Configuring Applications FortiSIEM

Configuring Applications

This section describes how to configure applications for discovery and for providing information to AccelOps.

What is Discovered and Monitored

Protocol: JMX

Information discovered: Generic information: Application version, Application port

Metrics collected:

Availability metrics: Uptime, Application Server State

CPU metrics: CPU utilization

Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory

Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Load time, Avg Request Processing time

Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval

Database metrics: Web context path, Data source, Database driver, Peak active sessions, Current active sessions, Peak idle sessions, Current idle sessions

Thread pool metrics: Thread pool name, Application port, Total threads, Busy threads, Keep alive threads, Max threads, Thread priority, Thread pool daemon flag

Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Average Request Process time, Max Request Processing time, Request Rate, Request Errors

Used for: Performance Monitoring

Event Types

In CMDB > Event Types, search for “tomcat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “tomcat” in the Name column to see the reports associated with this application or device.

Configuration

JMX

  1. Add the necessary parameters to the Tomcat startup script.

Windows

Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these arguments for the JVM before the comment rem ----- Execute The Requested Command -----

Linux

Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these arguments for the JVM before the comment # ----- Execute The Requested Command -----

  2. Edit the password file jmxremote.password (the first column is the user name and the second column is the password). AccelOps only needs monitor access.

  3. In Linux, set permissions for the access and jmxremote.password files so that they are read-only and accessible only by the Tomcat operating system user.
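The three steps above can be scripted. The following is an added example, not part of the FortiSIEM guide: it creates a read-only JMX account for the collector, locks the two files down to the owner, and emits the standard com.sun.management.jmxremote JVM properties. The account name (accelops), the conf/ location of the two files, the Tomcat service account name and the use of bin/setenv.sh (which catalina.sh sources on start-up, so it is equivalent to editing catalina.sh directly) are assumptions; port 9218 is taken from the sample events further down.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. Values below are assumptions
# except the port, which matches destDevPort in the guide's sample events.
CATALINA_BASE="${CATALINA_BASE:-/tmp/catalina-example}"
JMX_PORT="${JMX_PORT:-9218}"
JMX_USER="${JMX_USER:-accelops}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"

write_jmx_files() {
    # $1 = password. The access file maps user -> role; "readonly" is the only
    # role a metrics collector needs ("monitor access" in the guide). The
    # password file holds the clear-text password, hence the owner-only mode.
    mkdir -p "$CATALINA_BASE/conf"
    printf '%s readonly\n' "$JMX_USER" > "$CATALINA_BASE/conf/jmxremote.access"
    printf '%s %s\n' "$JMX_USER" "$1" > "$CATALINA_BASE/conf/jmxremote.password"
    chmod 400 "$CATALINA_BASE/conf/jmxremote.access" "$CATALINA_BASE/conf/jmxremote.password"
    # hand the files to the Tomcat service account when it exists (it does not
    # in a scratch test run)
    if id "$TOMCAT_USER" >/dev/null 2>&1; then
        chown "$TOMCAT_USER" "$CATALINA_BASE/conf/jmxremote.access" "$CATALINA_BASE/conf/jmxremote.password"
    fi
}

jvm_args() {
    # Standard com.sun.management.jmxremote properties. The JVM refuses to start
    # if the password file is readable by anyone but its owner. ssl=false keeps
    # the example self-contained but sends the password in clear text: in
    # production set ssl=true with a keystore, or at least firewall the port
    # so only the collector can reach it.
    printf '%s' "-Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access"
}

install_setenv() {
    # Append to bin/setenv.sh instead of editing catalina.sh; catalina.sh reads
    # it before the "# ----- Execute The Requested Command -----" comment.
    mkdir -p "$CATALINA_BASE/bin"
    printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$(jvm_args)" >> "$CATALINA_BASE/bin/setenv.sh"
}

check_perms() {
    # Succeed only if both files are owner-only (mode 400 or 600).
    for f in jmxremote.access jmxremote.password; do
        p="$CATALINA_BASE/conf/$f"
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        case "$mode" in 400|600) ;; *) return 1 ;; esac
    done
    return 0
}

# Usage: JMX_EXAMPLE_RUN=1 CATALINA_BASE=/opt/tomcat sh jmx-setup.sh
if [ "${JMX_EXAMPLE_RUN:-0}" = 1 ]; then
    write_jmx_files "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    install_setenv
    check_perms && echo "JMX files ready under $CATALINA_BASE"
fi
```

After running it, `check_perms` is the test to repeat whenever the files are touched: the JVM itself only validates the password file's mode at start-up, so a later chmod would go unnoticed until the next restart.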

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Sample Event for Tomcat Metrics

<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0

<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504,[freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900,[memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896,[heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512,[nonHeapUtil]=91

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webAppName]=//localhost/host-manager,[servletName]=HTMLHostManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0,[activeSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession]=0,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs]=0,[sessionCreateRate]=0,[sessionExpireRate]=0,[webAppState]=STARTED,[processExpiresFrequency]=6,[maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[dataSource]="jdbc/postgres 1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20,[activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009,[appPort]=18009,[totalThreads]=0,[busyThreads]=0,[keepAliveThreads]=0,[maxThreads]=200,[threadPriority]=5,[threadPoolIsDaemon]=true

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache
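The events above all share one shape: a syslog header, then `[EVENT_TYPE]:` followed by comma-separated `[attribute]=value` pairs. The following added example (not from the guide) parses that shape with sed and runs a threshold check over it, the kind of logic a custom rule would apply. SAMPLE_EVENTS is constructed from the CPU and MEMORY events above, trimmed to a few attributes; the hostName and memUtil values are the guide's.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. SAMPLE_EVENTS is constructed
# from the Tomcat sample events in the guide, reduced to a few attributes.
SAMPLE_EVENTS='<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO,[hostName]=SH-WIN08R2-JMX,[appVersion]=Apache Tomcat/7.0.27,[cpuUtil]=0
<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,[hostName]=SH-WIN08R2-JMX,[memUtil]=98,[heapUtil]=37,[nonHeapUtil]=91'

event_type() {
    # The token between "java: [" and "]:" names the event type.
    printf '%s\n' "$1" | sed -n 's/^.*java: \[\([A-Z_]*\)\]:.*$/\1/p'
}

event_attr() {
    # $1 = event line, $2 = attribute name. Take everything after "[attr]=",
    # then cut at the next ",[" so values containing spaces (or even commas
    # not followed by "[") survive intact.
    printf '%s\n' "$1" | sed -n "s/^.*\[$2\]=\(.*\)$/\1/p" | sed 's/,\[.*$//'
}

over_threshold() {
    # $1 = event line, $2 = attribute, $3 = threshold. True when the attribute
    # is present and numerically >= the threshold.
    v=$(event_attr "$1" "$2")
    [ -n "$v" ] && [ "$v" -ge "$3" ]
}

scan_events() {
    # Read events one per line from stdin; for each event of type $1 whose
    # attribute $2 is >= $3, print "<hostName> <eventType> <attr>=<value>".
    while IFS= read -r line; do
        [ "$(event_type "$line")" = "$1" ] || continue
        if over_threshold "$line" "$2" "$3"; then
            printf '%s %s %s=%s\n' "$(event_attr "$line" hostName)" "$1" "$2" "$(event_attr "$line" "$2")"
        fi
    done
}

# Usage: printf '%s\n' "$SAMPLE_EVENTS" | scan_events PH_DEV_MON_TOMCAT_MEMORY memUtil 90
```

Run against the constructed sample, the memory event is reported (memUtil 98 is above 90) while the CPU event is not. Note that memUtil in the sample is host memory, not heap: heapUtil is 37 on the same line, so a rule on Tomcat memory pressure should name the attribute it actually means.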

IBM WebSphere Configuration

What is Discovered and Monitored


Protocol: HTTP / HTTP(S)

Information discovered: Generic information: Application version, Application port

Metrics collected:

Availability metrics: Uptime, Application Server State

CPU metrics: Application server instance, CPU utilization

Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory

Servlet metrics: Application name, Web application name, Servlet Name, Invocation count

Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections

Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads

Transaction metrics: Application server instance, Active Transaction, Committed Transaction, Rolled back Transaction

Authentication metrics: Application name, Application server instance, Authentication Method, Count

Used for: Performance Monitoring

Protocol: JMX

Information discovered: Generic information: Application version, Application port

Metrics collected:

Availability metrics: Uptime, Application Server State

CPU metrics: Application server instance, CPU utilization

Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk

Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors

Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections

Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads

Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions

EJB metrics: Application name, Application server instance, EJB component name

Used for: Performance Monitoring

Protocol: Syslog

Used for: Log analysis

Event Types

In CMDB > Event Types, search for “websphere” in the Description column to see the event types associated with this device.

For example, PH_DEV_MON_WEBSPHERE_CPU (from HTTPS).

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “websphere” in the Name column to see the reports associated with this device.

Configuration

HTTP(S)

Install the perfServletApp Application

  1. Log in to your WebSphere administration console.
  2. Go to Applications > Application Types > WebSphere enterprise application.
  3. Click Install.
  4. Select Remote file system and browse to {WebSphere_Home}/AppServer/installableApps/PerfServletApp.ear.
  5. Click Next.

The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation.

Configure Security for the Application

  1. Go to Security > Global Security.
  2. Select Enable application security.
  3. Go to Applications > Application Types > WebSphere Enterprise Applications.
  4. Select perfServletApp.
  5. Click Security role to user/group mapping.
  6. Click Map Users/Groups.
  7. Use the Search feature to find and select the AccelOps user you want to provide with access to the application.
  8. Click Map Special Subjects.
  9. Select All Authenticated in Application’s Realm.
  10. Click OK.

Start the Application

  1. Go to Applications > Application Types > WebSphere enterprise application.
  2. Select perfServletApp.
  3. Click Start.
  4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet.
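Step 4 only confirms the servlet answers; it does not confirm that the security mapping from the previous procedure is enforced. The following added example (not from the guide) probes the same URL twice, once anonymously and once with the monitoring account, and classifies the outcome. Host, port and the account are assumptions; the path is the default context root named above, and the check for a PerformanceMonitor root element assumes the PerfServlet's XML output format. Because the guide maps All Authenticated in Application’s Realm, "secured" here means a login is required, not that only the AccelOps account can read the metrics.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. Host, port and credentials are
# assumptions; override them in the environment.
WAS_HOST="${WAS_HOST:-127.0.0.1}"
WAS_PORT="${WAS_PORT:-9080}"
WAS_USER="${WAS_USER:-accelops}"
WAS_PASS="${WAS_PASS:-change-me}"

perfservlet_url() {
    # Default context root /wasPerfTool from the installation procedure.
    printf 'http://%s:%s/wasPerfTool/servlet/perfservlet\n' "$WAS_HOST" "$WAS_PORT"
}

classify() {
    # $1 = HTTP status, $2 = yes/no (credentials sent), $3 = start of the body.
    case "$2:$1" in
        no:401|no:403) echo "secured" ;;   # anonymous request rejected: expected
        no:200)        echo "open" ;;      # anyone can read metrics: mapping missing
        yes:200)
            # the PerfServlet XML document has a PerformanceMonitor root element
            case "$3" in *PerformanceMonitor*) echo "ok" ;; *) echo "unexpected-body" ;; esac ;;
        yes:401|yes:403) echo "denied" ;;  # account not mapped to the servlet's role
        *)             echo "error" ;;     # 000 = no TCP connection, 5xx, etc.
    esac
}

probe() {
    # $1 = yes/no: send the monitoring account's credentials or not.
    # Prints the classification for that request.
    tmp=$(mktemp)
    if [ "$1" = yes ]; then
        status=$(curl -s -o "$tmp" -w '%{http_code}' -u "$WAS_USER:$WAS_PASS" "$(perfservlet_url)") || status=000
    else
        status=$(curl -s -o "$tmp" -w '%{http_code}' "$(perfservlet_url)") || status=000
    fi
    classify "$status" "$1" "$(head -c 4096 "$tmp")"
    rm -f "$tmp"
}

# Usage: WAS_HOST=was01 WAS_PASS='...' sh perfservlet-check.sh
# Expected on a correctly configured server: "anonymous: secured", "account: ok".
if [ "${PERFSERVLET_CHECK_RUN:-0}" = 1 ]; then
    echo "anonymous: $(probe no)"
    echo "account:   $(probe yes)"
fi
```

An "open" result means the Enable application security step did not take effect (it needs a server restart) or the role mapping was skipped; "denied" with the account means the user was not found in step 7 or the mapping was not saved.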

JMX

Configuring the Default JMX Port

By default, your WebSphere application server uses port 8880 for JMX. You can change this by logging in to your application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ADDRESS. The JMX username and password are the same credentials used to log in to the console.

To configure JMX communications between your WebSphere application server and AccelOps, you need to copy several files from your application server to the WebSphere configuration directory of each AccelOps virtual appliance that will be used for discovery and performance monitoring jobs. AccelOps does not include these files because of licensing restrictions.

  1. Copy these files to the directory /opt/phoenix/config/websphere/ for each Supervisor, Worker, and Collector in your AccelOps deployment.

     Client Jars:
       a. ${WebSphere_Home}/AppServer/runtimes/com.ibm.ws.admin.client.jar
       b. ${WebSphere_Home}/AppServer/plugins/com.ibm.ws.security.crypto.jar

     SSL files:
       a. ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientKeyFile.jks
       b. ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientTrustFile.jks

  2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java for each Supervisor, Worker, and Collector in your AccelOps deployment.
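The two steps above are repeated on every Supervisor, Worker and Collector, so they are worth scripting with a verification pass. The following is an added example, not from the guide or from AccelOps: it stages the four files from the table into the configuration directory, byte-compares each copy against its source, and checks that a Java binary is present at the JDK location. The WebSphere home, profile name and destination default to assumed values; the relative file paths are the guide's. If a hardened profile has replaced the Dummy* keystores with its own, adjust required_files accordingly.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. WEBSPHERE_HOME, PROFILE_NAME
# and DEST are assumptions; the relative paths come from the guide's table.
WEBSPHERE_HOME="${WEBSPHERE_HOME:-/opt/IBM/WebSphere}"
PROFILE_NAME="${PROFILE_NAME:-AppSrv01}"
DEST="${DEST:-/opt/phoenix/config/websphere}"

required_files() {
    # Paths relative to ${WebSphere_Home}: two client jars, two SSL keystores.
    cat <<EOF
AppServer/runtimes/com.ibm.ws.admin.client.jar
AppServer/plugins/com.ibm.ws.security.crypto.jar
AppServer/profiles/$PROFILE_NAME/etc/DummyClientKeyFile.jks
AppServer/profiles/$PROFILE_NAME/etc/DummyClientTrustFile.jks
EOF
}

stage_files() {
    # Copy each file into DEST (flat, as the guide's single directory implies).
    # A missing source aborts the pipeline subshell, so the function fails.
    mkdir -p "$DEST"
    required_files | while read -r rel; do
        src="$WEBSPHERE_HOME/$rel"
        [ -f "$src" ] || { echo "missing: $src" >&2; exit 1; }
        cp "$src" "$DEST/$(basename "$rel")"
    done
}

verify_staged() {
    # Byte-compare every staged copy against its source; fail on any mismatch
    # or missing copy. Re-run this after patching WebSphere, since the jars
    # must match the server version. (Paths are split on whitespace, so the
    # profile name is assumed to contain none.)
    status=0
    for rel in $(required_files); do
        cmp -s "$WEBSPHERE_HOME/$rel" "$DEST/$(basename "$rel")" || status=1
    done
    return $status
}

java_ready() {
    # The guide requires IBM JDK 1.6+ under DEST/java; check for a runnable binary.
    [ -x "$DEST/java/bin/java" ]
}

# Usage: WEBSPHERE_HOME=/opt/IBM/WebSphere PROFILE_NAME=AppSrv01 sh stage-was.sh
if [ "${STAGE_WAS_RUN:-0}" = 1 ]; then
    stage_files && verify_staged && echo "client files staged in $DEST"
    java_ready || echo "no JDK under $DEST/java yet" >&2
fi
```

Run it once per appliance; a failing `verify_staged` on one Collector is the usual cause of WebSphere discovery working from the Supervisor but not from that Collector.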

You can now configure AccelOps to communicate with your IBM Websphere device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
