FortiSIEM Custom Performance Monitors

Custom Performance Monitors

Creating a custom performance monitor involves creating a performance object that specifies the monitoring access protocol to use, maps event attributes available for that protocol to FortiSIEM event attribute types, and then associates those attributes to an event type. You can use system or user-defined device types, event attribute types, and event types when creating the performance object.

Creating a Custom Performance Monitor

Monitoring Protocol Configuration Settings

JDBC Configuration Settings

JMX Configuration Settings

SNMP Configuration Settings for Custom Performance Monitors

Importing OID Definitions from a MIB File

WMI Configuration Settings for Custom Performance Monitors

Mapping Monitoring Protocol Objects to Event Attributes

Exporting a Custom Performance Monitor

Importing a Custom Performance Monitor

Examples of Custom Performance Monitors

Custom JDBC Performance Monitor for a Custom Table

Custom JMX Monitor for IBM Websphere

Custom SNMP Monitor for D-Link HostName and SysUpTime

Custom SNMP Monitor for D-Link Interface Network Statistics

Custom WMI Monitor for Windows Domain and Physical Registry

Creating a Custom Performance Monitor

You create custom performance monitors by defining the performance object that you want to monitor, including the relationship between the performance object and FortiSIEM events and event attributes, and then associating the performance object to a device type.

Prerequisites

You should review the configuration settings for the monitoring protocols that you will use in your monitor, and be ready to provide the appropriate OIDs, classes, or database table attributes for the access protocol.

You should have created any new device/application types, event attribute types, or event types that you want to use in your performance monitor.

You should have the IP address and access credentials for a device that you can use to test the monitor.

Procedure

Creating the Performance Object and Applying it to a Device

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Click New.
  3. Enter a Name for the performance monitor.
  4. For Type, select either System or Application.
  5. For Method, select the monitoring protocol for the performance monitor.

See the topics under Monitoring Protocol Configuration Settings for more information about the configuration settings for each type of monitoring protocol.

  6. Click New next to List of Attributes, and create the mapping between the performance object and FortiSIEM event attributes. Note that the Method you select will determine the name of this mapping and the configuration options that are available. See Mapping Monitoring Protocol Objects to Event Attributes for more information.
  7. Select the Event Type that will be monitored.
  8. Enter the Polling Frequency for the monitor.
  9. Enter a Description.
  10. Click Save.
  11. In Admin > Device Support > Performance Monitoring, under Enter Device Type to Performance Object Mapping, click New.
  12. Enter a Name for the mapping.
  13. In the top pane of the dialog, select the Device Type to which you want to apply the monitor.

Whenever a device belonging to the selected device type is discovered, FortiSIEM will attempt to apply the performance monitor to it.

  14. In the bottom pane of the dialog, select the custom performance monitor.
  15. Click Save.

Testing the Performance Monitor

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor.
  3. Click Test.
  4. For IP, enter the IP address of the device that you want to use to test the monitor.
  5. Click Test.

If the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

After you have successfully tested and applied the performance monitor, you should initiate discovery of the device that it will monitor, and then make sure that the new monitor is enabled as described in Managing Monitoring of System and Application Metrics for Devices.

Monitoring Protocol Configuration Settings

These topics describe the configuration settings for monitoring protocols such as SNMP, WMI, and JDBC that are used for creating custom performance monitors.

JDBC Configuration Settings

JMX Configuration Settings

SNMP Configuration Settings for Custom Performance Monitors

Importing OID Definitions from a MIB File

WMI Configuration Settings for Custom Performance Monitors

JDBC Configuration Settings

When configuring JDBC as the access protocol for a custom performance monitor, use these settings. You may also want to review the topic Custom JDBC Performance Monitor for a Custom Table as an example of how to set up a custom performance monitor using JDBC.

Field Setting/Notes
Method JDBC
Database Type Select the type of database to connect to.
SQL Query The SQL query to execute when connecting.
List of Columns This creates the mapping between columns in the database and AccelOps event attributes. See Mapping Monitoring Protocol Objects to Event Attributes for more information.
Where Clauses This indicates whether the database table being queried has a fixed set of rows, or whether it is growing over time. An example of a growing table would be a table containing logs, in which case AccelOps keeps track of the last entry and only pulls the new ones. There are three options here:

1.  There is a fixed set of rows and all rows are needed.

Leave all options cleared.

2.  There is a fixed set of rows and a fixed number of rows are needed.

Select Fixed Records and enter the number of required rows.

3.  The table is growing and only new values are needed.

Select Retrieve all new values since last retrieve time of column, and enter the name of the column that represents time in the database. AccelOps will keep track of the largest value in this column and only pull entries greater than that value during the next polling interval.

JMX Configuration Settings

When configuring JMX as the monitoring protocol for a custom performance monitor, use these settings. You may also want to review the topic Custom JMX Monitor for IBM Websphere as an example of creating a custom JMX performance monitor.

Field Setting/Notes
Method JMX
MBean Enter the MBean interface that you want to monitor, or click the downward arrow to browse the JMX tree and select it. Note that the option you select here will determine the objects that are available when you select an Object Attribute for the List of Attributes. See the next section in this topic for information on how to find

Identifying MBean Names and Attributes for Custom Applications

This section discusses how to get MBean names and attributes for custom J2EE based applications.

  1. Launch JConsole on your workstation and connect to the application.
  2. Select the MBeans tab.
  3. Browse to the application you want to monitor, and select it.
  4. In the right pane you will see the MBeanInfo. Note the ObjectName, while the attributes for the application will be listed in the tree view.

SNMP Configuration Settings for Custom Performance Monitors

When configuring SNMP as the access protocol for a custom performance monitor, use these settings. You may also want to review the topics Custom SNMP Monitor for D-Link Interface Network Statistics and Custom SNMP Monitor for D-Link HostName and SysUpTime as examples of how to set up a custom performance monitor using SNMP.

Field Settings/Notes
Method SNMP
Parent OID The parent Object Identifier (OID) is used to optimize the number of SNMP GETs required for pulling the various individual OIDs. You can enter this directly, or click the downward arrow to select it from a MIB file. Several different MIB files are available to select from; see Importing OID Definitions from a MIB File for more information.
Parent OID is Table Select this option if the OIDs you want to monitor are in a table with at least one row. An example would be interface metrics, such as ifInOctets and ifOutOctets, since there is one value of each metric per interface.
List of OIDs The OIDs you want to monitor, mapped to AccelOps event attributes. The selection you make for Parent OID determines the options available in the OID menu when you select New.

Importing OID Definitions from a MIB File

Many devices include MIB files that you can then use to create a custom performance monitor for the device. This involves creating a configuration file based on information in the MIB file, using that file as input for the mib2xml executable, and then placing the resulting output file in the /data/mibXml directory of your Supervisor. Once placed in this directory, you can select the file from the MIB File List menu to select the parent OID, which will then also affect which OIDs you can select for the OID to event attribute mapping.

Procedure

  1. Collect the device OID files you want to use and place them in a directory where the mib2XML
  2. Create the input config file with these fields, and name it with the .cfg file designation.

See the attached alcatel.cfg file for an example.

Field Description
group This is the number of MIB file group. MIB files need to be analyzed as a group because of cross-references within them. The group attribute specifies an ID for each group and needs to be unique for every group.
mibFile The name of the MIB file being analyzed. There can be multiple entries. Be sure to specify the path to the MIB files.
vendor The name of the device vendor for the MIB file
model The model name or number for the device
evtPrefix As SNMP trap notification definitions in the MIB file are parsed, an event file is generated for each SNMP trap. This field specifies the event type prefix.
enterpriseId The enterprise ID number for this vendor, which is used for generating the SNMP trap parser

  3. Run mib2XML <filename>.cfg.
  4. Move the resulting .mib.xml file to the /data/mibXml directory of your Supervisor.

Example

In this example, a set of MIB files from an Alcatel 7×50 device are used to generate the XML output file.

  1. Sample MIB files:

TIMETRA-CHASSIS-MIB.mib

TIMETRA-GLOBAL-MIB.mib

TIMETRA-SYSTEM-MIB.mib

TIMETRA-TC-MIB.mib

  2. Information in these files, and the paths to them, are then used to create the config file alcatel.cfg.
  3. Running mib2xml alcatel.cfg generates both an output file and a MIB XML file:

alcatel.out

TIMETRA-TC-MIB.mib.xml

WMI Configuration Settings for Custom Performance Monitors

When configuring WMI as the monitoring protocol for a custom performance monitor, use these settings. You may also want to review the topic Custom WMI Monitor for Windows Domain and Physical Registry as an example of how to set up a custom performance monitor using WMI.

Field Settings
Method WMI
Parent Class WMI metrics are defined in the form of a parent class having multiple attributes. For example, the parent class Win32_ComputerSystem has the attributes Domain and TotalPhysicalMemory.
Is Table If the parent WMI class is a table with one or more rows, select this option.

Mapping Monitoring Protocol Objects to Event Attributes

When you select a monitoring protocol for your custom performance monitor, you must also establish the relationship between the objects used by that protocol and event attributes in FortiSIEM. For example, creating a performance monitor that uses SNMP to monitor a device requires that you create a mapping between the SNMP OIDs that you want to monitor and a set of event attributes. This topic describes the configuration settings that you will use to create these object-to-event attribute relationships.

Procedure

  1. When creating your custom performance monitor, after you have selected the Method, click New next to List of Attributes.

Depending on the monitoring protocol that you select, this table may be named List of OIDs (SNMP), or List of Columns (JDBC).

  2. In the first field, enter or select the monitoring protocol object that you want to map to a FortiSIEM event attribute.

Your options depend on the monitoring protocol you selected for Method.

Monitoring Protocol Field Name Settings/Notes
SNMP OID Select an MIB file from the MIB File List, and then select the OID that you want to create the mapping for.
WMI Attribute Enter an attribute of the WMI class you entered for Parent Class.
JMX Object Attribute The MBean you select determines the attributes you can select. You will also have to enter a Name and Private Key for the MBean attribute.
JDBC Column Name Enter the name of the column in the SQL Query that you are using to monitor the database.

  3. Select the Format for the object attribute.

Your options will depend on the monitoring protocol you selected for Method.

  4. For Type, select Raw Value or Counter.
  5. For Event Attribute, select the FortiSIEM event attribute that the monitoring protocol object should map to.

If you need to create a new event attribute, see Creating Event Attribute Types.

  6. Create any Transforms of the values returned for the monitoring protocol object.

See the next section for more information on how to configure transforms.

  7. Click Save when you are done creating the mappings, and then complete the configuration of your custom performance monitor.

Creating Transforms

You can use a transform to convert the value returned for your monitoring protocol object into a more physically meaningful or usable metric. You can create multiple transforms; they are evaluated in sequential order, as shown in the display table.

  1. Next to Transforms, click New.
  2. For Type, select System or Custom.
  3. For Formula, either select a system-defined transformation formula from the menu if you selected System for Type, or enter a formula if you selected Custom.
  4. Click Save.

Exporting a Custom Performance Monitor

To export a custom performance monitor, you must also export XML files for the device/app types, event attribute types, and event types it uses, and then the monitor itself.

  1. Go to Admin > Device Support > Device/App Types.
  2. Select the device/application types used in your monitor, and then click Export.
  3. Go to Admin > Device Support > Event Attribute Types.
  4. Select the event attribute types used in your monitor, and then click Export.
  5. Go to Admin > Device Support > Event Types.
  6. Select the event types used in your monitor, and then click Export.
  7. Go to Admin > Device Support > Performance Monitoring.
  8. Select the monitor, and then click Export.

Importing a Custom Performance Monitor

Importing a custom performance monitor involves importing four XML files: the XML files containing any device/app types, event attribute types, or event types that you have created for this monitor, followed by the custom performance monitor file.

  1. For each device/app type, event attribute type, or event type XML file that is required for your monitor, go to the appropriate tab in Admin > Device Support, and then click Import.
  2. Browse to the location of your XML file, and then click Upload.
  3. Go to Admin > Device Support > Performance Monitors, and then click Import.
  4. Browse to the location of your performance monitor file, and then click Upload.
  5. Follow the instructions in Creating a Custom Performance Monitor to test and apply your performance monitor.

Examples of Custom Performance Monitors

Custom JDBC Performance Monitor for a Custom Table

Custom JMX Monitor for IBM Websphere

Custom SNMP Monitor for D-Link HostName and SysUpTime

Custom SNMP Monitor for D-Link Interface Network Statistics

Custom WMI Monitor for Windows Domain and Physical Registry

Custom JDBC Performance Monitor for a Custom Table

Planning

Examining the Table Structure

Creating New Device Types, Event Attribute Types, and Event Types

Event Types

Adding New JDBC Performance Objects

Performance Object Configuration for Static Table HEALTH_STATIC_DEMO

Performance Object Configuration for Dynamic Table HEALTH_DYNAMIC_DEMO

Associating Device Types to Performance Objects

Edit Device to Performance Object

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Planning

Examining the Table Structure

For this example, consider two custom Oracle tables that you want to monitor.

  • A table called HEALTH_STATIC_DEMO that does not have a time stamp as a column. The table does not grow with time, and the HEALTH column is updated by the application.
  • A table called HEALTH_DYNAMIC_DEMO that has a time stamp in the column create_time. Only records with a more recent time stamp than previous ones have to be pulled in, and every time a new record is written, it includes a time stamp.

Creating New Device Types, Event Attribute Types, and Event Types

In this case, you only need to create two new event types to handle the contents of the two tables.

Event Types

Name Device Type Severity
PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC Generic Low
PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC Generic Low

Adding New JDBC Performance Objects

Each table requires its own performance object for monitoring.

Performance Object Configuration for Static Table HEALTH_STATIC_DEMO

Field Setting
Name jdbc_static_perfObj
Type Application
Method JDBC
Database Type Oracle Database Server
SQL Query select * from health_static_demo
List of Columns
  Column Name / Name / Format / Event Attribute
  host_name / <blank> / STRING / hostName
  health / <blank> / STRING / health
Where Clauses Not applicable, since the table doesn’t grow over time
Event Type PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency 180 seconds

Performance Object Configuration for Dynamic Table HEALTH_DYNAMIC_DEMO

Field Setting
Name jdbc_dynamic_perfObj
Type Application
Method JDBC
Database Type Oracle Database Server
SQL Query select * from health_dynamic_demo
List of Columns
  Column Name / Name / Format / Event Attribute
  host_name / <blank> / STRING / hostName
  cpu_util / <blank> / DOUBLE / cpuUtil
  mem_util / <blank> / DOUBLE / memUtil
  create_time / <blank> / STRING / createTime
Where Clauses Retrieve all new values since last retrieve time of column create_time
Event Type PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency 180 seconds
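The following is an added example (not FortiSIEM code, and not part of the original page) that models the three Where Clauses behaviours described under JDBC Configuration Settings, using the HEALTH_STATIC_DEMO and HEALTH_DYNAMIC_DEMO tables above as the worked case. An in-memory SQLite database stands in for Oracle; the rows in it are constructed. The watermark for the dynamic table is the largest create_time value seen so far, and because the constructed timestamps are ISO-formatted strings, plain string comparison orders them correctly (an assumption of this example; a real deployment would use the database's own timestamp type). Column names arrive from monitor configuration and are spliced into SQL text, so the poller validates them as bare identifiers before use and binds the watermark value as a parameter rather than concatenating it.

```python
import re
import sqlite3

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_identifier(name):
    """Column names from monitor configuration are spliced into SQL text, so they
    must be plain identifiers; anything else is rejected rather than quoted."""
    return bool(IDENT_RE.match(name))


# Column-to-event-attribute mappings, taken from the two performance objects above.
STATIC_COLUMNS = {"host_name": "hostName", "health": "health"}
DYNAMIC_COLUMNS = {"host_name": "hostName", "cpu_util": "cpuUtil",
                   "mem_util": "memUtil", "create_time": "createTime"}


def build_demo_db():
    """Constructed stand-in for the two Oracle tables (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE health_static_demo (host_name TEXT, health TEXT)")
    conn.executemany("INSERT INTO health_static_demo VALUES (?, ?)",
                     [("app-01", "OK"), ("app-02", "DEGRADED")])
    conn.execute("CREATE TABLE health_dynamic_demo "
                 "(host_name TEXT, cpu_util REAL, mem_util REAL, create_time TEXT)")
    conn.executemany("INSERT INTO health_dynamic_demo VALUES (?, ?, ?, ?)",
                     [("app-01", 12.5, 40.0, "2024-01-01 10:00:00"),
                      ("app-02", 55.0, 70.5, "2024-01-01 10:01:00")])
    conn.commit()
    return conn


class JdbcPoller:
    """One poller per performance object.

    time_column=None, fixed_records=None  -> all rows every poll (options cleared)
    fixed_records=N                       -> Fixed Records: first N rows
    time_column="create_time"             -> Retrieve all new values since last retrieve
    """

    def __init__(self, conn, query, columns, time_column=None, fixed_records=None):
        for name in list(columns) + ([time_column] if time_column else []):
            if not is_valid_identifier(name):
                raise ValueError(f"invalid column name: {name!r}")
        self.conn, self.query, self.columns = conn, query, columns
        self.time_column, self.fixed_records = time_column, fixed_records
        self.last_value = None  # largest time_column value retrieved so far

    def poll(self):
        # Wrap the configured query so a WHERE/ORDER BY can be added regardless of
        # whether the query already contains one.
        sql = f"SELECT * FROM ({self.query}) q"
        params = []
        if self.time_column:
            if self.last_value is not None:
                sql += f" WHERE {self.time_column} > ?"  # watermark bound as a parameter
                params.append(self.last_value)
            sql += f" ORDER BY {self.time_column}"
        if self.fixed_records:
            sql += " LIMIT ?"
            params.append(self.fixed_records)
        cur = self.conn.execute(sql, params)
        names = [d[0] for d in cur.description]
        events = []
        for row in cur.fetchall():
            record = dict(zip(names, row))
            # Rename database columns to the mapped event attributes.
            events.append({attr: record[col] for col, attr in self.columns.items()})
            if self.time_column:
                ts = record[self.time_column]
                if self.last_value is None or ts > self.last_value:
                    self.last_value = ts
        return events


if __name__ == "__main__":
    db = build_demo_db()
    dynamic = JdbcPoller(db, "select * from health_dynamic_demo", DYNAMIC_COLUMNS,
                         time_column="create_time")
    print(dynamic.poll())   # both rows on the first poll
    print(dynamic.poll())   # nothing new: [] (watermark unchanged)
```

Running the dynamic poller twice without inserting anything returns an empty second batch, which is the behaviour the Where Clauses option promises; a table whose time column is updated in place rather than appended to would silently miss rows, so the column chosen must be one that only ever increases.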

Associating Device Types to Performance Objects

In this example, the Oracle database runs on Microsoft Windows, so you would need to associate Microsoft Windows device types to the two performance objects. Because the discovered device type has to exactly match one of the device types in this association in order for the discovery module to initiate monitoring, you would need to add other device types, such as Linux, if you also wanted to monitor Oracle databases over JDBC on those devices.

Edit Device to Performance Object

Field Settings
Name windows_oracle_perf_association
Device Types Microsoft Windows
Microsoft Windows 7
Microsoft Windows 98
Microsoft Windows ME
Microsoft Windows NT
Microsoft Windows Server 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Perf Objects jdbc_static_perfObj(JDBC) – Default Interval:3mins
jdbc_dynamic_perfObj(JDBC) – Default Interval:3mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the database server, created the IP address to credentials mapping, and tested connectivity to the server.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Oracle database server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

  1. Create a structured historical search, and in the Filter Criteria, enter Event Type = “PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC”; Group by: [None]. This should show the entries in the HEALTH_STATIC_DEMO table.
  2. Create a structured historical search, and in the Filter Criteria, enter Event Type = “PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC”; Group by: [None]. This should show the entries in the HEALTH_DYNAMIC_DEMO table.

Custom JMX Monitor for IBM Websphere

Creating New Device Types, Event Attribute Types, and Event Types

Event Attribute Types

Event Types

Adding New IBM WebSphere Performance Objects

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD

Transform Formula for websphere_threadPCT Event Attribute

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY

Associating Device Types to Performance Objects

Edit Device to Performance Object

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

This example illustrates how to write a custom performance monitor for retrieving IBM Websphere thread, heap memory, and non-heap memory metrics.

Planning

Creating New Device Types, Event Attribute Types, and Event Types

In this case, the IBM Websphere device type is already supported by FortiSIEM, but you need to create new event attributes and event types for the metrics you want to retrieve.

Event Attribute Types

Name Display Name Value Type Display Format Type
websphere_heapPCT WebSphere HeapPct INT64  
websphere_numThreads WebSphere NumThreads INT64  
websphere_maxThreads WebSphere MaxThreads INT64  
websphere_threadPct WebSphere ThreadPct INT64  
websphere_numClass WebSphere NumClass INT64  
websphere_heapUsed WebSphere HeapUsed INT64 Bytes
websphere_heapMax WebSphere HeapMax INT64 Bytes
websphere_heapCommitted WebSphere HeapCommitted INT64 Bytes
websphere_nonHeapUsed WebSphere NonHeapUsed INT64 Bytes
websphere_nonHeapMax WebSphere NonHeapMax INT64 Bytes
websphere_nonHeapCommitted WebSphere NonHeapCommitted INT64 Bytes

Event Types

Name Device Type Severity
PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY IBM WebSphere App Server Low
PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY IBM WebSphere App Server Low
PH_DEV_MON_CUST_WEBSPHERE_THREAD IBM WebSphere App Server Low

Adding New IBM WebSphere Performance Objects

Each of the event types requires creating a performance object for monitoring.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY

Field Setting
Name websphere_heapMemory_perfObj
Type Application
Method JMX
MBean java.lang:type=Memory
List of Attributes
  Object Attribute / Private Key / Name / Format / Event Attribute
  HeapMemoryUsage / committed / committed / Long / websphere_heapCommitted
  HeapMemoryUsage / used / used / Long / websphere_heapUsed
  HeapMemoryUsage / max / max / Long / websphere_heapMax
  <blank> / <blank> / <blank> / Long / websphere_heapPCT
Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY
Polling Frequency 180 seconds

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD

For the websphere_threadPct Event Attribute, you will enter a transform as shown in the second table.

Field Setting
Name websphere_thread_perfObj
Type Application
Method JMX
MBean java.lang:type=Threading
List of Attributes
  Object Attribute / Private Key / Name / Format / Event Attribute
  ThreadCount / <blank> / ThreadCount / Long / websphere_numThreads
  PeakThreadCount / <blank> / PeakThreadCount / Long / websphere_maxThreads
  <blank> / <blank> / <blank> / Long / websphere_threadPCT
Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD
Polling Frequency 180 seconds

Transform Formula for websphere_threadPCT Event Attribute

Click New next to Transforms in the dialog to enter the formula.

Field Settings
Object Attribute <blank>
Name <blank>
Private Key <blank>
Format Long
Event Attribute websphere_threadPct
Transforms  

Type Formula
custom ThreadCount*100/PeakThreadCount
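The following is an added example (not FortiSIEM code, and not from the original page) of how a custom transform formula such as the ThreadCount*100/PeakThreadCount above, or the uptime/100 used in the D-Link example, can be evaluated against collected attribute values. It serves both the Creating Transforms procedure and this WebSphere transform. The point worth showing is that a formula stored in monitor configuration is untrusted input to the poller: the evaluator below walks the Python AST and accepts only numeric literals, attribute names, parentheses and arithmetic operators, so a formula can never call functions or reach attributes the way a bare eval() would allow. The attribute values are constructed, and the convention that a chained transform sees the previous result under the name value is an assumption of this example, not a documented FortiSIEM behaviour.

```python
import ast
import operator

# Constructed sample attribute values, standing in for what a JMX or SNMP poll
# would return; these are not values from the page.
SAMPLE_ATTRIBUTES = {
    "ThreadCount": 42,
    "PeakThreadCount": 120,
    "uptime": 8640000,  # sysUpTime in Timeticks (hundredths of a second)
}

_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def evaluate_formula(formula, attributes):
    """Evaluate an arithmetic transform formula against collected attribute values.

    Only numeric literals, attribute names, parentheses and + - * / % are accepted.
    Function calls, attribute access, subscripts and anything else are rejected, so a
    formula that arrives from monitor configuration can never execute code the way a
    plain eval() of the same string could.
    """
    tree = ast.parse(formula, mode="eval")

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in attributes:
                raise KeyError(f"unknown attribute {node.id!r}")
            return attributes[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](visit(node.left), visit(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](visit(node.operand))
        raise ValueError(f"disallowed syntax in formula: {type(node).__name__}")

    return visit(tree)


def is_safe_formula(formula):
    """True when the formula uses only the allowed arithmetic subset.

    Names do not have to resolve here; this is the check to run when a formula is
    saved, before any device has been polled.
    """
    try:
        evaluate_formula(formula, {})
    except (ValueError, SyntaxError):
        return False
    except (KeyError, ZeroDivisionError):
        return True
    return True


def apply_transforms(value, formulas, attributes):
    """Run the transforms in table order; each sees the previous result as `value`
    (that name is an assumption of this example, not a FortiSIEM convention)."""
    scope = dict(attributes)
    for formula in formulas:
        scope["value"] = value
        value = evaluate_formula(formula, scope)
    return value


if __name__ == "__main__":
    print(evaluate_formula("ThreadCount*100/PeakThreadCount", SAMPLE_ATTRIBUTES))
    print(evaluate_formula("uptime/100", SAMPLE_ATTRIBUTES))
    print(is_safe_formula("__import__('os')"))
```

A division by zero (for example PeakThreadCount reported as 0 before any thread has run) raises ZeroDivisionError from evaluate_formula; a poller should treat that as a failed sample for this attribute rather than as a failed poll of the whole MBean.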

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY

Field Setting
Name websphere_nonHeapMemory_perfObj
Type Application
Method JMX
MBean java.lang:type=Memory
List of Attributes
  Object Attribute / Private Key / Name / Format / Event Attribute
  NonHeapMemoryUsage / used / <blank> / Long / websphere_nonHeapUsed
  NonHeapMemoryUsage / committed / <blank> / Long / websphere_nonHeapCommitted
  NonHeapMemoryUsage / max / <blank> / Long / websphere_nonHeapMax
Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY
Polling Frequency 180 seconds

Associating Device Types to Performance Objects

In this example, IBM WebSphere runs on Microsoft Windows, so you would need to associate Microsoft Windows device types to the three performance objects. Because the discovered device type has to exactly match one of the device types in this association in order for the discovery module to initiate these monitors, you would need to add other device types, such as Linux, if you also wanted to monitor IBM Websphere over JMX on those devices.

Edit Device to Performance Object

Field Settings
Name windows_oracle_perf_association
Device Types Microsoft Windows
Microsoft Windows 7
Microsoft Windows 98
Microsoft Windows ME
Microsoft Windows NT
Microsoft Windows Server 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Perf Objects websphere_thread_perfObj(JMX) – Default Interval:3mins
websphere_thread_perfObj(JMX) – Default Interval:3mins
websphere_nonHeapMemory_perfObj(JMX) – Default Interval:3mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Oracle database server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Structured: Reporting IP IN <IP Range> AND Event Type CONTAIN “ph_dev_mon_cust_web”; Group by: [None]
Display Columns Event Receive Time, Reporting IP, Event
Time Last 60 Minutes
For Organizations All

Custom SNMP Monitor for D-Link HostName and SysUpTime

Although D-Link switches and routers are not supported in this release of AccelOps, you can still use the custom monitor feature to create a system uptime event that will collect basic performance metrics like hostName and SysUpTime.

Planning

Mapping SNMP OIDs to AccelOps Event Attribute Types

If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1 against the D-Link switch, you should see an output similar to this:

From these outputs you can see that if you want to create a performance monitor for D-Link switch uptime, you need to:

  1. Create a new device type, since D-Link switches are not supported in this release
  2. Create an event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain the event attribute types hostName and SysUpTime, which are already part of the AccelOps event attribute type library.
  3. Create the mapping between the SNMP OIDs and the event attributes:
    1. OID .1.3.6.1.2.1.1.5 and hostName.
    2. OID .1.3.6.1.2.1.1.3 and SysUpTime.

Creating New Device Types, Event Attribute Types, and Event Types

Device Type

Create a new device type with these attributes:

Field Setting
Vendor D-Link
Model DGS
Version Any
Device/App Group Devices > Network Devices > Router Switch
Biz Service Group <no selection>
Description D-Link Switch

Event Attribute Types and Event Types

Both sysUptime and hostName are included in the Event Attribute Types, so you only need to create a new event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain them.

Name Device Type Severity Description
PH_DEV_MON_CUST_DLINK_UPTIME D-Link DGS 0 – Low D-Link Uptime

Adding the D-Link SNMP Performance Object

In this case, you will create one performance object that will map the SNMP OIDs to the AccelOps event attribute types hostName and SysUpTime, and then associate them with the PH_DEV_MON_CUST_DLINK_UPTIME event type. When you create the SysUpTime mapping you will also add a transform to convert system uptime from centiseconds to seconds, as shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

Field Setting
Name D-LinkUptime
Type System
Method SNMP
Parent OID .1.3.6.1.2.1.1
Parent OID is Table <left cleared>
List of OIDs
  Object Attribute / Name / Format / Type / Event Attribute
  .1.3.6.1.2.1.1.5 / Host Name / String / RawValue / hostName
  .1.3.6.1.2.1.1.3 / Uptime / Timeticks / RawValue / SysUpTime
Event Type PH_DEV_MON_CUST_DLINK_UPTIME
Polling Frequency 10 seconds

Transform Formula for SysUptime Event Attribute

Type Formula
custom uptime/100

Associating Device Types to Performance Objects

In this case you would only need to make one association with the D-Link DGS device you created.

Field Settings
Name D-LinkPerfObj
Device Types  D-Link DGS
Perf Objects  D-LinkUptime(SNMP) – Default Interval:0.17mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria Structured: Reporting IP IN <IP Range> AND Event Type = “PH_DEV_MON_CUST_DLINK_UPTIME”; Group by: [None]
Display Columns Event
Time Last 10 Minutes
For Organizations All

Custom SNMP Monitor for D-Link Interface Network Statistics

This example shows how to create a custom performance monitor for network interface statistics for D-Link switches. In this case, the result is a table, with one set of metrics for each interface.

Planning

Matching SNMP OIDs to AccelOps Event Attribute Types

Creating New Device Types, Event Attributes, and Event Types

Device Type

Event Attribute Types

Event Types

Adding the D-Link SNMP Performance Object

Performance Object Configuration for Event Type PH_DEV_MON_CUST_INTF_STAT

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Writing Queries for the Performance Metrics

Planning

Matching SNMP OIDs to AccelOps Event Attribute Types

If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1 against the D-Link switch, you should see an output similar to this:

To get interface queue length (the outQLen event attribute in AccelOps), you would run snmpwalk -v 1 -c <community> <ip>

To get interface speed, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.5:

To get received bytes (the recvBitsPerSec event attribute in AccelOps), you would run snmpwalk -v 1 -c <community> <ip>

Finally, to get sent bytes (the sentBitsPerSec event attribute in AccelOps), you would run snmpwalk -v 1 -c <community> <ip>

From these outputs you can see that if you want to create a performance monitor for D-Link switch interface statistics, you need to:

  1. Create a new device type, since D-Link switches are not supported in this release.
  2. Create an event type, PH_DEV_MON_CUST_INTF_STAT, that will contain the event attribute types outQLen, recvBitsPerSec, and sentBitsPerSec, which are already part of the AccelOps event attribute library, and hostSnmpIndex and intfSpeed, which you need to create.
  3. Create the mapping between the SNMP OIDs and the event attributes:
    1. OID .1.3.6.1.2.1.2.2.1.1 and hostNameSnmpIndx
    2. OID .1.3.6.1.2.1.2.2.1.5 and intfSpeed
    3. OID .1.3.6.1.2.1.2.2.1.21 and outQLen
    4. OID .1.3.6.1.2.1.2.2.1.10 and recvBitsPerSec
    5. OID .1.3.6.1.2.1.2.2.1.16 and sentBitsPerSec

Creating New Device Types, Event Attributes, and Event Types

Device Type

Create a new device type with these attributes:

Field Setting
Vendor D-Link
Model DGS
Version Any
Device/App Group Devices > Network Devices > Router Switch
Biz Service Group <no selection>
Description D-Link Switch

Event Attribute Types

Create these event attribute types:

Name Display Name Value Type Display Format Type
hostSnmpIndex Host Interface SNMP Index INT64 <left blank>
intfSpeed Interface Speed in bits/sec INT64 <left blank>

Event Types

Create this event type:

Name Device Type Severity
PH_DEV_MON_CUST_INTF_STAT D-Link DGS Low

Adding the D-Link SNMP Performance Object

In this case, you will create one performance object that will map the SNMP OIDs to the AccelOps event attribute types, and then associate them with the PH_DEV_MON_CUST_INTF_STAT event type. When you create the recvBitsPerSec and sentBitsPerSec mappings you will also add a sequential transform that first converts the cumulative counter to a rate, and then converts bytes per second to bits per second.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_INTF_STAT

Field Setting
Name D-LinkIntfStat
Type System
Method SNMP
Parent OID .1.3.6.1.2.1.2.2.1
Parent OID is Table Selected
List of OIDs
Object Attribute Name Format Type Event Attribute
.1.3.6.1.2.1.2.2.1.1 IntfIndex INTEGER RawValue hostSnmpIndex
.1.3.6.1.2.1.2.2.1.5 intfSpeed Gauge32 RawValue intfSpeed
.1.3.6.1.2.1.2.2.1.10 recvBitsPerSec Counter32 Counter recvBitsPerSec
.1.3.6.1.2.1.2.2.1.16 sentBitsPerSec Counter32 Counter sentBitsPerSec
.1.3.6.1.2.1.2.2.1.21 outIntfQ Gauge32 RawValue outQLen

Event Type PH_DEV_MON_CUST_INTF_STAT
Polling Frequency 60 seconds

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes

Type Formula
system toRate
system BytesPerSecToBitsPerSec
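The sequential transform above (toRate, then BytesPerSecToBitsPerSec) applied to the Counter32 columns of the ifTable, as an added Python example that is not part of this guide or of FortiSIEM's code. It assumes the text format printed by snmpwalk, constructed sample walks, and a single-wrap rule for Counter32 rollover; whether FortiSIEM's own toRate handles rollover the same way is not stated on the page.

```python
# Added example, not FortiSIEM code: simulate the D-LinkIntfStat performance object.
# Constructed snmpwalk lines are parsed into one row per interface, then toRate and
# BytesPerSecToBitsPerSec are applied to the Counter32 columns across two polls.
import re

IF_TABLE = ".1.3.6.1.2.1.2.2.1"
# Column under the ifTable parent OID -> event attribute, as mapped on the page.
COLUMNS = {"1": "hostSnmpIndex", "5": "intfSpeed", "10": "recvBitsPerSec",
           "16": "sentBitsPerSec", "21": "outQLen"}
COUNTERS = {"recvBitsPerSec", "sentBitsPerSec"}  # Counter32 columns that need toRate
LINE_RE = re.compile(r"^(\.[\d.]+) = \w+: (\d+)$")

def parse_walk(text):
    """snmpwalk output -> {ifIndex: {attribute: int}} for the mapped columns only."""
    rows = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(IF_TABLE + "."):
            continue
        column, index = m.group(1)[len(IF_TABLE) + 1:].split(".", 1)
        if column in COLUMNS:
            rows.setdefault(int(index), {})[COLUMNS[column]] = int(m.group(2))
    return rows

def to_rate(prev, cur, seconds):
    """toRate: counter delta per second, tolerating a single Counter32 wrap (assumed rule)."""
    delta = cur - prev
    if delta < 0:          # the 32-bit counter rolled over between polls
        delta += 2 ** 32
    return delta / seconds

def build_events(walk_prev, walk_cur, seconds=60):
    """One PH_DEV_MON_CUST_INTF_STAT event per interface seen in both polls."""
    prev, cur = parse_walk(walk_prev), parse_walk(walk_cur)
    events = []
    for index in sorted(set(prev) & set(cur)):   # a rate needs two samples
        event = {"eventType": "PH_DEV_MON_CUST_INTF_STAT"}
        for attr, value in cur[index].items():
            if attr in COUNTERS:   # toRate, then BytesPerSecToBitsPerSec (x8)
                value = to_rate(prev[index][attr], value, seconds) * 8
            event[attr] = value
        events.append(event)
    return events

# Constructed walks 60 s apart (not from a real switch): ifInOctets on port 1 wraps past 2^32.
POLL_1 = """.1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.10.1 = Counter32: 4294964296
.1.3.6.1.2.1.2.2.1.16.1 = Counter32: 6000"""
POLL_2 = """.1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.10.1 = Counter32: 3000
.1.3.6.1.2.1.2.2.1.16.1 = Counter32: 9000"""
```

Without the wrap rule the first poll after a rollover would produce a large negative rate, which is the kind of spike worth checking for when validating a new Counter-type mapping.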

Associating Device Types to Performance Objects

In this case you would only need to make one association with the D-Link DGS device you created.

Field Settings
Name D-LinkPerfObj
Device Types  D-Link DGS
Perf Objects  D-LinkIntfStat(SNMP) – Default Interval:1mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria (Structured): Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_INTF_STAT"; Group by: Host Name, Host Interface SNMP Index
Display Columns: Host Name, Host Interface SNMP Index, MAX(Out Intf Queue), AVG(Intf Speed), AVG(Sent Bit Rate), AVG(Received Bit Rate)
Time: Last 10 Minutes
For Organizations: All

Custom WMI Monitor for Windows Domain and Physical Registry

Planning

Mapping Windows WMI Classes to FortiSIEM Event Attribute Types

If you run the command wmic -U <domain>/<user>%<pwd> //<ip> "select * from Win32_ComputerSystem" against a Windows server, you will see an output similar to this:

CLASS: Win32_ComputerSystem
AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetBootOption::SEP::AutomaticResetCapability::SEP::BootOptionOnLimit::SEP::BootOptionOnWatchDog::SEP::BootROMSupported::SEP::BootupState::SEP::Caption::SEP::ChassisBootupState::SEP::CreationClassName::SEP::CurrentTimeZone::SEP::DaylightInEffect::SEP::Description::SEP::DNSHostName::SEP::Domain::SEP::DomainRole::SEP::EnableDaylightSavingsTime::SEP::FrontPanelResetStatus::SEP::InfraredSupported::SEP::InitialLoadInfo::SEP::InstallDate::SEP::KeyboardPasswordStatus::SEP::LastLoadInfo::SEP::Manufacturer::SEP::Model::SEP::Name::SEP::NameFormat::SEP::NetworkServerModeEnabled::SEP::NumberOfLogicalProcessors::SEP::NumberOfProcessors::SEP::OEMLogoBitmap::SEP::OEMStringArray::SEP::PartOfDomain::SEP::PauseAfterReset::SEP::PCSystemType::SEP::PowerManagementCapabilities::SEP::PowerManagementSupported::SEP::PowerOnPasswordStatus::SEP::PowerState::SEP::PowerSupplyState::SEP::PrimaryOwnerContact::SEP::PrimaryOwnerName::SEP::ResetCapability::SEP::ResetCount::SEP::ResetLimit::SEP::Roles::SEP::Status::SEP::SupportContactDescription::SEP::SystemStartupDelay::SEP::SystemStartupOptions::SEP::SystemStartupSetting::SEP::SystemType::SEP::ThermalState::SEP::TotalPhysicalMemory::SEP::UserName::SEP::WakeUpType::SEP::Workgroup
1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Normal boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::-420::SEP::True::SEP::AT/AT COMPATIBLE::SEP::WIN2008-ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP::3::SEP::False::SEP::NULL::SEP::(null)::SEP::3::SEP::(null)::SEP::VMware, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP::NULL::SEP::([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome to the Virtual Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_Workstation,LM_Server,Primary_Domain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NULL::SEP::0::SEP::X86-based PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::(null)

From this output you can see that the Win32_ComputerSystem WMI class returns the two attributes you need:

  1. Domain
  2. TotalPhysicalMemory

From these outputs you can see that if you want to create a performance monitor for Windows Domain and Physical Registry, you need to:

  1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library.
  2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
    1. WMI class attribute Domain and Domain.
    2. WMI class attribute TotalPhysicalMemory (Bytes) and memTotalMB (type INT64). Because TotalPhysicalMemory returns a value in bytes, and memTotalMB is an INT64 value in megabytes, a transform is required to convert the metric.

Creating New Device Types, Event Attributes, and Event Types

Device Type

Since Microsoft Windows is supported by FortiSIEM, you don't need to create a new device type.

Event Attribute Types and Event Types

Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need to create a new event type, PH_DEV_MON_CUST_WIN_MEM, that will contain them.

Name Device Type Severity Description
PH_DEV_MON_CUST_WIN_MEM Microsoft Windows 0 – Low Windows Domain and Memory

Adding the Microsoft Windows WMI Performance Object

In this case, you will create one performance object that will map the WMI class attributes to the FortiSIEM event attribute types Domain and memTotalMB, and then associate them with the PH_DEV_MON_CUST_WIN_MEM event type. When you create the memTotalMB mapping you will also add a transform to convert the byte count to megabytes (stored as INT64), as shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WIN_MEM

Field Setting
Name WinMem
Type System
Method WMI
Parent Class Win32_ComputerSystem
Parent Class is Table <left cleared>
List of Attributes
Attribute Format Type Event Attribute
Domain String RawValue domain
TotalPhysicalMemory Integer RawValue memTotalMB

Event Type PH_DEV_MON_CUST_WIN_MEM
Polling Frequency 20 seconds

Transform Formula for TotalPhysicalMemory Event Attribute Type

Type Formula
custom TotalPhysicalMemory/1024/1024
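The WinMem mapping and transform above, as an added Python example that is not part of this guide or of FortiSIEM's code: it parses the ::SEP::-delimited wmic output format shown earlier, picks the two Win32_ComputerSystem attributes the object maps, and applies TotalPhysicalMemory/1024/1024. The sample output is constructed, and storing the result as an INT64 is assumed to truncate rather than round.

```python
# Added example, not FortiSIEM code: parse the ::SEP::-delimited wmic output, select the
# two Win32_ComputerSystem attributes the WinMem object maps, and apply the custom
# transform TotalPhysicalMemory/1024/1024 to produce a PH_DEV_MON_CUST_WIN_MEM event.
SEP = "::SEP::"

# Constructed single-row output in the wmic format shown on the page (trimmed columns).
SAMPLE_WMIC = """CLASS: Win32_ComputerSystem
Caption::SEP::Domain::SEP::Manufacturer::SEP::TotalPhysicalMemory::SEP::Workgroup
WIN2008-ADS::SEP::FortiSIEM.net::SEP::VMware, Inc.::SEP::4293496832::SEP::(null)"""

def parse_wmic(text):
    """Return {attribute: value} for a single-row wmic result, or None if malformed."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or not lines[0].startswith("CLASS: "):
        return None
    header, values = lines[1].split(SEP), lines[2].split(SEP)
    if len(header) != len(values):   # a wrapped or truncated row would misalign columns
        return None
    return dict(zip(header, values))

def to_event(text):
    """Build the PH_DEV_MON_CUST_WIN_MEM event with the page's mapping and transform."""
    row = parse_wmic(text)
    if row is None or "Domain" not in row or "TotalPhysicalMemory" not in row:
        return None
    if not row["TotalPhysicalMemory"].isdigit():   # e.g. "(null)" on a host that hides it
        return None
    return {
        "eventType": "PH_DEV_MON_CUST_WIN_MEM",
        "domain": row["Domain"],                       # String, RawValue
        # custom transform TotalPhysicalMemory/1024/1024; INT64 storage assumed to truncate
        "memTotalMB": int(row["TotalPhysicalMemory"]) // 1024 // 1024,
    }
```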

Associating Device Types to Performance Objects

In this example, you would need to associate Microsoft Windows device types to the performance object.

Edit Device to Performance Object

Field Settings
Name WinMisc
Device Types Microsoft Windows, Microsoft Windows NT, Microsoft Windows Server 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows XP
Perf Objects WinMem(WMI) – Default Interval:0.33mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select one of the performance monitors you created, and then click Test.
  3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria: Host IP = <IP> AND Event Type = "PH_DEV_MON_CUST_WIN_MEM"; Group by: [None]
Display Columns: Event Receive Time, Reporting IP, Domain, Total Memory (MB)
Time: Last 10 Minutes
For Organizations: All


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
