Channel: Fortinet GURU

FortiSIEM Creating Tickets In FortiSIEM In-built Ticketing System

Creating Tickets In FortiSIEM In-built Ticketing System

AccelOps includes a feature that will let you create and assign tickets for IT infrastructure tasks, and create tickets directly from incidents. You can see all tickets that have been created by going to Incidents > Tickets, and then use the filter controls to view tickets by assignee, organization, priority, and other attributes. You can also configure AccelOps and your Remedy system so that Remedy will take tickets created by incident notification actions.

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

Ticket Related Operations

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

This topic describes how to configure Remedy to accept tickets as notification actions from AccelOps.

Prerequisites

Procedure

Incident Attributes for Defining Remedy Forms

Prerequisites

Make sure you have configured the Remedy server settings in AccelOps.

Procedure

  1. In Remedy, create a new form, AccelOps_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
  2. When you have defined the fields in the form, right-click on the field and select the Data Type that corresponds to the incident attribute.
  3. After setting the form field data type, click in the form field again to set the Label for the field.
  4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
  5. For Base Form, enter AccelOps_Incident_Interface.
  6. Click the WSDL
  7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/AccelOps_Incident_Interface.
  8. Click the Permissions tab and select
  9. Click

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.

Incident Attributes for Defining Remedy Forms

| Incident Attribute | Data Type | Description |
| --- | --- | --- |
| biz_service | text | Name of the business services affected by this incident |
| cleared_events | text | |
| cleared_reason | text | The reason for clearing the incident if it was cleared |
| cleared_time | bigint | The time at which the incident was cleared |
| cleared_user | character varying(255) | The user who cleared the incident |
| comments | text | Comments |
| cust_org_id | bigint | The organization id to which the incident belongs |
| first_seen_time | bigint | Time when the incident occurred for the first time |
| last_seen_time | bigint | Time when the incident occurred for the last time |
| incident_count | integer | Number of times the incident triggered between the first and last seen times |
| incident_detail | text | Incident Detail attributes that are not included in incident_src and incident_target |
| incident_et | text | Incident Event type |
| incident_id | bigint | Incident Id |
| incident_src | text | Incident Source |
| incident_status | integer | Incident Status |
| incident_target | text | Incident Target |
| notif_recipients | text | Incident Notification recipients |
| notification_action_status | text | |
| orig_device_ip | text | |
| ph_incident_category | character varying(255) | AccelOps defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other |
| rule_id | bigint | Rule id |
| severity | integer | Incident Severity 0 (lowest) – 10 (highest) |
| severity_cat | character varying(255) | LOW (0-4), MEDIUM (5-8), HIGH (9-10) |
| ticket_id | character varying(2048) | Id of the ticket created in AccelOps |
| ticket_status | integer | Status of ticket created in AccelOps |
| ticket_user | character varying(1024) | Name of the user to whom the ticket is assigned in AccelOps |
| view_status | integer | |
| view_users | text | |


FortiSIEM Ticket Related Operations


Ticket Related Operations

Creating a ticket without an Incident

  1. Go to Incidents > Tickets.
  2. Click New.
  3. Enter a Summary and Description for the ticket. Both of these fields are required.
  4. For Assigned To, select a user from the menu.
  5. Set any Due Date for the ticket.
  6. Select a Priority for the ticket.
  7. Click Save.

Creating a ticket from an Incident

  1. In the Incident Dashboard, select the incident you want to create a ticket for.
  2. Click Ticket.

The Incident ID, Summary and Description for the ticket will be populated from the incident information.

  3. Select the person you want to assign the ticket to.
  4. Enter a Due Date for the ticket.
  5. Set a Priority for the ticket.
  6. Click Save.

Closing a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For State drop down, select Closed
  5. Click

Changing the assignee in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Assigned drop down, select the new Assignee
  5. Click

Changing the due date in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Due Date edit box, select the date and then the time.
  5. Click Save.

Adding notes to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Add to Description
  5. Click Save

Adding attachments to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Click PDF or PNG under Attach file
  5. Include the file and Click Upload.
  6. Click Save

Exporting a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Export

Viewing Ticket History

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. See Action History on bottom right pane

Searching tickets

This can be done in two ways:

  • Type in key words in the Search box
  • Use the Attribute Value Search –

FortiSIEM Creating Tickets in External Ticketing System


Creating Tickets in External Ticketing System

See External Helpdesk System Integration.

Using Incidents in Searches and Rules

Creating an Historical Search from an Incident

Creating a Real Time Search from an Incident

Editing Rules from Incidents

Creating an Historical Search from an Incident

When you are viewing an incident, you may want to know about other events related to the source or target of the incident. This topic describes how to create an historical search from an incident.

  1. In the Incident Dashboard, select the incident you want to use.
  2. Select the Incident Source or Incident Target you want to use, and then select Show Related Historical Events.

The Historical Search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

  3. Click Run.
  4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Refining the Results from Historical Search.

Creating a Real Time Search from an Incident

When you are viewing an incident, you may want to know about other events related to the source or target of the incident. This topic describes how to create a real time search from an incident.

  1. In the Incident Dashboard, select the incident you want to use.
  2. Select the Incident Source or Incident Target you want to use, and then select Show Related Real Time Events.

The real time search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

  3. Click Run.
  4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Viewing and Refining Real Time Search Results.

Editing Rules from Incidents

If you need to edit the rule associated with an incident, you can do so directly from the Incident Dashboard.

  1. In the Incident Dashboard, select an incident based on the rule you want to edit.
  2. Click in any column of the selected incident to open the Options menu, and then select Edit Rule.
  3. Edit the rule as necessary, and then click Save.

New Videos Incoming


Wanted everyone to know that I am still alive and well. Been moving and getting situated at the new location and just haven’t stayed disciplined enough over the past two months or so when it comes to making video content.

Anyways, more videos should be incoming and if you have any suggestions please don’t hesitate to let me know.

I am also half tempted to start doing podcasts. Never done one but I am sure I could figure something out there.

FortiSIEM Incidents – HTML5 version

Incidents – HTML5 version

The Incident tab allows users to view and manage incidents.

Incident Attributes

This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or remove columns from the dashboard by clicking the Columns icon.

| Column Name | Description |
| --- | --- |
| Severity | The severity of the incident, High, Medium, or Low |
| Last Occurred | The last time that the incident was triggered |
| First Occurred | The first time that the incident was triggered |
| Incident | The name of the rule that triggered the incident |
| Incident ID | The unique ID assigned to the incident |
| Source | The source IP or host name that triggered the incident |
| Target | The IP or host name where the incident occurred |
| Detail | Event attributes that triggered the incident |
| Status | The status of the incident, Active, Cleared, Cleared Manually, System Cleared |
| Cleared Reason | For manually cleared incidents, this displays the reason the incident was cleared |
| Cleared Time | The time an incident was cleared |
| Cleared User | The person who cleared the incident |
| Comments | Any comments that users have entered for the incident |
| Ticket Status | Status of any tickets associated with the incident |
| Ticket ID | The ID number of any tickets generated by the incident |
| Ticket User | The person assigned to any tickets generated by the event |
| External User | If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to |
| External Cleared Time | If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared |
| External Resolved Time | If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved |
| External Ticket ID | The ID of the incident in an external ticket-handling system |
| External Ticket State | The state of the incident ticket in an external ticket-handling system |
| External Ticket Type | The type assigned to the incident ticket in an external ticket-handling system |
| Organization | The organization reporting the event |
| Impacts | Organizations impacted by the event |
| Business Service | Business services impacted by the incident |
| Incident Notification Status | Status of any notifications that were sent because of the incident |
| Notification Recipients | Who received notification of the incident |
| Incident Count | How many times the incident has occurred during the selected time interval |

Viewing Incidents

Device Risk View of all incidents

List view of all incidents

Viewing incident details

Grouped View of all incidents

Device Risk View of all incidents

This is the default view when the user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (see Device Risk Score Computation).

To see the incidents for a device, click that device. The incidents show up in a time line view.

List view of all incidents

This view provides a list of all incidents over a time period. By default:

Active Incidents over the last 2 hours are displayed

The following incident attributes are shown

Severity – High, Medium, Low – shown by colored icons

Last Occurred – the last time the Incident happened

Reporting Device Name – names of devices that reported the events that led to the incident

Incident – rule name

Source – incident source

Target – incident target

Detail – incident parameters other than source and target

Count – number of times the same incident has triggered

To show incidents over a different time interval

Click Time Range Button

A search window appears

To choose a relative time window

Choose Time Range Operator as LAST.

Specify the number of Minutes/Hours/Days/Weeks.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window.

To choose an absolute time window

Choose Time Range Operator as FROM.

Specify the starting and end times.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window

An incident can be in any of the following states

Active

Cleared

Cleared Manually

System Cleared

By default only Active Incidents are shown. To show Incidents in other states

Click Incident Status Button

A search window appears

To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.

Click Check button

The Incident page will automatically refresh to show all the incidents in selected state(s)

To select a different set of Incident attributes

Click Choose columns icon

In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns. Click OK.

To force a refresh of the incident view, click the Refresh icon

Incidents may be displayed over multiple pages. To see incidents on a different page,

Select the Page Selector icon

Either enter the page number or click on the Next or Previous icon to go to the right page

To view incidents for a different organization (Service Provider version),

Click the User icon on top right

Choose the right organization

Click Change View

Viewing incident details

In the default view, an incident is shown in a single line. To see the details of the incident,

Click anywhere on the incident line

Basic incident attributes are shown immediately below the incident

More advanced incident attributes are shown in a bottom pane

To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.

To view the rule that triggered the incident,

Click anywhere on the incident line in the single line incident view

In the bottom pane, click the Rule tab. Rule details are displayed.

To view the events that triggered the incident

Click anywhere on the incident line in the single line incident view

In the bottom pane, Click Events tab. Basic Event attributes are displayed in a single line. To see the raw events, click on the Basic Event line. Raw events are displayed.

Grouped View of all incidents

Sometimes a user may need a grouped view of incidents to get an overview of which incidents have triggered and which devices are involved. The following grouped views are provided:

Severity – Ranks Incident Severities By Count

Name – Ranks the Incidents By Count

Name, Target – Ranks Incident Name and Incident Target By Count

Name, Source – Ranks Incident Name and Incident Source By Count

Name, Source, Target – Ranks Incident Name, Incident Source and Incident Target By Count

Name, Source, Target, Business Service – Ranks Incident Name, Incident Source, Incident Target and Business Services By Count

Name, Source, Target, Business Service, Organizations – Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count

Searching Incidents

Searchable Incident Attributes

Constructing Search Condition

Searchable Incident Attributes

| Incident Attribute | Description |
| --- | --- |
| Time Range | In |
| ID | Incident ID |
| IP | Incident Source IP or Incident Target IP |
| Host | Host name associated with Incident Source IP or Incident Target IP |
| User | User field specified in Incident Target or Incident Details |
| Severity | Incident Severity category – High, Medium or Low |
| Function | Security, Availability, Performance or Change. This is a property of an Incident. |
| Incident Status | Possible values are Active, Cleared, Cleared Manually, System Cleared |
| Ticket Status | Possible values are New, Open, Closed, External, reopened, None. External means opened in an external system. |
| Incident | Rule name |
| Biz Service | Business Service name |
| Organization | Organization name |

Constructing Search Condition

To construct a Search condition from a displayed Incident,

Mouse over the cell containing the specific Incident attribute

Right click and choose Add to filter

The condition will be added to existing search string

Matching incidents will be displayed

To construct a Search condition from scratch

Click on the Add filter edit area. Three fields are displayed

Incident Attribute

Operator

Value

Select one of the Incident Attributes from the drop down

Select an Operator from =, !=, IN, NOT IN, CONTAINS, NOT CONTAINS

Select one or more Values from the displayed choices

Click the Check button.

Matching incidents will be displayed

 

Managing Incidents

Adding Comments

Clearing Incidents

Exporting Incidents to a PDF document

Adding Comments

Click on an Incident in the un-grouped view

From Actions drop down, select Add Comments

Write the comment and click OK.

Clearing Incidents

Click on an Incident in the un-grouped view

If you have more incidents to clear, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be cleared in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected

From Actions drop down, select Clear

Click OK

Exporting Incidents to a PDF document

Click on an Incident in the un-grouped view

If you have more incidents to export, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be exported in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected

From Actions drop down, select Export

Click OK

FortiSIEM Device Risk Score Computation

Device Risk Score Computation

Risk computation algorithms are proprietary, and this section presents only the settings that the user can change to influence the score.

Risk score components

The following factors affect risk score of a device

  1. Device Importance (also called Asset Weight)
  2. Count and CVSS Score for non-remediated vulnerabilities found for that device
  3. Severity and Frequency of Security incidents triggering with that device as source or destination
  4. Severity and Frequency of Other (performance, availability and change) incidents triggering on that device

Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.

User controllable constants

  1. Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot. Values are:
    1. Mission Critical – 10
    2. Critical – 7
    3. Important – 4
    4. Normal – 1
  2. Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
    1. vul_weight = 0.6
    2. security_inci_weight = 0.3
    3. other_inci_weight = 0.1
  3. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in phoenix_config.txt:
    1. vul_threshold = 1
    2. security_inci_threshold = 3
    3. other_inci_threshold = 6

Time varying Risk score

Risk scores are computed for each day. The current risk score is an exponentially weighted average of today’s risk and yesterday’s risk.

The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7, while new vulnerabilities and old but still existing vulnerabilities have weight 1.

FortiSIEM Miscellaneous Operations

Miscellaneous Operations
Exporting Events to Files

You can run the phExportEvent tool from a Supervisor or Worker node to export events to CSV files. The file will contain these fields:

| phExportEvent Command | Description |
| --- | --- |
| DESTINATION_DIR | Destination directory where the exported event files are saved |
| START_TIME | Starting time of events to be exported. The format is YYYY-MM-DD HH:MM:SS {+|-} TZ. If TZ is not given, local time zone of the machine where the script is running will be used. Example: 2010-03-10 23:00:00 -8 means Pacific Standard Time, 23:00:00 03/10/2010. 2010-07-29 10:20:00 +5:30 means India Standard Time 10:20:00 07/29/2010. |
| RELATIVE_START_TIME | Starting time of events to be exported relative backward to the end time as specified using --endtime END_TIME. The format is where NUM is the number of days or hours or minutes. For example, --relstarttime 5d means the starting time is 5 days prior to the ending time. |
| END_TIME | Ending time of events to be exported. The format is the same as START_TIME. |
| RELATIVE_END_TIME | Ending time of events to be exported relative forward to the start time as specified using START_TIME. The format is same as RELATIVE_START_TIME. |
| DEVICE_NAME | Host name or IP address of the device with the events to be exported. Use a comma-separated list to specify multiple IPs or host names, for example, --dev 10.1.1.1,10.10.10.1,router1,router2. Host name is case insensitive. |
| ORGANIZATION_NAME | Used only for multi-tenant deployments. The name of the organization with the events to be exported. To specify multiple organizations, give the option once for each organization, for example, --org "Public Bank" --org "Private Bank". The organization name is case insensitive. |
| TIME_ZONE | Specifies the time zone used to format the event received time in the exported event files. The format is {+|-}TZ, for example, -8 means Pacific Standard Time, +5:30 means India Standard Time. |
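
The following is an added example, not part of phExportEvent or the original page: a parser for the START_TIME / END_TIME format and the relative NUM form described above, which normalises the requested export window to UTC so it can be checked (and recorded with the evidence) before an export is run. The function names are hypothetical, and the h and m unit suffixes are an assumption; only 5d appears on the page.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# "YYYY-MM-DD HH:MM:SS" with an optional "+H", "-H" or "+H:MM" offset.
_ABS = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\s*([+-])\s*(\d{1,2})(?::(\d{2}))?)?$"
)
# NUM followed by a unit. Only "5d" is shown on the page; "h" and "m" are assumed.
_REL = re.compile(r"^(\d+)([dhm])$")
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}


def _offset(sign: str, hours: str, minutes: Optional[str]) -> timezone:
    h, m = int(hours), int(minutes or 0)
    if h > 14 or m > 59:
        raise ValueError(f"offset out of range: {sign}{hours}:{minutes or '00'}")
    delta = timedelta(hours=h, minutes=m)
    return timezone(-delta if sign == "-" else delta)


def parse_abs(text: str, local_tz: Optional[timezone] = None) -> datetime:
    """Parse START_TIME / END_TIME into a timezone-aware datetime."""
    m = _ABS.match(text.strip())
    if not m:
        raise ValueError(f"expected YYYY-MM-DD HH:MM:SS [+|-TZ], got {text!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2):
        return naive.replace(tzinfo=_offset(m.group(2), m.group(3), m.group(4)))
    # No TZ given: the local zone of the machine running the tool applies.
    if local_tz is not None:
        return naive.replace(tzinfo=local_tz)
    return naive.astimezone()


def parse_rel(text: str) -> timedelta:
    """Parse RELATIVE_START_TIME / RELATIVE_END_TIME such as '5d'."""
    m = _REL.match(text.strip())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"expected NUM followed by d, h or m, got {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def export_window(start: Optional[str] = None, end: Optional[str] = None,
                  rel_start: Optional[str] = None, rel_end: Optional[str] = None,
                  local_tz: Optional[timezone] = None) -> Tuple[datetime, datetime]:
    """Return the (start, end) of the export in UTC, rejecting ambiguous input."""
    if start and end and not (rel_start or rel_end):
        t0, t1 = parse_abs(start, local_tz), parse_abs(end, local_tz)
    elif end and rel_start and not (start or rel_end):
        t1 = parse_abs(end, local_tz)
        t0 = t1 - parse_rel(rel_start)      # relative backward from the end time
    elif start and rel_end and not (end or rel_start):
        t0 = parse_abs(start, local_tz)
        t1 = t0 + parse_rel(rel_end)        # relative forward from the start time
    else:
        raise ValueError("give exactly one start and one end, at least one absolute")
    if t1 <= t0:
        raise ValueError("end time must be after start time")
    return t0.astimezone(timezone.utc), t1.astimezone(timezone.utc)


if __name__ == "__main__":
    # Values taken from the examples in the table above.
    for t in export_window(end="2010-03-10 23:00:00 -8", rel_start="5d"):
        print(t.isoformat())
```

Start and end times given in different offsets are compared as instants, so a window whose end looks earlier on the wall clock can still be valid once both are converted to UTC.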

FortiSIEM Dynamic Population of Location, User, and Geolocation Information for Events

Dynamic Population of Location, User, and Geolocation Information for Events

In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.

Correlating Event Information

Assigning Attributes to Events

Host Name Attribute

User Name Attribute

Geolocation Attribute

Dynamic Updating of Attribute Information

Attributes Added to Events

Correlating Event Information

Event information is derived from several different sources.

  1. During the discovery process, FortiSIEM discovers the host name and network interface address information and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
  2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
  3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.

Assigning Attributes to Events

When FortiSIEM parses an event, attributes are assigned to it following this process:

Host Name Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP):

  1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
  2. If the host name is not found in the CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
  3. If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.

User Name Attribute

For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.

Geolocation Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then Country, State, City, Organization, Longitude, and Latitude information is added to it.

Dynamic Updating of Attribute Information

For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.

Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.
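
The lookup order described under Assigning Attributes to Events can be sketched as follows. This is an added example, not FortiSIEM code: the class, the dictionaries standing in for the CMDB, the Identity and Location Report and the geolocation database, the injected reverse-DNS function, the max_backlog cut-off and all sample addresses and names are constructed assumptions, since the page does not document the real bypass algorithm.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Attribute prefix per IP field, following "Attributes Added to Events".
IP_FIELDS = {"Source IP": "Source", "Destination IP": "Destination",
             "Host IP": "Host", "Reporting IP": "Reporting"}
GEO_KEYS = ("Country", "State", "City", "Organization", "Longitude", "Latitude")


@dataclass
class Enricher:
    cmdb: Dict[str, str]                      # IP -> host name learned by discovery
    identity: Dict[str, Dict[str, str]]       # IP -> {"Host Name": ..., "User": ...}
    geo: Dict[str, Dict[str, object]]         # IP -> geolocation record
    reverse_dns: Callable[[str], Optional[str]]  # injected so the example runs offline
    max_backlog: int = 1000                   # assumed cut-off for bypassing DNS
    dns_cache: Dict[str, Optional[str]] = field(default_factory=dict)
    dns_lookups: int = 0

    def resolve_host(self, ip: str, backlog: int = 0) -> Tuple[Optional[str], str]:
        """Return (host name, source that supplied it), trying sources in order."""
        if ip in self.cmdb:
            return self.cmdb[ip], "CMDB"
        name = self.identity.get(ip, {}).get("Host Name")
        if name:
            return name, "Identity and Location Report"
        if ip in self.dns_cache:
            return self.dns_cache[ip], "DNS cache"
        if backlog > self.max_backlog:
            return None, "DNS bypassed"       # event processing is falling behind
        self.dns_lookups += 1
        self.dns_cache[ip] = self.reverse_dns(ip)   # misses are cached too
        return self.dns_cache[ip], "DNS"

    def enrich(self, event: Dict[str, object], backlog: int = 0) -> Dict[str, object]:
        """Return a copy of the event with host, user and geolocation attributes."""
        out = dict(event)
        for ip_field, prefix in IP_FIELDS.items():
            ip = event.get(ip_field)
            if not ip:
                continue
            name, _source = self.resolve_host(ip, backlog)
            if name:
                out["Host Name" if prefix == "Host" else f"{prefix} Host Name"] = name
            for key, value in self.geo.get(ip, {}).items():
                if key in GEO_KEYS:
                    out[f"{prefix} {key}"] = value
        # User is looked up for the Source IP only.
        user = self.identity.get(event.get("Source IP"), {}).get("User")
        if user:
            out["User"] = user
        return out


def build_sample() -> Enricher:
    """Constructed sample data using documentation address ranges."""
    fake_ptr = {"203.0.113.5": "ext.example.net"}
    return Enricher(
        cmdb={"192.0.2.10": "web01"},
        identity={"192.0.2.10": {"Host Name": "stale-name", "User": "alice"},
                  "192.0.2.20": {"Host Name": "kiosk7", "User": "bob"}},
        geo={"203.0.113.5": {"Country": "Exampleland", "City": "Sample City"}},
        reverse_dns=fake_ptr.get,
    )


# Constructed event as it might look after parsing, before enrichment.
SAMPLE_EVENT = {"Source IP": "192.0.2.20", "Destination IP": "203.0.113.5",
                "Reporting IP": "192.0.2.10"}

if __name__ == "__main__":
    enricher = build_sample()
    print(enricher.enrich(SAMPLE_EVENT, backlog=5000))  # DNS bypassed
    print(enricher.enrich(SAMPLE_EVENT))                # DNS consulted and cached
```

During a bypass the host name attribute is simply absent from the event, so searches and rules that filter on host name should also filter on the IP address.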

Attributes Added to Events

| IP Type | Attributes |
| --- | --- |
| Source IP | Source Host Name, User (corresponding to Source IP), Source Country, Source State, Source City, Source Organization, Source Longitude, Source Latitude |
| Destination IP | Destination Host Name, Destination Country, Destination State, Destination City, Destination Organization, Destination Longitude, Destination Latitude |
| Host IP | Host Name, Host Country, Host State, Host City, Host Organization, Host Longitude, Host Latitude |
| Reporting IP | Reporting Host Name, Reporting Country, Reporting State, Reporting City, Reporting Organization, Reporting Longitude, Reporting Latitude |
| PostNAT (Network Address Translation) IP | PostNAT Country, PostNAT State, PostNAT City, PostNAT Organization, PostNAT Longitude, PostNAT Latitude |


FortiSIEM Monitoring Custom Applications

Monitoring Custom Applications

While FortiSIEM provides support for many applications, there may also be situations in which you have a custom application running in your infrastructure that you want to monitor. This topic explains how to set up FortiSIEM to monitor that application, and add it to a business service.

  1. Log in to your Supervisor.
  2. Go to CMDB > Applications, and either select a group where you want to add the application, or create a new one.
  3. Click New, and enter an Application Name and a Process Name.
  4. Click Save.
  5. Initiate discovery of the server where the application is running.
  6. Go to CMDB > Devices and select the server.
  7. Click the Software tab and make sure the application has been discovered.
  8. Go to General Settings > Monitoring > Important Processes.
  9. Click Add and enter the name of the process that the application is running on.
  10. Click Apply All.
  11. Run a structured historical search using these attributes to make sure the process utilization metrics are being received by FortiSIEM.

| Attribute | Value |
| --- | --- |
| Reporting IP | The IP address of the server where the application is running |
| Event Type | PH_DEV_MON_PROC_RESOURCE_UTIL |
| Application Name | The name of the application |

  12. Add your application to a business service.

You should now be able to go to Dashboard > Summary Dashboards > Biz Service Summary and see your process running under Top Monitored Processes when you select the associated business service.

FortiSIEM The IPS Vulnerability Map

The IPS Vulnerability Map

The IPS Vulnerability Map lists devices that have a known vulnerability. You can view the IPS Vulnerability Map by going to Incidents > IPS Vulnerability Map, and you can also add new devices to the map.

The IPS Vulnerability Map includes these columns.

| Column | Description |
| --- | --- |
| IPS Event Types | The event types associated with the vulnerability |
| Vendor Vulnerability ID | The vulnerability ID provided by the device vendor |
| CVE IDs | The vulnerability ID provided by Common Vulnerabilities and Exposures |
| Vulnerability Description | A brief description of the device’s vulnerability |
| Found in Device Type | Specific devices or applications that have the vulnerability |
| Found in Version | The version of the device or application that has the vulnerability |
| Fixed in Version | The version in which the vulnerability was fixed |
| Fixed via Patches | The patch version in which the vulnerability was fixed |

 

Adding Entries to the IPS Vulnerabilities Map

 

Adding Entries to the IPS Vulnerabilities Map

  1. Go to Incidents > IPS Vulnerability Map.
  2. Click Add.
  3. Select the IPS Event Type associated with the vulnerability.
  4. Enter any Vendor Vulnerability ID.
  5. Enter any CVE ID. See the Common Vulnerability and Exposures website for CVE IDs. Separate multiple IDs with commas.
  6. Enter a Vulnerability Description.
  7. For Affected Software, click Add, and then select the affected devices or applications from the Found in Device Type
  8. Enter any Found in Version information for the affected software.
  9. Enter any fix information for the vulnerability.
  10. Click OK.
  11. Click Save.

FortiSIEM Event Attribute Master List Troubleshooting

Event Attribute Master List

This section describes the master list of event attributes. Events are parsed into these attributes and used in AccelOps analytics. There are 4 broad categories of event attributes:

Generic Attributes

Network Attributes

System Attributes

Application Attributes

Environmental Attributes

Generic Attributes
| Name | Id | Type | Description |
| --- | --- | --- | --- |
| Event Type | eventType | string | Event type set to PH_DEV_MON_SYS_CPU_UTIL |
| Event Name | eventName | string | |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High |
| IPS Event Risk Rating | ipsEvRR | | |
| IPS Event Threat Rating | ipsEvTR | | |
| Event ID | eventId | | |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Device Time | deviceTime | Date | |
| Event Action | eventAction | uint16 | |
| Reporting IP | reptDevIpAddr | Date | IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute) |
| Reporting Device Name | reptDevName | string | |
| Relaying IP | relayDevIpAddr | Date | IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address. |
| Relaying Device Name | relayDevName | string | |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma separated “[Attribute] = value” format. |
| Poll Interval | pollIntv | uint32 | Polling interval in seconds |
| Customer ID | phCustId | | |
| Customer Name | customer | | |
| Agent ID | phAgentId | | |
| Event Rate (/sec) | eventsPerSec | | |
| Peak Event Rate (/sec) | peakEventsPerSec | | |
| Event Parse Status | eventParsedOK | | |
| Incident Source | incidentSrc | | |
| Incident Target | incidentTarget | | |
| Incident Reporting IP | incidentRptIp | | |
| Incident Trigger Attribute List | triggerAttrList | | |
| Incident Detail | incidentDetail | | |
| Incident ID | incidentId | | |
| Incident Status | incidentStatus | | |
| Incident First Occurrence Time | incidentFirstSeen | | |
| Incident Last Occurrence Time | incidentLastSeen | | |
| Incident Ticket ID | incidentTicketId | | |
| Incident Ticket Status | incidentTicketStatus | | |
| Incident Ticket User | incidentTicketUser | | |
| Incident Comments | incidentComments | | |
| Incident View Status | incidentViewStatus | | |
| Incident View Users | incidentViewUsers | | |
| Incident Cleared Time | incidentClearedTime | | |
| Incident Cleared User | incidentClearedUser | | |
| Incident Cleared Reason | incidentClearedReason | | |
| Incident Notification Recipients | incidentNotiRecipients | | |

Network Attributes
Name Id Type Description
Source IP srcIpAddr IP Source IP address of the flow
Source Host Name srcName
Host IP hostIpAddr IP
Host Name hostName
Dest IP destIpAddr IP Destination IP address of the flow
Dest Name destName
Source MAC srcMACAddr
Dest MAC destMACAddr
Host MAC hostMACAddr
IP Protocol ipProto uint16 IP protocol e.g. TCP/UDP/GRE/ICMP etc
Source TCP/UDP Port srcIpPort uint16 Source TCP/UDP port
Dest TCP/UDP Port destIpPort uint16 Destination TCP/UDP port
ICMP Type icmpType uint16 ICMP type
ICMP Code icmpCode uint16 ICMP code
IP Type of Service tos uchar IP Type of Service
Sent TCP flags srcDestTCPFlags uchar OR-ed TCP Flags from Source to Destination
Received TCP flags destSrcTCPFlags uchar OR-ed TCP Flags from Destination to Source
Source Intf SNMP Index srcSnmpIntfIndex uint16 Source SNMP interface index
Dest Intf SNMP Index destSnmpIntfIndex uint16 Destination SNMP interface index
Source Intf name srcIntfName
Dest Intf Name destIntfName
Host Intf Name intfName
Source Autonomous System Number srcASNum uint16 Source Autonomous number
Dest Autonomous System Number destASNum uint16 Destination Autonomous number
Source VLAN srcVLAN
Dest VLAN destVLAN
Host VLAN hostVLAN
Sent Bytes sentBytes uint32 Sent Bytes in this flow
Sent Packets sentPkts uint32 Sent Packets in this flow
Sent Bytes Rate (/sec) sentBytesPerSec
Received Bytes recvBytes uint32 Received Bytes in this flow
Received Packets recvPkts uint32 Received Packets in this flow
Received Bytes Rate (/sec) recvBytesPerSec
Total Bytes totBytes
Total Packets totPkts
Total Byte rate (/sec) totBytesPerSec
Total Packet Rate (/sec) totPktsPerSec
Duration durationMsec
Intf Out Queue Length outQlen
In Packet Error inIntfPktErr
Out Packet Error outIntfPktErr
In Packet Error Pct inIntfPktErrPct
Out Packet Error Pct outIntfPktErrPct
In Intf Util inIntfUtil double
Out Intf Util outIntfUtil double
In Packet Discard inIntfPktDiscarded
Out Packet Discard outIntfPktDiscarded
In Packet Discard Pct inIntfPktDiscardedPct
Out Packet Discard Pct outIntfPktDiscardedPct
Source Firewall Zone srcFwZone
Dest Firewall Zone destFwZone
Min Jitter minJitterMs
Max Jitter maxJitterMs
Avg Jitter avgJitterMs
Min SD Jitter minJitterSDMs
Max SD Jitter maxJitterSDMs
Avg SD Jitter avgJitterSDMs
Min DS Jitter minJitterDSMs
Max DS Jitter maxJitterDSMs
Avg DS Jitter avgJitterDSMs
Packets Lost pktLost
Packets SD Lost pktLostSD
Packets DS Lost pktLostDS
Packets Missing pktMIA
Packets Late pktLate
Packets Out-of-Seq pktOutSeq
VoIP MOS Score mosScore
VoIP ICPIF Score icpifScore
VoIP Codec codec
VoIP Phone Status voIPPhoneStatus
Calling Party Number callingPartyNumber
Original Called Party Number originalCalledPartyNumber
Final Called Party Number finalCalledPartyNumber
Call Connect Time dateTimeConnect
Call Disconnect Time dateTimeDisconnect
Call Duration callDuration
CBQoS Policy Name qosPolicy
CBQoS Class Name qosClass
CBQoS Conform KBps qosConformRate
CBQoS Exceeded KBps qosExceedRate
CBQoS Violated KBps qosViolateRate
CBQoS PrePolice KBps qosPrePoliceRate
CBQoS PostPolice KBps qosPostPoliceRate
CBQoS Drop KBps qosDropRate
CBQoS Drop Pct qosDropPct
CBQoS Curr Queue Length qosCurrQueue
CBQoS Max Queue Length qosMaxQueue
CBQoS Discarded Pkt qosDiscardPkt
OSPF State ospfState
BGP State bgpState
OSPF Area Id ospfAreaId
Source FiberChannel WWN Id srcWWN
Dest FiberChannel WWN Id destWWN
wlanSsid
wlanControllerIp
wlanContrHostName
wlanUserCount
wlanSuppChannels
wlanSendutil
wlanRecvUtil
wlanChannelUtil
wlanPoorSNRUserCount
ifLoadProfile
ifIntefProfile
ifCoverageProfile
ifNoiseProfile
wlanRssi
wlanSnr
wlanMobilityStatus
wlanProtocol
wlanAssocUpTime
wlanMaxHostTxmitRate
ifCoverageIndx
ifNoseIndx
ifIntefIndex
System Attributes
Name Id Type Description
Computer computer
Target Computer targetComputer
Domain domain
Target Domain targetDomain
Source Domain srcDomain
Destination Domain destDomain
Operating System Type osType
Operating System Version osVersion
File Name fileName
Object Type osObjType
Object Name osObjName
Target Object Type targetOsObjType
Target Object Name targetOsObjName
Object Handle osObjHandleID
Object Access Type osObjAccessType
Object Action osObjAction
System Uptime sysUpTime
System Uptime Pct sysUpTimePct double
System Downtime sysDownTime
CPU Name cpuName string
CPU utilization cpuUtil double Overall CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system.
User CPU Utilization userCpuUtil double User CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
System CPU Utilization sysCpuUtil double System CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
Memory Name memName string
Memory Utilization memUtil double
Free memory (KB) freeMemKB uint32
Buffer Memory (KB) bufMemKB uint32
Cache Memory (KB) cacheMemKB uint32
Swap Memory Utilization swapMemUtil double
Free Swap Memory (KB) freeSwapMemKB uint32
Minimum Swap Memory (KB) memMinimumSwap uint32
Swap Memory Error Message swapMemErrorString string
Swap Read (Pages/sec) swapInRate double
Swap Write (Pages/sec) swapOutRate double
Total Swap (Pages/sec) swapRate double
Swap Read (KBps) swapReadKBytesPerSec
Swap Write (KBps) swapWriteKBytesPerSec
Total Read I/O Rate (KBps) ioReadKBytesPerSec
Total Write I/O Rate (KBps) ioWriteKBytesPerSec
Disk Name diskName
Disk Utilization diskUtil
Free Disk (MB) freeDiskMB
Total Disk (MB) totalDiskMB
Used Disk (MB) usedDiskMB
Disk Queue Length diskQLen
Current Daily Disk Growth diskGrowthMBDaily
Current Weekly Disk Growth diskGrowthMBWeekly
Current Monthly Disk Growth diskGrowthMBMonthly
Average Daily Disk Growth avgDiskGrowthMBDaily
Average Weekly Disk Growth avgDiskGrowthMBWeekly
Average Monthly Disk Growth avgDiskGrowthMBMonthly
Days To Disk Full timeToDiskFull
RAID Group Id raidGrpId
RAID Type raidType
Application Attributes
Name Id Type Description
Application Name appName string Short descriptive name of the process, e.g. “Microsoft IIS”
Application Group Name appGroupName string Name of the application group to which the process belongs; e.g. “Microsoft IIS”
Software Name swProcName string Process/Executable name; e.g. svchost.exe
Software Param swParam string Process/Executable parameters, e.g. “-k iissvc”
CPU utilization cpuUtil double Process CPU utilization (between 0-100).
Memory utilization memUtil double Process memory utilization (between 0-100).
Real Peak Memory (KB) realMemPeakKBytes uint32 Peak real memory usage (KBytes).
Disk Read Rate (KBps) diskReadKBytesPerSec double Process disk read rate (KBytes/sec).
Disk Write Rate (KBps) diskWriteKBytesPerSec double Process disk write rate (KBytes/sec).
Environmental Attributes
Name Id Type Description
Hardware Status hwStatusCode string
Hardware Battery Status hwBatteryStatus
Hardware Disk Status hwDiskStatus
Hardware Power Supply Status hwPowerSupplyStatus
Hardware Temp Sensor Status hwTempSensorStatus
Hardware Fan Status hwFanStatus
Hardware Amp Status hwAmpStatus
Hardware Voltage Status hwVoltageStatus
Hardware Memory Status hwMemoryStatus
Hardware Log Status hwLogStatus
Hardware Processor Status hwProcStatus
Hardware Power Chord Status hwPowerChordStatus
Hardware Storage Controller Status hwStorageControllerStatus
Hardware Storage Channel Status hwStorageChannelStatus
Hardware Storage Enclosure Status hwStorageEnclosureStatus
Hardware Power Supply Status hwStoragePowerSupplyStatus
Hardware Storage Fan Status hwStorageFanStatus
Hardware Storage Temp Status hwStorageTempStatus
Hardware EMM Status hwStorageEMMStatus
Hardware Log Disk Status logDiskStatus
Failed Power Supply Count hwFailedPowerSupplyCount
Storage LLC Status hwLLCStatus
Storage Link Status hwLinkStatus
Storage Port Status hwPortStatus
Hardware Misc Component Status hwMiscCompStatus
Host Spare Disk Count hwHotSpareDiskCount
UPS Battery Status upsBatteryStatus
UPS Remaining Battery Charge (Pct) upsRemainBatteryChargePct
UPS Replace Battery Indicator upsReplaceBatteryIndicator
UPS Time On Battery (sec) upsTimeOnBattery
UPS Output Status upsBasicOutputStatus
UPS Output Load upsAdvOutputLoad
UPS Output Voltage (V) upsAdvOutputVoltage
UPS Output Frequency (Hz) upsAdvOutputFreq
UPS Battery Current (Amp) upsBatteryCurrent
UPS Battery Temperature (C) upsBatteryTempC
UPS Battery Voltage upsBatteryVoltage
UPS Estimated Time Remaining (sec) upsEstSecRemain
Temperature (C) envTempDegC
High Temperature Threshold (C) envTempHighThreshDegC
Low Temperature Threshold (C) envTempLowThreshDegC
Temperature Offset High (C) envTempOffHighDegC
Temperature Offset Low (C) envTempOffLowDegC
Temperature (F) envTempDegF
High Temperature Threshold (F) envTempHighThreshDegF
Low Temperature Threshold (F) envTempLowThreshDegF
Temperature Offset High (F) envTempOffHighDegF
Low Temperature Threshold (F) envTempOffLowDegF
Relative Humidity envHumidityRel
High Relative Humidity Threshold envHumidityRelHighThresh
Low Relative Humidity Threshold envHumidityRelLowThresh
Humidity Offset High envHumidityOffHigh
Humidity Offset Low envHumidityOffLow
Liebert HVAC System State lgpSystemState
Liebert HVAC Cooling State lgpCoolingState
Liebert HVAC Heating State lgpHeatingState
Liebert HVAC Humidifying State lgpHumidState
Liebert HVAC Dehumidifying State lgpDehumidState
Liebert HVAC Economy Cycle State lgpEconCycle
Liebert HVAC Fan State lgpFanState
Liebert HVAC Cooling capacity envCoolCap
Liebert HVAC Heating Capacity envHeatCap
outputVoltageXNVolts

 

 

 

 

AccelOps Generated Event Format

AccelOps Generated Events

AccelOps is an event-based analytics system. When it monitors systems and applications, it produces events containing the collected metrics. This section describes the details of such events, which can be used to write custom queries, reports and rules.

System Performance Monitoring Events

Availability Monitoring Events

VMware Monitoring Events

Hardware Monitoring Events

Application Monitoring Events

Network Flow Monitoring Events

Security Information Management

System Performance Monitoring Events

AccelOps generates the following events related to system monitoring:

CPU Monitoring Event

Memory Monitoring

Disk space Monitoring

Disk I/O Monitoring

Network I/O Monitoring

Disk Growth Trend – Daily

Disk Growth Trend – Weekly

Disk Growth Trend – Monthly

CPU Monitoring

Event Type: PH_DEV_MON_SYS_CPU_UTIL

Description: Event containing CPU utilization metrics

Source:

Cisco IOS (SNMP), Cisco NX-OS, Extreme ExtremeOS, Foundry Ironware, HP ProCurve

Cisco ASA/PIX/FWSM (SNMP), Checkpoint FW-1, Juniper SSG/ISG, Palo Alto Firewall, Sonicwall SonicOS, Fortinet FortiOS

Cisco IPS (SNMP), Tippingpoint IPS (SNMP)

NetApp DataONTAP

Microsoft Windows (SNMP, WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_CPU_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
CPU utilization cpuUtil double Overall CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system.
User CPU Utilization sysCpuUtil double User CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
System CPU Utilization userCpuUtil double System CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
Poll Interval pollIntv uint32 Polling interval in seconds

Memory Monitoring

Event Type: PH_DEV_MON_SYS_MEM_UTIL

Description: Event containing system memory utilization metrics

Source:

Cisco IOS (SNMP), Cisco NX-OS, Extreme ExtremeOS, Foundry Ironware, HP ProCurve

Cisco ASA/PIX/FWSM (SNMP), Checkpoint FW-1, Juniper SSG/ISG, Palo Alto Firewall, Sonicwall SonicOS, Fortinet FortiOS

Cisco IPS (SNMP), Tippingpoint IPS (SNMP)

Microsoft Windows (SNMP, WMI), Linux (SNMP,SSH), Solaris (SNMP), HP-UX (SNMP,SSH), IBM AIX (SNMP,SSH)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_MEM_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose memory utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose memory utilization is being reported
Memory utilization memUtil double Overall system physical memory utilization (between 0-100).
Buffer Memory (KB) bufMemKB uint32 Size of buffered memory. Available for Linux (via SNMP) only.
Cache Memory (KB) cacheMemKB uint32 Size of cached memory. Available for Linux (via SNMP) only.
Swap memory Utilization swapMemUtil double Swap Memory Utilization. Available for Linux (via SNMP) only.
Free Swap Memory (KB) freeSwapMemKB uint32 Free Swap Memory. Available for Linux (via SNMP) only.
Swap Read Rate (Pages/sec) swapInRate double Rate at which pages are swapped in. Available for Windows (WMI), Linux (SSH), HP-UX (SSH), IBM AIX (SSH).
Swap Write Rate (Pages/sec) swapOutRate double Rate at which pages are swapped out. Available for Windows (WMI), Linux (SSH), HP-UX (SSH), IBM AIX (SSH).
Poll Interval pollIntv uint32 Polling interval in seconds.

FortiSIEM Disk space Monitoring

Disk space Monitoring

Event Type: PH_DEV_MON_SYS_DISK_UTIL

Description: Event containing disk utilization metrics

Source:

Microsoft Windows (SNMP or WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

NetApp DataONTAP (SNMP)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_DISK_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose disk utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose disk utilization is being reported
Disk Name diskName string Disk name
Disk Capacity Util diskUtil double Disk utilization for a specific disk name (between 0-100).
Free Disk (MB) freeDiskMB uint32 Size of free disk available in MBytes
Total Disk (MB) totalDiskMB uint32 Size of total disk in MBytes
Used Disk (MB) usedDiskMB uint32 Size of used disk in MBytes
Poll Interval pollIntv uint32 Polling interval in seconds.

FortiSIEM Disk I/O Monitoring


Disk I/O Monitoring

Event Type: PH_DEV_MON_DISK_IO_UTIL

Description: Event containing disk utilization metrics

Source:

Microsoft Windows (WMI), Linux (SSH), HP-UX (SSH), IBM AIX (SSH)

NetApp DataONTAP (SNMP)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_DISK_IO_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose disk utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose disk utilization is being reported
Disk Name diskName string Disk name
Disk Read Rate (KBps) diskReadKBytesPerSec double Disk read rate in KBytes/sec.
Disk Write Rate (KBps) diskWriteKBytesPerSec double Disk write rate in KBytes/sec.
Disk Read Rate (/sec) diskReadReqPerSec double Disk read rate in read IO per sec.
Disk Write Rate (/sec) diskWriteReqPerSec double Disk write rate in write IO per sec.
Disk IO Util diskIOUtil double Disk I/O utilization
Disk Read Latency (ms) devDiskRdLatency double Disk Read Latency – for Windows (WMI) only
Disk Write Latency (ms) devDiskWrLatency double Disk Write latency – for Windows (WMI) only
Disk Queue Length diskQLen uint32 Disk Queue Length – for Windows (WMI) only
Poll Interval pollIntv uint32 Polling interval in seconds.

FortiSIEM Network Interface Monitoring


Network Interface Monitoring

Event Type: PH_DEV_MON_NET_INTF_UTIL

Description: Event containing network interface utilization metrics

Source – almost all devices via SNMP:

Cisco IOS (SNMP), Cisco NX-OS, Extreme ExtremeOS, Foundry Ironware, HP ProCurve

Cisco ASA/PIX/FWSM (SNMP), Checkpoint FW-1, Juniper SSG/ISG, Palo Alto Firewall, Sonicwall SonicOS, Fortinet FortiOS

Cisco IPS (SNMP), Tippingpoint IPS (SNMP)

NetApp DataONTAP (SNMP)

Microsoft Windows (SNMP or WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

Sample event

[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,[lineNumber]=275,[intfName]=GigabitEthernet4/41,[intfAlias]=Connection to Internet,[hostName]=SJ-Main-Cat6500,[hostIpAddr]=192.168.0.1,[pollIntv]=177,[recvBytes]=0,[recvBitsPerSec]=0.000000,[inIntfUtil]=0.000000,[sentBytes]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000,[recvPkts]=0,[sentPkts]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen]=0,[intfSpeed64]=1000000000,[intfAdminStatus]=up,[intfOperStatus]=down,[daysSinceLastUse]=487,[phLogDetail]=
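The raw “[Attribute]=value” format of the sample event above can be parsed into typed attributes as follows. This is an added example, not AccelOps or FortiSIEM code; the function names, the duplicate-attribute check and the trimmed sample strings are assumptions made for illustration.

```python
import re

# Constructed input: the sample event from this page with the line-wrap
# spaces removed, trimmed to a subset of its attributes.
SAMPLE = (
    "[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,"
    "[fileName]=phIntfFilter.cpp,[lineNumber]=275,"
    "[intfName]=GigabitEthernet4/41,[intfAlias]=Connection to Internet,"
    "[hostName]=SJ-Main-Cat6500,[hostIpAddr]=192.168.0.1,[pollIntv]=177,"
    "[recvBytes]=0,[inIntfUtil]=0.000000,[outQLen]=0,"
    "[intfAdminStatus]=up,[intfOperStatus]=down,[phLogDetail]="
)

# Types copied from the attribute tables on this page (subset used here).
ATTR_TYPES = {"pollIntv": "uint32", "recvBytes": "uint32",
              "outQLen": "uint32", "inIntfUtil": "double"}
UINT_MAX = {"uint16": 0xFFFF, "uint32": 0xFFFFFFFF}

NAME = r"[A-Za-z0-9_]+"
HEADER_RE = re.compile(rf"^\[({NAME})\]:")
# A value runs up to the next ",[name]=" marker or the end of the event,
# so values may contain spaces and commas ("Connection to Internet").
PAIR_RE = re.compile(rf"\[({NAME})\]\s*=\s*(.*?)(?=,\s*\[{NAME}\]\s*=|$)", re.S)


def coerce(name, text, problems):
    """Convert text to the documented type; record a problem if it does not fit."""
    kind = ATTR_TYPES.get(name)
    if kind is None:
        return text
    try:
        value = float(text) if kind == "double" else int(text)
    except ValueError:
        problems.append(f"{name}: {text!r} is not a valid {kind}")
        return text
    if kind != "double" and not 0 <= value <= UINT_MAX[kind]:
        problems.append(f"{name}: {value} is out of range for {kind}")
        return text
    return value


def parse_event(raw):
    """Return (event_type, attrs, problems) for one raw event string."""
    raw = raw.strip()
    problems = []
    header = HEADER_RE.match(raw)
    if header is None:
        return None, {}, ["missing [EVENT_TYPE]: header"]
    body = raw[header.end():]
    attrs, expected = {}, 0
    for m in PAIR_RE.finditer(body):
        if body[expected:m.start()].strip(", "):
            problems.append(f"unparsed text before [{m.group(1)}]")
        expected = m.end()
        name, text = m.group(1), m.group(2).strip()
        if name in attrs:
            # A device-supplied string (such as an interface alias) can
            # itself contain ",[name]=value" text, so a repeated attribute
            # makes the whole event ambiguous; flag it instead of overwriting.
            problems.append(
                f"duplicate attribute {name}: kept {attrs[name]!r}, also saw {text!r}")
            continue
        attrs[name] = coerce(name, text, problems)
    if body[expected:].strip(", "):
        problems.append("unparsed trailing text")
    return header.group(1), attrs, problems


def severity_category(severity):
    """Map numeric eventSeverity to eventSeverityCat as the tables describe."""
    if not isinstance(severity, int) or not 0 <= severity <= 10:
        raise ValueError(f"severity {severity!r} is outside 0-10")
    if severity <= 4:
        return "Low"
    return "Medium" if severity <= 8 else "High"


if __name__ == "__main__":
    event_type, attrs, problems = parse_event(SAMPLE)
    print(event_type, attrs["intfName"], attrs["pollIntv"], problems)
```

The sample event carries the symbolic severity `PHL_INFO` rather than a number, so `eventSeverity` is left as a string here; events returned with a non-empty problem list should be reviewed before their attributes are used in rules or reports.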

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_NET_INTF_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host Intf Name intfName string The name of the network interface to which these statistics apply
In Intf Util inIntfUtil double Inbound (or received) network utilization (between 0-100).
Received Bytes recvBytes uint32 Inbound (or received) bytes during this interval
Received Byte Rate (/sec) recvBytesPerSec double Inbound (or received) byte rate during this interval
Received Packets recvPkts uint32 Inbound (or received) packets received during this interval
In Packet Error inIntfPktErr uint32 Inbound (or received) packet errors
In Packet Error Pct inIntfPktErrPct double Inbound (or received) packet error as a percentage of total packets
In Packet Discards inIntfPktDiscarded uint32 Inbound (or received) packet discarded
In Packet Discard Pct inIntfPktDiscardedPct double Inbound (or received) packet discarded as a percentage of total packets
Out Intf Util outIntfUtil double Outbound (or sent) network utilization (between 0-100).
Sent Bytes sentBytes uint32 Outbound (or sent) bytes during this interval
Sent Byte Rate (/sec) sentBytesPerSec double Inbound (or received) byte rate during this interval
Sent Packets sentPkts uint32 Outbound (or sent) packets sent during this interval
Out Packet Error outIntfPktErr double Outbound (or sent) packet errors
Out Packet Error Pct outIntfPktErrPct double Outbound (or sent) packet error as a percentage of total packets
Out Packet Discards outIntfPktDiscarded uint32 Outbound (or sent) packet discarded
Out Packet Discard Pct outIntfPktDiscardedPct double Outbound (or sent) packet discarded as a percentage of total packets
Out Queue Length outQLen uint32 Length of output queue
Poll Interval pollIntv uint32 Polling interval in seconds

 

 

FortiSIEM Disk Growth Trend – Daily

Disk Growth Trend – Daily

Event Type: PH_DEV_MON_SYS_DISK_TREND_DAY

Description: Event containing disk usage growth trend – daily view

Source:

Microsoft Windows (SNMP or WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

NetApp DataONTAP (SNMP)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_DISK_TREND_DAY
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose disk utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose disk utilization is being reported
Disk Name diskName string Disk name
Disk Capacity Util diskUtil double Disk utilization for a specific disk name (between 0-100).
Free Disk (MB) freeDiskMB uint32 Size of free disk available in MBytes
Total Disk (MB) totalDiskMB uint32 Size of total disk in MBytes
Used Disk (MB) usedDiskMB uint32 Size of used disk in MBytes
Current Daily Disk Growth (MB) diskGrowthMBDaily double Disk growth (MB) for the current day
Avg Daily Disk Growth (MB) avgDiskGrowthMBDaily double Running avg of daily disk growth (MB) over all previous days
Days To Disk Full timeToDiskFull uint32 Number of days until disk is full (from daily growth statistics)
Poll Interval pollIntv uint32 Polling interval in seconds.

FortiSIEM Disk Growth Trend – Weekly


Disk Growth Trend – Weekly

Event Type: PH_DEV_MON_SYS_DISK_TREND_WEEK

Description: Event containing disk usage growth trend – weekly view

Source:

Microsoft Windows (SNMP or WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

NetApp DataONTAP (SNMP)

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_DISK_TREND_DAY
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose disk utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose disk utilization is being reported
Disk Name diskName string Disk name
Disk Capacity Util diskUtil double Disk utilization for a specific disk name (between 0-100).
Free Disk (MB) freeDiskMB uint32 Size of free disk available in MBytes
Total Disk (MB) totalDiskMB uint32 Size of total disk in MBytes
Used Disk (MB) usedDiskMB uint32 Size of used disk in MBytes
Current Week Disk Growth (MB) diskGrowthMBWeekly double Disk growth (MB) for the current week
Avg Weekly Disk Growth (MB) avgDiskGrowthMBWeekly double Running avg of weekly disk growth (MB) over all previous days
Days To Disk Full timeToDiskFull uint32 Number of days until disk is full (from weekly growth statistics)
Poll Interval pollIntv uint32 Polling interval in seconds.

FortiSIEM Disk Growth Trend – Monthly

Disk Growth Trend – Monthly

Event Type: PH_DEV_MON_SYS_DISK_TREND_MONTH

Description: Event containing disk usage growth trend – monthly view

Source:

Microsoft Windows (SNMP or WMI), Linux (SNMP), Solaris (SNMP), HP-UX (SNMP), IBM AIX (SNMP)

NetApp DataONTAP (SNMP)

Key Attributes:
Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_DISK_TREND_DAY
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose disk utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose disk utilization is being reported
Disk Name diskName string Disk name
Disk Capacity Util diskUtil double Disk utilization for a specific disk name (between 0-100).
Free Disk (MB) freeDiskMB uint32 Size of free disk available in MBytes
Total Disk (MB) totalDiskMB uint32 Size of total disk in MBytes
Used Disk (MB) usedDiskMB uint32 Size of used disk in MBytes
Current Monthly Disk Growth (MB) diskGrowthMBMonthly double Disk growth (MB) for the current month
Avg Monthly Disk Growth (MB) avgDiskGrowthMBMonthly double Running avg of monthly disk growth (MB) over all previous months
Days To Disk Full timeToDiskFull uint32 Number of days until disk is full (from monthly growth statistics)
Poll Interval pollIntv uint32 Polling interval in seconds.

 

FortiSIEM Availability Monitoring Events

Availability Monitoring Events

AccelOps generates the following events related to availability monitoring:

Ping Stat Monitoring

Synthetic Monitoring Success

Synthetic Monitoring Failure

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Avg Round Trip Time avgDurationMSec uint32 Average Round trip time from the ping tests done during this interval
Max Round Trip Time maxDurationMSec uint32 Max Round trip time from the ping tests done during this interval
Min Round Trip Time minDurationMSec uint32 Min Round trip time from the ping tests done during this interval
Packet Loss Pct pktLossPct double Packet loss percentage from the ping tests done during this interval
System Down Time sysDownTime uint32 Amount of time during this polling interval that there was 100% ping loss
System Degraded Time sysDegradedTime uint32 Amount of time during this polling interval that there was 50%+ ping loss
Poll Interval pollIntv uint32 Polling interval in seconds

Synthetic Transaction Monitoring Success

Event Type: PH_DEV_MON_EUM_SUCCESS

Description: Successful Synthetic transaction monitoring test

Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_EUM_SUCCESS
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address, but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Synthetic Transaction Monitor Name endUserMonitorName string Name of the Synthetic Transaction Monitor
Synthetic Transaction Monitor Step endUserMonitorStep string Particular step of the Synthetic Transaction Monitor, in case the transaction monitor involves multiple steps.
Application Protocol appTransportProto string Application protocol such as HTTP
Application Port appPort string Port number such as 443
Application Response Time appResponseTimeMSec uint32 Synthetic transaction response time (ms)
Poll Interval pollIntv uint32 Polling interval in seconds

Synthetic Transaction Monitoring Failure

Event Type: PH_DEV_MON_EUM_FAIL

Description: Failed Synthetic transaction monitoring test

Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_EUM_SUCCESS
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address, but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Synthetic Transaction Monitor Name endUserMonitorName string Name of the Synthetic Transaction Monitor test
Synthetic Transaction Monitor Step endUserMonitorStep string Particular step of the Synthetic Transaction Monitor, in case the transaction monitor involves multiple steps.
Application Protocol appTransportProto string Application protocol such as HTTP
Application Port appPort string Port number such as 443
Reason for Error errReason uint32 Reason for failed Synthetic Transaction Monitor test
Poll Interval pollIntv uint32 Polling interval in seconds

 

 

FortiSIEM Hardware Monitoring Events

Hardware Monitoring Events

AccelOps generates the following events related to hardware monitoring:

Overall Hardware Status

Individual Hardware Component Status

Temperature Measurement

Humidity Measurement

Dew point Measurement

Air flow Measurement

Audio Measurement

Ampere Measurement

Dry Contact Measurement

Camera Motion Measurement

Power Supply Measurement

Chassis Component Measurement

Overall Hardware Status Event

This event is generated by AccelOps as an overall hardware status. Sometimes this overall status is provided by the device. At other times, AccelOps derives the overall health from that of the individual hardware components.

Event Type: PH_DEV_MON_HW_STAT

Description: Event containing overall hardware status as detected by AccelOps

Source: Cisco IOS (SNMP), Cisco Nx-OS (SNMP), Juniper JunOS (SNMP), Juniper SRX JunOS (SNMP), Alcatel TiMOS (SNMP), Alcatel AOS (SNMP), Avaya/Nortel ERS (SNMP), Huawei VRP (SNMP), H3C Comware, EMC Clariion (NavisecCli), NetApp DataONTAP Filer (SNMP), Dell EqualLogic (SNMP), F5 Big-IPOS (SNMP), Riverbed Steelhead (SNMP), InfoBlox NiOS (SNMP), Virtual Machines on VMWare ESX (VMSDK), Windows/Linux Servers on Dell hardware with OpenManage installed (SNMP), Windows/Linux Servers on HP hardware with HP Insight Manager installed (SNMP), APC NetBotz (SNMP), Cisco UPS (UCS API), HP BladeSystem (SNMP)

Key Attributes: Varies depending on the source. The global set of attributes is shown below

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_HW_STAT
Event Severity eventSeverity uint16 0 if the event attribute hwStatusCode is 0 (Normal), 5 if hwStatusCode is 1 (Warning) and 10 if hwStatusCode is 2 (Critical)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address, but in this case, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Host name (as in AccelOps CMDB) of the device whose overall hardware health is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose overall hardware health is being reported
Hardware Status hwStatusCode uint16 Overall hardware status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Power Supply Status hwPowerSupplyStatus uint16 Overall hardware status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Battery Status hwBatteryStatus uint16 Battery status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Disk Status hwDiskStatus uint16 Disk status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware RAID Status hwRaidStatus uint16 Hardware RAID status: 0 for Normal, 1 for Warning and 2 for Critical
Hot Spare Disk Count hwHotSpareDiskCount uint16 Number of hot spare disks
Hardware Memory Status hwMemoryStatus uint16 Memory status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Status hwPowerSupplyStatus uint16 Power supply status: 0 for Normal, 1 for Warning and 2 for Critical
Failed Power Supply Count hwFailedPowerSupplyCount uint16 Number of failed power supplies
Hardware Temp Sensor Status hwTempSensorStatus uint16 Temperature sensor status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Status hwFanStatus uint16 Fan status: 0 for Normal, 1 for Warning and 2 for Critical
Failed Fan Count hwFailedFanCount uint16 Failed fan count
Hardware Amp Status hwAmpStatus uint16 Current (Amp) status: 0 for Normal, 1 for Warning and 2 for Critical
Hardware Voltage Status hwVoltageStatus uint16 Voltage status: 0 for Normal, 1 for Warning and 2 for Critical
Storage LCC Status hwLCCStatus uint16 Hardware LCC status: 0 for Normal, 1 for Warning and 2 for Critical
Storage Link Status hwLinkStatus uint16 Hardware link status: 0 for Normal, 1 for Warning and 2 for Critical
Storage Port Status hwPortStatus uint16 Hardware port status: 0 for Normal, 1 for Warning and 2 for Critical
Relative Humidity Status hwRelHumidStatus uint16 Relative humidity status: 0 for Normal, 1 for Warning and 2 for Critical
Dew Point Status hwDewPtStatus uint16 Dew Point status: 0 for Normal, 1 for Warning and 2 for Critical
Audio Status hwAudioStatus uint16 Audio status: 0 for Normal, 1 for Warning and 2 for Critical
Air Flow Status hwAirFlowStatus uint16 Air flow status: 0 for Normal, 1 for Warning and 2 for Critical
Generic Numeric Sensor Status hwGenNumericSensorStatus uint16 Generic Numeric sensor status: 0 for Normal, 1 for Warning and 2 for Critical
Dry Contact Status hwDryContactStatus uint16 Dry Contact status: 0 for Normal, 1 for Warning and 2 for Critical
Door Switch Status hwDoorSwitchStatus uint16 Door switch status: 0 for Normal, 1 for Warning and 2 for Critical
Camera Motion Status hwCameraMotionStatus uint16 Camera motion status: 0 for Normal, 1 for Warning and 2 for Critical
Generic State Sensor Status hwGenStateSensorStatus uint16 Generic state sensor status: 0 for Normal, 1 for Warning and 2 for Critical
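
An added example, not AccelOps or FortiSIEM code: it parses a rawEventMsg string in the comma separated “[Attribute] = value” layout and checks a PH_DEV_MON_HW_STAT event against the severity rules in the table above. The sample event, its host name and its IP address are constructed, and the parser assumes that values contain no commas.

```python
import re

# Constructed sample in the "[Attribute] = value" comma separated layout the
# tables describe for rawEventMsg; it is not captured product output.
SAMPLE = ("[eventType] = PH_DEV_MON_HW_STAT, [eventSeverity] = 10, "
          "[eventSeverityCat] = Low, [hostName] = fs01, "
          "[hostIpAddr] = 192.0.2.10, [hwStatusCode] = 1, [hwFanStatus] = 7")

PAIR_RE = re.compile(r"\[(\w+)\]\s*=\s*([^,]*)")
# hwStatusCode -> eventSeverity, as stated for PH_DEV_MON_HW_STAT.
STATUS_TO_SEVERITY = {0: 0, 1: 5, 2: 10}


def parse_raw_event(raw):
    """Turn "[a] = 1, [b] = x" into {"a": "1", "b": "x"}."""
    return {name: value.strip() for name, value in PAIR_RE.findall(raw)}


def severity_category(severity):
    """Severities 0-4 map to Low, 5-8 to Medium, 9-10 to High."""
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    return "Low" if severity <= 4 else "Medium" if severity <= 8 else "High"


def check_hw_stat(raw):
    """Return a list of inconsistencies in one PH_DEV_MON_HW_STAT event."""
    event, problems, numeric = parse_raw_event(raw), [], {}
    for name in ("eventSeverity", "hwStatusCode"):
        value = event.get(name, "")
        if not value.isdecimal():
            return [f"{name} missing or not an unsigned integer: {value!r}"]
        numeric[name] = int(value)
    status, severity = numeric["hwStatusCode"], numeric["eventSeverity"]
    if status not in STATUS_TO_SEVERITY:
        return [f"hwStatusCode {status} is not 0, 1 or 2"]
    if severity != STATUS_TO_SEVERITY[status]:
        problems.append(f"eventSeverity {severity} does not match hwStatusCode {status}")
    if severity <= 10 and event.get("eventSeverityCat") != severity_category(severity):
        problems.append(f"eventSeverityCat should be {severity_category(severity)}")
    # Every per-component hw*Status attribute uses the same 0/1/2 scale.
    for name, value in event.items():
        if name.startswith("hw") and name.endswith("Status") and value not in ("0", "1", "2"):
            problems.append(f"{name} has out-of-range value {value!r}")
    return problems
```

Running `check_hw_stat(SAMPLE)` reports three problems: the severity does not follow from hwStatusCode, the category does not follow from the severity, and hwFanStatus is outside the 0 to 2 scale.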

The following table indicates sources of various hardware status events.

Device Type (Method) Overall Temp Power Supply Fan Chassis Memory Disk RAID Battery Amp Voltage LCC Storage Link Storage Port Humidity Air flow Dew Point Audio Gen Numeric Sensor Dry Contact Door Swit
Cisco IOS (SNMP) x x x x
Cisco Nx-OS (SNMP) x x
Juniper JunOS (SNMP) x x x x
Juniper SRX JunOS (SNMP) x x x x
Alcatel TiMOS (SNMP) x x x x
Alcatel AOS (SNMP) x x
Huawei VRP (SNMP)
H3C Comware (SNMP) x x
EMC Clariion (NavisecCli) x x x x x x x c
NetApp DataONTAP Filer (SNMP) x x x x x x x x x
Dell EqualLogic (SNMP) x x x x x x
F5 Big-IPOS (SNMP) x x x
Riverbed Steelhead (SNMP) x
InfoBlox NiOS (SNMP) x x x x x x
VMs on ESX (VMSDK)
Dell Servers x x x x x x x x x
HP Servers x x x x x x x x x
APC NetBotz x x x x x x x x x
Cisco UCS
HP BladeSystem x x x