FortiSIEM Configuring Network Compliance Management Applications

Configuring Network Compliance Management Applications

AccelOps supports monitoring of these Network Compliance Management applications.

Cisco Network Compliance Manager Configuration

Cisco Network Compliance Manager Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics/Logs Collected | Used For
Syslog | | Network device software update, configuration analysis for compliance, admin login | Log analysis and compliance

Event Types

Over 40 event types are generated by parsing Cisco Network Configuration Manager logs. The complete list can be found in CMDB > Event Types by searching for Cisco-NCM. Some important ones are:

Cisco-NCM-Device-Software-Change

Cisco-NCM-Software-Update-Succeeded

Cisco-NCM-Software-Update-Failed

Cisco-NCM-Policy-Non-Compliance

Cisco-NCM-Device-Configuration-Deployment

Cisco-NCM-Device-Configuration-Deployment-Failure

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script Completed Successfully server01.foo.com 10.4.161.32 Script 'Re-enable EasyTech port for Cisco IOS configuration' completed. Connect – Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm] Login / Authentication – Succeeded Successfully used: Last successful password (Password rule Retail TACACS NCM Login) Optional:Script Succeeded Successfully executed: prepare configuration for deployment Script – Succeeded Successfully executed: deploy to running configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through CLI. (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP through CLI (Warning: SSH server username or password not specified in NA admin settings.) Optional:Script – Succeeded Successfully executed: determine result of deployment operation Script run: ———————————————————— ! interface fast0/16 no shut

491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com 1.1.1.32 44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0 usmist_1699295009 (1.13.3.9) Succeeded

FortiSIEM Configuring Network Intrusion Protection Systems (IPS)

Configuring Network Intrusion Protection Systems (IPS)

AccelOps supports these intrusion protection systems for discovery and monitoring.

AirTight Networks SpectraGuard

Cisco FireSIGHT

Cisco Intrusion Protection System Configuration

Cylance Protect Endpoint Protection

Cyphort Cortex Endpoint Protection

FireEye Malware Protection System (MPS)

FortiDDoS

Fortinet FortiSandbox Configuration

IBM Internet Security Series Proventia Configuration

Juniper DDoS Secure Configuration

Juniper Networks IDP Series Configuration

McAfee IntruShield Configuration

McAfee Stonesoft IPS

Motorola AirDefense Configuration

Snort Intrusion Protection System Configuration

Sourcefire 3D and Defense Center Configuration

TippingPoint Intrusion Protection System Configuration

AirTight Networks SpectraGuard

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “airtight” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2

Cisco FireSIGHT

This section describes how AccelOps collects logs from the Cisco FireSIGHT console.

What is Discovered and Monitored

Protocol | Information Discovered | Logs Collected | Used For
eStreamer API | | Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events | Security Monitoring

Event Types

Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

Malware events: PH_DEV_MON_FIREAMP_MALWARE

[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[fileName]=CplLnk.exe,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,[phLogDetail]=

File events: PH_DEV_MON_FIREAMP_FILE

[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[fileName]=Locksky.exe,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[infoURL]=http://wrl/wrl/Locksky.exe,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=

Discovery events:

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

[PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=

PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:

  1. Top Cisco FireAMP Malware Events
  2. Top Cisco FireAMP File Analysis Events
  3. Top Cisco FireAMP Vulnerable Intrusion Events
  4. Top Cisco FireAMP Discovered Login Events
  5. Top Cisco FireAMP Discovered Network Protocol
  6. Top Cisco FireAMP Discovered Client App
  7. Top Cisco FireAMP Discovered OS

Configuration

AccelOps obtains events from Cisco FireSIGHT via the eStreamer protocol.

Cisco FireSIGHT Configuration

  1. Log on to the Cisco FireSIGHT console
  2. Go to System > Local > Registration > eStreamer
  3. Click Create Client
    1. Enter IP address and password for AccelOps
    2. Click Save
  4. Select the types of events that should be forwarded to AccelOps
  5. Click Download Certificate and save the certificate to a local file

AccelOps Configuration

  1. Go to Admin > Setup > Credentials
  2. Create a credential
    1. Set Device Type to Cisco FireAMP
    2. Set Access Method to eStreamer
    3. Enter the Password as in Step 3a above
    4. Click Certificate File > Upload and enter the certificate downloaded in Step 5
    5. Click Save
  3. Create an IP range to Credential Association
    1. Enter IP address of the FireSIGHT Console
    2. Enter the credential created in Step 2 above
  4. Click Test Connectivity – AccelOps will start collecting events from the FireSIGHT console


Cisco Intrusion Protection System Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP | | | Performance and Availability Monitoring
SDEE | | Alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “cisco ips” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco ips” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “cisco ips” in the Name column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to the device manager for your Cisco IPS.
  2. Go to Configuration > Allowed Hosts/Networks.
  3. Click Add.
  4. Enter the IP address of your AccelOps virtual appliance to add it to the access control list, and then click OK.
  5. Go to Configuration > Sensor Management > SNMP > General Configuration.
  6. For Read-Only Community String, enter public.
  7. For Sensor Contact and Sensor Location, enter Unknown.
  8. For Sensor Agent Port, enter 161.
  9. For Sensor Agent Protocol, select udp.

If you need to create an SDEE account for AccelOps to use, go to Configuration > Users and add a new administrator.

Sample XML-Formatted Alert

<os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
<victim>
  <addr locality="OUT">171.66.255.87</addr>
  <os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
<victim>
  <addr locality="OUT">171.66.255.86</addr>
  <os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
<victim>
  <addr locality="OUT">171.66.255.84</addr>
  <os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
<victim>
  <addr locality="OUT">171.66.255.85</addr>
  <os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
<victim>
  <addr locality="OUT">171.66.255.82</addr>
  <os idSource="unknown" type="unknown" relevance="relevant"></os>
</victim>
</attack>
</participants>

Cylance Protect Endpoint Protection

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | End point malware alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “cylance” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Cyphort Cortex Endpoint Protection

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | End point malware alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “cyphort” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

FireEye Malware Protection System (MPS)

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “fireeye mps” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640

FortiDDoS

What is Discovered and Monitored

Protocol | Information Discovered | Information Collected | Used For
Syslog | Host Name, Access IP, Vendor/Model | Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks | Security Monitoring
Event Types

In CMDB > Event Types, search for “FortiDDoS” to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under Rules > Security > Exploits.

Reports

There are many reports for this device under Reports > Function > Security.

Configuration

Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device’s product documentation.

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice

Fortinet FortiSandbox Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP | Host Name, OS, version, Hardware | CPU, Memory, Disk, Interface utilization | Performance Monitoring
Syslog | | Malware found/cleaned, Botnet, Malware URL, System Events | Log Management, Security Compliance, SIEM
HTTP(S) | | Threat feed: Malware URL, Malware Hash | Log Management, Security Compliance, SIEM
Event Types

In CMDB > Event Types, search for “fortisandbox-” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortisandbox-” to see the rules associated with this device.

Basic availability rules in CMDB > Rules > Availability > Network and performance rules in CMDB > Rules > Performance > Network also trigger for this device.

Reports

In CMDB > Reports, search for “fortisandbox-” to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog format is the same as that shown in the example.

Example Syslog

Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success reason=none letype=9 msg="Malware package: urlrel version 2.88897 successfully released, total 1000"

<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg="Remote log server was successfully added"

IBM Internet Security Series Proventia Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP Traps | | |

Event Types

In CMDB > Event Types, search for “proventia” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

AccelOps receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You need to first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to AccelOps.

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

  1. Log in to the IBM Proventia IPS web interface.
  2. Click Manage System Settings > SiteProtector Management.
  3. Click to select Register with SiteProtector.
  4. Click and select Local Settings Override SiteProtector Group Settings.
  5. Specify the Group, Heartbeat Interval, and Logging Level.
  6. Configure these settings:
Setting | Description
Authentication Level | Use the default first-time trust
Agent Manager Name | Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent Manager Address | Enter the Agent Manager’s IP address
Agent Manager Port | Use the default value 3995
User Name | If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here
User Password | Click Set Password, enter and confirm the password, and then click OK.
Use Proxy Settings | If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define AccelOps as a Response Object for SNMP Traps

  1. Log in to IBM SiteProtector console.
  2. Go to Grouping > Site Management > Central Responses > Edit settings.
  3. Select Response Objects > SNMP.
  4. Click Add.
  5. Enter a Name for your AccelOps virtual appliance.
  6. For Manager, enter the IP address of your virtual appliance.
  7. For Community, enter public.
  8. Click OK.

Define a Response Rule to Forward SNMP Traps to AccelOps

  1. Go to Response Rules.
  2. Click Add.
  3. Select Enabled.
  4. Enter a Name and Comment for the response rule.
  5. In the Responses tab, select SNMP.
  6. Select Enabled for the response object that represents your AccelOps virtual appliance.
  7. Click OK.

Sample SNMP trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"

Juniper DDoS Secure Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | DDoS Alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “juniper ddos” in the Device Type and Description columns to see the event types associated with this device.

Juniper-DDoS-Secure-WorstOffender

Juniper-DDoS-Secure-Blacklisted

Juniper-DDoS-Secure-Generic

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send syslog to AccelOps. Make sure that the event matches the format specified below.

Juniper Networks IDP Series Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “juniper_idp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog from NSM

<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11 18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, 'interface=eth3', (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not

McAfee IntruShield Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles custom syslog messages from McAfee IntruShield.

  1. Log in to McAfee IntruShield Manager.
  2. Create a custom syslog format with these fields:
    1. AttackName
    2. AttackTime
    3. AttackSeverity
    4. SourceIp
    5. SourcePort
    6. DestinationIp
    7. DestinationPort
    8. AlertId
    9. AlertType
    10. AttackId
    11. AttackSignature
    12. AttackConfidence
    13. AdminDomain
    14. SensorName
    15. Interface
    16. Category
    17. SubCategory
    18. Direction
    19. ResultStatus
    20. DetectionMechanism
    21. ApplicationProtocol
    22. NetworkProtocol
    23. Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.

AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity:$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId:$IV_ATTACK_ID$,AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$

  4. Set AccelOps as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A

McAfee Stonesoft IPS

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Network IPS alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “stonesoft” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6
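The AirTight, FireEye MPS and Stonesoft samples on this page are all CEF, and they share the details a collector has to get right: a syslog prefix before the CEF: header, extension values that contain spaces (cat=System Situations), an escaped = inside a URL, an empty value (cs6=), and custom cs/cn fields whose meaning lives in a matching *Label key. The parser below is an added example, not AccelOps or FortiSIEM code; the three sample constants are the page's own lines, and triage_fields is a hypothetical flattening helper.

```python
"""Parser for CEF-over-syslog lines (added example; not AccelOps/FortiSIEM code).

Handles the quirks visible in this page's AirTight, FireEye MPS and McAfee
Stonesoft samples: a syslog prefix before "CEF:", extension values containing
spaces, backslash escapes inside values, an empty value, and cs/cn custom
fields whose label is carried in a separate *Label key.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample lines copied from this page (AirTight, FireEye MPS, McAfee Stonesoft).
AIRTIGHT = r"<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2"
FIREEYE = r"<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640"
STONESOFT = r"<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6"

HEADER_SPLIT = re.compile(r"(?<!\\)\|")      # header fields end at an unescaped '|'
EXT_SPLIT = re.compile(r" (?=[\w.-]+=)")     # a new extension pair starts at " key="
LABEL_KEY = re.compile(r"^(?P<base>c[sn]\d+|flex(?:String|Number|Date)\d+)Label$")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text: str) -> str:
    # CEF escapes '|', '=' and '\' with a backslash; '\n' and '\r' stand for line breaks.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: Optional[int]        # 0-10; None when the vendor used a word such as "High"
    extension: Dict[str, str]      # raw key -> value
    labelled: Dict[str, str]       # custom-field label -> value, e.g. "Channel" -> "149"


def parse_cef(line: str) -> CefEvent:
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    version = int(parts[0].partition(":")[2])
    vendor, product, dev_version, sig_id, name, sev_text = (_unescape(p) for p in parts[1:7])
    extension: Dict[str, str] = {}
    ext_text = parts[7].strip() if len(parts) == 8 else ""
    for pair in EXT_SPLIT.split(ext_text) if ext_text else []:
        key, sep, value = pair.partition("=")
        if sep:                                   # ignore anything that is not key=value
            extension[key] = _unescape(value.strip())
    labelled: Dict[str, str] = {}
    for key, label in extension.items():
        m = LABEL_KEY.match(key)
        if m and m.group("base") in extension:    # cs1Label=SSID + cs1=WiFiHiSpeed -> SSID
            labelled[label] = extension[m.group("base")]
    severity = int(sev_text) if sev_text.isdigit() else None
    return CefEvent(version, vendor, product, dev_version, sig_id, name, severity, extension, labelled)


def triage_fields(event: CefEvent) -> Dict[str, str]:
    """Hypothetical helper: flatten the fields a SOC would index, custom labels included."""
    fields = {
        "source": f"{event.vendor} {event.product}",
        "signature": f"{event.signature_id} {event.name}",
        "severity": "unknown" if event.severity is None else str(event.severity),
        "reporting_device": event.extension.get("dvc") or event.extension.get("dvchost", ""),
    }
    for key in ("src", "dst", "msg", "act", "cat"):
        if key in event.extension:
            fields[key] = event.extension[key]
    fields.update(event.labelled)
    return fields


if __name__ == "__main__":
    for sample in (AIRTIGHT, FIREEYE, STONESOFT):
        for k, v in triage_fields(parse_cef(sample)).items():
            print(f"{k:>18}: {v}")
        print()
```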

Motorola AirDefense Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Wireless IDS logs | Security Monitoring

Event Types

About 37 event types covering various wireless attack scenarios are defined. Search for them by entering “Motorola-AirDefense” in CMDB > Event Types.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send logs to AccelOps. Make sure that the format is as follows.

Snort Intrusion Protection System Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |
JDBC | | Generic information: signature ID, signature name, sensor ID, event occur time, signature priority. TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, TCP Urgent Pointer; and packet payload. UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length, checksum; and packet payload. ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and packet payload |
SNMP (for access to the database server hosting the Snort database) | | |

Event Types

In CMDB > Event Types, search for “snort_ips” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:

  1. It is not reliable because it is sent over UDP.
  2. Information content is limited because of UDP packet size limit.

For these reasons, you should consider using JDBC to collect event information from Snort.

These instructions illustrate how to configure Snort on Linux to send syslogs to AccelOps. For further information, you should consult the Snort product documentation.

  1. Log in to your Linux server where Snort is installed.
  2. Navigate to and open the file /etc/snort/snort.conf.
  3. Modify alert_syslog to use a local log facility.
  4. Navigate to and open the file /etc/syslog.conf.
  5. Add a redirector to send syslogs to AccelOps.
  6. Restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514
<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80
<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
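To see what a collector actually receives from the alert_syslog path configured above, here is an added Python example (not AccelOps or FortiSIEM code) that splits run-together alerts back into individual records, parses each, and decodes the <PRI> value to confirm the local facility set in snort.conf. The SAMPLE text is constructed from the page's four alerts, deliberately wrapped the way the page shows them.

```python
"""Parser for Snort alerts received over syslog (added example; not AccelOps/FortiSIEM code).

Snort's alert_syslog output has the shape
  <PRI>snort[PID]: [GID:SID:REV] MSG [Classification: CLASS] [Priority: N]: {PROTO} SRC:PORT -> DST:PORT
The <PRI> value encodes facility*8 + level, so decoding it shows which local
facility the alerts are leaving on. Several alerts often arrive run together,
so the text is first re-split on the "<PRI>snort[" boundary.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from this page's four sample alerts, wrapped and run together as in the page.
SAMPLE = """<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client
Request [Classification: Misc activity] [Priority: 3]: {UDP}
192.168.19.1:6555 -> 172.16.2.5:514 <161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification:
access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80 <161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted
Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# IPv4 addresses only: an IPv6 source or destination would need a different src/dst pattern.
ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[^ :]+)(?::(?P<spt>\d+))? -> (?P<dst>[^ :]+)(?::(?P<dpt>\d+))?$"
)


@dataclass
class SnortAlert:
    facility: Optional[str]
    level: Optional[str]
    pid: int
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    src_port: Optional[int]        # None for ICMP, which has no ports
    dst: str
    dst_port: Optional[int]


def split_records(text: str) -> List[str]:
    """Re-join wrapped lines, then cut at every '<PRI>snort[' so one string is one alert."""
    flat = " ".join(text.split())
    return [r for r in re.split(r" (?=<\d+>snort\[)", flat) if r]


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alert(record: str) -> SnortAlert:
    m = ALERT_RE.match(record)
    if not m:
        raise ValueError(f"not a Snort syslog alert: {record!r}")
    pri = int(m["pri"]) if m["pri"] is not None else None
    facility = FACILITIES[pri >> 3] if pri is not None and (pri >> 3) < len(FACILITIES) else None
    level = LEVELS[pri & 7] if pri is not None else None
    return SnortAlert(facility, level, int(m["pid"]), int(m["gid"]), int(m["sid"]), int(m["rev"]),
                      m["msg"], m["cls"], int(m["prio"]), m["proto"],
                      m["src"], _port(m["spt"]), m["dst"], _port(m["dpt"]))


def parse_snort_syslog(text: str) -> List[SnortAlert]:
    return [parse_alert(r) for r in split_records(text)]


if __name__ == "__main__":
    for a in parse_snort_syslog(SAMPLE):
        print(f"{a.facility}.{a.level} [{a.gid}:{a.sid}:{a.rev}] prio={a.priority} {a.proto} "
              f"{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {a.msg}")
```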

JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, AccelOps can capture a full packet that is detailed enough to recreate the packet via a PCAP file.

AccelOps supports collecting Snort event information over JDBC from these database types:

Oracle

MS SQL

MySql

PostgreSQL

AccelOps supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You will need to set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with AccelOps for several common types of database servers.

Once you have set up SNMP on your database server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Debugging Snort Database Connectivity

Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull.

At most 1000 database records (IPS alerts) are pulled at a time. If AccelOps finds more than 1000 new records, it begins to fall behind, and this log is created.

Examples of Snort IPS Events Pulled over JDBC

UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520…

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204…

Viewing Snort Packet Payloads in Reports

AccelOps creates an event for each IPS alert in the Snort database. You can view the full packet payload associated with a Snort event when you run a report.

  1. Set up a structured historical search.
  2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group.

Attribute | Operator | Value
Reporting IP | IN | Applications: Network IPS App

  3. For Display Fields, include Data Payload.

When you run the query, Data Payload will be one of the display columns.

  4. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte ethereal/wireshark format.

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.
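As an added example (not the product's own code), the following Python code parses the key/value event format shown in the JDBC samples above, decodes the dataPayload hex back into bytes (including the truncated form that ends in "…"), and renders it in the byte-by-byte offset/hex/ASCII layout the report view displays. The sample events are constructed from the samples above; the complete HTTP request in the TCP payload is made up.

```python
import re
from typing import Dict

# Syslog header written by the AccelOps Java agent, followed by the event type in
# brackets and a comma-separated list of [attribute]=value pairs.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) java: "
    r"\[(?P<etype>[^\]]+)\]:(?P<body>.*)$",
    re.DOTALL,
)

# One [key]=value pair. The value runs until the next ",[key]=" (or the end), so values
# containing commas or brackets, e.g. "Snort Alert [1:1000001:0]", stay intact.
PAIR_RE = re.compile(r"\[(?P<key>\w+)\]=(?P<val>.*?)(?=,\[\w+\]=|$)", re.DOTALL)


def parse_accelops_event(line: str) -> Dict[str, str]:
    """Return the event's attributes as a dict; header fields get a leading underscore.
    A key that appears twice (the UDP sample carries eventSeverity twice, first the
    PHL_INFO level and then the Snort priority) keeps the later value."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an AccelOps key/value event")
    attrs = {"_eventType": m.group("etype"), "_host": m.group("host"),
             "_timestamp": m.group("ts")}
    for p in PAIR_RE.finditer(m.group("body")):
        attrs[p.group("key")] = p.group("val")
    return attrs


def decode_payload(hex_text: str) -> bytes:
    """Turn the dataPayload attribute back into raw bytes. Anything that is not a hex
    digit (the trailing '…' of a truncated export, whitespace from line wrapping) is
    dropped, and a dangling half byte at the end is discarded rather than raising."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", hex_text)
    if len(clean) % 2:
        clean = clean[:-1]
    return bytes.fromhex(clean)


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as offset / hex / printable-ASCII lines, Wireshark style."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


# Constructed sample events in the format shown above. The TCP payload is a complete
# made-up HTTP request line; the UDP payload is the truncated value from the sample.
TCP_EVENT = (
    "<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,"
    "[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,"
    "[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,"
    "[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,"
    "[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,"
    "[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,"
    "[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F20485454502F312E310D0A"
)
UDP_EVENT = (
    "<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,"
    "[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,"
    "[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,"
    "[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,"
    "[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipProto]=17,[srcIpPort]=35876,[destIpPort]=161,"
    "[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520…"
)

if __name__ == "__main__":
    for raw in (TCP_EVENT, UDP_EVENT):
        ev = parse_accelops_event(raw)
        print(ev["_eventType"], ev["srcIpAddr"], "->", ev["destIpAddr"], ev["destIpPort"])
        print(hexdump(decode_payload(ev["dataPayload"])))
```

The decoded UDP payload shows the SNMP community string in cleartext, which is why the report view is useful for confirming exactly what a signature fired on.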

Settings for Access Credentials

Sourcefire 3D and Defense Center Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “sourcefire” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types.

Simply configure SourceFire appliances or DefenseCenter to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

TippingPoint Intrusion Protection System Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP | | CPU, memory, Interface utilization | Performance and Availability Monitoring
Syslog | | IPS Alerts | Security Monitoring

Event Types

In CMDB > Event Types, search for “tippingpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

 SNMP

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > SMS/NMS.
  3. For SMS Authorized IP Address/CIDR, make sure any is entered.
  4. Select Enabled for SNMP V2.
  5. For NMS Community String, enter public.
  6. Click Apply.

Syslog

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > Syslog Servers.
  3. Under System Log, enter the IP Address of the AccelOps virtual appliance.
  4. Select Enable syslog offload for System Log.
  5. Under Audit Log, enter the IP Address of the AccelOps virtual appliance.
  6. Select Enable syslog offload for Audit Log.
  7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events related to specific traffic on network segments that need to pass through the device. This log includes three categories of events.

Event Category | Description
Alert | Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile)
Block | Block events are malicious packets not permitted to pass
P2P | Refers to peer-to-peer traffic events

In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security threat defined by the TippingPoint Digital Vaccine files. The AccelOps virtual appliance will correlate these with authoritative databases of security threats.

  1. Go to IPS > Action Sets.
  2. Click Permit + Notify.
  3. Under Contacts, click Remote Syslog.
  4. Under Remote Syslog Information, enter the IP Address of the AccelOps virtual appliance.
  5. Make sure the Port is set to 514.
  6. Make sure Delimiter is set to tab, comma, or semicolon.
  7. Click Add to Table Below.

You should now see the IP address of the AccelOps virtual appliance appear as an entry in the Remote Syslogs table.

Sample parsed syslog messages

FortiSIEM Configuring Routers and Switches

Configuring Routers and Switches

AccelOps supports these routers and switches for discovery and monitoring.

Alcatel TiMOS and AOS Switch Configuration

Arista Router and Switch Configuration

Brocade NetIron CER Routers

Cisco 300 Series Routers

Cisco IOS Router and Switch Configuration

How CPU and Memory Utilization is Collected for Cisco IOS

Cisco Meraki Cloud Controller and Network Devices Configuration

Cisco NX-OS Router and Switch Configuration

Cisco ONS Configuration

Dell Force10 Router and Switch Configuration

Dell NSeries Switch Configuration

Dell PowerConnect Switch and Router Configuration

Foundry Networks IronWare Router and Switch Configuration

HP/3Com ComWare Switch Configuration

HP ProCurve Switch Configuration

HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration

Juniper Networks JunOS Switch Configuration

Mikrotek Router Configuration

Nortel ERS and Passport Switch Configuration

Alcatel TiMOS and AOS Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c) | | Hardware status: Power Supply, Fan, Temperature | Availability
SNMP (V1, V2c, V3) | Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses | | Identity and location table; Topology

Event Types

In CMDB > Event Types, search for “alcatel” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Arista Router and Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status | Availability and Performance Monitoring
Telnet/SSH | Running and Startup configurations | Startup Configuration Change, Difference between Running and Startup configurations | Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Brocade NetIron CER Routers

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server Status | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco 300 Series Routers

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco IOS Router and Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c, V3) | Host name, IOS version, Hardware model, Memory size, Network interface details – name, address, mask and description | Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c, V3) | Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. | Hardware health: temperature, fan and power supply | Availability
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | | Topology and end-host location
SNMP (V1, V2c, V3) | BGP connectivity, neighbors, state, AS number | BGP state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | OSPF connectivity, neighbors, state, OSPF Area | OSPF state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | | IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter – both overall and Source->Destination and Destination->Source, Packets Lost – both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score | VoIP Performance Monitoring
SNMP (V1, V2c, V3) | | Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets | QoS performance monitoring
SNMP (V1, V2c, V3) | | NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec | Performance Monitoring
Telnet/SSH | Running and startup configuration, Image file name, Flash memory size, Running processes | Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization | Performance Monitoring, Security and Compliance
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance

Event Types

Performance Monitoring events

Configuration change events

Syslog events

In CMDB > Event Types, search for “cisco_os” in the Description column to see the event types associated with this device.

Rules

 Performance Monitoring rules

Configuration change rules

Other rules

Reports

Performance Monitoring Reports

Configuration change Reports

Other Reports

Configuration

Telnet/SSH

AccelOps uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show flash
  5. show ip route
  6. show mac-address-table or show mac address-table
  7. show vlan brief
  8. show process cpu
  9. show process mem
  10. show disk0
  11. enable
  12. terminal pager 0

SNMP

SNMP V1/V2c

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.

SNMP V3

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.
  3. Exit configuration mode.

Syslog

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.

Sample Cisco IOS Syslog Messages

 

NetFlow

Enable NetFlow on the Router

  1. Enter configuration mode.
  2. For every interface, run this command.

Set Up NetFlow Export

  1. Enter configuration mode.
  2. Run these commands.

On MLS switches, such as the 6500 or 7200 models, also run these commands.

You can verify that you have set up NetFlow correctly by running these commands.

Sample Flexible Netflow Configuration in IOS

IP SLA

IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.

A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these tests by running the appropriate show commands on the router. However, only these IP SLA tests are exported via the RTT-MON SNMP MIB:

UDP Jitter (reported by AccelOps event type PH_DEV_MON_IPSLA_MET)

UDP Jitter for VoIP (reported by AccelOps event type PH_DEV_MON_IPSLA_VOIP_MET)

HTTP performance (reported by AccelOps event type PH_DEV_MON_IPSLA_HTTP_MET)

ICMP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_ICMP_MET)

UDP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_UDP_MET)

These are the only IP SLA tests monitored by AccelOps.

Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bi-directional traffic statistics are also reported by the initiating router, so you don’t need to set up a reverse test between the original initiating and responding routers. AccelOps automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics.

Configuring IP SLA Initiator for UDP Jitter

Class-Based QoS

CBQoS enables routers to enforce traffic-dependent Quality of Service policies on router interfaces to make sure that important traffic such as VoIP and mission-critical applications gets its allocated network resources.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.

The CBQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needed. AccelOps detects the presence of valid CBQoS MIBs and starts monitoring them.

NBAR

Cisco provides protocol discovery via NBAR configuration guide.

Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.

Sample event generated by AccelOps

[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=

Settings for Access Credentials

How CPU and Memory Utilization is Collected for Cisco IOS

AccelOps follows the process for collecting information about CPU utilization that is recommended by Cisco.

Monitoring CPU

The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue is that there are multiple CPUs, so which ones should be used? A sample SNMP walk for this OID looks like this:

Note that there are 4 CPUs, indexed 1-4. We need to identify the control plane CPU and the data plane CPU.

The CPU Id -> entity Id mapping comes from the following SNMP walk:

Combining all this information, we finally obtain the CPU information for each object.

Monitoring Memory using PROCESS-MIB

The relevant OIDs are:

Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6

Free memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.5

Memory Util = (Used memory) / (Used memory + Free memory)

Therefore

Cisco Meraki Cloud Controller and Network Devices Configuration


What is Discovered and Monitored

Cisco Meraki devices are discoverable in either of the following ways:

SNMP to the Cloud Controller

SNMP to each Network Device

SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to AccelOps.

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) to Cloud Controller or Devices | Host name, Software version, Hardware model, Network interfaces | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
Syslog from Meraki Firewalls | | Firewall logs | Security Monitoring
SNMP Traps from Cloud Controller | | Health | Availability Monitoring

Event Types

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules

Availability (from SNMP Trap)

Meraki Device Cellular Connection Disconnected

Meraki Device Down

Meraki Device IP Conflict

Meraki Device Interface Down

Meraki Device Port Cable Error

Meraki Device VPN Connectivity Down

Meraki Foreign AP Detected

Meraki New DHCP Server

Meraki New Splash User

Meraki No DHCP lease

Meraki Rogue DHCP Server

Meraki Unreachable Device

Meraki Unreachable RADIUS Server

Meraki VPN Failover

Performance (Fixed threshold)

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Reports

None

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco NX-OS Router and Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c, V3) | Host name, IOS version, Hardware model, Memory size, Network interface details: name, address, mask and description | Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c, V3) | Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. | Hardware health: temperature, fan and power supply | Availability
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port (via CDP MIB), ARP table | | Topology and end-host location
SNMP (V1, V2c, V3) | BGP connectivity, neighbors, state, AS number | BGP state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | OSPF connectivity, neighbors, state, OSPF Area | OSPF state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | | Class based QoS metrics: For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets | QoS performance monitoring
Telnet/SSH | Running and startup configuration, Image file name, Flash memory size, Running processes | Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization | Performance Monitoring, Security and Compliance
Telnet/SSH | End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | |
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “nx-os” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show flash
  5. show context
  6. show ip route
  7. show cam dynamic
  8. show mac-address-table
  9. show mac address-table (for Nexus 1000v)
  10. show vlan brief
  11. show process cpu
  12. show process mem
  13. show disk0
  14. enable
  15. terminal length 0

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

NetFlow

Enable NetFlow on the Router

  1. Enter configuration mode.
  2. Run this command.

Create a Flow Template and Define the Fields to Export

You can also try using the pre-defined NetFlow template.

Set up Netflow Exporter

Run these commands.

Associate the Record to the Exporter Using a Flow Monitor

In this example the flow monitor is called AccelOpsMonitoring.

Run these commands.

Apply the Flow Monitor to Every Interface

Run these commands.

You can now check the configuration using the show commands.

Settings for Access Credentials

Cisco ONS Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Serial Number, software version, Hardware model, Network interfaces, Hardware Components | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP Trap | | Alerts | Availability and Performance Monitoring

Event Types

Over 1800 event types defined – search for “Cisco-ONS” in CMDB > Event Types

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell Force10 Router and Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status | Availability and Performance Monitoring
Telnet/SSH | Running and Startup configurations | Startup Configuration Change, Difference between Running and Startup configurations | Change monitoring

Event Types

In CMDB > Event Types, search for “force10” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0

Settings for Access Credentials

Dell NSeries Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c) | | Hardware Status (Power Supply, Fan) | Availability Monitoring
SSH | | Configuration | Change management

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Hardware Status: PH_DEV_MON_HW_STATUS

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Network Device Hardware Warning

Network Device Hardware Critical

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Dell PowerConnect Switch and Router Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status | Availability and Performance Monitoring
Telnet/SSH | Running and Startup configurations | Startup Configuration Change, Difference between Running and Startup configurations | Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0
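The Telnet/SSH commands above (the same list serves the Dell Force10 section earlier) exist so the SIEM can fetch both configurations and compare them: the startup configuration against its previously stored copy, and the running configuration against the startup configuration. The following Python example, added here and not part of AccelOps or this document, shows that comparison on two constructed configuration snippets. It drops volatile header lines before comparing, fingerprints the startup configuration so a baseline can be stored between polls, and reports the two conditions the monitoring table names. The sample configurations, the VOLATILE_PREFIXES list and the event names are assumptions for illustration.

```python
import difflib
import hashlib

# Header lines whose content changes on every 'show' without any operator
# action. Constructed for this example; extend it for your platform.
VOLATILE_PREFIXES = ("!Time:", "! Last configuration change", "Current configuration")


def normalize(config_text):
    """Strip volatile header lines, trailing whitespace and blank lines so
    that only operator-made changes survive the comparison."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text):
    """Stable hash of the normalized configuration, suitable for storing as
    the 'last seen startup config' baseline."""
    body = "\n".join(normalize(config_text)).encode()
    return hashlib.sha256(body).hexdigest()


def config_delta(old_text, new_text, old_label="old", new_label="new"):
    """Return only the '+'/'-' lines of a unified diff between two
    configurations; an empty list means no effective change."""
    diff = difflib.unified_diff(normalize(old_text), normalize(new_text),
                                fromfile=old_label, tofile=new_label,
                                lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def check_device(baseline_startup, startup_now, running_now):
    """Emulate the two checks the monitoring table describes: startup config
    changed since the stored baseline, and running config differs from
    startup. Event names are illustrative, not AccelOps event types."""
    events = []
    if fingerprint(baseline_startup) != fingerprint(startup_now):
        events.append(("STARTUP_CONFIG_CHANGE",
                       config_delta(baseline_startup, startup_now,
                                    "startup-baseline", "startup-config")))
    delta = config_delta(startup_now, running_now, "startup-config", "running-config")
    if delta:
        events.append(("RUNNING_VS_STARTUP_DELTA", delta))
    return events


# Constructed sample configurations (not captured from a real device).
BASELINE_STARTUP = """!Time: Mon Mar 3 03:00:00 2014
hostname core-sw1
snmp-server community s3cr3t-ro ro
interface fast0/16
 shutdown
line vty 0 4
 transport input ssh
"""

STARTUP_NOW = """!Time: Mon Mar 3 04:00:00 2014
hostname core-sw1
snmp-server community s3cr3t-ro ro
interface fast0/16
 shutdown
line vty 0 4
 transport input ssh
"""

# Someone brought the port up and re-enabled telnet without saving.
RUNNING_NOW = """!Time: Mon Mar 3 04:05:00 2014
hostname core-sw1
snmp-server community s3cr3t-ro ro
interface fast0/16
 no shutdown
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    for name, lines in check_device(BASELINE_STARTUP, STARTUP_NOW, RUNNING_NOW):
        print(name)
        for line in lines:
            print("  " + line)
```

Only the timestamp header differs between the two startup copies, so the fingerprints match and no startup-change event is raised; the running configuration, however, carries an unsaved port and transport change, which is exactly the running-versus-startup delta the table describes.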


Foundry Networks IronWare Router and Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, IronWare version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
Telnet/SSH | Running and startup configuration | Startup configuration change, delta between running and startup configuration | Performance Monitoring, Security and Compliance
SNMP (V1, V2c) | Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | | Topology and end-host location
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “foundry_ironware” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to the device manager for your switch or router with administrative privileges.
  2. Enter configuration mode.
  3. Run these commands to set the community string and enable the SNMP service.
  4. Exit config mode.
  5. Save the configuration.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

Syslog

  1. Log in to the device manager for your switch or router with administrative privileges.
  2. Enter configuration mode.
  3. Run this command to set your AccelOps virtual appliance as the recipient of syslogs from your router or switch.
  4. Exit config mode.
  5. Save the configuration.


HP/3Com ComWare Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature | Availability and Performance Monitoring
SNMP (V1, V2c, V3) | | Hardware status: Temperature | Availability
Syslog | | System logs | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for "comware" in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog for ComWare Switch Messages

%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically!

%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported.

%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR's, so the MR can't work properly.

%Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high!

%Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.
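The messages above share one layout (timestamp, host, module/severity/mnemonic, message), so a parser for them is short. The following Python example is added here and is not the AccelOps parser; it splits each line into those fields and then picks out the DEVD (device management) events at error severity or worse, which are the fan, temperature and board events an availability rule would key on. The severity names follow the standard syslog 0 to 7 scale, which ComWare also uses; the sample list is the five messages from the example copied one per line, and the regular expression tolerates the irregular spacing seen in them.

```python
import re
from datetime import datetime

# Layout of the messages shown above:
#   %<Mon> <day> <HH:MM:SS:ms> <year> <host> <MODULE>/<severity>/<MNEMONIC>:<text>
# Optional whitespace after the second slash and before the colon accounts
# for the spacing in the sample ("DEVD/2/ FAN CHANGE: ...").
COMWARE_RE = re.compile(
    r"^%(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{1,3} \d{4}) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<sev>\d)/\s*"
    r"(?P<mnemonic>[^:]+?)\s*:\s*(?P<msg>.*)$"
)

# Standard syslog severities (0 = emergency ... 7 = debug).
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}


def parse_comware(line):
    """Parse one ComWare/H3C syslog line; return None for lines that do not match."""
    m = COMWARE_RE.match(line.strip())
    if not m:
        return None
    # %f accepts the three-digit millisecond field and right-pads it.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S:%f %Y")
    sev = int(m.group("sev"))
    return {
        "timestamp": ts,
        "host": m.group("host"),
        "module": m.group("module"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES.get(sev, "unknown"),
        "mnemonic": m.group("mnemonic").strip(),
        "message": m.group("msg").strip(),
    }


def hardware_alerts(lines, max_severity=3):
    """Return parsed DEVD events at the given severity or worse (lower number
    is more severe): the board, temperature and fan conditions worth alerting on."""
    out = []
    for line in lines:
        rec = parse_comware(line)
        if rec and rec["module"] == "DEVD" and rec["severity"] <= max_severity:
            out.append(rec)
    return out


# The five messages from the example above, one per line (copied, not constructed).
SAMPLE_LINES = [
    "%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically!",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported.",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR's, so the MR can't work properly.",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high!",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.",
]

if __name__ == "__main__":
    for rec in hardware_alerts(SAMPLE_LINES):
        print(rec["timestamp"], rec["severity_name"], rec["mnemonic"], "-", rec["message"])
```

Matching the mnemonic lazily up to the first colon is what keeps messages that themselves contain colons (the fan message above has two) intact; a greedy match would swallow part of the message text into the mnemonic.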


HP ProCurve Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature | Availability and Performance Monitoring
Telnet/SSH | Running and startup configuration | Startup configuration change, delta between running and startup configuration | Performance Monitoring, Security and Compliance
SNMP (V1, V2c) | Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | | Topology and end-host location

Event Types

In CMDB > Event Types, search for “procurve” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Go to Configuration > SNMP Community > V1/V2 Community.
  2. Enter a Community Name.
  3. For MIB-View, select Operator.
  4. For Write-Access, leave the selection cleared.
  5. Click Add.

SSH/Telnet

  1. Log into the device manager for your ProCurve switch.
  2. Go to Security > Device Passwords.
  3. Create a user and password for Read-Write Access.

Although AccelOps does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration.

  4. Go to Security > Authorized Addresses and add the AccelOps IP to Telnet/SSH. This step is optional, but because the account created above has read-write access it is worth restricting which addresses may use it.


HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SSH | | Configuration | Change management

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Juniper Networks JunOS Switch Configuration


What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, JunOS version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature | Availability and Performance Monitoring
Telnet/SSH | Running and startup configuration | Startup configuration change, delta between running and startup configuration | Performance Monitoring, Security and Compliance
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | | Topology and end-host location
Syslog | | System logs and traffic logs matching acl statements | Availability, Security and Compliance
sFlow | | Traffic flow | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “junos” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Configure > Services > SNMP.
  3. Under Communities, click Add.
  4. Enter a Community Name.
  5. Set Authorization to read-only.
  6. Click OK.

Syslog

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Dashboard > CLI Tools > CLI Editor.
  3. Edit the syslog section to send syslogs to AccelOps.
  4. Click Commit.

Sample JunOS Syslog Messages

sFlow

Routing the sFlow Datagram in EX Series Switches

According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) in an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table.

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Configure > CLI Tools > Point and Click CLI.
  3. Expand Protocols and select sflow.
  4. Next to Collector, click Add new entry.
  5. Enter the IP address for your AccelOps virtual appliance.
  6. For UDP Port, enter 6343.
  7. Click Commit.
  8. Next to Interfaces, click Add new entry.
  9. Enter the Interface Name for all interfaces that will send traffic over sFlow.
  10. Click Commit.
  11. To disable the management port, go to Configure > Management Access, and remove the address of the management port. You can also disconnect the cable.


MikroTik Router Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Nortel ERS and Passport Switch Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c) | | Hardware status: Temperature | Availability
SNMP (V1, V2c, V3) | | Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses | Identity and location table; Topology

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


FortiSIEM Configuring Security Gateways

Configuring Security Gateways

AccelOps supports these security gateways for discovery and monitoring.

Barracuda Networks Spam Firewall Configuration

Blue Coat Web Proxy Configuration

Cisco IronPort Mail Gateway Configuration

Cisco IronPort Web Gateway

McAfee Web Gateway Configuration

Microsoft ISA Server Configuration

Squid Web Proxy Configuration

Websense Web Filter Configuration

Fortinet FortiWeb

Fortinet FortiMail

Barracuda Networks Spam Firewall Configuration


What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization, Interface Utilization | Performance Monitoring
Syslog | | Various syslogs; scenarios include mail scanned and allowed/denied/quarantined; mail sent and rejected/delivered/deferred/expired; mail received and allowed/aborted/blocked/quarantined | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “barracuda” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Barracuda Spam Firewall Syslog Message

Blue Coat Web Proxy Configuration


What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring
SNMP | | Proxy performance: Proxy cache object count; Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps); Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) | Performance Monitoring
SFTP | | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance
Syslog | | Admin authentication success and failure | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “blue coat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following procedure enables AccelOps to discover the Blue Coat web proxy over SNMP.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > SNMP.
  3. Under SNMP General, select Enable SNMP.
  4. Under Community Strings, click Change Read Community, and then enter a community string that AccelOps can use to access your device.
  5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to AccelOps.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > Event Logging.
  3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and
  4. Under Syslog, enter the IP address of your AccelOps virtual appliance for Loghost.
  5. Select Enable syslog.
  6. Click

Sample Parsed Blue Coat Audit Syslog

SFTP

File transfer is used to send access logs to AccelOps. Access logs include the traffic that Blue Coat proxies between the client and the server. Although this section is titled SFTP, the settings that follow configure a plain FTP client (port 21, with Use Secure Connections (SSL) cleared), with Blue Coat as the FTP client and the AccelOps Supervisor as the FTP server; the log contents and the FTP credentials therefore cross the network in cleartext, so keep this path on a trusted management network. You need to configure FTP in AccelOps first, and then on your Blue Coat web proxy server.

Configure FTP in AccelOps

  1. Log in to your Supervisor node as root.
  2. Run the ./phCreateBluecoatDestDir command to create an FTP user account.

The files sent from Blue Coat are temporarily stored under this account. The script creates a user called ftpuser; if this user already exists, you do not need to create a new one. The script asks for the IP address of Blue Coat and the password for the user ftpuser, and then creates the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.

  3. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.

Change only the home directory as shown in this screenshot; do not change any other value.

Configure an Epilog client in AccelOps

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the AccelOps parser for processing.

  1. Log in to your Supervisor node as root.
  2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart Epilog.

Configure FTP in Blue Coat

  1. Log in to your Blue Coat management console.
  2. Go to Management Console > Configuration > Access Logging > General.
  3. Select Enable Access Logging.
  4. In the left-hand navigation, select Logs.
  5. Under Upload Client, configure these settings.

Setting | Value
Log | main
Client Type | FTP Client
Encryption Certificate | No Encryption
Keyring Signing | No Signing
Save the log file as | text file
Send partial buffer after | 1 seconds
Bandwidth Class | <none>

  6. Next to Client Type, click Settings.
  7. Configure these settings.

Setting | Value
Settings for | Primary FTP Server
Host | IP address of your AccelOps virtual appliance
Port | 21
Path | /<Blue Coat IP Address>
Username | bcFtpUser
Change Primary Password | Use the password you created for ftpuser in AccelOps
Filename | SG_AccelOps_bluecoat_main.log

  8. Clear the selections Use Secure Connections (SSL) and Use Local Time.
  9. Select Use Pasv.
  10. Click OK.
  11. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.

For im the file name is SG_AccelOps_bluecoat_im.log

For ssl the file name is SG_AccelOps_bluecoat_ssl.log

For p2p the file name is SG_AccelOps_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22
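The syslog line above is the Epilog wrapper (priority, timestamp, Supervisor host name, the BluecoatWebLog marker and a counter) followed by one record in Blue Coat's main access-log format. The following Python example is added here and is not part of AccelOps or the Blue Coat product; it maps the 25 fields of that record onto the attribute names listed in the table for this device and then runs one check a practitioner would want over the result: CONNECT tunnels to ports other than 443. The field order is the default main format as this example assumes it (check it against the format string on your appliance), the counter after BluecoatWebLog is assumed to be Epilog's sequence number, and the second sample line is constructed, not captured.

```python
import re

# Field order of the Blue Coat "main" access-log format as this example
# assumes it; verify against the access-log format string on your appliance.
MAIN_FIELDS = [
    "date", "time", "time_taken", "c_ip", "sc_status", "s_action", "sc_bytes",
    "cs_bytes", "cs_method", "cs_uri_scheme", "cs_host", "cs_uri_port",
    "cs_uri_path", "cs_uri_query", "cs_username", "cs_auth_group",
    "s_hierarchy", "s_supplier_name", "rs_content_type", "cs_referer",
    "cs_user_agent", "sc_filter_result", "cs_categories", "x_virus_id", "s_ip",
]

# A token is either a double-quoted string (user agent, categories) or a run
# of non-whitespace; splitting on whitespace alone would break the user agent.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(text):
    """Split a log line into tokens, stripping the quotes from quoted fields."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in TOKEN_RE.findall(text)]


def parse_bluecoat_syslog(line):
    """Parse one Epilog-forwarded Blue Coat access-log line into the attribute
    names used in the table above. Returns None when the line is not a
    BluecoatWebLog record or does not carry the expected field count."""
    tokens = tokenize(line)
    if "BluecoatWebLog" not in tokens:
        return None
    start = tokens.index("BluecoatWebLog") + 2  # skip the marker and the counter after it
    fields = tokens[start:]
    if len(fields) != len(MAIN_FIELDS):
        return None
    raw = dict(zip(MAIN_FIELDS, fields))
    url = "%s://%s:%s%s" % (raw["cs_uri_scheme"], raw["cs_host"],
                            raw["cs_uri_port"], raw["cs_uri_path"])
    if raw["cs_uri_query"] != "-":
        url += "?" + raw["cs_uri_query"]
    return {
        "source_ip": raw["c_ip"],
        "destination_ip": raw["s_supplier_name"],
        "destination_name": raw["cs_host"],
        "destination_port": int(raw["cs_uri_port"]),
        "url": url,
        "web_category": raw["cs_categories"],
        "proxy_action": raw["sc_filter_result"],
        "http_user_agent": raw["cs_user_agent"],
        "http_referrer": raw["cs_referer"],
        "http_method": raw["cs_method"],
        "http_status_code": int(raw["sc_status"]),
        # Sent/received are taken from the client's point of view:
        # cs-bytes flow client->server, sc-bytes flow server->client.
        "sent_bytes": int(raw["cs_bytes"]),
        "received_bytes": int(raw["sc_bytes"]),
        "connection_duration_ms": int(raw["time_taken"]),
    }


def tunnels_to_unusual_ports(records, allowed_ports=(443,)):
    """CONNECT tunnels to ports other than the expected TLS port: a cheap
    first-pass check for covert channels through a forward proxy."""
    return [r for r in records
            if r["http_method"] == "CONNECT" and r["destination_port"] not in allowed_ports]


# First line mirrors the sample above; the second is constructed so that the
# check has something to find (a CONNECT tunnel to port 22).
SAMPLE_LINES = [
    '<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22',
    '<2> Jun 25 11:16:02 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 1 2010-06-25 18:14:03 15 192.168.22.44 200 TCP_TUNNELED 300 210 CONNECT tcp 203.0.113.9 22 / - - - NONE 203.0.113.9 - - "curl/7.19.7" PROXIED "none" - 25.24.23.22',
]

if __name__ == "__main__":
    records = [r for r in map(parse_bluecoat_syslog, SAMPLE_LINES) if r]
    for rec in tunnels_to_unusual_ports(records):
        print("CONNECT to unusual port:", rec["source_ip"], "->", rec["url"])
```

Rejecting lines with the wrong field count, rather than zipping whatever is there, is deliberate: if the appliance's format string differs from the assumed one, every attribute would be silently shifted by a column, and a parser that refuses the line is easier to notice than one that files the user agent under the wrong name.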

Cisco IronPort Mail Gateway Configuration


What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for
SNMP | | Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status |
Syslog | | Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action (pass, block, clean) | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “ironport mail” in the Name and Description columns to see the reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Log in to your IronPort Mail Gateway device manager with administrator privileges.
  2. Edit the Log Subscription settings.
  3. For Log Name, enter IronPort-Mail.

This identifies the log to AccelOps as originating from an IronPort mail gateway device.

  4. For Retrieval Method, select Syslog Push.
  5. For Hostname, enter the IP address of your AccelOps virtual appliance.
  6. For Protocol, select UDP.

Sample Parsed Ironport Mail Gateway Syslog

Cisco IronPort Web Gateway


What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for
Syslog | | Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-web” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

  1. Log in to your IronPort gateway device manager with administrator privileges.
  2. Edit the settings for Log Subscription.

Setting | Value
Log Type | Access Logs
Log Name | IronPort-Web (this identifies the log to AccelOps as originating from an IronPort web gateway device)
Log Style | Squid
Custom Fields | %L %B %u
Enable Log Compression | Clear the selection
Retrieval Method | Syslog Push
Hostname | The IP address of your AccelOps virtual appliance
Protocol | UDP

Sample Parsed Ironport Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/P ackage/1210090007/bases/base1b1d.kdc.cab DIRECT/forefrontdl.microsoft.com application/octet-stream

ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NO

NE-DefaultGroup

<J_Doe,6.9,-,””-“”,-,-,-,-,””-“”,-,-,-,””-“”,-,-,””-“”,””-“”,-,-,IW_swup

,-,””-“”,””-“”,””Unknown””,””Unknown””,””-“”,””-“”,6156.35,0,-,””-“”,””-

“”> – “”09/Oct/2012:09:19:25 -0600″” 71052

“”V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};””

McAfee Web Gateway Configuration


What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for
Syslog | | Parsed event attributes include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Risk | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “mcafee_web” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed McAfee Web Gateway Syslog Message

[21/Feb/2012:11:44:19  -0500]  “”””””””””””    “”10.200.11.170 200

“”””GET http://abc.com/ HTTP/1.1″””” “”””General News”””” “”””Minimal Risk”””” “”””text/html”””” 101527 “””””””” “””””””” “”””0″”””””

[30/May/2012:10:39:44 -0400] “” 10.19.2.63 200

“GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126×3

1_spon2&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params

.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=717986062880 5012&tile=4893878838331&domId=135492 HTTP/1.1” “Web Ads, Forum/Bulletin

Boards” “MinimalRisk” “text/html” 1 “” “” “0”

Microsoft ISA Server Configuration


What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O | Performance Monitoring
Syslog (via SNARE) | Application type | W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action | Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for "isa server" in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn't selected, select it, and then click Next to install.

  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Microsoft ISA Server Syslog

<13>Mar  6 20:56:03 ISA.test.local ISAWebLog    0    192.168.69.9   anonymous    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12    Y    2011-03-05   21:33:55    w3proxy    ISA    –    212.58.246.82    212.58.246.82    80 156    636    634    http    TCP    GET   http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml   text/html; charset=iso-8859-1    Inet    301    0x41200100    Local Machine    Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%    Local Host    External    0x400    Allowed 2011-03-05 21:33:55    –

Settings for Access Credentials
Squid Web Proxy Configuration

What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring |
| Syslog | | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |

Event Types

In CMDB > Event Types, search for “squid” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled on the server where Squid is running, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Add this line to the logformat section in /etc/squid/squid.conf.

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps

  1. Modify /etc/syslog.conf (or /etc/rsyslog.conf if running rsyslog).
  2. Restart syslogd (or rsyslogd).

Sample Parsed Squid Syslog Messages

Squid on Linux with syslog locally to forward to AccelOps

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally to forward to AccelOps

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to AccelOps

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 -0700] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to AccelOps

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to AccelOps

<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT

Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to AccelOps

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
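The six variants above differ only in the syslog header that precedes squid[PID]: (nothing, a "Mon DD HH:MM:SS host" stamp, a relaying host, or the Solaris "[ID ...]" tag); the Squid fields after it are laid out identically. The Python below is an added example, not AccelOps or Squid code and not taken from the page: it parses all the variants into the attributes the table lists (Source IP, Destination Name, HTTP Status Code, Sent/Received Bytes and so on) and reports how many lines in a batch failed to match, which is the first thing to check when a collector shows fewer events than expected. The field names, the assumption that the two byte counts are the response size followed by the request size, and the truncated fifth sample line are mine.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed from the samples above, each joined onto one line; the last entry
# is a deliberately truncated line to exercise the non-match path.
SQUID_SAMPLES: List[str] = [
    '<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - '
    '[22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 '
    '200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) '
    'Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT',
    '<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 '
    '- - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 '
    '"http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; '
    '.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT',
    '<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 '
    '- - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 '
    '"http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 '
    'Firefox/2.0.0.14" TCP_MISS:DIRECT',
    '<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 '
    '- - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg" '
    'HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; '
    '.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT',
    '<166>squid[1]: 10.0.0.1 1234 truncated line',
]

# Everything before "squid[PID]:" is optional so that all header variants match.
SQUID_SYSLOG_RE = re.compile(
    r'''
    ^(?:<(?P<pri>\d+)>)?                                              # syslog priority
    (?:(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+)?    # e.g. Oct 20 09:21:54
    (?:(?P<relay>\S+)\s+)?                                            # relaying host, if any
    squid\[(?P<pid>\d+)\]:\s+
    (?:\[ID\s\d+\s\S+\]\s+)?                                          # Solaris syslog tag
    (?P<src_ip>\S+)\s(?P<src_port>\d+)\s
    (?P<dst_ip>\S+)\s(?P<proxy_ip>\S+)\s(?P<proxy_port>\d+)\s
    (?P<duration>\d+)\s
    (?:\S+\s){5}                                                      # five unused "-" fields
    \[(?P<when>[^\]]+)\]\s
    (?P<method>[A-Z_]+)\s"(?P<url>[^"]*)"\s(?P<version>HTTP/[\d.]+)\s
    (?P<status>\d{3})\s(?P<resp_bytes>\d+)\s(?P<req_bytes>\d+)\s      # byte order is an assumption
    "(?P<referer>[^"]*)"\s"(?P<user_agent>[^"]*)"\s
    (?P<result>[A-Z_]+):(?P<hierarchy>\S+)\s*$
    ''',
    re.VERBOSE,
)

INT_FIELDS = ("pri", "pid", "src_port", "proxy_port", "duration", "status", "resp_bytes", "req_bytes")


def parse_squid_syslog(line: str) -> Optional[Dict]:
    """Return the fields of one Squid syslog line, or None when the layout does not match."""
    m = SQUID_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key in INT_FIELDS:
        if event[key] is not None:
            event[key] = int(event[key])
    # "Destination Name" in the table above: the host part of the requested URL
    event["dst_name"] = urlsplit(event["url"]).hostname
    return event


def summarize(lines: List[str]) -> Dict:
    """Parse a batch and report the match rate plus per-status and per-result counts."""
    events = [e for e in (parse_squid_syslog(l) for l in lines) if e is not None]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "by_status": dict(Counter(e["status"] for e in events)),
        "by_result": dict(Counter(e["result"] for e in events)),
        "resp_bytes": sum(e["resp_bytes"] for e in events),
    }


if __name__ == "__main__":
    for e in map(parse_squid_syslog, SQUID_SAMPLES):
        print(e and (e["src_ip"], e["dst_name"], e["status"], e["result"]))
    print(summarize(SQUID_SAMPLES))
```

A non-zero unparsed count is the signal that a forwarder in the chain (syslog-ng, a relay) has altered the header or wrapped the line, which is exactly the failure the six samples were collected to document.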

Websense Web Filter Configuration
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | Parsed event attributes include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User Agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website Category, HTTP Disposition, Sent Bytes, Received Bytes, Duration, File Type, etc. | Security Monitoring and compliance |

Event Types

In CMDB > Event Types, search for “web sense_mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps integrates with Websense Web Filter via syslog sent in the SIEM integration format described in the Websense SIEM guide. See page 22 of that guide for instructions on how to install the Websense Multiplexer, which integrates with the Websense Policy Server and creates syslog for consumption by SIEM products such as AccelOps.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= - http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Fortinet FortiWeb

What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host Name, Vendor, Model, Version, Hardware Model, hardware | CPU, memory, Disk, Interface, Uptime | Performance monitoring |
| Syslog | | System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, Security exploits | Security Monitoring and compliance |

Event Types

In CMDB > Event Types, search for “fortiweb” to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortiweb” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In CMDB > Reports, search for “fortiweb” to see the reports associated with this device.

Configuration

Syslog

Configure the FortiWeb appliance to send logs to FortiSIEM. Make sure the format matches.

Sample FortiWeb Syslog

Fortinet FortiMail

What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments | Security Monitoring and compliance |

Event Types

In CMDB > Event Types, search for “fortimail” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortimail” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In Analytics > Reports, search for “fortimail” to see the reports associated with this device.

Configuration

Syslog

Configure the FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.

Sample Parsed FortiMail Syslog

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"
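Both the Websense Web Filter sample earlier and the FortiMail sample just above are space-separated key=value records: Websense leaves values unquoted and writes an empty http_content_type as "http_content_type= -", while FortiMail quotes values (some emp­ty, some containing spaces such as classifier="Recipient Verification") and, as printed on this page, can deliver two records fused on one line. The Python below is an added example, not AccelOps or vendor code: it parses both dialects with one regex, splits a fused FortiMail blob back into records on the date=...time= boundary, and maps each record onto a coarse event class (web-filter action, admin login outcome, mail disposition) of the kind a rule would key on. The sample strings are constructed from the page's two samples; the class names are mine.

```python
import re
from typing import Dict, List

# Constructed from the two samples on this page. The FortiMail blob keeps the
# fused 'subject=""mailer=' seen on the page to show the parser copes with it.
WEBSENSE_SAMPLE = (
    '<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 '
    'action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 '
    'dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 '
    'http_response=200 http_method=CONNECT http_content_type= - '
    'http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 '
    'http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com'
)

FORTIMAIL_BLOB = (
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin '
    'pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none '
    'msg="User admin login successfully from GUI(172.20.120.26)" '
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information '
    'session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" '
    'from="user@external.lab" to="user5@external.lab" subject=""mailer="mta" resolved="OK" direction="in" virus="" '
    'disposition="Reject" classifier="Recipient Verification" message_length="188"'
)

# A value is either double-quoted (spaces allowed, may be empty) or a bare run of
# non-space characters (may also be empty, as in 'http_content_type= -').
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w.]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# Every FortiMail record opens with date=YYYY-MM-DD time=...
RECORD_START_RE = re.compile(r"\s+(?=date=\d{4}-\d\d-\d\d\s+time=)")


def parse_kv(message: str) -> Dict[str, str]:
    """Collect key=value pairs; text that is not in that shape (the syslog header,
    the stray '-' after an empty value) is skipped rather than mis-assigned."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(message):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


def split_fortimail_records(blob: str) -> List[str]:
    """Split a blob holding several FortiMail records on the date=/time= boundary."""
    return RECORD_START_RE.split(blob.strip())


def classify(fields: Dict[str, str]) -> str:
    """Map a parsed record onto a coarse event class a rule could key on (names are mine)."""
    if fields.get("vendor") == "Websense":
        return "web-filter:" + fields.get("action", "unknown")
    if fields.get("type") == "event" and fields.get("subtype") == "admin":
        return f"admin-{fields.get('action', 'unknown')}:{fields.get('status', 'unknown')}"
    if fields.get("type") == "statistics":
        return "mail:" + fields.get("disposition", "unknown").lower()
    return "unknown"


if __name__ == "__main__":
    print(classify(parse_kv(WEBSENSE_SAMPLE)))
    for record in split_fortimail_records(FORTIMAIL_BLOB):
        print(classify(parse_kv(record)))
```

The regex is the whole parser: because `finditer` only advances over matches, the unquoted "-" that follows an empty Websense value and the syslog header in front of the first key are skipped instead of becoming bogus fields.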

FortiSIEM Configuring Servers

Configuring Servers

AccelOps supports these servers for discovery and monitoring.

HP UX Server Configuration

IBM AIX Server Configuration

IBM OS400 Server Configuration

Linux Server Configuration

Microsoft Windows Server Configuration

Sun Solaris Server Configuration

HP UX Server Configuration

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring |
| SSH | Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring |
| Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance |

Event Types

In CMDB > Event Types, search for “hp_ux” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “hp_ux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

  1. Make sure that snmp libraries are installed. AccelOps has been tested to work with the default HP UX package that comes with snmpd preinstalled.
  2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
  3. Make sure that snmpd is running.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
  2. Create a user account that can issue vmstat and iostat. AccelOps will use that user account to log in to the server.

Settings for Access Credentials

IBM AIX Server Configuration

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring |
| SSH | Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring |
| Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance |

Event Types

In CMDB > Event Types, search for “ibm_aix” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

  1. Make sure that snmp libraries are installed. AccelOps has been tested to work with the default AIX package that comes with snmpd preinstalled.
  2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
  3. Make sure that snmpd is running.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
  2. Create a user account that can issue vmstat and iostat. AccelOps will use that user account to log in to the server.

Syslog

  1. Make sure that /etc/syslog.conf contains a *.* entry and points to a log file.

*.* @<SENSORIPADDRESS>

  2. Refresh syslogd.

# refresh -s syslogd

Settings for Access Credentials

IBM OS400 Server Configuration

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance |

Event Types

In CMDB > Event Types, search for “os400” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps parses IBM OS 400 logs received via the PowerTech Agent as described here. The PowerTech agent sends syslog to AccelOps.

Sample Parsed IBM OS400 Syslog Messages

Mar 18 17:49:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder

Mar 18 17:48:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was allowed for user BRENDAN.|2| src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport

Mar 18 17:53:00 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src=10.0.1.180 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE
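The PowerTech messages above are CEF: a seven-field pipe-delimited header (version, vendor, product, device version, signature id, name, severity) followed by a key=value extension whose msg value holds the OS400 audit journal detail, including the server type (*FILESRV, *FTPCLIENT), the operation (CRTSTRMFIL, DLTSTRMFIL, DELETEFILE) and the object acted on. The Python below is an added example, not AccelOps or PowerTech code: it parses the syslog prefix and the CEF header (honouring the backslash escape CEF uses for a literal pipe in a header field), assigns extension values that contain spaces to the right key, and lifts user, operation and object path out of msg so a rule can act on, for instance, a delete of a payroll file. The sample lines are constructed from the page's three records; the token positions used to pick out user, server and operation are my reading of those samples.

```python
import re
from typing import Dict, List, Optional

# Constructed from the three PowerTech records above, each joined onto one line.
OS400_SAMPLES: List[str] = [
    'Mar 18 17:49:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| '
    'src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL '
    'OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder',
    'Mar 18 17:48:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was allowed for user BRENDAN.|2| '
    'src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL '
    'OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport',
    'Mar 18 17:53:00 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| '
    'src=10.0.1.180 dst=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL '
    'OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE',
]

SYSLOG_PREFIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+CEF:(?P<rest>.*)$"
)
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Extension keys are word= tokens at a whitespace boundary; a value runs up to the next key.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def _split_header(rest: str):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are CEF escapes."""
    fields, current, i = [], [], 0
    while i < len(rest) and len(fields) < len(HEADER_FIELDS):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):      # escaped character: keep it literally
            current.append(rest[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, rest[i:]                        # whatever follows the 7th pipe is the extension


def _parse_extension(ext: str) -> Dict[str, str]:
    matches = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_powertech_cef(line: str) -> Optional[dict]:
    """Return {timestamp, host, <header fields>, extension:{...}} or None if not a CEF line."""
    m = SYSLOG_PREFIX_RE.match(line.strip())
    if not m:
        return None
    header, extension = _split_header(m.group("rest"))
    if len(header) != len(HEADER_FIELDS):
        return None
    record = {"timestamp": m.group("timestamp"), "host": m.group("host")}
    record.update(zip(HEADER_FIELDS, header))
    record["extension"] = _parse_extension(extension)
    return record


def file_operation(record: dict) -> Optional[dict]:
    """Pull user, server type, operation and object path out of the PowerTech msg text.
    Positions are my reading of the samples: '<user> *SERVER <operation> ... <object>'."""
    tokens = record["extension"].get("msg", "").split()
    for i, tok in enumerate(tokens):
        if tok.startswith("*") and 0 < i < len(tokens) - 1:
            return {"user": tokens[i - 1], "server": tok, "operation": tokens[i + 1],
                    "object": tokens[-1], "severity": int(record["severity"])}
    return None


if __name__ == "__main__":
    for rec in map(parse_powertech_cef, OS400_SAMPLES):
        print(rec["signature_id"], file_operation(rec))
```

Splitting the header by hand rather than with `str.split("|")` is what keeps an escaped pipe inside the event name from shifting every later field, which would silently put the severity into the wrong column.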

Linux Server Configuration

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring |
| SSH | OS type, Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring |
| Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance |
| Syslog (via AccelOps LinuxFileMon agent) | | File or directory change: User, Type of change, directory or file name | Security Monitoring and Compliance |

Event Types

In CMDB > Event Types, search for “linux” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “linux” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “linux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

  1. Make sure that snmp libraries are installed. AccelOps has been tested to work with net-snmp libraries.
  2. Log in to your server with administrative access.
  3. Make these modifications to the /etc/snmp/snmpd.conf file:
    1. Define the community string for AccelOps usage and permit snmp access from the AccelOps IP.
    2. Allow AccelOps read-only access to the mib-2 tree.
    3. Allow AccelOps read-only access to the enterprise MIB: UCD-SNMP-MIB.
    4. Open up the entire tree for read-only view.
  4. Reduce the logging level to avoid per-connection logging, which may cause resource issues (see here for more details):
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu).
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like
    3. Change the range from 0-6 to 0-5.
  5. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  7. Make sure that snmpd is running.
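The snmpd.conf edits in step 3 come down to two properties a reviewer can check mechanically: the community is read-only, and it is reachable only from the AccelOps IP rather than from "default" (any source). Step 4 adds a third: the syslog level range passed to snmpd should stop at 5 so that every poll is not logged. The Python below is an added example, not AccelOps or net-snmp code: it audits an snmpd.conf text and an OPTIONS line against those three points, reporting rwcommunity/rwuser, well-known community strings, unrestricted sources, and a -LS range that still includes level 6. Both configuration samples are constructed (the weak one resembles a distribution default, the hardened one follows the steps above); the collector address 10.1.1.50 and the placeholder <community> are mine.

```python
import re
from typing import List

# Constructed snmpd.conf resembling a distribution default: a "default" source
# means any host may query, and public/private are well-known strings.
WEAK_SNMPD_CONF = """\
com2sec notConfigUser  default       public
group   notConfigGroup v1            notConfigUser
view    systemview     included      .1.3.6.1.2.1.1
access  notConfigGroup ""  any noauth exact systemview none none
rwcommunity private
"""

# Constructed hardened version following the steps above: one read-only
# community, reachable only from the collector address, entire tree readable.
HARDENED_SNMPD_CONF = """\
# <community> is a placeholder for the string configured in AccelOps
rocommunity <community> 10.1.1.50
view all included .1
"""

# Constructed OPTIONS line of the kind found in /etc/sysconfig/snmpd on RHEL 6
# (not copied from the page, which leaves that line out); -LS0-6d logs levels 0-6 to syslog.
RHEL6_OPTIONS_LINE = 'OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"'

WELL_KNOWN = {"public", "private"}
OPTIONS_RE = re.compile(r"-LS(\d)-(\d)")


def audit_snmpd_conf(conf: str, collectors: List[str]) -> List[str]:
    """One finding per weak directive; an empty list means nothing to report."""
    findings: List[str] = []

    def check_source(lineno: int, source: str) -> None:
        if source == "default":
            findings.append(f"line {lineno}: source 'default' lets any host query snmpd")
        elif source not in collectors:
            findings.append(f"line {lineno}: source {source} is not a configured collector")

    def check_name(lineno: int, name: str) -> None:
        if name in WELL_KNOWN:
            findings.append(f"line {lineno}: well-known community string '{name}'")

    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rwcommunity", "rwcommunity6", "rwuser"):
            findings.append(f"line {lineno}: {directive} grants write access; monitoring needs read-only")
        if directive in ("rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6") and args:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; no SOURCE means "default"
            check_name(lineno, args[0])
            check_source(lineno, args[1] if len(args) > 1 else "default")
        elif directive == "com2sec" and len(args) >= 3:
            # com2sec SECNAME SOURCE COMMUNITY
            check_source(lineno, args[1])
            check_name(lineno, args[2])
    return findings


def audit_snmpd_options(sysconfig: str) -> List[str]:
    """Flag a -LS range whose upper bound is still 6 (INFO), i.e. per-connection logging."""
    findings: List[str] = []
    for lineno, line in enumerate(sysconfig.splitlines(), 1):
        m = OPTIONS_RE.search(line)
        if m and int(m.group(2)) >= 6:
            findings.append(f"line {lineno}: -LS{m.group(1)}-{m.group(2)} logs up to level {m.group(2)}; use 0-5")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(WEAK_SNMPD_CONF, ["10.1.1.50"]):
        print("weak:", finding)
    print("hardened:", audit_snmpd_conf(HARDENED_SNMPD_CONF, ["10.1.1.50"]) or "no findings")
    print("options:", audit_snmpd_options(RHEL6_OPTIONS_LINE))
```

Run it against the live /etc/snmp/snmpd.conf after step 3 and the sysconfig file after step 4; a clean result on both is the condition the steps are trying to reach.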

SNMP v3

Configuring rwcommunity/rocommunity or com2sec

  1. Log in to your Linux server.
  2. Stop SNMP.
  3. Use vi to edit the /etc/snmp/snmpd.conf file.

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so the SNMP daemon has correct credentials.

  4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <> tags: rouser <snmpv3user>.
  5. Save the file.
  6. Use vi to edit the /var/lib/snmp/snmpd.conf file.

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly.

  7. At the end of the file, add this line, entering the username you entered in step 4, and then passwords for that user for MD5 and DES.

If you want to use SHA or AES, then add those credentials as well.

  8. Save the file.
  9. Reduce the logging level to avoid per-connection logging, which may cause resource issues (see here for more details):
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu).
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like
    3. Change the range from 0-6 to 0-5.
  10. Restart SNMP.
  11. View the contents of the /var/lib/snmp/snmpd.conf file.

If this works, snmpd restarts without errors and the entry you created under /var/lib/snmp/snmpd.conf has been removed (snmpd consumes it on startup and replaces it with a usmUser entry).

  12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword>.

If this works you will see the snmpwalk output; if there are any errors, refer to the net-snmp documentation for further instructions.

Configuring net-snmp-devel

If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3.

  1. Stop SNMP.
  2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>.
  3. Restart SNMP.
  4. Test with the snmpwalk command from the previous section.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
  2. Create a user account that can issue vmstat and iostat. AccelOps will use that user account to log in to the server.

Syslog

AccelOps uses the LinuxFileMon monitoring agent to detect user activity and create syslogs. When a change as defined in the configuration file is detected, the agent gets the user information from the Audit module and sends a syslog to AccelOps. You will need to install the agent on your Linux server to send syslogs to AccelOps.

  1. Log in to your server as root.
  2. Install the audit service.

This is needed for obtaining user information. For more information about Linux audit files, see this blog post.

  3. Copy the LinuxFileMon executable from the AccelOps /opt/phoenix/bin directory to any location on the server.

This is the agent that monitors the file changes.

  4. Edit the LinuxFileMon configuration file conf as shown here.

The file should be in the same directory as the executable.

  5. Start the LinuxFileMon agent.

Sample Parsed Linux Syslog Message

Settings for Access Credentials

Microsoft Windows Server Configuration

What is Discovered and Monitored

Metrics in bold are unique to Microsoft Windows Server monitoring.

Installed Software Monitored via SNMP

Although information about installed software is available via both SNMP and WMI, AccelOps uses SNMP to obtain installed software information to avoid an issue in Microsoft’s WMI implementation for the Win32_Product WMI class – see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.

Winexe execution and its effect

AccelOps uses the winexe command during discovery and monitoring of Windows servers for the following purposes:

  1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
  2. HyperV Performance Monitoring
  3. Windows Custom performance monitoring, to run a command (e.g. powershell) remotely on Windows systems

Note that running the winexe command remotely will automatically install winexesvc on the Windows server.


Protocol: SNMP
Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
Metrics collected: Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
Used for: Performance Monitoring

Protocol: SNMP
Information Discovered: Vendor-specific server hardware (hardware model, hardware serial number, fans, power supply, disk, RAID battery). Currently supported vendors include HP and Dell.
Metrics collected: Hardware module status (fan, power supply, thermal status, battery, disk, memory). Currently supported vendors include HP and Dell.

Protocol: WMI
Information Discovered:
  Win32_ComputerSystem: Host name, OS
  Win32_WindowsProductActivation: OS Serial Number
  Win32_OperatingSystem: Memory, Uptime
  Win32_BIOS: Bios
  Win32_Processor: CPU
  Win32_LogicalDisk: Disk info
  Win32_NetworkAdapterConfiguration: network interface
  Win32_Service: Services
  Win32_Process: Running processes
  Win32_QuickFixEngineering: Installed Patches
Metrics collected:
  Win32_OperatingSystem: Uptime
  Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization
  Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics
  Win32_LogicalDisk: Disk space utilization
  Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization
  Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics
  Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization
  Win32_Service: Running process uptime, start/stop status
  Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization
Used for: Performance Monitoring

Protocol: WMI
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: Snare agent
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: Correlog agent
Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
Used for: Security and Compliance

Protocol: AccelOps Agent
Metrics collected: Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and PowerShell output monitoring
Used for: Security and Compliance

Supported Operating Systems

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Event Types

In CMDB > Event Types, search for “windows server” in the Description column to see the event types associated with this application or device.

Rules

In Analytics > Rules, search for “windows server” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “windows server” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected. If it isn’t selected, select it, and then click Next to install.

  5. Go to Start > Administrative Tools > Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SNMP Service and click Next to install the service.

  5. In the Server Manager window, go to Services > SNMP Services.
  6. Select and open SNMP Service.
  7. Click the Security tab.
  8. Select Send authentication trap.
  9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  10. Select Accept SNMP packets from these hosts.
  11. Click Add.
  12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  13. Click Add.
  14. Click Apply.
  15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows Server Syslog

Configuring the Security Audit Logging Policy

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by AccelOps.

  1. Log in to the machine where you want to configure the policy as an administrator.
  2. Go to Programs > Administrative Tools > Local Security Policy.
  3. Expand Local Policies and select Audit Policy.

You will see the current security audit settings.

  4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

Policy: Audit account logon events and Audit logon events
Description: For auditing logon activity
Settings: Select Success and Failure

Policy: Audit object access events
Description: For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy.
Settings: Select Success and Failure

Policy: Audit system events
Description: Includes system up/down messages

Configuring the File Auditing Policy

When you enable the policy to audit object access events, you also need to specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

  1. Log in to the machine where you want to set the policy with administrator privileges. On a domain computer, a Domain administrator account is needed.
  2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
  3. In the Security tab, click Advanced.
  4. Select the Auditing tab, and then click Add.

This button is labeled Edit in Windows 2008.

  5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
  6. Click OK when you are done adding users.
  7. In the Permissions tab, set the permissions for each user you added.

The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.
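The same two procedures (the audit categories from the table above, then a narrow file-auditing entry on one folder) scripted from an elevated PowerShell session. This is an added example, not part of the FortiSIEM/AccelOps documentation; the folder path and account name are placeholders, and the Success/Failure setting for the System category is an assumption, since the table above gives none.

```powershell
# Added example (not FortiSIEM/AccelOps code): scripted equivalent of the
# Security Audit Logging Policy and File Auditing Policy procedures above.
# Run in an elevated PowerShell session on the server being monitored.

$AuditPath     = 'C:\Finance\Reports'   # placeholder: the folder to audit
$AuditIdentity = 'CORP\svc-reports'     # placeholder: the account whose access is audited

# --- Security audit logging policy -------------------------------------------
# auditpol category names map to the Local Security Policy entries as follows:
#   "Account Logon" = Audit account logon events
#   "Logon/Logoff"  = Audit logon events
#   "Object Access" = Audit object access events (without it the SACL below logs nothing)
#   "System"        = Audit system events (table gives no setting; Success/Failure assumed)
$auditCategories = @(
    @{ Name = 'Account Logon'; Success = 'enable'; Failure = 'enable' }
    @{ Name = 'Logon/Logoff';  Success = 'enable'; Failure = 'enable' }
    @{ Name = 'Object Access'; Success = 'enable'; Failure = 'enable' }
    @{ Name = 'System';        Success = 'enable'; Failure = 'enable' }
)
foreach ($cat in $auditCategories) {
    & auditpol.exe /set "/category:$($cat.Name)" "/success:$($cat.Success)" "/failure:$($cat.Failure)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for category '$($cat.Name)'" }
}

# Read the policy back so the result can be checked against the table above.
foreach ($cat in $auditCategories) {
    & auditpol.exe /get "/category:$($cat.Name)"
}

# --- File auditing policy (SACL) ---------------------------------------------
# Audit Success and Failure of write/delete attempts by $AuditIdentity on the
# folder and everything beneath it. Scope is deliberately one folder and one
# account, as the section above recommends, to keep Security log volume down.
$rights      = [System.Security.AccessControl.FileSystemRights] 'Write, Delete'
$inheritance = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

$auditRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $AuditIdentity, $rights, $inheritance, $propagation, $auditFlags

# -Audit is required to read and write the SACL; it needs the elevated session.
$acl = Get-Acl -Path $AuditPath -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $AuditPath -AclObject $acl

# Verify the entry was written. Matching access attempts now appear in the
# Security log as object access events (event ID 4663) that AccelOps can collect.
(Get-Acl -Path $AuditPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```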

Setting Access Credentials

Sun Solaris Server Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
Used for: Performance Monitoring

Protocol: SSH
Information Discovered: Hardware (cpu details, memory)
Metrics collected: Memory paging rate, Disk I/O utilization
Used for: Performance Monitoring

Protocol: Syslog
Information Discovered: Vendor, Model
Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
Used for: Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “solaris” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

  1. Check whether the netsnmp package is installed. Solaris has built-in SNMP packages. If netsnmp is not installed, use the pkgadd command to install it.
  2. Start snmpd with the default configuration.

SSH

  1. Make sure that the vmstat and iostat commands are available. If not, install these packages.
  2. Create a user account that can run vmstat and iostat. AccelOps will use that user account to log in to the server.

Settings for Access Credentials

FortiSIEM Configuring Storage
Configuring Storage

AccelOps supports these storage devices for discovery and monitoring.

Brocade SAN Switch Configuration

Dell Compellent Storage Configuration

Dell EqualLogic Storage Configuration

EMC Clarion Storage Configuration

EMC Isilon Storage Configuration

EMC VNX Storage Configuration

NetApp Filer Storage Configuration

Nimble Storage Configuration

Nutanix Storage Configuration

Brocade SAN Switch Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware Status: Fan, Power Supply, Temperature (AccelOps Event Type: PH_DEV_MON_HW_STATUS)
Used for: Availability Monitoring

Event Types

In CMDB > Event Types, search for “brocade” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell Compellent Storage Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Power, Temperature, Fan
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Volume Utilization
Used for: Performance Monitoring

Event Types

Ping Monitoring: PH_DEV_MON_PING_STAT

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Hardware Status: PH_DEV_MON_HW_STATUS

Disk Utilization: PH_DEV_MON_DISK_UTIL

Rules

Availability

Storage Hardware Warning

Storage Hardware Critical

Performance (Fixed threshold)

NFS Disk space Warning

NFS Disk Space Critical

Reports

Dell Compellent Hardware Status

Top Dell Compellent Devices By Disk Space Util

Top Dell Compellent Devices By Disk Space Util (Detailed)

Top Dell Compellent modules by fan speed

Top Dell Compellent modules by temperature

Top Dell Compellent modules by voltage

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell EqualLogic Storage Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
  Hardware component health: Component name (Disk, Power supply, Temperature, Fan, RAID health), Component status, Host spare ready disk count
  Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
  Connection metrics: Connection Count, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
  Disk performance metrics: Disk Name, Disk I/O Utilization, Disk I/O Queue, Read volume (KBps), Write volume (KBps)
  Group level performance metrics: Total storage, Used storage, Reserved storage, Reserved used storage, Total volumes, Used volumes, Online volumes, Total snapshot, Used snapshot, Online snapshot
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “equallogic” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “equallogic” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “equallogic” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

EMC Clarion Storage Configuration

What is Discovered and Monitored

Protocol: NaviSecCLI
Information Discovered:
  Host name, Operating system version, Hardware model, Serial number, Network interfaces*
  Installed Software, Storage Controller Ports
  Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk
  RAID Groups and the assigned disks
  LUNs and LUN -> RAID Group mappings
  Storage Groups and memberships (Host, Port, LUN)
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Port I/O: Port name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  RAID Group I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “clarion” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Installing the NaviSecCLI Library in AccelOps

Changing NaviSecCLI Credentials

If you change the NaviSecCLI credentials on your EMC Clarion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change, but until the new certificate is accepted, AccelOps discovery and performance monitoring will fail. You will need to run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clarion device for performance monitoring to resume.

Configuration of your EMC Clarion storage device involves installing EMC’s NaviSecCLI library in your AccelOps virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device.

  1. Log in to your AccelOps virtual appliance as root.
  2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the AccelOps directory.
  3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.
  4. Switch to the admin user (su - admin) and make sure that this user can run the command naviseccli -h <host> -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin.
  5. Make sure that the Navisphere Analyzer module is on.

If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of the module being turned off.

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp

Server IP Address:       192.168.1.100
Agent Rev:           7.32.26 (0.95)

SP Information
--------------

Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       192.168.1.100
Storage Processor Subnet Mask:      255.255.255.0
Storage Processor Gateway Address:  192.168.1.254
Storage Processor IPv6 Mode:        Not Supported

Management Port Settings:
Link Status:                        Link-Up
Current Speed:                      1000Mbps/full duplex
Requested Speed:                    Auto
Auto-Negotiate:                     YES
Capable Speeds:                     1000Mbps half/full duplex
                                    10Mbps half/full duplex
                                    100Mbps half/full duplex
                                    Auto

System Fault LED:              OFF
Statistics Logging:            OFF    <----- Note: performance statistics are not being collected,
                                             so AccelOps cannot pull stats and discovery will fail.
                                             See how to turn ON Statistics Logging below.

SP Read Cache State            Enabled
SP Write Cache State           Enabled
....

  6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command.
  7. Once this command runs successfully, you are ready to set the access credentials for your device in AccelOps and initiate the discovery process.

Settings for Access Credentials

EMC Isilon Storage Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
  Hardware component health: Component name (Disk, Power supply, Temperature, Fan), Component status (AO event type: PH_DEV_MON_HW_STATUS)
  Environmental: Temperature (AO event type: PH_DEV_MON_HW_TEMP), Voltage readings (AO event type: PH_DEV_MON_HW_VOLTAGE)
  Cluster membership change (AO event type: PH_DEV_MON_ISILON_CLUSTER_MEMBERSHIP_CHANGE)
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
  Node health and performance: Overall health, Overall CPU, User CPU, System CPU, Read Bytes/sec, Write Bytes/sec, Network Read Bytes/sec, Network Write Bytes/sec (AO event type: PH_DEV_MON_ISILON_NODE_HEALTH)
  Cluster health and performance: Cluster name, Cluster health, Online nodes, Offline nodes, Total Space, Used Space, Available Space, Overall CPU, System CPU, User CPU, Read Bytes/sec, Write Bytes/sec, Network Read Bytes/sec, Network Write Bytes/sec (AO event type: PH_DEV_MON_ISILON_CLUSTER_HEALTH)
  Cluster Snapshot: Snapshot name, alias, path, creation date, expiry date, size (AO event type: PH_DEV_MON_ISILON_CLUSTER_SNAPSHOT)
  Storage Quota metrics: Cluster name, Soft Threshold, Hard Threshold, Advisable threshold, Usage, Usage with Overhead, Inode usage, Grace period (AO event type: PH_DEV_MON_ISILON_NODE_CLUSTER_QUOTA)
  Disk performance metrics: Operations/sec, Read Bytes/sec, Write Bytes/sec (AO event type: PH_DEV_MON_ISILON_NODE_DISK_PERF)
  Protocol Performance: Protocol name, Latency (current, average, min, max), Operations/sec, Read Bytes (current, average, min, max, standard deviation), Write Bytes (current, average, min, max, standard deviation) (AO event type: PH_DEV_MON_ISILON_NODE_PROTO_PERF)
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “isilon” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “isilon” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “isilon” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

EMC VNX Storage Configuration

Configuring EMC VNX

Like EMC Clarion, AccelOps uses Navisec CLI to discover the device and to collect performance metrics. The only difference is that a slightly different command and XML formatted output is used.

Protocol: Navisec CLI
Information Discovered:
  Host name, Operating system version, Hardware model, Serial number, Network interfaces*
  Installed Software, Storage Controller Ports
  Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk
  Storage Pools, RAID Groups and the assigned disks
  LUNs and LUN -> Storage Pool and RAID Group mappings
  Storage Groups and memberships (Host, Port, LUN)
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Storage Pool I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Configuration

Installing the NaviSecCLI Library in AccelOps

Changing NaviSecCLI Credentials

If you change the NaviSecCLI credentials on your EMC Clarion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change, but until the new certificate is accepted, AccelOps discovery and performance monitoring will fail. You will need to run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clarion device for performance monitoring to resume.

Configuration of your EMC Clarion storage device involves installing EMC’s NaviSecCLI library in your AccelOps virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device.

  1. Log in to your AccelOps virtual appliance as root.
  2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the AccelOps directory.
  3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.
  4. Switch to the admin user with su - admin, and make sure that this user can run the command naviseccli -h <SP IP address> -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin.
  5. Make sure that the Navisphere Analyzer module is on.

If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of the module being turned off (Statistics Logging is OFF):

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp

Server IP Address:       192.168.1.100
Agent Rev:           7.32.26 (0.95)

SP Information
--------------
Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       192.168.1.100
Storage Processor Subnet Mask:      255.255.255.0
Storage Processor Gateway Address:  192.168.1.254
Storage Processor IPv6 Mode:        Not Supported
Management Port Settings:
Link Status:                        Link-Up
Current Speed:                      1000Mbps/full duplex
Requested Speed:                    Auto
Auto-Negotiate:                     YES
Capable Speeds:                     1000Mbps half/full duplex
                                    10Mbps half/full duplex
                                    100Mbps half/full duplex
                                    Auto
System Fault LED:              OFF
Statistics Logging:            OFF    <----- Note: performance statistics are not being collected, so AccelOps cannot pull stats and discovery will fail. See how to turn ON Statistics Logging below.
SP Read Cache State            Enabled
SP Write Cache State           Enabled
....

  6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command.
  7. Once this command runs successfully, you are ready to set the access credentials for your device in AccelOps and initiate the discovery process.
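As an added example that is not AccelOps or EMC code, the following Python check parses the getall -sp output shown above and reports whether Statistics Logging is ON before you start discovery; the embedded sample output is constructed from the listing above.

```python
"""Pre-discovery check for an EMC Clarion storage processor.

Parses the text that 'naviseccli ... getall -sp' prints and reports whether
Statistics Logging (the Navisphere Analyzer module) is ON. AccelOps discovery
and performance monitoring fail while it is OFF.
Added example; not AccelOps or EMC code.
"""
import re

# "Key:   Value" lines; the key is everything before the first colon.
FIELD_RE = re.compile(r"^(\S[^:]*?):\s*(.*)$")

# Constructed from the sample output on this page (Statistics Logging is OFF).
SAMPLE_OUTPUT = """\
Server IP Address:       192.168.1.100
Agent Rev:           7.32.26 (0.95)

SP Information
--------------
Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       192.168.1.100
Storage Processor Subnet Mask:      255.255.255.0
Storage Processor Gateway Address:  192.168.1.254
Storage Processor IPv6 Mode:        Not Supported
Management Port Settings:
Link Status:                        Link-Up
Current Speed:                      1000Mbps/full duplex
Requested Speed:                    Auto
Auto-Negotiate:                     YES
Capable Speeds:                     1000Mbps half/full duplex
                                    10Mbps half/full duplex
                                    100Mbps half/full duplex
                                    Auto
System Fault LED:              OFF
Statistics Logging:            OFF
SP Read Cache State            Enabled
SP Write Cache State           Enabled
"""


def parse_getall_sp(output: str) -> dict:
    """Map each 'Key:' line to its list of values.

    Indented lines without a key continue the previous key (Capable Speeds
    lists several values that way). Section titles, separator lines and
    lines without a colon (e.g. 'SP Read Cache State   Enabled') are skipped.
    """
    fields = {}
    last_key = None
    for raw in output.splitlines():
        text = raw.strip()
        if not text or set(text) == {"-"}:
            continue
        match = FIELD_RE.match(raw)
        if match:
            key, value = match.group(1).strip(), match.group(2).strip()
            fields[key] = [value] if value else []
            last_key = key
        elif raw.startswith(" ") and last_key is not None:
            fields[last_key].append(text)  # continuation of a multi-value key
    return fields


def analyzer_ready(output: str) -> bool:
    """True only when Statistics Logging is reported as ON."""
    state = parse_getall_sp(output).get("Statistics Logging", [])
    return bool(state) and state[0].upper() == "ON"


def preflight_problems(output: str) -> list:
    """Findings that would make AccelOps discovery of this SP fail."""
    fields = parse_getall_sp(output)
    problems = []
    if not analyzer_ready(output):
        problems.append("Statistics Logging is OFF: run 'setstats -on' on the SP, then rediscover")
    if (fields.get("Link Status") or [""])[0] != "Link-Up":
        problems.append("management port link is not up")
    return problems


if __name__ == "__main__":
    for line in preflight_problems(SAMPLE_OUTPUT) or ["SP ready for discovery"]:
        print(line)
```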
Settings for Access Credentials

NetApp Filer Storage Configuration

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks
Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Logical Disk Volume utilization
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
Hardware component health: Component name (Battery, Disk, Power supply, Temperature, Fan), Component status, Failed power supply count, Failed Fan Count
Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count, Reconstructing disk count, Scrubbing disk count, Add spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: NFS metrics: Cache age, CIFS request rate (IOPS), NFS request rate (IOPS), Disk read rate (IOPS), Disk write rate (IOPS), Network Sent rate (Kbps), Network received rate (Kbps), RPC Bad calls, NFS Bad calls, CIFS Bad calls
Used for: Performance Monitoring

Protocol: ONTAP API
Metrics collected:
Detailed NFS V3 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed NFS V4 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed CIFS metrics: Total Read/Write rate (IOPS), Latency
Detailed ISCSI metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed FCP metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed LUN metrics: LUN Name, Read request rate (IOPS), Write request rate (IOPS), Read/Write latency, Read volume (KBps), Write volume (KBps), Disk queue full
Detailed Aggregate metrics: Aggregate name, Read request rate (IOPS), Write request rate (IOPS), Transfer rate, CP Read rate
Detailed Volume metrics: Volume Name, Disk Read request rate (IOPS), Disk Write request rate (IOPS), Disk read latency, Disk write latency, NFS Read request rate (IOPS), NFS Write request rate (IOPS), NFS Read latency, NFS Write latency, CIFS Read request rate (IOPS), CIFS Write request rate (IOPS), CIFS Read latency, CIFS Write latency, SAN Read request rate (IOPS), SAN Write request rate (IOPS), SAN Read latency, SAN Write latency
Detailed Disk performance metrics: Disk Name, Disk Utilization, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Transfer operations rate
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “netapp” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “netapp” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “netapp” in the Name column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to your NetApp device with administrative privileges.
  2. Go to SNMP > Configure.
  3. For SNMP Enabled, select Yes.
  4. Under Communities, create a public community with Read-Only
  5. Click Apply.
Settings for Access Credentials

 

Nimble Storage Configuration

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Storage Disk Utilization: Disk name, Total Disk, Used Disk, Free Disk, Disk Utilization
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency, Write latency, Read volume (KBps), Sequential Read volume (KBps), Sequential Write volume (KBps), Used Volume (MB), Used Snapshot (MB), Non-Sequential Cache Hit Ratio (AccelOps Event Type: PH_DEV_MON_NIMBLE_GLOBAL_STAT)
Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “nimble” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Nutanix Storage Configuration

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Process count, CPU utilization, Real and virtual memory utilization, Disk utilization, Process CPU/Memory utilization, Network Interface metrics
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
Disk Status: Cluster, Controller VM, Disk id, Disk serial, Disk utilization, Total Disk, Used Disk, Free Disk
Disk Temp: Disk Id, Disk serial, Controller VM, Temperature
Cluster Status: Cluster, Cluster version, Storage utilization, Total storage, Used storage, IOPS, Latency
Service Status: Cluster, Controller VM, Cluster VM Status, Zeus Status, Stargate Status
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
Storage Pool Info: Cluster, Storage pool name, Storage utilization, Total storage, Used storage, IOPS, Latency
Container Info: Cluster, Container name, Storage utilization, Total storage, Used storage, IOPS, Latency
Used for: Performance Monitoring

 

Rules

Currently there are no system rules defined.

Reports

Nutanix Cluster Disk Usage

Nutanix Cluster Performance

Nutanix Cluster Service Status

Nutanix Cluster Storage Usage

Nutanix Container Performance

Nutanix Container Storage Usage

Nutanix Storage Pool Performance

Nutanix Storage Pool Usage

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

FortiSIEM Configuring Virtualization


Configuring Virtualization

AccelOps supports these virtualization servers for discovery and monitoring.

HyperV Configuration

VMware ESX Configuration

HyperV Configuration
What is Discovered and Monitored
Protocol: PowerShell over WMI
Metrics collected: CPU, Memory, Network and Storage metrics at both Guest and Host level
Used for: Performance Monitoring

Event Types

PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage

PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage

[PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=accelops-reporter-hyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632,[remotePages]=0

PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage

[PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[freeMemKB]=27519348,[pageFaultsPersec]=0

PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage

[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 – virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03

PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage

[PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv-4.3.1.1158,[vmName]=accelops-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79-fde20d335364–31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24,[recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61,[totalPktsPerSec]=20.86

PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage

Rules

HyperV Disk I/O Warning

HyperV Disk I/O Critical

HyperV Guest Critical

HyperV Guest Hypervisor Run Time Percent Warning

HyperV Logical Processor Total Run Time Percent Critical

HyperV Logical Processor Total Run Time Percent Warning

HyperV Page fault Critical

HyperV Page fault Warning

HyperV Remaining Guest Memory Warning

Reports

Look in Analytics > Reports > Device > Server > HyperV

HyperV Configuration and Health

Top HyperV Guests By Virtual Processor Run Time Pct

Top HyperV Guests by Large Page Size Usage

Top HyperV Guests by Remote Physical Page Usage

Top HyperV Root Partitions By Virtual Processor Run Time Pct

Top HyperV Root Partitions by Large Page Size Usage

Top HyperV Servers By Logical Processor Run Time Pct

Top HyperV Servers by Disk Activity

Top HyperV Servers by Disk Latency

Top HyperV Servers by Large Page Size Usage

Top HyperV Servers by Memory Remaining for Guests

Top HyperV Servers by Remote Physical Page Usage

Configuration

AccelOps needs WMI credentials to get the HyperV performance metrics. Configure this following the guidelines described in Microsoft Windows Server Configuration.

Settings for Access Credentials

Configure WMI on AccelOps

 

VMware ESX Configuration

What is Discovered and Monitored
Protocol: VMware SDK
Information discovered: ESX Server and the guest hosts running on that server. ESX host clusters. Hardware (CPU, Memory, Disk, Network Interface) for all guests, OS vendor and version for all guests. Virtual switch for connecting guest hosts to network interfaces.
Metrics collected: Both ESX level and guest host level performance metrics. Guest host level metrics include CPU/memory/disk utilization, CPU Run/Ready/Limited percent, memory swap in/out rate, free memory state, disk read/write rate/latency, network interface utilization, errors, bytes in/out. ESX level metrics include physical CPU utilization, ESX kernel disk read/write latency, etc.
Used for: Performance Monitoring

Protocol: VMware SDK
Metrics collected: ESX logs, covering scenarios such as ESX level login success/failure, configuration change, guest host movement, account creation and modification
Used for: Availability, Change and Security Monitoring

Configuration

AccelOps discovers and monitors VMware ESX servers and guests over the VMware SDK. Make sure that VMware Tools is installed on all the guests in your ESX deployment so that AccelOps can obtain their IP addresses.

Settings for Access Credentials

Configuring VPN Gateways

AccelOps supports these VPN gateways for discovery and monitoring.

Cisco VPN 3000 Gateway Configuration

Juniper Networks SSL VPN Gateway Configuration

Microsoft PPTP VPN Gateway Configuration

PulseSecure Configuration

Cisco VPN 3000 Gateway Configuration

What is Discovered and Monitored
Protocols: SNMP, Syslog

Event Types

In CMDB > Event Types, search for “cisco_vpn” in the Name and Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to your device with administrative credentials.
  2. Go to Configuration > System > Management Protocols > SNMP Communities.
  3. Click Add.
  4. For Community String, enter public.

Syslog

  1. Go to Configuration > System > Events > Syslog Servers.
  2. Click Add.
  3. Enter the IP address of your AccelOps virtual appliance for Syslog Server.
  4. Add a syslog server with AccelOps IP address

Sample Parsed Cisco VPN 3000 Syslog Messages

Settings for Access Credentials

 

FortiSIEM Juniper Networks SSL VPN Gateway Configuration

Juniper Networks SSL VPN Gateway Configuration

What is Discovered and Monitored
Protocols: SNMP, Syslog

Event Types

In CMDB > Event Types, search for “junos_dynamic_vpn” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log into your device with administrative credentials.
  2. Go to System > Log/Monitoring > SNMP.
  3. Under Agent Properties, enter public for Community.

Syslog

VPN Access Syslogs

  1. Go to System > Log/Monitoring > User Access > Settings.
  2. Under Select Events to Log, select Login/logout, User Settings, and Network Connect.
  3. Under Syslog Servers, enter the IP address of your AccelOps virtual appliance, and set the Facility to LOCAL0.
  4. Click Save Changes.

Admin Access Syslogs

  1. Go to System > Log/Monitoring > Admin Access > Settings.
  2. Under Select Events to Log, select Administrator changes, License Changes, and Administrator logins.
  3. Under Syslog Servers, enter the IP address of your AccelOps virtual appliance, and set the Facility to LOCAL0.
  4. Click Save Changes.

Sample Parsed Juniper Networks SSL VPN Syslog Messages

Settings for Access Credentials

FortiSIEM Microsoft PPTP VPN Gateway Configuration

Microsoft PPTP VPN Gateway Configuration
Configuring Microsoft PPTP

Windows 2003 Server

  1. Log on with administrative rights.
  2. Configure PPTP VPN.
  3. Go to Start | All Programs | Administrative Tools | Configure Your Server Wizard, select the Remote Access/VPN Server role, and click Next, which runs the Routing and Remote Access Wizard.
  4. Configure Server Logging: enable authentication and accounting logging from the Settings tab on the properties of the Local File object in the Remote Access Logging folder in the Routing and Remote Access snap-in. The authentication and accounting information is stored in one or more configurable log files in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.
  5. Configure the Snare agent to send the logs to AccelOps.

Sample syslog messages

<13>Apr  1 09:28:03 dev-v-win03-vc MSPPTPLog 0

192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03-VC,44,29,4,192.168.24.11,6,2,7,1,5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108,192.168.24.11,4147,311,4148,MSRASV5.20,4155,1,4154,Use Windows authentication for all users,4129,DEV-V-WIN03-VC\administrator,4130,DEV-V-WIN03-VC\administrator,4127,4,25,311 1 192.168.24.11 04/01/2009 16:12:12 3,4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0
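As an added example (not AccelOps or Microsoft code), the following Python code parses the Snare-forwarded IAS-format record above into its six header fields and its attribute id/value pairs; the only attribute ids it names (4136 Packet-Type, 4142 Reason-Code, 4129 SAM-Account-Name) are standard IAS log attributes, and every other id is kept as a raw number. The embedded sample is constructed from the record above.

```python
"""Parser for the IAS-format records that a Windows 2003 RRAS/PPTP server
writes and that the Snare agent forwards to AccelOps as syslog.
Added example; not AccelOps or Microsoft code.

An IAS-format record is comma separated: six fixed header fields, then pairs of
<attribute id>,<value>. Only ids 4136 (Packet-Type), 4142 (Reason-Code) and
4129 (SAM-Account-Name) are resolved here; all other ids stay raw.
"""
import re

HEADER_FIELDS = ("nas_ip_address", "user_name", "record_date", "record_time",
                 "service_name", "computer_name")
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request"}

# Snare syslog envelope: <PRI>Mon dd hh:mm:ss host MSPPTPLog <n> <record>
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MSPPTPLog \d+\s+(?P<record>.+)$",
    re.S,
)

# Constructed from the sample on this page (extraction line breaks removed).
SAMPLE = (
    "<13>Apr  1 09:28:03 dev-v-win03-vc MSPPTPLog 0 "
    "192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03-VC,44,29,4,192.168.24.11,"
    "6,2,7,1,5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108,192.168.24.11,4147,311,"
    "4148,MSRASV5.20,4155,1,4154,Use Windows authentication for all users,"
    "4129,DEV-V-WIN03-VC\\administrator,4130,DEV-V-WIN03-VC\\administrator,4127,4,"
    "25,311 1 192.168.24.11 04/01/2009 16:12:12 3,"
    "4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0"
)


def parse_ias_record(record: str) -> dict:
    """Split one IAS-format record into header fields plus {id: [values]}."""
    fields = record.strip().split(",")
    body = fields[len(HEADER_FIELDS):]
    if len(fields) < len(HEADER_FIELDS) or len(body) % 2:
        raise ValueError("malformed IAS record: odd number of attribute fields")
    rec = dict(zip(HEADER_FIELDS, fields))
    attrs = {}
    for attr_id, value in zip(body[::2], body[1::2]):
        attrs.setdefault(int(attr_id), []).append(value)  # an id may repeat
    rec["attributes"] = attrs
    return rec


def parse_syslog_line(line: str) -> dict:
    """Strip the Snare envelope, parse the record and resolve the known ids."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snare MSPPTPLog syslog line")
    rec = parse_ias_record(m.group("record"))
    rec["syslog_host"] = m.group("host")
    attrs = rec["attributes"]
    packet = int(attrs[4136][0]) if 4136 in attrs else None
    rec["packet_type"] = PACKET_TYPES.get(packet, packet)
    rec["reason_code"] = int(attrs[4142][0]) if 4142 in attrs else None
    rec["sam_account"] = attrs.get(4129, [None])[0]
    # Reason-Code 0 is success; an Access-Reject or a non-zero reason code is a
    # failed VPN logon that a monitoring rule would want to count.
    rec["auth_failed"] = rec["packet_type"] == "Access-Reject" or bool(rec["reason_code"])
    return rec


if __name__ == "__main__":
    parsed = parse_syslog_line(SAMPLE)
    print(parsed["packet_type"], parsed["sam_account"], parsed["reason_code"])
```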

PulseSecure Configuration

What is Discovered and Monitored
Protocol: Syslog
Metrics collected: Security and Performance alerts
Used for: Security and performance monitoring

Event Types

In CMDB > Event Types, search for “PulseSecure” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

Sample PulseSecure Syslog Messages

Settings for Access Credentials

FortiSIEM Configuring Vulnerability Scanners


Configuring Vulnerability Scanners

AccelOps supports these vulnerability scanners for discovery and monitoring.

McAfee Foundstone Vulnerability Scanner Configuration

Nessus Vulnerability Scanner Configuration

Qualys Vulnerability Scanner Configuration

Rapid7 NeXpose Vulnerability Scanner Configuration

McAfee Foundstone Vulnerability Scanner Configuration
What is Discovered and Monitored
Protocol: JDBC (SQL Server)
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id, Vulnerability Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “foundstone” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

JDBC

AccelOps connects to the faultline database in the McAfee vulnerability scanner to collect metrics. This is a SQL Server database, so you will need database credentials that AccelOps can use over JDBC before you set up access credentials in AccelOps and initiate discovery.

Settings for Access Credentials

 

 

Nessus Vulnerability Scanner Configuration
What is Discovered and Monitored
Protocol: Nessus API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “nessus” in the Description and Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “nessus” in the Description column to see the reports associated with this device.

Configuration

Nessus API

Create a user name and password that AccelOps can use as access credentials for the API. Make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials
Qualys Vulnerability Scanner Configuration
What is Discovered and Monitored
Protocol: Qualys API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “qualys” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “qualys” in the Description column to see the reports associated with this device.

Configuration

Qualys API

Create a user name and password that AccelOps can use as access credentials for the API.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials
Rapid7 NeXpose Vulnerability Scanner Configuration
What is Discovered and Monitored
Protocol: Rapid7 Nexpose API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In CMDB > Event Types, search for “rapid7” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Rapid7 NeXpose API

  1. Log into the device manager for your vulnerability scanner with administrative credentials.
  2. Go to Administration > General > User Configuration, and create a user that AccelOps can use to access the device.
  3. Go to Reports > General > Report Configuration.
  4. Create a report with the Report format set to Simple XML.

AccelOps can only pull reports in this format.

Settings for Access Credentials

FortiSIEM Configuring WAN Accelerators


Configuring WAN Accelerators

AccelOps supports these wide area network accelerators for discovery and monitoring.

Cisco Wide Area Application Server Configuration

Riverbed SteelHead WAN Accelerator Configuration

Cisco Wide Area Application Server Configuration

 

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Host name, Software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process CPU/memory utilization
Used for: Availability and Performance Monitoring

Event Types

PH_DEV_MON_SYS_PROC_COUNT

[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=11710,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procCount]=429,[pollIntv]=176,[phLogDetail]=

PH_DEV_MON_NET_INTF_UTIL

[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,[lineNumber]=323,[intfName]=GigabitEthernet 1/0,[intfAlias]=,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000,[inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000,[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=100000000,[intfOutSpeed64]=100000000,[intfAdminStatus]=,[intfOperStatus]=,[daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]=

PH_DEV_MON_PROC_RESOURCE_UTIL

[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=4320,[swProcName]=syslogd,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procOwner]=,[memUtil]=0.038191,[cpuUtil]=0.000000,[appName]=Syslog Server,[appGroupName]=Unix Syslog Server,[pollIntv]=116,[swParam]=-s -f /etc/syslog.conf-diamond,[phLogDetail]=
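As an added example that is not AccelOps code, the following Python parser handles the bracketed [EVENT_TYPE]:[attr]=value event format used in these Cisco WAAS samples and in the HyperV samples earlier on this page; the embedded sample events are constructed from those listings with the extraction whitespace removed.

```python
"""Parser for the bracketed key=value format of AccelOps PH_DEV_MON_* events.
Added example; not AccelOps code.

Format:  [EVENT_TYPE]:[attr]=value,[attr]=value,...
A value may be empty ([intfAlias]=), may contain spaces, and may contain
bracketed text that is not a key (the vSwitch name "... [ndis vbd client] ...").
A comma only ends a value when the next "[attr]=" key follows it, so a value
that itself contains ",[name]=" cannot be distinguished from a new attribute.
"""
import re

HEADER_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]:(.*)$", re.S)
# A key is a bracketed identifier (no spaces) immediately followed by '='.
KEY_RE = re.compile(r"\[([A-Za-z0-9_]+)\]=")
# Several events can arrive on one line; split in front of each "[TYPE]:" header.
SPLIT_RE = re.compile(r"\s*(?=\[[A-Z0-9_]+\]:)")

# Constructed from the HyperV and Cisco WAAS samples on this page.
SAMPLE_EVENTS = (
    "[PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[freeMemKB]=27519348,[pageFaultsPersec]=0 "
    "[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,"
    "[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,"
    "[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03\n"
    "[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,"
    "[lineNumber]=4320,[swProcName]=syslogd,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,"
    "[procOwner]=,[memUtil]=0.038191,[cpuUtil]=0.000000,[appName]=Syslog Server,"
    "[appGroupName]=Unix Syslog Server,[pollIntv]=116,[swParam]=-s -f /etc/syslog.conf-diamond,"
    "[phLogDetail]="
)


def _coerce(text: str):
    """Integers and decimals become numbers; IPs, names and '' stay strings."""
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if re.fullmatch(r"-?\d+\.\d+", text):
        return float(text)
    return text


def parse_event(text: str):
    """Return (event_type, {attr: value}) for one event string."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an AccelOps event: {text[:40]!r}")
    event_type, body = m.group(1), m.group(2)
    keys = list(KEY_RE.finditer(body))
    attrs = {}
    for i, key in enumerate(keys):
        # The value runs from the end of this key to the start of the next one.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        raw = body[key.end():end]
        if raw.endswith(","):
            raw = raw[:-1]
        attrs[key.group(1)] = _coerce(raw.strip())
    return event_type, attrs


def parse_events(text: str):
    """Parse a line or block that may hold several concatenated events."""
    return [parse_event(chunk) for chunk in SPLIT_RE.split(text) if chunk.strip()]


if __name__ == "__main__":
    for event_type, attrs in parse_events(SAMPLE_EVENTS):
        print(event_type, attrs.get("hostName"), len(attrs), "attributes")
```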

Rules

Regular monitoring rules

Reports

Regular monitoring reports

Configuration

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

 

Riverbed SteelHead WAN Accelerator Configuration

 

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Host name, Software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process CPU/memory utilization
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware status
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
Bandwidth metrics: Inbound Optimized Bytes (LAN side, WAN side), Outbound optimized bytes (LAN side and WAN side)
Connection metrics: Optimized connections, Passthrough connections, Half-open optimized connections, Half-closed Optimized connections, Established optimized connections, Active optimized connections
Top Usage metrics: Top source (Source IP, Total Bytes), Top destination (Destination IP, Total Bytes), Top Application (TCP/UDP port, Total Bytes), Top Talker (Source IP, Source Port, Destination IP, Destination Port, Total Bytes)
Peer status: For every peer: State, Connection failures, Request timeouts, Max latency
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Metrics collected: All traps: software errors, hardware errors, admin login, performance issues (CPU, memory, peer latency). Around 115 traps are defined in CMDB > Event Types; the mapped event types start with “Riverbed-”.
Used for: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “steelhead” in the Description and Device Type columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “steelhead” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Settings for Access Credentials

FortiSIEM Configuring Wireless LANs


Configuring Wireless LANs

AccelOps supports these wireless local area network devices for discovery and monitoring.

Aruba Networks Wireless LAN Configuration

Cisco Wireless LAN Configuration

Motorola WiNG WLAN AP Configuration

Ruckus Wireless LAN Configuration

Aruba Networks Wireless LAN Configuration

What is Discovered and Monitored

AccelOps uses SNMP and NMAP to discover the device and to collect logs and performance metrics. AccelOps communicates to the WLAN Controller only and discovers all information from the Controller. AccelOps does not communicate to the WLAN Access points directly.

Protocol: SNMP
Information discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected: Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Information discovered: Controller device type
Metrics collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “aruba” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “aruba” in the Name column to see the reports associated with this device.

Configuration

SNMP V1/V2c

  1. Log in to your Aruba wireless controller with administrative privileges.
  2. Go to Configuration > Management > SNMP.
  3. For Read Community String, enter public.
  4. Select Enable Trap Generation.
  5. Next to Read Community String, click Add.
  6. Under Trap Receivers, click Add and enter the IP address of your AccelOps virtual appliance.

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages

Settings for Access Credentials
Cisco Wireless LAN Configuration

 

What is Discovered and Monitored
Protocol: SNMP
Information discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected: Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Information discovered: Controller device type
Metrics collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “cisco wireless” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP V1/V2c and SNMP Traps

  1. Log in to your Cisco wireless LAN controller with administrative privileges.
  2. Go to MANAGEMENT > SNMP > General.
  3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable.
  4. Go to SNMP > Communities.
  5. Click New and create a public community string with Read-Only
  6. Click Apply.
  7. Go to SNMP > Trap Controls.
  8. Select the event traps you want to send to AccelOps.
  9. Click Apply.
  10. Go to SNMP > Trap Receivers.
  11. Click New and enter the IP address of your AccelOps virtual appliance as a trap receiver.
  12. Click Apply.

Sample SNMP Traps

2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (86919800) 10 days, 1:26:38.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14179.2.6.3.2
SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0
SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0
SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1
SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15

2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2"
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70
SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54
SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse"
SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"

2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community AccelOps . Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.615.0.1
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8 77
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D 7D AC 50
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP03-3.rdu2"
SNMPv2-SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000
SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31
SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = INTEGER: -60
SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90
SNMPv2-SMI::enterprises.9.9.615.1.2.7.0 = STRING: "0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
SNMPv2-SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING: "6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0"
SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: "-83,-85"
SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: "1,1"
SNMPv2-SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1
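Each trap above is the text an snmptrapd-style receiver prints: a header naming the sender and, for v2c, the community string, followed by one varbind per line. The Python below is an added example, not code from the FortiSIEM/AccelOps documentation or product. It parses a trap of that shape into a record with the source address, community, trap OID, decoded varbinds (six-octet Hex-STRINGs rendered as MAC addresses) and the vendor that owns the trap OID's enterprise branch. It assumes the one-varbind-per-line layout shown above, and its vendor table covers only the two private-enterprise numbers that occur in the samples (14179 Airespace, 9 Cisco). The embedded sample is the page's second trap. Note that the samples show the community string in clear text: SNMP v1/v2c has no authentication or encryption, so treat that string as a shared secret and accept traps only from the management network.

```python
import re

# Constructed sample: the page's second Cisco WLC trap, re-joined so that the
# header and each varbind sit on their own line (assumption: snmptrapd's text
# layout). Raw string, because the page's value "IE\brouse" contains a backslash.
SAMPLE_TRAP = r"""
2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2"
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70
SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54
SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse"
SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"
"""

VARBIND_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z-]+):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
COMMUNITY_RE = re.compile(r"\bcommunity (?P<community>\S+)")
TRAP_OID = "SNMPv2-MIB::snmpTrapOID.0"

# Private-enterprise numbers that occur in the page's samples (IANA registry);
# extend as needed.
ENTERPRISES = {"14179": "Airespace (Cisco WLC)", "9": "Cisco"}


def decode_value(vtype, raw):
    """Turn the printed varbind value into a native Python value."""
    if vtype == "INTEGER":
        return int(raw)
    if vtype == "Hex-STRING":
        octets = raw.split()
        # Six octets is a MAC address in every WLC sample on the page; render it
        # colon-separated, the form the third sample uses in its STRING values.
        if len(octets) == 6:
            return ":".join(o.lower() for o in octets)
        return bytes(int(o, 16) for o in octets)
    if vtype == "STRING":
        return raw.strip('"')
    if vtype == "Timeticks":
        m = re.match(r"\((\d+)\)", raw)
        return int(m.group(1)) if m else raw
    return raw  # OID, IpAddress and anything else stay as printed


def enterprise_of(oid):
    """Name the vendor that owns the enterprises.N branch of an OID."""
    m = re.search(r"enterprises\.(\d+)", oid)
    if not m:
        return "standard"
    return ENTERPRISES.get(m.group(1), "unknown PEN %s" % m.group(1))


def parse_trap(text):
    """Parse one trap into source, community, trap OID, vendor, varbinds and MACs."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header, body = lines[0], lines[1:]
    src = SOURCE_RE.search(header)
    com = COMMUNITY_RE.search(header)
    record = {
        "source": src.group("ip") if src else None,
        "community": com.group("community") if com else None,  # clear text on the wire
        "varbinds": {},
        "macs": [],
    }
    for line in body:
        m = VARBIND_RE.match(line)
        if not m:
            continue  # tolerate a stray line rather than drop the whole trap
        value = decode_value(m["type"], m["value"])
        record["varbinds"][m["oid"]] = value
        if m["type"] == "Hex-STRING" and isinstance(value, str):
            record["macs"].append(value)
    record["trap_oid"] = record["varbinds"].get(TRAP_OID)
    record["vendor"] = enterprise_of(record["trap_oid"]) if record["trap_oid"] else None
    return record


if __name__ == "__main__":
    rec = parse_trap(SAMPLE_TRAP)
    print(rec["source"], rec["vendor"], rec["trap_oid"], rec["macs"])
```

The parser keeps unknown OIDs rather than dropping them, so a trap from a MIB you have not mapped still yields the MACs and the sending controller for correlation.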

Settings for Access Credentials

Motorola WiNG WLAN AP Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: none
Metrics collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for: Availability, Security and Compliance

Event Types

Over 127 event types are defined. In CMDB > Event Types, search for "Motorola-WiNG" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the devices to send syslog to AccelOps, and make sure that the firmware version produces the log format that the Motorola-WiNG parser expects.

Ruckus Wireless LAN Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected: Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats
Used for: Availability and Performance Monitoring

Event Types

PH_DEV_MON_RUCKUS_CONTROLLER_STAT

[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,[hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0,[knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000,[wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704,[lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT

[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3,[hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,[knownRogueAP]=0,[connMode]=layer3,[firstJoinTime]=140467251729776,[lastBootTime]=140467251729776,[lastUpgradeTime]=140467251729776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,[phLogDetail]=

PH_DEV_MON_RUCKUS_SSID_PERF

[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=807,[hostName]=c1cs-guestpoint-zd01,[hostIpAddr]=172.17.0.250,[wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs.,[wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=598,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,[authSuccess]=0,[authFailure]=0,[assocSuccess]=0,[assocFailure]=0,[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0,[phLogDetail]=
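The three events above share one encoding: an event type in brackets, a colon, then [key]=value pairs separated by commas, where a value may itself contain commas (the SSID description does) and the trailing [phLogDetail] may be empty. The Python below is an added example, not FortiSIEM code. It parses that encoding with a lookahead so comma-bearing values survive, coerces numeric fields, and then applies three checks a WLAN security monitor would want from these counters: any rogue AP count on the controller, an open and unencrypted SSID that is not flagged as guest, and authentication failures outnumbering successes. The three page events are embedded as constructed samples together with two variants edited to trigger findings. The failure threshold of 10 is an assumption, and since the product ships no predefined rules for Ruckus, these checks are the example's own, not FortiSIEM's.

```python
import re

# Constructed samples: the three Ruckus events shown above, re-joined onto
# one line each exactly as the page prints them (including the empty
# trailing [phLogDetail] and the page's repeated lanSentBitsPerSec key).
CONTROLLER_STAT = (
    "[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,"
    "[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,"
    "[hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0,"
    "[knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,"
    "[wlanSentBitsPerSec]=0.000000,[wlanRecvBitsPerSec]=0.000000,"
    "[lanSentBytes]=166848,[lanRecvBytes]=154704,[lanSentBitsPerSec]=7584.000000,"
    "[lanSentBitsPerSec]=7032.000000,[phLogDetail]="
)
ACCESS_POINT_STAT = (
    "[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO,"
    "[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3,"
    "[hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,"
    "[knownRogueAP]=0,[connMode]=layer3,[firstJoinTime]=140467251729776,"
    "[lastBootTime]=140467251729776,[lastUpgradeTime]=140467251729776,"
    "[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,"
    "[recvBitsPerSec]=0.000000,[phLogDetail]="
)
SSID_PERF = (
    "[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,"
    "[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=807,[hostName]=c1cs-guestpoint-zd01,"
    "[hostIpAddr]=172.17.0.250,[wlanSsid]=GuestPoint,"
    "[description]=Welcome SSID for not yet authorized APs.,[wlanName]=Welcome SSID,"
    "[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=598,"
    "[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,"
    "[authSuccess]=0,[authFailure]=0,[assocSuccess]=0,[assocFailure]=0,"
    "[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0,"
    "[phLogDetail]="
)
# Constructed variants (not from the page) that should raise a finding.
ROGUE_SEEN = CONTROLLER_STAT.replace("[newRogueAP]=0", "[newRogueAP]=2")
OPEN_CORP_SSID = SSID_PERF.replace("[isGuest]=1", "[isGuest]=0")

HEADER_RE = re.compile(r"^\[(?P<event>[A-Z0-9_]+)\]:(?P<rest>.*)$")
# Lazy value match; the lookahead lets values contain commas, as the
# SSID description above does.
FIELD_RE = re.compile(r"\[(?P<key>\w+)\]=(?P<value>.*?)(?=,\[\w+\]=|$)")


def coerce(value):
    """Try int, then float, else keep the text (empty values stay empty)."""
    for cast in (int, float):
        try:
            return cast(value)
        except ValueError:
            pass
    return value


def parse_event(line):
    """Parse one [EVENT_TYPE]:[key]=value,... line into a dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a PH_DEV_MON event: %r" % line[:60])
    fields = {f["key"]: coerce(f["value"]) for f in FIELD_RE.finditer(m["rest"])}
    fields["eventType"] = m["event"]
    return fields


def security_findings(event, auth_failure_floor=10):
    """Findings worth alerting on; the failure floor is an assumed threshold."""
    findings = []
    kind = event["eventType"]
    if kind == "PH_DEV_MON_RUCKUS_CONTROLLER_STAT":
        new, known = event.get("newRogueAP", 0), event.get("knownRogueAP", 0)
        if new or known:
            findings.append("rogue AP on %s: new=%s known=%s" % (event["hostName"], new, known))
    elif kind == "PH_DEV_MON_RUCKUS_SSID_PERF":
        open_net = event.get("authenMethod") == "open" and event.get("encryptAlgo") == "none"
        if open_net and event.get("isGuest") != 1:
            findings.append("open, unencrypted non-guest SSID %s on %s"
                            % (event.get("wlanSsid"), event["hostName"]))
        failures, successes = event.get("authFailure", 0), event.get("authSuccess", 0)
        if failures >= auth_failure_floor and failures > successes:
            findings.append("auth failures outnumber successes on SSID %s (%s vs %s)"
                            % (event.get("wlanSsid"), failures, successes))
    return findings


if __name__ == "__main__":
    for line in (CONTROLLER_STAT, ACCESS_POINT_STAT, SSID_PERF, ROGUE_SEEN, OPEN_CORP_SSID):
        ev = parse_event(line)
        print(ev["eventType"], ev["hostName"], security_findings(ev))
```

Because the controller event repeats the lanSentBitsPerSec key, the dict keeps the last value; if you need both, collect into lists instead of overwriting.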

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the controller so that AccelOps can connect to it via SNMP.

 

FortiSIEM Using Virtual IPs to Access Devices in Clustered Environments


Using Virtual IPs to Access Devices in Clustered Environments

AccelOps communicates to devices and applications using multiple protocols. In many instances, access credentials for discovery protocols such as SNMP and WMI will need to be associated to the real IP address (assigned to a network interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC) will need the Virtual IP (VIP) assigned to the cluster. Since AccelOps uses a single access IP to communicate to a device, you need to create an address translation for the Virtual IPs.

  1. Log in to your AccelOps virtual appliance as root.
  2. Add a NAT mapping in iptables so that traffic sent to the IP address used in your access credentials is translated to the virtual IP.

As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case, the update command would be:

FortiSIEM Configuring Syslog over TLS


Configuring Syslog over TLS

To receive syslog over TLS, a port needs to be enabled and certificates need to be defined.

The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes.

 

Note: the syslog-over-TLS client must be configured to match these settings (port and certificates) in order to communicate with FortiSIEM.

FortiSIEM Discovering Infrastructure


Discovering Infrastructure

FortiSIEM can automatically discover the devices, applications, and users in your IT infrastructure and begin monitoring them. You initiate device discovery by providing the credentials that are needed to access the infrastructure component, and from there FortiSIEM is able to discover information about your component such as the host name, operating system, hardware information such as CPU and memory, software information such as running processes and services, and configuration information. Once discovered, FortiSIEM will also begin monitoring your component on an ongoing basis.

Though FortiSIEM is able to automatically manage device discovery, the pulling of event information such as logs and IPS events from your device, and establishing what aspects of your device functionality it can monitor, you can also manually configure the way FortiSIEM interacts with your infrastructure by creating custom event pulling methods and monitoring profiles for your devices.

 


FortiSIEM Discovery Settings

Discovery Settings

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Configure the settings as required for your deployment.

See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.

Virtual IPs

Often a common virtual IP address will exist on multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons:

  • Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices will maintain its separate identity in the CMDB.
  • The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable.

Click the Edit icon to enter a Virtual IP address, and then click + to add more.

Excluded Shared Device IPs

An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of the IP addresses for these servers allows FortiSIEM to exclude these servers from user identity and location calculations in the Analytics > Identity and Location report.

For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location report will contain two entries for user U: one for the workstation that U logs into, and one for server M. You can eliminate this behavior by adding server M to the Excluded Shared Device IPs list.

Allow Incident Firing On

With this setting you can control incident firing based on approved device status. If you select Approved Devices Only, then FortiSIEM uses this logic to determine whether an incident is triggered:

  • If the incident reporting device is not approved, the incident does not trigger.
  • If the incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger.

If you select Approved Devices Only, then when the discovery process completes, you will need to approve devices, as described in Approving Newly Discovered Devices, before incidents are triggered.

CMDB Device Filter

This setting allows you to limit the set of devices that the system automatically discovers from logs and netflows. After receiving a log from a device, the system automatically discovers that device and adds it to the CMDB. For example, when Netflow analysis detects a TCP/UDP service running on a server, the server, along with its open ports, is added to the CMDB. Sometimes you may not want to add all of these devices to the CMDB, so you can create filters to exclude a specific set of devices from being added.

Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to the CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.20.0/24 network from the CMDB, you would add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.

The Except field allows you to specify exceptions within the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.192/26 subnet (172.16.20.192-172.16.20.255), you would add a filter with 172.16.20.0-172.16.20.255 in the Excluded IP Range field and 172.16.20.192-172.16.20.255 in the Except field.

Click Add to add a new CMDB Device Filter, then click Apply.

Application Filtering

This setting allows you to limit the set of applications/processes that the system automatically learns from discovery. You may be more interested in discovering and monitoring the server processes/daemons that run on a server rather than its client processes. To exclude client processes from being discovered and listed in the CMDB, enter these applications here. An application/process will not be added to the CMDB if it matches one of the entries defined in this table.

Click Add, then enter the Process Name and any Parameters for that process that you want to filter.

 

FortiSIEM Setting Device Location Information

Setting Device Location Information

In the Admin > General Settings > Discovery screen, you can set device locations based on IP range and organization. You can do this manually for each organization or IP range, or upload a CSV file that contains location information. This information can then be applied to devices already in the CMDB, or during the discovery process, to set their location.

Manually Creating Location Information

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Under Location, click Add.
  4. For Multi-Tenant deployments, enter the Organization you want to associate with the IP range and devices.
  5. Enter the IP/IP Range you want to associate with the location.

This can be in either CIDR notation, such as 192.168.64.0/24, or range notation, such as 192.168.64.0-192.168.64.255.

  6. Enter the Display Name you want to use for this location.

For example, San Jose Office, Northern California Campus, etc.

  7. Enter any additional location information that is relevant for your location.
  8. Click OK.
  9. In the Location Definition dialog, select Update Manual Devices if you want to update devices that have had their locations set manually in the CMDB.
  10. Click OK.

The location information will appear in the Location pane.

  11. Select a location in the Location pane, and then click Apply to associate all devices in the CMDB with that IP/IP range to that organization and location.

A dialog will indicate how many devices have been updated.

  12. Click OK.
  13. Go to CMDB > Devices and check that your device locations have been updated.

Uploading Location Information from a CSV File

Prerequisite

Before you can upload it, you must first create a CSV file with one row per location and these four columns:

  1. Comma-separated IP address, Range, or Subnet (quote the field when it lists more than one)
  2. Location Display Name
  3. Update Manual Devices (False/True)
  4. Geographic Information ("region:;country:;state:;city:;building:;floor:;latitude:;longitude:;")

Example

"10.1.1.1/24,20.1.1.1-20.1.1.10",San Jose Datacenter USA,true,
"30.1.1.10",Fremont Datacenter USA,true,"region:North America;country:United States;state:California;city:Fremont;building:10;floor:4;latitude:3

Procedure

  1. Log into your Supervisor node.
  2. Go to Admin > General Settings > Discovery.
  3. Under Location, click Import.
  4. Browse to your CSV file and select it.
  5. Click Upload.

 

FortiSIEM Discovery for Multi-Tenant Deployments

Discovery for Multi-Tenant Deployments

In multi-tenant deployments with organizations, the discovery process differs depending on whether or not you are using Collectors. This is because of the way in which IP addresses are used to establish the relationship between devices and organizations.

If you are using Collectors, IP address overlap between organizations is allowed

If you are not using Collectors, then each organization must have a unique IP address

These two requirements determine which administrative account you will use for discovery.

For organizations with collectors, you must initiate discovery using the administrative account associated with the organization. Every device discovered by a collector is automatically assigned to the organization that the collector belongs to.

For organizations without collectors, you must initiate discovery using the Super/Global administrative account. Devices for all organizations are discovered at the same time, and are assigned to organizations based on the IP address assignments you set up for the organization.


If a device matches only one organization’s IP address assignment, then it is assigned to that organization

If a device matches multiple organization definitions, then it is assigned to the Super/Global organization. These would typically be devices that are part of the Super/Global organization’s network backbone.
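Two passages above describe rules that are easy to get wrong when reasoned about by hand: the Discovery Settings (a Virtual IP is never used as an access IP, and a CMDB Device Filter excludes a range except for an optional sub-range) and the organization assignment used for discovery without Collectors (exactly one matching organization wins; several matches go to Super/Global). The Python below is an added example, not FortiSIEM code. It implements both evaluations over the two IP notations the page accepts, CIDR and first-last ranges, and replays the page's own 172.16.20.0/24 filter example. The organization names and the backbone range are constructed; the page does not say what happens when no organization matches, so that case returns None here as an assumption.

```python
import ipaddress


def parse_ip_spec(spec):
    """Accept the two notations the page allows, CIDR ("192.168.64.0/24") or
    range ("192.168.64.0-192.168.64.255"), and return (first, last) as ints."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError("range end precedes start: %s" % spec)
        return int(lo), int(hi)
    # strict=False tolerates host bits, as in the page's "10.1.1.1/24".
    net = ipaddress.ip_network(spec, strict=False)
    return int(net[0]), int(net[-1])


def in_spec(ip, spec):
    """True if ip falls inside the CIDR or range given by spec."""
    lo, hi = parse_ip_spec(spec)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


class DiscoverySettings:
    """Virtual IPs and CMDB Device Filters, evaluated as the page describes."""

    def __init__(self, virtual_ips=(), cmdb_filters=()):
        self.virtual_ips = {ipaddress.ip_address(v) for v in virtual_ips}
        # Each filter is (excluded_range, except_range or None).
        self.cmdb_filters = list(cmdb_filters)

    def is_virtual_ip(self, ip):
        return ipaddress.ip_address(ip) in self.virtual_ips

    def access_ip_candidates(self, ips):
        """Interface addresses usable as the access IP: a VIP is never used."""
        return [ip for ip in ips if not self.is_virtual_ip(ip)]

    def admitted_to_cmdb(self, ip):
        """False if some filter's Excluded IP Range covers ip and its Except
        range (if any) does not."""
        for excluded, exc in self.cmdb_filters:
            if in_spec(ip, excluded) and not (exc and in_spec(ip, exc)):
                return False
        return True


def assign_organization(ip, org_ip_specs):
    """Multi-tenant assignment without Collectors: one matching organization
    wins, several matches go to Super/Global. No match returns None, which is
    an assumption; the page does not cover that case."""
    matches = [org for org, specs in org_ip_specs.items()
               if any(in_spec(ip, s) for s in specs)]
    if len(matches) == 1:
        return matches[0]
    return "Super/Global" if matches else None


if __name__ == "__main__":
    settings = DiscoverySettings(
        virtual_ips=["192.168.1.1"],  # the cluster VIP from the page's Oracle example
        cmdb_filters=[("172.16.20.0-172.16.20.255", "172.16.20.192-172.16.20.255")],
    )
    print(settings.access_ip_candidates(["10.1.1.1", "192.168.1.1"]))
    print(settings.admitted_to_cmdb("172.16.20.10"), settings.admitted_to_cmdb("172.16.20.200"))
    # Constructed organizations; "Backbone" overlaps OrgA, so 10.1.5.x goes to Super/Global.
    orgs = {"OrgA": ["10.1.0.0/16"], "OrgB": ["10.2.0.0/16"], "Backbone": ["10.1.5.0/24"]}
    print(assign_organization("10.1.5.7", orgs), assign_organization("10.2.3.4", orgs))
```

Running the page's filter example through admitted_to_cmdb also confirms why the Except range is 172.16.20.192-172.16.20.255: that range is exactly the 172.16.20.192/26 subnet, as parse_ip_spec shows when given both notations.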

Related Links

How Devices are Added to Organizations

Managing Organizations for Multi-Tenant Deployments

 

FortiSIEM Setting up CyberArk

Setting up CyberArk

This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.

Installing CyberArk Provider in FortiSIEM
  1. Log in to FortiSIEM as root.
  2. Run the rpm command to begin the installation:

The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears: “Installation process completed successfully.”

Configuring CyberArk Provider in FortiSIEM
  1. Log in as root.
  2. Open the Vault.ini file and specify the parameters of the Vault that will be accessed by the Provider
  3. Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment during installation.
  4. Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully
  5. Start the CyberArk Application Password Provider service manually as a privileged user
  6. Run ldconfig
Configuring CyberArk for communication with FortiSIEM
  1. Log in to the CyberArk Password Vault Web Access (PVWA) interface as a user allowed to manage applications (this requires the Manage Users authorization).
  2. Add FortiSIEM as an Application:
    1. Go to Applications and click Add Application.
    2. Set Name to FortiSIEM.
    3. In the Description, specify a short description of the application that will help you identify it (e.g. FortiSIEM SIEM).
    4. In the Business owner section, specify contact information about the application's Business owner.
    5. In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
    6. Click Add; the application is added and is displayed in the Application Details page.
  3. Check Allow extended authentication restrictions. This enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
  4. Specify the application's (FortiSIEM) Authentication. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
    1. In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
    2. Specify the OS user as "admin" and confirm the entry.
    3. Specify the application path as "/opt/phoenix/bin". Make sure the Path is folder and Allow internal scripts to request credentials… check boxes are checked.
    4. Do not specify a hash.
    5. In the Allowed Machines tab, click Add and specify the IP/host name of the FortiSIEM Supervisor, Workers and Collectors. Keep this list to the FortiSIEM nodes only; the machine, OS user and path checks are what stop other processes from retrieving FortiSIEM's credentials.
  5. Authorize FortiSIEM to retrieve accounts:
    1. Go to Policies > Access Control (Safes).
    2. For every Safe, click Members.
    3. Click Add Safe Member.
    4. Search for FortiSIEM. An entry will already exist. Select that entry.
    5. Check Retrieve accounts.
    6. Click Add.

Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.

 

 

FortiSIEM Setting Access Credentials for Device Discovery

Setting Access Credentials for Device Discovery

Before you can discover devices, you need to provide the access protocol and credentials associated with the IP address or range where your devices are located. FortiSIEM will then use this information to access your devices, pull information from them, and begin monitoring them.

Access Protocols Required for Discovery

SNMP, VM SDK (for VMware vCenter), or WMI (for Windows devices) must be one of the access protocols for which you provide credentials in order for the devices associated with an IP address or range to be discovered. If your device does not use one of these protocols, then you must configure it to communicate with FortiSIEM as described in the topics under Configuring External Systems for Discovery, Monitoring and Log Collection. As described in those topics, you may also need to set up additional configurations within your devices to send logs and other information to FortiSIEM.

Associate Credentials Only with the IP Address Where They Will be Used

Credentials should only be associated with IP addresses where they can be used. Assigning multiple credentials to IP addresses where they are not used will trigger discovery operations for each credential, and the system will wait for a timeout to occur for each credential before it moves to the next one. This will cause the discovery process to require much more processing time and processing power from the FortiSIEM system. You can, however, associate the same credential (for example, a generic SNMP access credential) to multiple IP addresses where it will be used to communicate with a device over that protocol.

 

Before starting the discovery process, credentials need to be defined and then associated to specific IP addresses.

 

Define Credentials
  1. Log in to your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. Select a Device Type to associate with the credential.
  6. Select the Access Protocol for which you want to enter credentials.

Note that the Device Type selection determines which Access Protocols are available. Change the default destination ports only if needed.

  7. Choose the Password Configuration method:
    1. Manual means that you define the credentials in FortiSIEM.
    2. CyberArk means that FortiSIEM fetches the credentials from CyberArk.
  8. If you chose Manual, enter the credentials required for the Access Protocol.
  9. If you chose CyberArk, set the CyberArk parameters:
    1. AppID must be set to FortiSIEM.
    2. Safe, Folder, Object: the CyberArk Vault Safe, Folder and Object where the credential is defined.
    3. User Name: the user name of the credential.
    4. Platform (Policy ID): the platform-related property for the credential. Specify this only if the property is also set in CyberArk. The match is case sensitive.
    5. Database: a property for database credentials. Specify this only if the property is also set in CyberArk. The match is case sensitive.
    6. Include Address for Query: if checked, FortiSIEM queries the CyberArk credential by IP or host name. Check this if the CyberArk credential objects are specified by IP.
  10. Click Save. The credentials you created will be added to the list.
Specify Device to Credential Mapping
  1. Under Enter IP Range to Credential Associations, click Add.
  2. Select the credential you just created from the list.

Note that you can add multiple credentials to the same IP/host information in this step by clicking +.

  3. Enter an IP address, IP range, or Host Name to associate with the credential.
Test Connectivity

You need to perform a Test Connectivity to make sure that the credentials are correct.

  1. Select the IP/credential association you just created, and click Test Connectivity. A ping will be performed first to make sure that the host is alive. If ping is disabled in your network, then choose Test Connectivity without ping.

A dialog will show you the results of your connectivity tests. Note that the connectivity tests can take several minutes, so you may want to use the Run in Background option.

 
