FortiSIEM Unified Communication Server Configuration

Unified Communication Server Configuration

AccelOps supports these VoIP servers for discovery and monitoring.

Avaya Call Manager Configuration

Cisco Call Manager Configuration

Cisco Contact Center Configuration

Cisco Presence Server Configuration

Cisco Tandberg Telepresence Video Communication Server (VCS) Configuration

Cisco Telepresence Multipoint Control Unit (MCU) Configuration

Cisco Telepresence Video Communication Server Configuration

Cisco Unity Connection Configuration


Avaya Call Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SFTP

Configure AccelOps to Receive CDR Records from Avaya Call Manager

Configure Avaya Call Manager to Send CDR Records to AccelOps

Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, Interface utilization | Performance Monitoring
SFTP | | Call Description Records (CDR): Calling Phone IP, Called Phone IP, Call Duration | Performance and Availability Monitoring

Event Types

Avaya-CM-CDR: Avaya CDR Records

Rules

None

Reports

None.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Avaya Call Manager

  1. Log in to your AccelOps virtual appliance as root over SSH.
  2. Change the directory.
  3. Create an FTP account for user ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password is reused, and you will see a Success message when the definition is created.
  4. The CDR records do not have field definitions, only values. Field definitions are needed to interpret the values correctly. Make sure that the CDR field definitions match the default ones supplied by AccelOps in /opt/phoenix/config/AvayaCDRConfig.csv. AccelOps interprets the CDR record fields according to the field definitions in that file and generates events like the following.

Wed Feb  4 14:37:41 2015 1.2.3.4 AccelOps-FileLog-AvayaCM [Time of day-hours]="11" [Time of day-minutes]="36" [Duration-hours]="0" [Duration-minutes]="00" [Duration-tenths of minutes]="5" [Condition code]="9" [Dialed number]="5908" [Calling number]="2565522011" [FRL]="5" [Incoming circuit ID]="001" [Feature flag]="0" [Attendant console]="8" [Incoming TAC]="01 1" [INS]="0" [IXC]="00" [Packet count]="12" [TSC flag]="1"

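The step above says that a raw Avaya CDR record carries values only, and that AccelOps labels those values by position using the field definitions in /opt/phoenix/config/AvayaCDRConfig.csv. The following Python is an added illustration of that interpretation step, not AccelOps code: it slices a constructed fixed-width record with a constructed definition list, refuses to label fields when the definitions do not fit the record (the mismatch the step warns about), and renders and re-parses the [name]="value" event body shown above. The name,offset,length layout of the definition CSV is an assumption made here; the page does not document the real file's format.

```python
"""Added example (not AccelOps code): interpreting a values-only Avaya CDR
record with a field-definition list, the way the page says AccelOps applies
/opt/phoenix/config/AvayaCDRConfig.csv, then rendering and parsing the
AccelOps-FileLog-AvayaCM event body.

Assumption (not from the page): the definition CSV is modelled as
"field name,offset,length" rows describing a fixed-width record.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

FieldDef = Tuple[str, int, int]  # (field name, zero-based offset, length)

# Constructed field definitions, in the order of the sample event on the page.
FIELD_DEFS_CSV = """\
Time of day-hours,0,2
Time of day-minutes,2,2
Duration-hours,4,1
Duration-minutes,5,2
Duration-tenths of minutes,7,1
Condition code,8,1
Dialed number,9,15
Calling number,24,15
FRL,39,1
Incoming circuit ID,40,3
Feature flag,43,1
Attendant console,44,1
Incoming TAC,45,4
INS,49,1
IXC,50,2
Packet count,52,3
TSC flag,55,1
"""

# Constructed fixed-width record: values only, no field names, as the page
# describes.  Built by concatenation so the padding is visible.
RAW_RECORD = (
    "11" "36" "0" "00" "5" "9"
    + "5908".ljust(15)
    + "2565522011".ljust(15)
    + "5" "001" "0" "8" "01 1" "0" "00"
    + "12".rjust(3)
    + "1"
)

EVENT_FIELD_RE = re.compile(r'\[([^\]]+)\]="([^"]*)"')


def load_field_defs(csv_text: str) -> List[FieldDef]:
    """Parse the assumed name,offset,length definition rows."""
    defs: List[FieldDef] = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        name, offset, length = row
        defs.append((name, int(offset), int(length)))
    return defs


def parse_cdr(record: str, defs: List[FieldDef]) -> Dict[str, str]:
    """Slice one raw record into named fields.

    A definition that reaches past the end of the record means the definitions
    and the CDR format do not match; fail loudly rather than emit mislabelled
    values that a rule or report would silently trust.
    """
    fields: Dict[str, str] = {}
    for name, offset, length in defs:
        if offset + length > len(record):
            raise ValueError(
                f"field {name!r} needs characters {offset}-{offset + length - 1} "
                f"but the record is only {len(record)} characters long"
            )
        fields[name] = record[offset:offset + length].strip()
    return fields


def render_event(fields: Dict[str, str]) -> str:
    """Render fields in the [name]="value" form used by the sample event."""
    return " ".join(f'[{name}]="{value}"' for name, value in fields.items())


def parse_event(body: str) -> Dict[str, str]:
    """Inverse of render_event: what a downstream parser recovers."""
    return {name: value for name, value in EVENT_FIELD_RE.findall(body)}


if __name__ == "__main__":
    parsed = parse_cdr(RAW_RECORD, load_field_defs(FIELD_DEFS_CSV))
    print(render_event(parsed))
```

Running the block prints an event body that matches the sample above from [Time of day-hours]="11" through [TSC flag]="1"; shortening the record or shifting one offset in the definitions raises a ValueError instead of producing a plausible-looking event with the wrong numbers under the wrong labels, which is the failure mode the step is guarding against.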
Configure Avaya Call Manager to Send CDR Records to AccelOps

  1. Log in to Avaya Call Manager.
  2. Send CDR records to AccelOps by using this information:

Field | Value
Host Name/IP Address | <AccelOps IP address>
User Name | ftpuser
Password | <The password you created for ftpuser>
Protocol | SFTP
Directory Path | /opt/phoenix/cache/avayaCM/<call-manager-ip>


Cisco Call Manager Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count; Per process: CPU utilization, Memory utilization | Performance Monitoring
SNMP | VoIP phones and registration status | Call Manager metrics (listed below) | Availability Monitoring
WMI (for Windows-based Call Managers) | Application type, service mappings | Process level metrics, per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring
SFTP | | Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration; Call Management Records (CMR): Latency, Jitter, MOS Score (current, average, min, max) for each call in the CDR | Performance and Availability Monitoring
Syslog | | Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT) |

Call Manager metrics collected over SNMP, with the AccelOps event types that carry them:

Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count, broken down by Registered/Unregistered/Rejected status (AccelOps Event Type: PH_DEV_MON_CCM_GLOBAL_INFO)

SIP Trunk Info: Trunk end point, description, status (AccelOps Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT)

SIP Trunk Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK)

Gateway Status Info: Gateway name, Gateway IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_GW_STAT)

Gateway Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW)

H323 Device Info: H323 Device name, H323 Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_H323_STAT)

H323 Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323)

Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_VM_STAT)

Voice Mail Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_VM_STAT_CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM)

Media Device Info: Media Device name, Media Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_MEDIA_STAT)

Media Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_MEDIA_STAT_CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA)

Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (AccelOps Event Type: PH_DEV_MON_CCM_CTI_STAT)

CTI Device Status Change, Addition, Deletion (AccelOps Event Types: PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI)

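The table above lists, for each Call Manager device class, a status event plus separate addition, deletion and (for all classes except SIP trunks) status-change event types. Those three kinds of events are what falls out of comparing one SNMP poll of a device table with the previous one. The Python below is an added illustration of that comparison, not AccelOps code and not a description of how AccelOps implements it: the event-type names are the page's, while the snapshot format, the functions and the two sample gateway polls are constructed here.

```python
"""Added example (not AccelOps code): deriving the addition, deletion and
status-change event types listed on the page from two successive polls of a
Call Manager device table, plus the per-status counts that the page says
PH_DEV_MON_CCM_GLOBAL_INFO breaks devices down by.

The snapshot format, functions and sample data are constructed here.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]       # device identifier -> status, from one poll
Event = Tuple[str, str, str]    # (event type, device identifier, detail)

# Per device class: (addition event, deletion event, status-change event).
# The page lists no status-change event for SIP trunks, hence None there.
EVENT_TYPES: Dict[str, Tuple[str, str, Optional[str]]] = {
    "sip_trunk": ("PH_DEV_MON_CCM_NEW_SIP_TRUNK", "PH_DEV_MON_CCM_DEL_SIP_TRUNK", None),
    "gateway": ("PH_DEV_MON_CCM_NEW_GW", "PH_DEV_MON_CCM_DEL_GW", "PH_DEV_MON_CCM_GW_STAT_CHANGE"),
    "h323": ("PH_DEV_MON_CCM_NEW_H323", "PH_DEV_MON_CCM_DEL_H323", "PH_DEV_MON_CCM_H323_STAT_CHANGE"),
    "voice_mail": ("PH_DEV_MON_CCM_NEW_VM", "PH_DEV_MON_CCM_DEL_VM", "PH_DEV_MON_CCM_VM_STAT_CHANGE"),
    "media": ("PH_DEV_MON_CCM_NEW_MEDIA", "PH_DEV_MON_CCM_DEL_MEDIA", "PH_DEV_MON_CCM_MEDIA_STAT_CHANGE"),
    "cti": ("PH_DEV_MON_CCM_NEW_CTI", "PH_DEV_MON_CCM_DEL_CTI", "PH_DEV_MON_CCM_CTI_STAT_CHANGE"),
}

# Registration states the page says the Global Info counts are broken down by.
STATUSES = ("Registered", "Unregistered", "Rejected")


def diff_polls(device_class: str, previous: Snapshot, current: Snapshot) -> List[Event]:
    """Compare two polls and return the events the change would produce.

    Deletions come first, then additions, then status changes, each sorted by
    device identifier so that the output is deterministic and easy to assert on.
    """
    new_type, del_type, change_type = EVENT_TYPES[device_class]
    events: List[Event] = []
    for device in sorted(previous.keys() - current.keys()):
        events.append((del_type, device, f"last status {previous[device]}"))
    for device in sorted(current.keys() - previous.keys()):
        events.append((new_type, device, f"status {current[device]}"))
    if change_type is not None:
        for device in sorted(previous.keys() & current.keys()):
            if previous[device] != current[device]:
                events.append((change_type, device, f"{previous[device]} -> {current[device]}"))
    return events


def registration_counts(current: Snapshot) -> Dict[str, int]:
    """Per-status counts for one device class, as carried by PH_DEV_MON_CCM_GLOBAL_INFO."""
    counts = Counter(current.values())
    return {status: counts.get(status, 0) for status in STATUSES}


# Constructed sample: two consecutive gateway polls.
PREVIOUS_GATEWAYS: Snapshot = {
    "gw-hq-1": "Registered",
    "gw-branch-2": "Registered",
    "gw-old": "Unregistered",
}
CURRENT_GATEWAYS: Snapshot = {
    "gw-hq-1": "Registered",
    "gw-branch-2": "Rejected",
    "gw-new": "Registered",
}

if __name__ == "__main__":
    for event_type, device, detail in diff_polls("gateway", PREVIOUS_GATEWAYS, CURRENT_GATEWAYS):
        print(f"{event_type} {device}: {detail}")
    print(registration_counts(CURRENT_GATEWAYS))
```

With the sample polls the block reports one PH_DEV_MON_CCM_DEL_GW (gw-old), one PH_DEV_MON_CCM_NEW_GW (gw-new) and one PH_DEV_MON_CCM_GW_STAT_CHANGE (gw-branch-2, Registered to Rejected). A gateway that flips to Rejected, or one that appears in the table that nobody provisioned, is exactly the kind of transition the rules found under Analytics > Rules for "cisco call manager" key on, so keeping the previous snapshot is what turns a plain status poll into something alertable.
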
Event Types

In CMDB > Event Types, search for “cisco_uc” and “cisco_uc_rtmt” in the Display Name column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco call manager” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

WMI (for Call Manager installed under Windows)

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Defaults.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile, depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Cisco Call Manager

  1. Log in to your AccelOps virtual appliance as root over SSH.
  2. Change the directory.

This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password is reused, and you will see a Success message when the definition is created.

  3. Switch user to admin by issuing "su - admin".
  4. Modify the phoenix_config.txt entry.
  5. Restart phParser by issuing "killall -9 phParser".

Configure Cisco Call Manager to Send CDR Records to AccelOps

  1. Log in to Cisco Call Manager.
  2. Go to Tools > CDR Management Configuration. The CDR Management Configuration window opens.
  3. Click Add New.
  4. Enter this information:

Field | Value
Host Name/IP Address | <AccelOps IP address>
User Name | ftpuser
Password | <The password you created for ftpuser>
Protocol | SFTP
Directory Path | /opt/phoenix/cache/ccm/<call-manager-ip>

  5. Click Save.


Cisco Contact Center Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

In Analytics > Rules, search for “cisco contact center” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Cisco Presence Server Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Cisco Tandberg Telepresence Video Communication Server (VCS) Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.


Cisco Telepresence Multipoint Control Unit (MCU) Configuration

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of this device.

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, Interface utilization | Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco telepresence” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Telepresence Video Communication Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

What is Discovered and Monitored

Protocol | Logs parsed | Used for
Syslog | Call attempts, Call rejects, Media stats, Request, response, Search | Log Analysis

Event Types

In CMDB > Event Types, search for “Cisco-TVCS” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Cisco Unity Connection Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization | Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco unity” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco unity” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.



This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
