FortiSIEM Web Server Configuration

Web Server Configuration

AccelOps supports these web servers for discovery and monitoring.

Apache Web Server Configuration

Microsoft IIS for Windows 2000 and 2003 Configuration

Microsoft IIS for Windows 2008 Configuration Nginx Web Server Configuration

Apache Web Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

HTTPS

Syslog

Define the Apache Log Format

Apache Syslog Log Format

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Application type Process level metrics: CPU utilization, Memory utilization Performance

Monitoring

HTTP(S) via the mod-status module   Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers Performance

Monitoring

Syslog Application type W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP

Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “apache” in the Device Type and Description column to see the event types associated with this device.

Rules here are no predefined rules for this device.

Reports

In Analytics > Reports, search for “apache” in the Name column to see the reports associated with this device. Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

HTTPS

To communicate with AccelOps over HTTPS, you need to configure the mod_status module in your Apache web server.

  1. Log in to your web server as an administrator.
  2. Open the configuration file /etc/Httpd.conf.
  3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
  4. If you are using authentication, you will have to add user authentication credentials.
    1. Go to /etc/httpd, and if necessary, create an account
    2. In the account directory, create two files, users and groups.
    3. In the groups file, enter admin:admin.
    4. Create a password for the admin user.
  5. Reload Apache.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Install and configure Epilog application to send syslog to AccelOps

  1. Download Epilog from Epilog download site and install it on your Windows Server.
  2. For Windows, launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows
  3. For Linux, type http://<yourApacheServerIp>:6162
  4. Configure Epilog application as follows
    1. Go to Log Configuration. Click Add button and add the following log files to be sent to AccelOps

/etc/httpd/logs/access_log /etc/httpd/logs/ssl_access_log

  1. Go to Network Configuration
    1. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
    2. Set 514 in Destination Port text area
  • Click Change Configuration to save the configuration
  1. Apply the Latest Audit Configuration. Apache logs will now sent to AccelOps in real time.

Define the Apache Log Format

You need to define the format of the logs that Apache will send to AccelOps.

  1. Open the file /etc/httpd/conf.d/ssl.conf for editing.

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog

192.168.20.35 – – [17/Sep/2009:13:27:37 -0700] “GET

/icons/apache_pb2.gif HTTP/1.1” 200 2414 “http://192.168.0.30/”

“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)”

<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info]

192.168.20.38 – – [04/Mar/2010:16:35:21 -0800] “GET /bugzilla-3.0.4/ HTTP/1.1” 200 10791 “-” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6”

<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info]

192.168.20.38 – – [04/Mar/2010:16:35:21 -0800] “GET /bugzilla-3.0.4/ HTTP/1.1” 200 10791 “-” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6”

Microsoft IIS for Windows 2000 and 2003 Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample IIS Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Application type Process level metrics: CPU utilization, memory utilization Performance

Monitoring

WMI Application type, service mappings Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O

IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors

Performance

Monitoring

Syslog Application type W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP

Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “microsoft is” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.