per second, Received/Sent packets, Received/Sent dropped packets, Received/Sent authentication failures, Sent encryption failures, Received decryption failures, Received replay failures
Used for: Performance Monitoring

Protocol: Telnet/SSH
Information discovered: Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
Metrics collected: Virtual context for multi-context firewalls; ASA interface security levels (needed for setting source and destination IP addresses in syslog based on interface security level comparisons); ASA name mappings from IP addresses to locally unique names (needed for converting names in syslog back to IP addresses)

Protocol: NetFlow (V9)
Information discovered: Open server ports
Metrics collected: Traffic logs (ASA 8.x and above)
Used for: Security and Compliance

Protocol: Syslog
Information discovered: Device type
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In CMDB > Event Types, search for “asa” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “asa” in the Description column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “asa” in the Description column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to your ASA with administrative privileges.
  2. Configure SNMP with this command.

Syslog

  1. Log in to your ASA with administrative privileges.
  2. Enter configuration mode (configure terminal).
  3. Enter the following commands, one per line:

    no names
    logging enable
    logging timestamp
    logging monitor errors
    logging buffered errors
    logging trap debugging
    logging debug-trace
    logging history errors
    logging asdm errors
    logging mail emergencies
    logging facility 16
    logging host <ASA interface name> <AccelOps IP>

no names keeps IP addresses, rather than locally defined names, in the syslog messages so that AccelOps can parse them; logging facility 16 is syslog facility local0, and logging trap debugging sends every severity level to the syslog host.
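What those logging commands produce on the wire, as an added example that is not part of the original page and not AccelOps code: a small Python parser for ASA syslog lines that checks the syslog PRI facility against logging facility 16 (local0), extracts the %ASA-severity-id header, decodes the 302013 connection message, and flags endpoints that are ASA names rather than IP addresses, which is the reason no names is in the list above. The sample lines are constructed for this example (hypothetical addresses and a hypothetical name web01), not captured from a real firewall.

```python
import re
from ipaddress import ip_address
from typing import List, Optional

# Constructed sample lines (hypothetical addresses; not captured from a real ASA).
# Line 1: "no names" + "logging timestamp" in effect: every endpoint is an IP address.
# Line 2: the same connection with "names" enabled: the local name "web01" replaces
#         the inside IP, and a remote parser has no way to resolve it.
# Line 3: an ACL deny at severity 4, to show the header parser is message-agnostic.
SAMPLE_LINES = [
    "<134>Jan 10 2024 12:00:01: %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (198.51.100.1/51234)",
    "<134>Jan 10 2024 12:00:02: %ASA-6-302013: Built outbound TCP connection 1235 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:web01/51235 (198.51.100.1/51235)",
    "<132>Jan 10 2024 12:00:03: %ASA-4-106023: Deny tcp src outside:198.51.100.77/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\" [0x0, 0x0]",
]

# syslog PRI = facility * 8 + severity; "logging facility 16" on the ASA is local0.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \([^)]*\)"
)


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def parse_asa_line(line: str, expected_facility: int = 16) -> Optional[dict]:
    """Parse one ASA syslog line; return None when no %ASA header is present."""
    header = HEADER_RE.search(line)
    if header is None:
        return None
    event = {
        "severity": int(header["severity"]),
        "msg_id": header["msg_id"],
        "body": header["body"],
        "facility": None,          # None when the PRI was stripped by a relay
        "facility_ok": None,
        "unresolved_names": [],    # endpoints that are ASA names, not IPs
    }
    pri = PRI_RE.match(line)
    if pri is not None:
        event["facility"] = int(pri["pri"]) // 8
        event["facility_ok"] = event["facility"] == expected_facility
    if event["msg_id"] == "302013":
        conn = CONN_RE.search(event["body"])
        if conn is not None:
            event.update(conn.groupdict())
            event["unresolved_names"] = [
                v for v in (conn["src"], conn["dst"]) if not _is_ip(v)
            ]
    return event


def audit(lines: List[str]) -> dict:
    """Summarise what would break ingestion: wrong facility or unparsed names."""
    summary = {"parsed": 0, "unparsed": 0, "facility_mismatch": 0, "with_names": 0}
    for line in lines:
        event = parse_asa_line(line)
        if event is None:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        if event["facility_ok"] is False:
            summary["facility_mismatch"] += 1
        if event["unresolved_names"]:
            summary["with_names"] += 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa_line(line))
    print(audit(SAMPLE_LINES))
```

Run it against a capture of what actually reaches the collector (for example a tcpdump of UDP 514 from the ASA): a non-zero with_names count means names is still enabled, and a facility_mismatch means the logging facility on the ASA does not match what the receiver expects.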

Sample Cisco ASA Syslog

SSH

  1. Log in to your ASA with administrative privileges.
  2. Configure SSH with this command.

Telnet

  1. Log in to your ASA with administrative privileges.
  2. Configure telnet with this command.

Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via Telnet/SSH. Make sure that the account associated with the ASA access credentials you set up in AccelOps has permission to execute these commands.

  1. show running-config
  2. show version
  3. show flash
  4. show context
  5. show ip route
  6. enable
  7. terminal pager 0
  8. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high-volume traffic logs. Configure NetFlow with ASDM, the ASA device manager.

Set Up AccelOps as a NetFlow Receiver

  1. Log in to ASDM.
  2. Go to Configuration > Device Management > Logging > Netflow.
  3. Under Collectors, click Add.
  4. For Interface, select the ASA interface over which NetFlow will be sent to AccelOps.
  5. For IP Address or Host Name, enter the IP address or host name of the AccelOps virtual appliance that will receive the NetFlow records.
  6. For UDP Port, enter 2055.
  7. Click OK.
  8. Select Disable redundant syslog messages. This prevents the NetFlow-equivalent events from also being sent via syslog.
  9. Click Apply.

Create a NetFlow Service Policy

  1. Go to Configuration > Firewall > Service Policy Rules.
  2. Click Add.

The Service Policy Wizard will launch.

  1. Select Global – apply to all interfaces, and then click Next.
  2. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
  3. For Source and Destination, select Any, and then click Next.
  4. For Flow Event Type, select All.
  5. For Collectors, select the AccelOps virtual appliance IP address.
  6. Click OK.

Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between template records sent to AccelOps. The default is 30 minutes, which is sufficient in most cases. Because NetFlow v9 templates are dynamic, AccelOps cannot decode a data record until it has received the template that describes it, so flows exported before the first template arrives cannot be processed. Lowering the refresh rate is not always needed, but if flows are not showing up in AccelOps even though tcpdump shows them arriving, it is worth trying.
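The dependency described above, as an added example that is not part of the original page and not AccelOps code: a minimal NetFlow v9 collector in Python that caches templates per exporter (source ID) and shows that a data FlowSet arriving before its template cannot be decoded, while the same records decode once the template has been received. The packets are built inline with struct using a hypothetical flow (10.0.0.5:51234 to 203.0.113.5:443); the field type numbers are the standard v9 ones.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field type numbers used below.
IN_BYTES, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 4, 7, 8, 11, 12
FIELD_NAMES = {
    IN_BYTES: "in_bytes", PROTOCOL: "protocol", L4_SRC_PORT: "src_port",
    IPV4_SRC_ADDR: "src_ip", L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_ip",
}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seq, sourceId


def _header(count: int, source_id: int = 1, seq: int = 1) -> bytes:
    return HEADER.pack(9, count, 1000, 1700000000, seq, source_id)


def build_template_packet(template_id: int, fields: List[Tuple[int, int]], source_id: int = 1) -> bytes:
    """Template FlowSet (id 0): template_id, field_count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    return _header(1, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(template_id: int, records: List[bytes], source_id: int = 1) -> bytes:
    """Data FlowSet: its id is the template_id that describes the records."""
    body = b"".join(records)
    return _header(len(records), source_id) + struct.pack("!HH", template_id, 4 + len(body)) + body


class V9Collector:
    """Minimal collector: templates are cached per (source_id, template_id)."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.flows: List[dict] = []
        self.undecodable_flowsets = 0   # data FlowSets seen before their template

    def ingest(self, packet: bytes) -> None:
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        offset = HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4:
                raise ValueError("malformed FlowSet length")
            payload = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._learn_templates(source_id, payload)
            elif flowset_id >= 256:
                self._decode_data(source_id, flowset_id, payload)
            # id 1 (options template) and 2-255 (reserved) are ignored here
            offset += length

    def _learn_templates(self, source_id: int, payload: bytes) -> None:
        pos = 0
        while pos + 4 <= len(payload):
            template_id, field_count = struct.unpack_from("!HH", payload, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", payload, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            if template_id >= 256:   # zero padding decodes as id 0, count 0: skip it
                self.templates[(source_id, template_id)] = fields

    def _decode_data(self, source_id: int, template_id: int, payload: bytes) -> None:
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            # Without the template the record length is unknown, so nothing in
            # this FlowSet can be decoded; a real collector drops or buffers it.
            self.undecodable_flowsets += 1
            return
        record_len = sum(flen for _, flen in fields)
        pos = 0
        while pos + record_len <= len(payload):   # trailing bytes are padding
            record, p = {}, pos
            for ftype, flen in fields:
                raw = payload[p:p + flen]
                p += flen
                if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                    value = socket.inet_ntoa(raw)
                else:
                    value = int.from_bytes(raw, "big")
                record[FIELD_NAMES.get(ftype, f"field_{ftype}")] = value
            self.flows.append(record)
            pos += record_len


def demo() -> V9Collector:
    """Data before template is lost; the same data after the template decodes."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
              (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4)]
    # Hypothetical flow: 10.0.0.5:51234 -> 203.0.113.5:443, TCP, 1500 bytes.
    record = (socket.inet_aton("10.0.0.5") + socket.inet_aton("203.0.113.5")
              + struct.pack("!HHBI", 51234, 443, 6, 1500))
    collector = V9Collector()
    collector.ingest(build_data_packet(256, [record]))      # template not yet seen
    collector.ingest(build_template_packet(256, fields))    # template refresh arrives
    collector.ingest(build_data_packet(256, [record]))      # now decodable
    return collector


if __name__ == "__main__":
    c = demo()
    print("undecodable FlowSets:", c.undecodable_flowsets)
    print("decoded flows:", c.flows)
```

The first data packet is counted as undecodable and the second is decoded, which is exactly the window the template refresh rate controls: the shorter the interval, the less traffic is lost after a collector restart or a template change on the ASA.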

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials
Dell SonicWALL Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, Hardware model, Network interfaces, Operating system version | CPU Utilization, Memory utilization and Firewall Session Count | Availability and Performance Monitoring |
| Syslog | Device type | All traffic and system logs | Availability, Security and Compliance |

Event Types

In CMDB > Event Types, search for “sonicwall” in the Device Type column to see the event types associated with Dell SonicWALL firewalls.

Rules

There are no predefined rules for Dell SonicWALL firewalls.

Reports

There are no predefined reports for Dell SonicWALL firewalls.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Dell SonicWALL Firewall Administrator’s Guide (PDF)

Syslog

  1. Log in to your SonicWALL appliance.
  2. Go to Log > Syslog.

Keep the default settings.

  3. Under Syslog Servers, click Add.

The Syslog Settings wizard will open.

  4. Enter the IP Address of your AccelOps Supervisor or Collector.

Keep the default Port setting of 514.

  5. Click OK.
  6. Go to Firewall > Access Rules.
  7. Select the rule that you want to use for logging, and then click Edit.
  8. In the General tab, select Enable Logging, and then click OK.

Repeat for each rule that you want to enable for sending syslogs to AccelOps.

Your Dell SonicWALL firewall should now send syslogs to AccelOps.

Example Syslog

Settings for Access Credentials
Fortinet FortiGate Firewall Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, Hardware model, Network interfaces, Operating system version | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE) | Availability and Performance Monitoring |
| Telnet/SSH | Running configuration | Configuration Change | Performance Monitoring, Security and Compliance |
| Syslog | Device type | All traffic and system logs | Availability, Security and Compliance |

Event Types

In CMDB > Event Types, search for “fortigate” in the Name and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortigate” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that AccelOps will use to communicate with your device, and then click Edit.
  4. For Administrative Access, make sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

These commands are used for discovery and performance monitoring via SSH. Make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show firewall address
  2. show full-configuration

Syslog

  1. Log in to your firewall as an administrator.
  2. Go to Log & Report > Log Config > Syslog.
  3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your AccelOps virtual appliance.
  4. Make sure that CSV format is not selected. With the CLI note th
  5. Connect to the FortiGate firewall over SSH and log in.
  6. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 168.53.2 with the IP address of your AccelOps virtual appliance.

Example FortiGate Syslog

Settings for Access Credentials
Juniper Networks SSG Firewall Configuration

What is Discovered and Monitored

SNMP and SSH

Create SNMP Community String and Management Station IP

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

Set AccelOps as a Destination Syslog Server

Set the Severity of Syslogs to Send to AccelOps

Sample Parsed FortiGate Syslog

Settings for Access Credentials

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, Hardware model, Network interfaces, Operating system version | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count | Availability and Performance Monitoring |
| Telnet/SSH | Running configuration | Configuration Change | Performance Monitoring, Security and Compliance |
| Syslog | Device type | Traffic log, Admin login activity logs, Interface up/down logs | Availability, Security and Compliance |

Event Types

In CMDB > Event Types, search for “SSG” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

Enable SNMP, SSH, and Ping

  1. Log in to your firewall’s device manager as an administrator.
  2. Go to Network > Interfaces > List.
  3. Select the interface and click Edit.
  4. Under Service Options, for Management Services, select SNMP and SSH.
  5. For Other Services, select Ping.

Create SNMP Community String and Management Station IP

  1. Go to Configuration > Report Settings > SNMP.
  2. If the public community is not available, create it and provide it with read-only access.
  3. Enter the Host IP address and Netmask of your AccelOps virtual appliance.
  4. Select the Source Interface that your firewall will use to communicate with AccelOps.
  5. Click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

  1. Go to Policies.
  2. Select a policy and click Options.
  3. Select Logging.
  4. Click OK.

Set AccelOps as a Destination Syslog Server

  1. Go to Configuration > Report Settings > Syslog.
  2. Select Enable syslog messages.
  3. Select the Source Interface that your firewall will use to communicate with AccelOps.
  4. Under Syslog servers, enter the IP/Hostname of your AccelOps virtual appliance.
  5. For Port, enter 514.
  6. For Security Facility, select LOCALD.
  7. For Facility, select LOCALD.
  8. Select Event Log and Traffic Log.
  9. Select Enable.
  10. Click Apply.

Set the Severity of Syslogs to Send to AccelOps

  1. Go to Configuration > Report Setting > Log Settings.
  2. Click Syslog.
  3. Select the Severity Levels of the syslogs you want sent to AccelOps.
  4. Click Apply.

Sample Parsed FortiGate Syslog

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

Settings for Access Credentials
McAfee Firewall Enterprise (Sidewinder) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Sidewinder Syslog

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
| --- | --- | --- | --- |
| Syslog | | | |

Event Types

In CMDB > Event Types, search for “sidewinder” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Sidewinder Syslog

Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_risk=low,app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6,dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,rule_name=BTC-inbound,cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP
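The Sidewinder audit record above is a comma-separated key=value list in which quoted values may themselves contain spaces and commas, so a naive split on commas breaks the date and event fields. As an added Python example (not from this page or from FortiSIEM), the following splits off the BSD syslog header, tokenizes the fields, and projects them onto the flow attributes a SIEM correlates on; the sample line is a constructed copy of the record above, and the protocol-number table and the direction labels on the byte counters are this example's assumptions.

```python
import re

# Constructed one-line copy of the Sidewinder audit syslog shown on this page.
SIDEWINDER_SAMPLE = (
    'Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",'
    'fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2093,'
    'logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_risk=low,'
    'app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,'
    'srcport=3393,srczone=external,protocol=6,dstip=10.1.1.27,dstport=80,dstzone=dmz1,'
    'bytes_written_to_client=572,bytes_written_to_server=408,rule_name=BTC-inbound,'
    'cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP'
)

# BSD syslog prefix: timestamp, relay/sender IP, firewall hostname, program tag.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<relay>\S+) (?P<host>\S+) "
    r"(?P<prog>\w+): (?P<body>.*)$"
)

# One field: key=value, where the value is either "quoted" (may hold spaces and
# commas) or bare text running to the next comma. Leading blanks are tolerated
# because wrapped log lines often pick up a space after a comma.
FIELD_RE = re.compile(r'\s*(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))(?:,|$)')


def parse_fields(body):
    """Tokenize the audit body into a dict; raise on malformed input rather
    than silently dropping the rest of the record."""
    fields = {}
    pos = 0
    while pos < len(body):
        m = FIELD_RE.match(body, pos)
        if not m:
            raise ValueError("malformed field at offset %d: %r" % (pos, body[pos:pos + 30]))
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key")] = value
        pos = m.end()
    return fields


def parse_sidewinder(line):
    """Return {'header': {...}, 'fields': {...}} for one Sidewinder audit line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-framed Sidewinder audit record")
    header = {k: m.group(k) for k in ("ts", "relay", "host", "prog")}
    return {"header": header, "fields": parse_fields(m.group("body"))}


# IANA protocol numbers (assumption: only the common ones are listed here;
# unknown numbers are passed through unchanged).
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def to_flow(record):
    """Project the audit fields onto the flow attributes a SIEM correlates on."""
    f = record["fields"]
    return {
        "event": f.get("event"),
        "rule": f.get("rule_name"),
        "src": (f.get("srcip"), int(f["srcport"]) if "srcport" in f else None),
        "dst": (f.get("dstip"), int(f["dstport"]) if "dstport" in f else None),
        "proto": PROTO_NAMES.get(f.get("protocol"), f.get("protocol")),
        "zones": (f.get("srczone"), f.get("dstzone")),
        # Assumption: bytes_written_to_server is client-to-server volume and
        # bytes_written_to_client the reverse direction.
        "bytes_c2s": int(f.get("bytes_written_to_server", 0)),
        "bytes_s2c": int(f.get("bytes_written_to_client", 0)),
        "major": f.get("pri") == "p_major",
    }
```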

Palo Alto Firewall Configuration

What is Discovered and Monitored

SNMP, SSH, and Ping

Set AccelOps as a Syslog Destination

Set the Severity of Logs to Send to AccelOps

Create a Log Forwarding Profile

Use the Log Forwarding Profile in Firewall Policies

Sample Parsed Palo Alto Syslog Message

Settings for Access Credentials

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, Hardware model, Network interfaces, Operating system version | Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count | Availability and Performance Monitoring |
| Telnet/SSH | Running configuration | Configuration Change | Performance Monitoring, Security and Compliance |
| Syslog | Device type | Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs | Availability, Security and Compliance |

Event Types

In CMDB > Event Types, search for “palo alto” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “palo alto” in the Description column to see the reports associated with this device.

Configuration

SNMP, SSH, and Ping

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, click Setup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public.
  6. If there are entries in the Permitted IP list, Add the IP address of your AccelOps virtual appliance.
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface.

Syslog

Set AccelOps as a Syslog Destination

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your AccelOps virtual appliance.
  5. For Server, enter the IP address of your virtual appliance.
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.

Set the Severity of Logs to Send to AccelOps

  1. In the Device tab, go to Log Settings > System.
  2. Click .. .
  3. For each type of log you want sent to AccelOps, select the AccelOps virtual appliance in the Syslog
  4. Click OK.

Create a Log Forwarding Profile

  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your AccelOps virtual appliance for each type of log you want send to AccelOps.
  3. Click OK.

Use the Log Forwarding Profile in Firewall Policies

  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to AccelOps, click Options.
  3. For Log Forwarding Profile, select the profile you created for AccelOps.
  4. Click OK.
Settings for Access Credentials

Sophos UTM Firewall Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
| --- | --- | --- | --- |
| Syslog | | Configuration change, command execution | Log Management, Compliance and SIEM |

Event Types

In CMDB > Event Types, search for “sophos-utm” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device’s product documentation, and FortiSIEM will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance. For Port, enter 514.

Sample Syslog Message

<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="154" reputation="unverified" categoryname="Web Ads"

WatchGuard Firebox Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Firebox Syslog Message

What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
| --- | --- | --- | --- |
| Syslog | | | |

Event Types

In CMDB > Event Types, search for “firebox” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

FortiSIEM Configuring Load Balancers and Application Firewalls

Configuring Load Balancers and Application Firewalls

AccelOps supports these load balancers and application firewalls for discovery and monitoring.

Brocade ServerIron ADX Configuration

Citrix Netscaler Application Delivery Controller (ADC) Configuration

F5 Networks Application Security Manager

F5 Networks Local Traffic Manager Configuration

F5 Networks Web Accelerator

Qualys Web Application Firewall

Brocade ServerIron ADX Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, serial number, hardware (CPU, memory, network interface etc) | Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Performance/Availability Monitoring |

Rules

There are no predefined rules for this device other than those covered by generic network devices.

Reports

There are no predefined reports for this device other than those covered by generic network devices.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Citrix Netscaler Application Delivery Controller (ADC) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| Syslog | | Permitted and Denied traffic | Log analysis and compliance |

Event Types

In CMDB > Event Types, search for “netscaler” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “netscaler” in the Name column to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<182> 07/25/2012:19:56:41   PPE-0 : UI CMD_EXECUTED 473128 :  User nsroot - Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"

<181> 07/25/2012:19:56:05  NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State UP

<181> 07/25/2012:19:55:35  NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN

<182> 07/24/2012:15:37:08   PPE-0 : EVENT MONITORDOWN 472795 :  Monitor Monitor_http_of_Domapps:80(10.50.15.14:80) - State DOWN

F5 Networks Application Security Manager

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| Syslog | | Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits. | Log analysis and compliance |

Event Types

In CMDB > Event Types, search for “f5-asm” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n
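The F5 ASM record above is genuine CEF: seven pipe-delimited header fields, then space-separated key=value extensions whose values may contain spaces (the dates) and backslash escapes (the \r\n in the captured request), with custom fields such as cs3 and cn1 named by a matching cs3Label or cn1Label key. As an added Python example (not from this page, FortiSIEM or F5), here is a parser that handles those three points so the request lands under its real name, full_request, rather than cs3; the sample is a constructed one-line copy of the record above.

```python
import re

# Constructed one-line copy of the F5 ASM CEF sample shown on this page. The
# "\r\n" sequences are literal backslash escapes, exactly as CEF transmits them.
F5_ASM_SAMPLE = (
    "<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|"
    "Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default "
    "cs1Label=policy_name cs2=master-key cs2Label=web_application_name "
    "deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date "
    "externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 "
    "spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 "
    "cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 "
    "cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request "
    "cs3=POST /ipp/port1 HTTP/1.1\\r\\nHost: 127.0.0.1:631\\r\\nCache-Control: no-cache\\r\\n"
    "Content-Type: application/ipp\\r\\nAccept: application/ipp\\r\\n"
    "User-Agent: Hewlett-Packard IPP\\r\\nContent-Length: 9\\r\\n\\r\\n"
)

# BSD syslog prefix in front of the CEF payload: <PRI>, timestamp, host, program tag.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\w+):\s*$"
)
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")
# Extension key, then a value running up to the next " key=" token or end of line,
# which is how CEF lets values such as "Jul 13 2011 16:24:25" contain spaces.
EXT_RE = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|$)")
ESCAPES = {"n": "\n", "r": "\r", "=": "=", "\\": "\\", "|": "|"}


def cef_unescape(text):
    """Undo CEF backslash escapes (newline, carriage return, =, backslash, pipe)."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), text)


def split_header(cef):
    """Split the seven pipe-delimited header fields, honouring escaped pipes,
    and return them together with the untouched extension string."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])      # escaped character: keep it literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext):
    """Parse key=value pairs, unescape the values, and rename custom fields
    (csN, cnN, deviceCustomDateN) to the name given by their matching *Label key."""
    raw = {k: cef_unescape(v) for k, v in EXT_RE.findall(ext)}
    out = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        out[raw.get(key + "Label") or key] = value
    return out


def parse_cef(line):
    """Parse a syslog-framed CEF line into its syslog, header and extension parts."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF marker in line")
    sl = SYSLOG_RE.match(line[:idx])
    if not sl:
        raise ValueError("unrecognised syslog prefix")
    pri = int(sl.group("pri"))
    syslog = {"facility": pri >> 3, "severity": pri & 7, "ts": sl.group("ts"),
              "host": sl.group("host"), "tag": sl.group("tag")}
    fields, ext = split_header(line[idx:])
    header = dict(zip(HEADER_NAMES, fields))
    header["version"] = header["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    return {"syslog": syslog, "header": header, "extension": parse_extension(ext)}
```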


F5 Networks Local Traffic Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, serial number, hardware (CPU, memory, network interface, disk etc) and software information (running and installed software) | Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory utilization | Performance/Availability Monitoring |
| SNMP Trap | | Exception situations including hardware failures, certain security attacks, Policy violations etc | Performance/Availability Monitoring |
| Syslog | | Permitted and Denied traffic | Log analysis and compliance |

Event Types

In CMDB > Event Types, search for “f5-LTM” in the Name column to see the event types associated with this device.

Search for “f5-BigIP” in CMDB > Event Types to see event types associated with SNMP traps for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public
        . Cold Start Trap (0) Uptime: 0:00:00.00
        DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33131) 0:05:31.31
        SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3375.2.4.0.1

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Settings for Access Credentials

F5 Networks Web Accelerator

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| Syslog | | Permitted traffic | Log analysis and compliance |

Event Types

In CMDB > Event Types, search for “f5-web” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Qualys Web Application Firewall

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Example Syslog

What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| Syslog | | Permitted and Denied Web traffic | Log analysis and compliance |

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

Qualys-WAF-Web-Request-Success

Qualys-WAF-Web-Bad-Request

Qualys-WAF-Web-Client-Access-Denied

Qualys-WAF-Web-Client-Error

Qualys-WAF-Web-Forbidden-Access-Denied

Qualys-WAF-Web-Length-Reqd-Access-Denied

Qualys-WAF-Web-Request

Qualys-WAF-Web-Request-Redirect

Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in CMDB > Reports > Device > Network > Web Gateway.

Configuration

AccelOps processes events from this device via syslog sent in JSON format. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43be-af71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae30-2a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort":443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://esers-test.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1","message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1","message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}
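One syslog frame from the Qualys WAF therefore carries several WAF events for a single HTTP transaction. As an added Python example (not from this page, FortiSIEM or Qualys), the following splits the RFC 5424 header off the JSON payload, derives one of the Qualys-WAF-Web-* event types listed above from the HTTP status code, and keeps every embedded Alert as its own finding. The sample is a constructed, shortened copy of the record above, and the status-code thresholds in event_type_for_status are this example's assumption, inferred from the event-type names rather than taken from FortiSIEM.

```python
import json

# Constructed, abbreviated copy of the Qualys WAF JSON syslog sample on this page:
# an RFC 5424 frame ("-" for PROCID and STRUCTURED-DATA, MSGID QUALYS_WAF) followed
# by one JSON object that carries several WAF events for a single HTTP transaction.
QUALYS_SAMPLE = (
    '<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - '
    '{"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,'
    '"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045",'
    '"connection":{"clientIp":"172.27.80.170","clientPort":9073,'
    '"serverIp":"192.168.60.203","serverPort":443},'
    '"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org"},'
    '"response":{"protocol":"HTTP/1.1","status":"200","message":"OK"},'
    '"security":{"threatLevel":60,"events":['
    '{"tags":["qid/226015","cat/XPATHi","cat/SQLi","loc/req/body/txtUserId"],"type":"Alert",'
    '"rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3",'
    '"message":"Condition escaping detected (SQL or XPATH injection) txtUserId.",'
    '"confidence":80,"severity":60,"id":"262845566"},'
    '{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",'
    '"message":"Info: Blocking refused as blocking mode is disabled.",'
    '"confidence":0,"severity":0,"id":"262846167"}]}}'
)

FRAME_FIELDS = ("pri_version", "timestamp", "hostname", "app_name", "procid", "msgid", "sd")


def parse_frame(line):
    """Split the RFC 5424 header off the JSON payload. The seven header tokens are
    space-separated; everything after STRUCTURED-DATA is the message."""
    parts = line.split(" ", len(FRAME_FIELDS))
    if len(parts) != len(FRAME_FIELDS) + 1 or not parts[0].startswith("<"):
        raise ValueError("not an RFC 5424 frame")
    header = dict(zip(FRAME_FIELDS, parts))
    pri, version = header.pop("pri_version")[1:].split(">", 1)   # "<1350>1" -> 1350, 1
    header["pri"], header["version"] = int(pri), int(version)
    return header, json.loads(parts[-1])


def event_type_for_status(status):
    """Pick one of the Qualys-WAF-Web-* event types listed on this page from the
    HTTP status code. The thresholds are this example's assumption, inferred from
    the event-type names; they are not FortiSIEM's published mapping."""
    code = int(status)
    if 200 <= code < 300:
        return "Qualys-WAF-Web-Request-Success"
    if 300 <= code < 400:
        return "Qualys-WAF-Web-Request-Redirect"
    exact = {400: "Qualys-WAF-Web-Bad-Request",
             401: "Qualys-WAF-Web-Client-Access-Denied",
             403: "Qualys-WAF-Web-Forbidden-Access-Denied",
             411: "Qualys-WAF-Web-Length-Reqd-Access-Denied"}
    if code in exact:
        return exact[code]
    if 400 <= code < 500:
        return "Qualys-WAF-Web-Client-Error"
    if 500 <= code < 600:
        return "Qualys-WAF-Web-Server-Error"
    return "Qualys-WAF-Web-Request"


def normalize(line):
    """Flatten one Qualys WAF record into the fields a SIEM would index, keeping
    every embedded Alert as its own finding and the Observations as context."""
    header, data = parse_frame(line)
    conn, req, resp, sec = data["connection"], data["request"], data["response"], data["security"]
    events = sec.get("events", [])
    alerts = [e for e in events if e.get("type") == "Alert"]
    categories = sorted({t[len("cat/"):] for e in alerts
                         for t in e.get("tags", []) if t.startswith("cat/")})
    return {
        "event_type": event_type_for_status(resp["status"]),
        "reported_at": header["timestamp"],
        "src_ip": conn["clientIp"], "src_port": conn["clientPort"],
        "dst_ip": conn["serverIp"], "dst_port": conn["serverPort"],
        "host": req["host"],
        "http": "%s %s %s" % (req["method"], req["uri"], resp["status"]),
        "threat_level": sec.get("threatLevel", 0),
        "alert_categories": categories,
        "alert_rules": [e["rule"] for e in alerts],
        "max_severity": max((e.get("severity", 0) for e in alerts), default=0),
        "observations": [e["message"] for e in events if e.get("type") == "Observation"],
    }
```

Because the WAF reports the transaction as a 200 while its alerts carry severity 60, indexing on event_type alone would file this record under Request-Success; the alert fields are what make it visible.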
