Configuring Servers

AccelOps supports these servers for discovery and monitoring.

HP UX Server Configuration

IBM AIX Server Configuration

IBM OS400 Server Configuration

Linux Server Configuration

Microsoft Windows Server Configuration Sun Solaris Server Configuration

HP UX Server Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)	Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down	Performance Monitoring
SSH	Hardware (cpu details, memory)	Memory paging rate, Disk I/O utilization	Performance Monitoring
Syslog	Vendor, Model	General logs including Authentication Success/Failure, Privileged logons, User/Group Modification	Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “hp_ux” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “hp_ux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

1. Make sure that snmp libraries are installed. Accelops has been tested to work with the default HP UX package that comes with snmpd preinstalled.
2. Start snmpd deamon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat AccelOps will use that user account to login to the server.

Settings for Access Credentials

IBM AIX Server Configuration

SSH

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)	Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down	Performance Monitoring
SSH	Hardware (cpu details, memory)	Memory paging rate, Disk I/O utilization	Performance Monitoring
Syslog	Vendor, Model	General logs including Authentication Success/Failure, Privileged logons, User/Group Modification	Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “ibm_aix” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

1. Make sure that snmp libraries are installed. Accelops has been tested to work with the default AIX package that comes with snmpd preinstalled.
2. Start snmpd deamon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat AccelOps will use that user account to log in to the server.

Syslog

1. Makes sure that /etc/syslog.conf contains a *.* entry and points to a log file.

. @<SENSORIPADDRESS>

 

2. Refresh syslogd.

# refresh -s syslogd

Settings for Access Credentials

IBM OS400 Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed IBM OS400 Syslog Messages

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
Syslog		General logs including Authentication Success/Failure, Privileged logons, User/Group Modification	Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “os400” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps parses IBM OS 400 logs received via the PowerTech Agent as described here. The PowerTech agent sends syslogs to AccelOps. Sample Parsed IBM OS400 Syslog Messages

Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File

Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst

=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR

:025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN

*FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023

/home/BRENDAN/subfolder

Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File

Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst

=10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR

:025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN

*FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025

/home/BRENDAN/BoardReport

Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL:

ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033

/QSYS.LIB/PAYROLL.LIB/NEVADA.FILE

Linux Server Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)	Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down	Performance Monitoring
SSH	OS type, Hardware (cpu details, memory)	Memory paging rate, Disk I/O utilization	Performance Monitoring
Syslog	Vendor, Model	General logs including Authentication Success/Failure, Privileged logons, User/Group Modification	Security Monitoring and Compliance
Syslog (via AccelOps LinuxFileMon agent)		File or directory change: User, Type of change, directory or file name	Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “linux” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “linux” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “linux” in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c

1. Make sure that snmp libraries are installed. AccelOps has been tested to work with net-snmp libraries.
2. Log in to your server with administrative access.
3. Make these modifications to the /etc/snmp/snmpd.conf file:
   1. Define the community string for AccelOps usage and permit snmp access from AccelOps IP.
   2. Allow AccelOps read-only access to the mib-2
   3. Allow Accelops read-only access to the enterprise MIB: UCD-SNMP-MIB.
   4. Open up the entire tree for read-only view.
4. Reduce the logging level to avoid per connection logging which may cause resource issues (see here for more details)
   1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu)
   2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like

 

1. Change the range from 0-6 to 0-5

 

 

5. Restart the snmpd deamon by issuing /etc/init.d/snmpd restart.
6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
7. Make sure that snmpd is running.

SNMP v3

Configuring rwcommunity/rocommunity or com2sec

1. Log in to your Linux server.
2. Stop SNMP.
3. Use vi to edit the /etc/snmp/snmpd.conf

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so the snap daemon has correct credentials.

4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <> tags: rouser <snmpv3user>.
5. Save the file.
6. Use vi to edit the /var/lib/snmp/snmpd.conf

Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly.

7. At the end of the file, add this line, entering the username you entered in step 4, and then passwords for that user for MD5 and DES.

If you want to use SHA or AES, then add those credentials as well.

8. Save the file.
9. Reduce the logging level to avoid per connection logging which may cause resource issues (see here for more details)
   1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu)
   2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like

 

1. Change the range from 0-6 to 0-5

 

 

10. Restart SNMP.
11. View the contents of the /var/lib/snmp/snmpd.conf

If this works, restarting snmpd will have no errors, also the entry that you created under /var/lib/snmp/snmpd.conf will be removed

12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3des password> .

You will see your snmpwalk if this works, if there are any errors after this please reference net-snmp for further instructions.

Configuring net-smnp-devel

If you havenet-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3.

1. Stop SNMP.
2. Run net-snmp-config –create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5

<SNMPUSERNAME>.

3. Restart SNMP.
4. Test by following step 10 from above.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat AccelOps will use that user account to log in to the server.

Syslog

AccelOps uses the LinuxFileMon monitoring agent to detect user activity and create syslogs. When a change as defined in the configuration file is detected, the agent gets the user information from the Audit module and sends a syslog to AccelOps. You will need to install the agent on your Linux server to send syslogs to AccelOps.

1. Log in to your server as root.
2. Install the audit service.

This is needed for obtaining user information. For more information about Linux audit files, see this blog post.

4. Copy the LinuxFileMon executable from the AccelOps /opt/phoenix/bin directory to any location on the server.

This is the agent that monitors the file changes.

5. Edit the LinuxFileMon configuration file conf as shown here.

The file should be in the same directory as the executable.

6. Start the LinuxFileMon agent.

Sample Parsed Linux Syslog Message

Settings for Access Credentials

Microsoft Windows Server Configuration

What is Discovered and Monitored

Configuration

Setting Access Credentials

What is Discovered and Monitored

Metrics in bold are unique to Microsoft Windows Server monitoring.

Installed Software Monitored via SNMP

Although information about installed software is available via both SNMP and WMI, AccelOps uses SNMP to obtain installed software information to avoid an issue in Microsoft’s WMI implementation for the Win32_Product WMI class – see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.

Winexe execution and its effect

AccelOps uses the winexe command during discovery and monitoring of Windows servers for the following purposes

1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary)
2. HyperV Performance Monitoring
3. Windows Custom performance monitoring – to run a command (e.g. powershell) remotely on windows systems Note that running the winexe command remotely will automatically install the winexesvc command on the windows server.

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, i nstalled software, running processes, open TCP/UDP ports)	Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down,	Performance Monitoring
SNMP	vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell	Hardware module status – fan, power supply, thermal status, battery, disk, memory . Currently supported vendors include HP and Dell
WMI	Win32_ComputerSystem: Host name, OS Win32_WindowsProductActivation: OS Serial Number Win32_OperatingSystem: Memory, Uptime Win32_BIOS: Bios Win32_Processor: CPU Win32_LogicalDisk: Disk info Win32_NetworkAdapterConfiguration: network interface Win32_Service: Services Win32_Process: Running processes Win32_QuickFixEngineering: Installed Patches	Win32_OperatingSystem: Uptime Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics Win32_LogicalDisk: Disk space utilization Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization Win32_Service: Running process uptime, start/stop status Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization	Performance Monitoring
WMI		Security, Application and System Event Logs  including logon, file/folder edits, network traffic (Win32_NTLogEvent)	Security and Compliance
Snare agent		Security, Application and System Event Logs  including logon, file/folder edits, network traffic (Win32_NTLogEvent)	Security and Compliance
Correlog agent		Security, Application and System Event Logs ncluding logon, file/folder edits, network traffic (Win32_NTLogEvent)	Security and Compliance
AccelOps Agent		Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring	Security and Compliance

Supported Operating Systems

Windows Server 2003 Server

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Event Types

In CMDB > Event Types, search for “windows server” in the Description column to see the event types associated with this application or device.

Rules

In Analytics > Rules, search for “windows server”in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “windows server” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Windows Server Syslog

Configuring the Security Audit Logging Policy

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by AccelOps.

1. Log in the machine where you want to configure the policy as an administrator.
2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies and select Audit Policy.

You will see the current security audit settings.

4. Selet a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

Policy	Description	Settings
Audit account logon events and Audit logon events	For auditing logon activity	Select Su ccess and Failure
Audit object access events	For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, C onfiguring the File Auditing Policy.	Select Su ccess and Failure
Audit system events	Includes system up/down messages

Configuring the File Auditing Policy

When you enable the policy to audit object access events, you also need to specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.

1. Log in the machine where you want to set the policy with administrator privileges. On a domain computer, a Domain administrator account is needed
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
3. In the Security tab, click Advanced.
4. Select the Auditing tab, and then click Add.

This button is labeled Edit in Windows 2008.

5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
6. Click OK when you are done adding users.
7. In the Permissions tab, set the permissions for each user you added.

The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or fold ers for which you set the audit policies.

Setting Access Credentials

 

 

Sun Solaris Server Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)	Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down	Performance Monitoring
SSH	Hardware (cpu details, memory)	Memory paging rate, Disk I/O utilization	Performance Monitoring
Syslog	Vendor, Model	General logs including Authentication Success/Failure, Privileged logons, User/Group Modification	Security Monitoring and Compliance

Event Types

In CMDB > Event Types, search for “solaris” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP v1 and v2c

1. Check if the netsnmp package installed. Solaris has built-in snmp packages. If the netsnmp is not installed, use pkgadd cmd to install it.
2. Start snmnp with the default configuration.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat AccelOps will use that user account to log in to the server.

Settings for Access Credentials

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Security Gateways

AccelOps supports these security gateways for discovery and monitoring.

Barracuda Networks Spam Firewall Configuration

Blue Coat Web Proxy Configuration

Cisco IronPort Mail Gateway Configuration

Cisco IronPort Web Gateway

McAfee Web Gateway Configuration

Microsoft ISA Server Configuration

Squid Web Proxy Configuration

Websense Web Filter Configuration

Fortinet FortiWeb Fortinet FortiMail

Barracuda Networks Spam Firewall Configuration

What is Discovered and Monitored

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Barracuda Spam Firewall Syslog Message  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Host name, Interfaces, Serial number	CPU utilization, Memory utilization, Interface Utilization	Performance Monitoring
Syslog		Various syslogs – scenarios include – mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc.	Security Monitoring and compliance

 

Event Types

In CMDB > Event Types, search for “barracuda” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Barracuda Spam Firewall Syslog Message

Blue Coat Web Proxy Configuration

What is Discovered and Monitored

Sample Parsed Blue Coat Audit Syslog

Configure FTP in AccelOps

Configure an Epilog client in AccelOps

Configure FTP in Blue Coat

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Host name, Interfaces, Serial number	CPU utilization, Memory utilization	Performance Monitoring
SNMP		Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps);  Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)	Performance Monitoring
SFTP		Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance
Syslog		Admin authentication success and failure	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “blue coat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following procedures enable AccelOps to discover Bluecoat web proxy.

1. Log in to your Blue Coat management console.
2. Go to Maintenance > SNMP.
3. Under SNMP General, select Enable SNMP.
4. Under Community Strings, click Change Read Community, and then enter a community string that AccelOps can use to access your device.
5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to AccelOps.

1. Log in to your Blue Coat management console.
2. Go to Maintenance > Event Logging.
3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and
4. Under Syslog, enter the IP address of your AccelOps virtual appliance for Loghost.
5. Select Enable syslog.
6. Click

Sample Parsed Blue Coat Audit Syslog

SFTP

SFTP is used to send access logs to AccelOps. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and AccelOps is the server. You need to configure SFTP in AccelOps first, and then on your Blue Coat web proxy server.

Configure FTP in AccelOps

1. Log in to your Supervisor node as root.
2. Run the ./phCreateBluecoatDestDir command to create an FTP user account.

The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ft puser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.

3. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.

Change only the home directory as shown in this screenshot, do not change any other value.

Configure an Epilog client in AccelOps

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the AccelOps parser for processing.

1. Log in to your Supervisor node as root.
2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog
3. Log in to your Blue Coat management console.
4. Go to Management Console > Configuration > Access Logging > General.
5. Select Enable Access Logging.
6. In the left-hand navigation, select Logs.
7. Under Upload Client, configure these settings.

Setting	Value
Log	main
Client Type	FTP Client
Encryption Certificate	No Encryption
Keyring Signing	No Signing
Save the log file as	text file
Send partial buffer after	1 seconds
Bandwidth Class	<none>

6. Next to Client Type, click Settings.
7. Configure these settings.

Setting	Value
Settings for	Primary FTP Server
Host	IP address of your AccelOps virtual appliance
Port	21
Path	/<Blue Coat IP Address>
Username	bcFtpUser
Change Primary Password	Use the password you created for ftpuser in AccelOps
Filename	SG_AccelOps_bluecoat_main.log

8. Clear the selections Use Secure Connections (SSL) and Use Local Time.
9. Select Use Pasv.
10. Click OK.
11. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.

For im the file name is SG_AccelOps_bluecoat_im.log

For ssl the file name is SG_AccelOps_bluecoat_ssl.log

For p2p the file name is SG_AccelOps_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net

BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED

820 1075 CONNECT tcp accelops.webex.com 443 / – – – NONE 172.16.0.141 –

– “WebEx Outlook Integration Http Agent” PROXIED “none” – 25.24.23.22

Settings for Access Credentials

Cisco IronPort Mail Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Ironport Mail Gateway Syslog  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP		Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status
Syslog		Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action – pass, block, clean.	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “ironport mail” in the Name and Description columns to see the reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

1. Log in to your Ironport Mail Gateway device manager with administrator privileges.
2. Edit the Log Subscription settings.
3. For Log Name, enter IronPort-Mail.

This identifies the log to AccelOps as originating from an Ironport mail gateway device.

4. For Retrieval Method, select Syslog Push.
5. For Hostname, enter the IP address of your AccelOps virtual appliance.
6. For Protocol, select UDP.

Sample Parsed Ironport Mail Gateway Syslog

Settings for Access Credentials

Cisco IronPort Web Gateway

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Ironport Web Gateway Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
Syslog		Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-web” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

1. Log in to your Ironport gateway device manager with administrator privileges.
2. Edit the settings for Log Subscription.

Setting	Value
Log Type	Access Logs
Log Name	IronPort-Web This identifies the log to AccelOps as originating from an IronPort web gateway device
Log Style	Squid
Custom Fields	%L %B %u
Enable Log Compression	Clear the selection
Retrieval Method	Syslog Push
Hostname	The IP address of your AccelOps virtual appliance
Protocol	UDP

Sample Parsed Ironport Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/P ackage/1210090007/bases/base1b1d.kdc.cab DIRECT/forefrontdl.microsoft.com application/octet-stream

ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NO

NE-DefaultGroup

<J_Doe,6.9,-,””-“”,-,-,-,-,””-“”,-,-,-,””-“”,-,-,””-“”,””-“”,-,-,IW_swup

,-,””-“”,””-“”,””Unknown””,””Unknown””,””-“”,””-“”,6156.35,0,-,””-“”,””-

“”> – “”09/Oct/2012:09:19:25 -0600″” 71052

“”V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};””

McAfee Web Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed McAffee Web Gateway Syslog Message

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
Syslog		Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Risk	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “mcafee_web” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed McAffee Web Gateway Syslog Message

[21/Feb/2012:11:44:19  -0500]  “”””””””””””    “”10.200.11.170 200

“”””GET http://abc.com/ HTTP/1.1″””” “”””General News”””” “”””Minimal Risk”””” “”””text/html”””” 101527 “””””””” “””””””” “”””0″”””””

[30/May/2012:10:39:44 -0400] “” 10.19.2.63 200

“GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126×3

1_spon2&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params

.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=717986062880 5012&tile=4893878838331&domId=135492 HTTP/1.1” “Web Ads, Forum/Bulletin

Boards” “MinimalRisk” “text/html” 1 “” “” “0”

Microsoft ISA Server Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample Microsoft ISA Server Syslog  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	Process level metrics: CPU utilization, memory utilization	Performance Monitoring
WMI	Application type, service mappings	Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O	Performance Monitoring
Syslog(via SNARE)	Application type	W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Service Instance,  Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “isa server” in the Device Type  andDescription column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Microsoft ISA Server Syslog

<13>Mar  6 20:56:03 ISA.test.local ISAWebLog    0    192.168.69.9   anonymous    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12    Y    2011-03-05   21:33:55    w3proxy    ISA    –    212.58.246.82    212.58.246.82    80 156    636    634    http    TCP    GET   http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml   text/html; charset=iso-8859-1    Inet    301    0x41200100    Local Machine    Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%    Local Host    External    0x400    Allowed 2011-03-05 21:33:55    –

Settings for Access Credentials

Squid Web Proxy Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps Sample Parsed Squid Syslog Messages

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Host name, Interfaces, Serial number	CPU utilization, Memory utilization	Performance Monitoring
Syslog		Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “squid” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled on the server where Squid is running, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

1. Add this line to the logformat section in /etc/squid/squid.conf.

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps

1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) .
2. Restart syslogd (or rsyslogd).

Sample Parsed Squid Syslog Messages

Squid on Linux with syslog locally to forward to Accelops

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128

5989 – – – – – [22/Apr/2011:17:17:46 -0700] GET

“http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js” HTTP/1.1

200 26141 407 “http://www.msn.com/” “Mozilla/5.0 (Windows; U; Windows NT

6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally to forward to Accelops

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42

1107 74.125.19.100 172.16.10.34 3128 291 – – – – – [20/Oct/2009:09:21:54

-0700] GET “http://clients1.google.com/generate_204” HTTP/1.1 204 387

603 “http://www.google.com/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows

NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

TCP_MISS:DIRECT

Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121

66.235.132.121 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:05:49

\-0700|] GET

“http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779

365053734?” HTTP/1.1 200 746 1177 “http://www.sun.com/” “Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR

3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125

64.213.38.80 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:44:12

-0700] GET

“http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg”

HTTP/1.1 200 12271 520 “http://www.sun.com/” “Mozilla/4.0 (compatible;

MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152;

.NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to Accelops

<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39

1715 72.14.223.18 172.16.10.6 3128 674 – – – – – [06/May/2008:17:55:48

-0700] GET “http://mail.google.com/mail/?” HTTP/1.1 302 1061 568 “http://www.google.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14” TCP_MISS:DIRECT

Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info]

192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 – – – – –

[20/Oct/2009:13:02:19 -0700] GET

“http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?”

HTTP/1.1 200 685 1604 “http://www.microsoft.com/en/us/default.aspx”

“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;

.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Websense Web Filter Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
Syslog		Parsed event attributes: include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “web sense_mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps integrates with Websense Web Filter via syslogs sent in the SIEM integration format as described in the Websense SEIM guide. See page 22 for instructions on how to install a Websense Multiplexer that integrates with Websense Policy server and creates syslog for consumption by SIEM products such as AccelOps.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= – http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2. 23)_Gecko/20110920_Firefox/3.6.23

http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Fortinet FortiWeb

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Host Name, Vendor, Model, Version, Hardware Model, hardware	CPU, memory, Disk, Interface, Uptime	Performance monitoring
Syslog		System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, Security exploits	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortiweb” to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortiweb” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In CMDB > Reports, search for “fortiweb” to see the reports associated with this device.

Configuration

Syslog

Configure FortiWenb appliance to send logs to FortiSIEM. Make sure the format matches.

Sample FortiWeb Syslog

Fortinet FortiMail

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
Syslog		System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortimail” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortimail” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In Analytics > Reports, search for “fortimail” to see the reports associated with this device.

Configuration

Syslog

Configure FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.

Sample Parsed FortiMail Syslog

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg=”User admin login successfully from GUI(172.20.120.26)” date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information

session_id=”q6GJMuPu003642-q6GJMuPv003642″ client_name=”[172.20.140.94]” dst_ip=”172.20.140.92″ endpoint=”” from=”user@external.lab” to=”user5@external.lab” subject=””mailer=”mta” resolved=”OK” direction=”in” virus=”” disposition=”Reject” classifier=”Recipient

Verification” message_length=”188″

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Routers and Switches

AccelOps supports these routers and switches for discovery and monitoring.

Alcatel TiMOS and AOS Switch Configuration

Arista Router and Switch Configuration

Brocade NetIron CER Routers

Cisco 300 Series Routers

Cisco IOS Router and Switch Configuration

How CPU and Memory Utilization is Collected for Cisco IOS

Cisco Meraki Cloud Controller and Network Devices Configuration

Cisco NX-OS Router and Switch Configuration

Cisco ONS Configuration

Dell Force10 Router and Switch Configuration

Dell NSeries Switch Configuration

Dell PowerConnect Switch and Router Configuration

Foundry Networks IronWare Router and Switch Configuration

HP/3Com ComWare Switch Configuration

HP ProCurve Switch Configuration

HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration

Juniper Networks JunOS Switch Configuration

Mikrotek Router Configuration

Nortel ERS and Passport Switch Configuration

 

 

 

 

 

 

Alcatel TiMOS and AOS Switch Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Software version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP (V1, V2c)		Hardware status: Power Supply, Fan, Temperature	Availability
SNMP (V1, V2c, V3)	Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses		Identity and location table; Topology

 

Event Types

In CMDB > Event Types, search for “alcatel” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Arista Router and Switch Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status	Availability and Performance Monitoring
Telnet/SSH	Running and Startup configurations	Startup Configuration Change, Difference between Running and Startup configurations	Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

1. show startup-config
2. show running-config
3. show version
4. show ip route
5. enable
6. terminal pager 0

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Brocade NetIron CER Routers

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces	CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server Status	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco 300 Series Routers

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces	Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c, V3)	Host name, IOS version, Hardware model, Memory size, Network interface details – name, address, mask and description	Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths),	Availability and Performance Monitoring
SNMP (V1, V2c, V3)	Hardware component details: serial number, model, manufacturer, software firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc.	Hardware health: temperature, fan and power supply	Availability
SNMP (V1, V2c, V3)	Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association		Topology and end-host location
SNMP (V1, V2c, V3)	BGP connectivity, neighbors, state, AS number	BGP state change	Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3)	OSPF connectivity, neighbors, state, OSPF Area	OSPF state change	Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3)		IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter – both overall and Source->Destination and Destination->Source, Packets Lost – both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score	VoIP Performance Monitoring
SNMP (V1, V2c, V3)		Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets	QoS performance monitoring
SNMP (V1, V2c, V3)		NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec	Performance Monitoring
Telnet/SSH	Running and startup configuration, Image file name, Flash memory size, Running processes	Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization	Performance Monitoring, Security and Compliance
Syslog	Device type	System logs and traffic logs matching acl statements	Availability, Security and Compliance

Event Types

Performance Monitoring events

Configuration change events

Syslog events

In CMDB > Event Types, search for “cisco_os” in the Description column to see the event types associated with this device.

Rules

 Performance Monitoring rules

Configuration change rules

Other rules

Reports

Performance Monitoring Reports

Configuration change Reports

Other Reports

Configuration

Telnet/SSH

AccelOps uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

1. show startup-config
2. show running-config
3. show version
4. show flash
5. show ip route
6. show mac-address-table or show mac address-table
7. show vlan brief
8. show process cpu
9. show process mem
10. show disk0
11. enable
12. terminal pager 0

SNMP

SNMP V1/V2c

1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.

SNMP V3

1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Exit configuration mode.

Syslog

1. Login to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.

Sample Cisco IOS Syslog Messages

 

NetFlow

Enable NetFlow on the Router

1. Enter configuration mode.
2. For every interface, run this command.

Set Up NetFlow Export

1. Enter configuration mode.
2. Run these commands.

On MLS switches, such as the 6500 or 7200 models, also run these commands.

You can verify that you have set up NetFlow correctly by running these commands.

Sample Flexible Netflow Configuration in IOS

IP SLA

IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.

A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these these tests by routing appropriate Show commands on the router. However, only these IP SLA tests are exported via

RTT-MON SNMP MIB.

UDP Jitter (reported by AccelOps event type PH_DEV_MON_IPSLA_MET)

UDP Jitter for VoIP (reported by AccelOps event type PH_DEV_MON_IPSLA_VOIP_MET)

HTTP performance (reported by AccelOps event type PH_DEV_MON_IPSLA_HTTP_MET)

ICMP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_ICMP_MET) UDP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_UDP_MET)

These are the only IP SLA tests monitored by AccelOps.

Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bi-directional traffic statistics are also reported by the initiating router, so you don’t need to set up a reverse test between the original initiating and responding routers.  AccelOps automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics. Configuring IP SLA Initiator for UDP Jitter

 

 

Class-Based QoS

CBQoS enables routers to enforce traffic dependent Quality of Service policies on router interfaces for to make sure that important traffic such as VoIP and mission critical applications get their allocated network resources.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP,

The CbQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needs. AccelOps detects the presence of valid CBQoS MIBs and starts monitoring them.

NBAR

Cisco provides protocol discovery via NBAR configuration guide.

Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.

Sample event generated by AccelOps

[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceC isco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10 .1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752

,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277

614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=1

2288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=

 

Settings for Access Credentials

How CPU and Memory Utilization is Collected for Cisco IOS

AccelOps follows the process for collecting information about CPU utlization that is recommended by Cisco.

Monitoring CPU

Monitoring Memory using PROCESS-MIB

Monitoring CPU

The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue there are multiple CPUs – which ones to take? A sample SNMP walk for this OID looks like this

Note that there are 4 CPUs – indexed 1-4. We need to identify Control plane CPU and Data plane CPU

The cpu Id -> entity Id mapping from the following SNMP walk

Combining all this information, we finally obtain the CPU information for each object

The relevant OIDs are

Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6

Free memory OID =  1.3.6.1.4.1.9.9.48.1.1.1.5

Memory Util = (Used memory) / (Used memory + Free memory)

Therefore

Cisco Meraki Cloud Controller and Network Devices Configuration

What is Discovered and Monitored

Availability (from SNMP Trap)

Performance (Fixed threshold)

Performance (Dynamic threshold based on baselines)

Settings for Access Credentials

What is Discovered and Monitored

Cisco Meraki Devices are discoverable in either of the following ways

SNMP to the Cloud Controller

SNMP to each Network Device

SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to AccelOps.

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c) to Cloud Controller or Devices	Host name, Software version, Hardware model, Network interfaces	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
Syslog from Meraki Firewalls		Firewall logs	Security Monitoring
SNMP Traps from Cloud Controller		Health	Availability Monitoring

Event Types

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules

Availability (from SNMP Trap)

Meraki Device Cellular Connection Disconnected

Meraki Device Down

Meraki Device IP Conflict

Meraki Device Interface Down

Meraki Device Port Cable Error

Meraki Device VPN Connectivity Down

Meraki Foreign AP Detected

Meraki New DHCP Server

Meraki New Splash User

Meraki No DHCP lease

Meraki Rogue DHCP Server

Meraki Unreachable Device

Meraki Unreachable RADIUS Server

Meraki VPN Failover

Performance (Fixed threshold)

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Reports

None

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco NX-OS Router and Switch Configuration

What is Discovered and Monitored

Enable NetFlow on the Router

Create a Flow Template and Define the Fields to Export

Set up Netflow Exporter

Associate the Record to the Exporter Using a Flow Monitor

Apply the Flow Monitor to Every Interface  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c, V3)	Host name, IOS version, Hardware model, Memory size, Network interface details name, address, mask and description	Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP (V1, V2c, V3)	Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc.	Hardware health: temperature, fan and power supply	Availability
SNMP (V1, V2c, V3)	Trunk port connectivity between switches and VLANs carried over a trunk port (via CDP MIB), ARP table		Topology and end-host location
SNMP (V1, V2c, V3)	BGP connectivity, neighbors, state, AS number	BGP state change	Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3)	OSPF connectivity, neighbors, state, OSPF Area	OSPF state change	Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3)		Class based QoS metrics: For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; po lice action metrics including conform rate, exceeded rate and violated rate; queu e metrics including current queue length, max queue length and discarded packets	QoS performance monitoring
Telnet/SSH	Running and startup configuration, Image file name, Flash memory size, Running processes	Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization	Performance Monitoring, Security and Compliance
Telnet/SSH	End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Syslog	Device type	System logs and traffic logs matching acl statements	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “nx-os” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

1. show startup-config
2. show running-config
3. show version
4. show flash
5. show context
6. show ip route
7. show cam dynamic
8. show mac-address-table
9. show mac address-table (for Nexus 1000v)
10. show vlan brief
11. show process cpu
12. show process mem
13. show disk0
14. enable
15. terminal length 0

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

NetFlow

Enable NetFlow on the Router

1. Enter configuration mode.
2. Run this command.

Create a Flow Template and Define the Fields to Export You can can also try using the pre-defined NetFlow template.

Set up Netflow Exporter Run these commands.

Associate the Record to the Exporter Using a Flow Monitor In this example the flow monitor is called AccelOpsMonitoring.

Run these commands.

Apply the Flow Monitor to Every Interface Run these commands.

You can now check the configuration using the show commands.

Settings for Access Credentials

Cisco ONS Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Serial Number, software version, Hardware model, Network interfaces, Hardware Components	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP Trap		Alerts	Availability and Performance Monitoring

Event Types

Over 1800 event types defined – search for “Cisco-ONS” in CMDB > Event Types

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell Force10 Router and Switch Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status	Availability and Performance Monitoring
Telnet/SSH	Running and Startup configurations	Startup Configuration Change, Difference between Running and Startup configurations	Change monitoring

Event Types

In CMDB > Event Types, search for “force10” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

TelNet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

1. show startup-config
2. show running-config
3. show version
4. show ip route
5. enable
6. terminal pager 0

Settings for Access Credentials

Dell NSeries Switch Configuration

Configuration

SNMP

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP (V1, V2c)		Hardware Status (Power Supply, Fan)	Availability Monitoring
SSH		Configuration	Change management

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Hardware Status: PH_DEV_MON_HW_STATUS

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Network Device Hardware Warning

Network Device Hardware Critical

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell PowerConnect Switch and Router Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status	Availability and Performance Monitoring
Telnet/SSH	Running and Startup configurations	Startup Configuration Change, Difference between Running and Startup configurations	Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

1. show startup-config
2. show running-config
3. show version
4. show ip route
5. enable
6. terminal pager 0

Settings for Access Credentials

 

Foundry Networks IronWare Router and Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Telnet/SSH

Syslog

Sample Parsed PowerConnect Syslog Message  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Ironware version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
Telnet/SSH	Running and startup configuration	Startup configuration change, delta between running and startup configuration	Performance Monitoring, Security and Compliance
SNMP (V1, V2c)	Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association		Topology and end-host location
Syslog	Device type	System logs and traffic logs matching acl statements	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “foundry_ironware” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run these commands to set the community string and enable the SNMP service.
4. Exit config mode.
5. Save the configuration.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. Syslog

1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run this command to set your AccelOps virtual appliance as the recipient of syslogs from your router or switch.
4. Exit config mode.
5. Save the configuration.

Sample Parsed PowerConnect Syslog Message

Settings for Access Credentials

HP/3Com ComWare Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog for ComWare Switch Messages  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature	Availability and Performance Monitoring
SNMP (V1, V2c, V3)		Hardware status: Temperature	Availability
Syslog		System logs	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “compare” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog for ComWare Switch Messages

%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically! %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported. %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR’s, so the MR can’t work properly. %Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high! %Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.

Settings for Access Credentials

HP ProCurve Switch Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature	Availability and Performance Monitoring
Telnet/SSH	Running and startup configuration	Startup configuration change, delta between running and startup configuration	Performance Monitoring, Security and Compliance
SNMP (V1, V2c)	Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association		Topology and end-host location

Event Types

In CMDB > Event Types, search for “procurve” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Go to Configuration > SNMP Community > V1/V2 Community.
2. Enter a Community Name.
3. For MIB-View, select Operator.
4. For Write-Access, leave the selection cleared.
5. Click Add.

SSH/Telnet

1. Log into the device manager for your ProCurve switch.
2. Go to Security > Device Passwords.
3. Create a user and password for Read-Write Access.

Although AccelOps does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration.

4. Go to Security > Authorized Addresses and add the AccelOps IP to Telnet/SSH. This is an optional step.

Settings for Access Credentials

HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration

Configuration

SNMP

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SSH		Configuration	Change management

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Juniper Networks JunOS Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Sample JunOS Syslog Messages sFlow

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, JunOS version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature	Availability and Performance Monitoring
Telnet/SSH	Running and startup configuration	Startup configuration change, delta between running and startup configuration	Performance Monitoring, Security and Compliance
SNMP (V1, V2c, V3)	Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association		Topology and end-host location
Syslog		System logs and traffic logs matching acl statements	Availability, Security and Compliance
sflow		Traffic flow	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “junos” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > Services > SNMP.
3. Under Communities, click Add.
4. Enter a Community Name.
5. Set Authorization to read-only.
6. Click OK.

Syslog

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Dashboard > CLI Tools > CLI Editor.
3. Edit the syslog section to send syslogs to AccelOps.
4. Click Commit. Sample JunOS Syslog Messages

sFlow

Routing the sFlow Datagram in EX Series Switches

According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) in an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table.

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > CLI Tools > Point and Click CLI.
3. Expand Protocols and select slow.
4. Next to Collector, click Add new entry.
5. Enter the IP address for your AccelOps virtual appliance.
6. For UDP Port, enter 6343.
7. Click Commit.
8. Next to Interfaces, click Add new entry.
9. Enter the Interface Name for all interfaces that will send traffic over sFlow.
10. Click Commit.
11. To disable the management port, go to Configure > Management Access, and remove the address of the management port. You can also disconnect the cable.

Settings for Access Credentials

Mikrotek Router Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces	Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Nortel ERS and Passport Switch Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, software version, Hardware model, Network interfaces,	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)	Availability and Performance Monitoring
SNMP (V1, V2c)		Hardware status: Temperature
SNMP (V1, V2c, V3)		Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses	Identity and location table; Topology

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Network Intrusion Protection Systems (IPS)

AccelOps supports these intrusion protection systems for discovery and monitoring.

AirTight Networks SpectraGuard

Cisco FireSIGHT

Cisco Intrusion Protection System Configuration

Cylance Protect Endpoint Protection

Cyphort Cortex Endpoint Protection

FireEye Malware Protection System (MPS)

FortiDDoS

Fortinet FortiSandbox Configuration

IBM Internet Security Series Proventia Configuration

Juniper DDoS Secure Configuration

Juniper Networks IDP Series Configuration

McAfee IntruShield Configuration

McAfee Stonesoft IPS

Motorola AirDefense Configuration

Snort Intrusion Protection System Configuration

Sourcefire 3D and Defense Center Configuration

TippingPoint Intrusion Protection System Configuration

AirTight Networks SpectraGuard

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “airtight” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2

Cisco FireSIGHT

This section describes how AccelOps collects logs from Cisco FireSIGHT console.

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Logs Collected	Used For
eStreamer API		Intrusion Events Malware Events File Events Discovery Events User Activity Events Impact Flag Events	Security Monitoring

Event Types

Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileNa me]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177 ,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eve ntType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGe neratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAd dr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destI pPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImp act]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[we bAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPol icyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[de stIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e3405 2a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260 -63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoC ountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

Malware events:  PH_DEV_MON_FIREAMP_MALWARE

[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=ph FireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envS ensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIp Addr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[f ileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[ha shAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc82320 9c7f4def24acc38d7fd1 ,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentF ileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDispos ition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCod e]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applica tionId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecI ntelId]=0,[phLogDetail]=

File events: PH_DEV_MON_FIREAMP_FILE

[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFir eAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSens orId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAd dr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[file Name]=Locksky.exe

,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb

5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fire AmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageSt atus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFile Action]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[info

URL]=http://wrl/wrl/Locksky.exe

,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode] =0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCount er]=103,[connEventTime]=1430497343,[phLogDetail]=

Discovery events:

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]= PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDe vIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetai l]=

PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

There are no predefined rules for this device.

Reports

The following reports are provided

1. Top Cisco FireAMP Malware Events
2. Top Cisco FireAMP File Analysis Events
3. Top Cisco FireAMP Vulnerable Intrusion Events
4. Top Cisco FireAMP Discovered Login Events
5. Top Cisco FireAMP Discovered Network Protocol
6. Top Cisco FireAMP Discovered Client App
7. Top Cisco FireAMP Discovered OS

Configuration

AccelOps obtains events from Cisco FireSIGHT via eStreamer protocol.

Cisco FireSIGHT Configuration

1. Logon to Cisco FIRESIGHT console
2. Go to System > Local > Registration > eStreamer
3. Click Create Client
   1. Enter IP address and password for AccelOps
   2. Click Save
4. Select the types of events that should be forwarded to AccelOps
5. Click Download Certificate and save the certificate to a local file

AccelOps Configuration

1. Go to Admin > Setup > Credentials
2. Create a credential
   1. Set Device Type to Cisco FireAMP
   2. Set Access Method to eStreamer
   3. Enter the Password as in Step 3a above
   4. Click Certificate File > Upload and enter the certificate downloaded in Step 5
   5. Click Save
3. Create an IP range to Credential Association
   1. Enter IP address of the FireSIGHT Console
   2. Enter the credential created in Step 2 above
4. Click Test Connectivity – AccelOps will start collecting events from the FIRESIGHT console

 

 

 

Cisco Intrusion Protection System Configuration

What is Discovered and Monitored

 

Protocol	Information Discovered	Metrics Collected	Used For
SNMP			Performance and Availability Monitoring
SDEE		Alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “cisco ips” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco ips” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “cisco ips” in the Name column to see the reports associated with this device.

Configuration

SNMP

1. Log in to the device manager for your Cisco IPS.
2. Go to Configuration > Allowed Hosts/Networks.
3. Click Add.
4. Enter the IP address of your AccelOps virtual appliance to add it to the access control list, and then click OK.
5. Go to Configuration > Sensor Management > SNMP > General Configuration.
6. For Read-Only Community String, enter public.
7. For Sensor Contact and Sensor Location, enter Unknown.
8. For Sensor Agent Port, enter 161.
9. For Sensor Agent Protocol, select udp.

If you need to create an SDEE account for AccelOps to use, go to Configuration > Users and Add a new administrator. Sample XML-Formatted Alert

<os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.87</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.86</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.84</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.85</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>         </victim>

<victim>

<addr locality=”OUT”>171.66.255.82</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>         </victim>

</attack>

</participants>

 

Cylance Protect Endpoint Protection

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		End point malware alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “cylance” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Cyphort Cortex Endpoint Protection

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		End point malware alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “cyphort” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

FireEye Malware Protection System (MPS)

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “fireeye mps” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog

<164>fenotify-45640.alert:

CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org <http://abc.org> dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640

FortiDDoS

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Information Collected	Used For
Syslog	Host Name, Access IP, Vendor/Model	Over 150 event types to include Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks,	Security Monitoring

Event Types

In CMDB > Event Types, search for “FortiDDoS” to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under Rules > Security > Exploits

Reports

There are many reports for this device under Reports > Function > Security

Configuration

Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device’s product documentation.

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description=”Excessive Concurrent Connections Per Source flood” dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice

Fortinet FortiSandbox Configuration

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP	Host Name, OS, version, Hardware	CPU, Memory, Disk, Interface utilization	Performance Monitoring
Syslog		Malware found/cleaned, Botnet, Malware URL, System Events	Log Management, Security Compliance, SIEM
HTTP(S)	Threat feed – Malware URL, Malware Hash		Log Management, Security Compliance, SIEM

Event Types

In CMDB > Event Types, search for “fortisandbox-” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortisandbox-” to see the rules associated with this device.

Also, basic availability rules in CMDB > Rules> Availability > Network and performance rules in CMDB > Rules> Performance > Network also trigger

Reports

In CMDB > Reports, search for “fortisandbox-” to see the rules associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog format is the same as that shown in the example.

Example Syslog

Oct 12 14:35:12 172.16.69.142

devname=turnoff-2016-10-11-18-46-05-172.16.69.142

device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success  reason=none letype=9 msg=”Malware package: urlrel version 2.88897 successfully released, total 1000″

<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT  date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg=”Remote log server was successfully added”

IBM Internet Security Series Proventia Configuration

What is Discovered and Monitored

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

Define AccelOps as a Response Object for SNMP Traps

Define a Response Rule to Forward SNMP Traps to AccelOps

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP Traps

Event Types

In CMDB > Event Types, search for “proventia” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

AccelOps receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You need to first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to AccelOps.

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

1. Log in to the IBM Proventia IPS web interface.
2. Click Manage System Settings > SiteProtector Management.
3. Click and select Register withSiteProtector.
4. Click and select Local Settings Override SiteProtector Group Settings.
5. Specify the Group, Heartbeat Interval, and Logging Level.
6. Configure these settings:

Setting	Description
Authentication Level	Use the default first-time trust
Agent Manager Name	Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent Manager Address	Enter the Agent Manager’s IP address
Agent Manager Port	Use the default value 3995
User Name	If the appliance has to log into an account access the Agent Manager, enter the user name for that account here
User Password	Click Set Password, enter and confirm the password, and then click OK.
Use Proxy Settings	If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define AccelOps as a Response Object for SNMP Traps

1. Log in to IBM SiteProtector console.
2. Go to Grouping > Site Management > Central Responses > Edit settings.
3. Select Response Objects > SNMP.
4. Click Add.
5. Enter a Name for your AccelOps virtual appliance.
6. For Manager, enter the IP address of your virtual appliance.
7. For Community, enter public.
8. Click OK.

Define a Response Rule to Forward SNMP Traps to AccelOps

1. Go to Response Rules.
2. Click Add.
3. Select Enabled.
4. Enter a Name and Comment for the response rule.
5. In the Responses tab, select SNMP.
6. Select Enabled for the response object that represents your AccelOps virtual appliance.
7. Click OK.

Sample SNMP trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP,

SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise

Specific Trap (4) Uptime: 0:00:00.15 SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING:

“SiteProtector_Central_Response (Response1)”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: “16:52:18

2013-02-07” SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: “6”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: “100.0.0.216”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: “100.0.0.218”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = “”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = “”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: “48879”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: “80” SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING:

“DISPLAY=WithoutRaw:0,BLOCK=Default:0″ SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: ” SensorName:

IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName:

HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime:

16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216

SensorAddress: 192.168.64.15″

Juniper DDoS Secure Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		DDoS Alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “juniper ddos” in the Device Type and Description columns to see the event types associated with this device.

Juniper-DDoS-Secure-WorstOffender

Juniper-DDoS-Secure-Blacklisted

Juniper-DDoS-Secure-Generic

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send syslog to AccelOps. Make sure that the event matches the format specified below.

Juniper Networks IDP Series Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog from NSM

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “juniper_idp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog from NSM

<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11

18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, ‘interface=eth3’, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not

McAfee IntruShield Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Syslog Message

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles custom syslog messages from McAfee Intrushield.

1. Log in to McAfee Intrushield Manager.
2. Create a customer syslog format with these fields:
   1. AttackName
   2. AttackTime
   3. AttackSeverity
   4. SourceIp
   5. SourcePort
   6. DestinationIp
   7. DestinationPort
   8. AlertId
   9. AlertType
   10. AttackId
   11. AttackSignature
   12. AttackConfidence
   13. AdminDomain
   14. SensorName:ASCDCIPS01
   15. Interface
   16. Category
   17. SubCategory
   18. Direction
   19. ResultStatus
   20. DetectionMechanism
   21. ApplicationProtocol
   22. NetworkProtocol
   23. Relevance
3. Set the message format as a sequence of Attribute:Value pairs as in this example.

AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSever ity::$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SO URCE_PORT$,

DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_P ORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_AT

TACK_ID$,

AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_C ONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME

$,

Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB _CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$

,

DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV _APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Releva nce:$IV_RELEVANCE$

4. Set AccelOps as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,

SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId :5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSigna ture:N/A, AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-

1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound, ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkP rotocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A

McAfee Stonesoft IPS

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Network IPS alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “stonesoft” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6

Motorola AirDefense Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Wireless IDS logs	Security Monitoring

Event Types

About 37 event types covering various Wireless attack scenarios – search for them by entering “Motorola-AirDefense” in CMDB > EventType.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send logs to AccelOps. Make sure that the format is as follows.

Snort Intrusion Protection System Configuration

What is Discovered and Monitored

Example Parsed Snort Syslog

Supported Databases and Snort Database Schemas

SNMP Access to the Database Server

Debugging Snort Database Connectivity

Examples of Snort IPS Events Pulled over JDBC

Viewing Snort Packet Payloads in Reports

Exporting Snort IPS Packets as a PCAP File  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog
JDBC	Generic information: signature ID, signature name, sensor ID, event occur time, signature priority TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, tTCP Urgent Pointer; and  packet payload UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length,  checksum; and  packet payload ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and  packet payload
SNMP (for access to the database server hosting the Snort database)

Event Types

In CMDB > Event Types, search for “snort_ips” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

There are no predefined reports for this device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:

1. It is not reliable because it is sent over UDP.
2. Information content is limited because of UDP packet size limit.

For these reasons, you should consider using JDBC to collect event information from Snort.

These instructions illustrate how to configure Snort on Linux to send syslogs to AccelOps. For further information, you should consult the Snort product documentation.

1. Log in to your Linux server where Snort is installed.
2. Navigate to and open the file /etc/snort/snort.conf.
3. Modify alert_syslog to use a local log facility.
4. Navigate to and open the file /etc/syslog.conf.
5. Add a redirector to send syslogs to AccelOps.

 

6. Restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client

Request [Classification: Misc activity] [Priority: 3]: {UDP}

192.168.19.1:6555 -> 172.16.2.5:514 <161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification:

access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80 <161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification:

Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 ->

192.168.0.10

<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted

Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 ->

192.168.20.2:161

JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, AccelOps can capture a full packet that is detailed enough to recreate the packet via a PCAP file.

AccelOps supports collecting Snort event information over JDBC these database types:

Oracle

MS SQL

MySql

PostgreSQL

AccelOps supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You will need to set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with AccelOps for several common types of database servers.

Once you have set up SNMP on your database server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Debugging Snort Database Connectivity

Snort IPS alert are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull.

At most 1000 database records (IPS Alerts) are pulled at a time. If AccelOps finds more than 1000 new records, then it begins to fall behind and this log is created.

Examples of Snort IPS Events Pulled over JDBC

UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSen sorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId ]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFra gOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[ destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D020101040 67075626C6963A520…

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensor

Id]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort

Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08

09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=523

14,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset] =5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrg entPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204…

Viewing Snort Packet Payloads in Reports

 

AccelOps creates an event for each IPS alert in Snort database. You can view the full payload packet associated with a Snort event when you run a report.

1. Set up a structured historical search.
2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group.

Attribute	Operator	Value
Reporting IP	IN	Applications: Network IPS App

3. For Display Fields, include Data Payload.

When you run the query, Data Payload will be one one of the display columns.

4. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte ethereal/wireshark format.

 

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.

Settings for Access Credentials

 

 

Sourcefire 3D and Defense Center Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “sourcefire” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types.

Simply configure SourceFire appliances or DefenseCenter to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

TippingPoint Intrusion Protection System Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP		CPU, memory, Interface utilization	Performance and Availability Monitoring
Syslog		IPS Alerts	Security Monitoring

Event Types

In CMDB > Event Types, search for “tippingpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

 SNMP

1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > SMS/NMS.
3. For SMS Authorized IP Address/CIDR, make sure any is entered.
4. Select Enabled for SNMP V2.
5. For NMS Community String, enter public.
6. Click Apply.

Syslog

1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > Syslog Servers.
3. Under System Log, enter the IP Address of the AccelOps virtual appliance.
4. Select Enable syslog offload for System Log.
5. Under Aud Log, enter the IP Address of the AccelOps virtual appliance.
6. Select Enable syslog offload for Audit Log.
7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events related to specific traffic on network segments that need to pass through the device. This log includes three categories of events.

Event Category	Description
Alert	Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile)
Block	Block events are malicious packets not permitted to pass
P2P	Refers to peer-to-peer traffic events

In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security threat defined by Tipping Point Digital Vaccine Files. The Accelops Virtual Appliance will correlate these with authoritative databases of security threats.

1. Go to IPS > Action Sets.
2. Click Permit + Notify.
3. Under Contacts, click Remote Syslog.
4. Under Remote Syslog Information, enter the IP Address of the Accelops virtual appliance.
5. Make sure the Port is set to 514.
6. Make sure Delimiter is set to tab, comma, or semicolon.
7. Click Add to Table Below.

You should now see the IP address of the Accelops virtual appliance appear as an entry in the Remote Syslogs table.

Sample parsed syslog messages

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Network Compliance Management Applications

AccelOps supports these Network Compliance Management applications and monitoring.

Cisco Network Compliance Manager Configuration

Cisco Network Compliance Manager Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Network device software update, configuration analysis for compliance, admin login	Log analysis and compliance

Event Types

Over 40 event types are generated by parsing Cisco Network Configuration Manager logs. The complete list can be found in CMDB > Event Types by searching for Cisco-NCM. Some important ones are

Cisco-NCM-Device-Software-Change

Cisco-NCM-Software-Update-Succeeded

Cisco-NCM-Software-Update-Failed

Cisco-NCM-Policy-Non-Compliance

Cisco-NCM-Device-Configuration-Deployment

Cisco-NCM-Device-Configuration-Deployment-Failure

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script

Completed Successfully server01.foo.com 10.4.161.32 Script ‘Re-enable

EasyTech port for Cisco IOS configuration’ completed.  Connect –

Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm]   Login / Authentication – Succeeded Successfully used: Last successful password  (Password rule Retail TACACS NCM Login)    Optional:Script Succeeded Successfully executed: prepare configuration for deployment Script – Succeeded Successfully executed: deploy to running configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through CLI.  (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP through CLI (Warning: SSH server username or password not specified in NA admin settings.) Optional:Script – Succeeded Successfully executed: determine result of deployment operation  Script run: ———————————————————— ! interface fast0/16 no shut

491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com 1.1.1.32  44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0 usmist_1699295009

(1.13.3.9) Succeeded

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Load Balancers and Application Firewalls

AccelOps supports these load balancers and application firewalls for discovery and monitoring.

Brocade ServerIron ADX Configuration

Citrix Netscaler Application Delivery Controller (ADC) Configuration

F5 Networks Application Security Manager

F5 Networks Local Traffic Manager Configuration

F5 Networks Web Accelerator

Qualys Web Application Firewall

Brocade ServerIron ADX Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
SNMP	Host name, serial number, hardware (CPU, memory, network interface etc)	Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics	Performance/Availability Monitoring

There are no predefined rules for this device other than covered by generic network devices.

Reports

There are no predefined reports for this device other than covered by generic network devices.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Citrix Netscaler Application Delivery Controller (ADC) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Permitted and Denied traffic	Log analysis and compliance

Event Types

In CMDB > Event Types, search for “netscaler” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “nestler” in the Name column to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<182> 07/25/2012:19:56:41   PPE-0 : UI CMD_EXECUTED 473128 :  User nsroot – Remote_ip 10.13.8.75 – Command “show ns hostName” – Status “Success” <181> 07/25/2012:19:56:05  NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

UP <181> 07/25/2012:19:55:35  NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

DOWN

<182> 07/24/2012:15:37:08   PPE-0 : EVENT MONITORDOWN 472795 :  Monitor

Monitor_http_of_Domapps:80(10.50.15.14:80) – State DOWN

F5 Networks Application Security Manager

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits.	Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-asm” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<134>Jun 26 14:18:56 f5virtual.tdic.ae

ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n

 

F5 Networks Local Traffic Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
SNMP	Host name, serial number, hardware (CPU, memory, network interface, disk etc) and software information (running and installed software)	Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory urilization	Performance/Availability Monitoring
SNMP Trap		Exception situations including hardware failures, certain security attacks, Policy violations etc	Performance/Availability Monitoring
Syslog		Permitted and Denied traffic	Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-LTM” in the Name column to see the event types associated with this device.

Search for “f5-BigIP” in  CMDB > Event Types to see event types associated with SNMP traps for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public                . Cold Start Trap (0) Uptime: 0:00:00.00         DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks:

(33131) 0:05:31.31                SNMPv2-MIB::snmpTrapOID.0 = OID:

SNMPv2-SMI::enterprises.3375.2.4.0.1

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Settings for Access Credentials

F5 Networks Web Accelerator

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Permitted traffic	Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-web” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Qualys Web Application Firewall

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Example Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Permitted and Denied Web traffic	Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

Qualys-WAF-Web-Request-Success

Qualys-WAF-Web-Bad-Request

Qualys-WAF-Web-Client-Access-Denied

Qualys-WAF-Web-Client-Error

Qualys-WAF-Web-Forbidden-Access-Denied

Qualys-WAF-Web-Length-Reqd-Access-Denied

Qualys-WAF-Web-Request

Qualys-WAF-Web-Request-Redirect

Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in CMDB > Reports > Device > Network > Web Gateway

Configuration

AccelOps processes events from this device via syslog sent in JSON format.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf –

QUALYS_WAF –

{“timestamp”:”2015-05-15T12:57:30.945-00:00″,”duration”:6011,”id”:”487c1

16c-4908-4ce3-b05c-eda5d5bb7045″,”clientIp”:”172.27.80.170″,”clientPort”

:9073,”sensorId”:”d3acc41f-d1fc-43be-af71-e7e10e9e66e2″,”siteId”:”41db09 70-8413-4648-b7e2-c50ed53cf355″,”connection”:{“id”:”bc1379fe-317e-4bae-a e30-2a382e310170″,”clientIp”:”172.27.80.170″,”clientPort”:9073,”serverIp “:”192.168.60.203″,”serverPort”:443},”request”:{“method”:”POST”,”uri”:”/ “,”protocol”:”HTTP/1.1″,”host”:”esers-test.foo.org”,”bandwidth”:0,”heade rs”:[{“name”:”Content-Length”,”value”:”645″},{“name”:”Accept”,”value”:”t ext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0. 8″},{“name”:”User-Agent”,”value”:”Mozilla/5.0 (Windows NT 6.1; WOW64)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36″},{“name”:”Content-Type”,”value”:”application/x-www-form-u rlencoded”},{“name”:”Referer”,”value”:”https://esers-test.ohsers.org/”}, {“name”:”Accept-Encoding”,”value”:”gzip, deflate”},{“name”:”Accept-Language”,”value”:”en-US,en;q=0.8″}],”headerOr der”:”HILCAUTRELO”},”response”:{“protocol”:”HTTP/1.1″,”status”:”200″,”me ssage”:”OK”,”bandwidth”:0,”headers”:[{“name”:”Content-Type”,”value”:”tex t/html; charset=utf-8″},{“name”:”Server”,”value”:”Microsoft-IIS/8.5″},{“name”:”C ontent-Length”,”value”:”10735″}],”headerOrder”:”CTXSDL”},”security”:{“au ditLogRef”:”b02f96e9-2649-4a83-9459-6a02da1a5f05″,”threatLevel”:60,”even ts”:[{“tags”:[“qid/226015″,”cat/XPATHi”,”cat/SQLi”,”qid/150003″,”loc/req /body/txtUserId”,”cfg/pol/applicationSecurity”],”type”:”Alert”,”rule”:”m ain/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3″,”messa ge”:”Condition escaping detected (SQL or XPATH injection) txtUserId.”,”confidence”:80,”severity”:60,”id”:”262845566″},{“tags”:[“ca t/correlation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlati on/1″,”message”:”Info: Threat level exceeded blocking threshold (60).”,”confidence”:0,”severity”:0,”id”:”262846018″},{“tags”:[“cat/corre lation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlation/1″,” message”:”Info: Blocking refused as blocking mode is

disabled.”,”confidence”:0,”severity”:0,”id”:”262846167″},{“tags”:[“cat/c orrelation”,”cat/XPATHi”,”qid/226015″],”type”:”Alert”,”rule”:”main/corre lation/1″,”message”:”Detected:

XPATHi.”,”confidence”:80,”severity”:60,”id”:”268789851″}]}}

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Firewalls

AccelOps supports these firewalls for discovery and monitoring.

Check Point FireWall-1 Configuration

Check Point Provider-1 Firewall Configuration

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Check Point VSX Firewall Configuration

Cisco Adaptive Security Appliance (ASA) Configuration

Dell SonicWALL Firewall Configuration

Fortinet FortiGate Firewall Configuration

Juniper Networks SSG Firewall Configuration

McAfee Firewall Enterprise (Sidewinder) Configuration

Palo Alto Firewall Configuration

Sophos UTM Firewall Configuration

WatchGuard Firebox Firewall Configuration

Check Point FireWall-1 Configuration

What is Discovered and Monitored

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Firewall model and version, Network interfaces	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
LEA		All traffic and system logs	Security and Compliance

Event Types

In CMDB > Event Types, search for “firewall-1” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

3. Select the Firewall
4. Click the Network Objects
5. Select Nodes, and then right-click to select Node > Host… .
6. Select General Properties.
7. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
8. Click OK.

Create an OPSEC Application for AccelOps

1. In the Firewall tab, click the Servers and OPSEC
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General
4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
5. For Host, select the AccelOps host.
6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

7. Click Communication.
8. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your AccelOps application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Settings for Access Credentials

 

Check Point Provider-1 Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration Overview

Component Configuration for Domain-Level Audit Logs

Component Configuration for Firewall Logs

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Firewall model and version, Network interfaces	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
LEA		All traffic and system logs	Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration Overview

The configuration of  Check Point Provider-1 depends on the type of log that you want sent to AccelOps. There are two options:

 Domain level audit logs, which contain information such as domain creation, editing, etc.

Firewall logs, which include both audit log for firewall policy creation, editing, etc., and traffic logs

These logs are generated and stored among four different components:

Multi-Domain Server (MDS), where domains are configured and certificates have to be generated

Multi-Domain Log Module (MLM), where domain logs are stored

Customer Management Add-on (CMA), the customer management module

Customer Log Module (CLM), which consolidates logs for an individual customer/domain

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Component Configuration for Domain-Level Audit Logs

1. Configure MDS.
2. Use the Client SIC obtained while configuring MDS to configure MLM.
3. Pull logs from MLM.

Component Configuration for Firewall Logs

1. Configure CMA.
2. Use the Client SIC obtained while configuring CMA to configure CLM.
3. Pull logs from CLM.

If you want to pull firewall logs from a domain, you have to configure CLM for that domain.

See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Configuring MDS for Check Point Provider-1 Firewalls

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates Settings for Access Credentials

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with AccelOps. if you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to AccelOps, you must first configure and discover MDS, then use the AO Client SIC created for your AccelOps OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

You will use the MDS Server SIC to create access credentials in AccelOps for communicating with your server.

1. Log in to your Check Point SmartDomain Manager.
2. Select Multi-Domain Server Contents.
3. Select MDS, and then right-click to select Configure Multi-Domain Server… .
4. In the General tab, under Secure Internet Communication, note the value for DN.

Add AccelOps as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

3. Select the Firewall
4. Click the Network Objects
5. Select Nodes, and then right-click to select Node > Host… .
6. Select General Properties.
7. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
8. Click OK.

Create an OPSEC Application for AccelOps

1. In the Firewall tab, click the Servers and OPSEC
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General
4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
5. For Host, select the AccelOps host.
6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

7. Click Communication.
8. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your AccelOps application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificatesCopy Client SIC

1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click
4. Enter the SIC DN of your application. Copy Server SIC
5. In the Firewall tab, go to Manage.
6. Click the Network Object icon, and then right-click to select Check Point Gateway.
7. Click Edit.
8. Enter the SIC DN.
9. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

1. Configure Checkpoint Provider-1 MDS credential as shown below.

Activation key was the one-time password you input in Step 2f above.

AO Client SIC was generated in Step 2g above

MDS Server SIC was generated in Step 1 above

1. Click “Generate Certificate”. It should be successful. Note that the button will be labeled ‘Regenerate Certificate’ if you have

Configuring MLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You need to have configured and discovered your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your AccelOps OPSEC application in the MDS to set up the access credentials for your MLM in AccelOps.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

 Get MLM Server SIC for Setting Up AccelOps Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. In the General tab, click Multi-Domain Server Contents.
3. Right-click MLM and select Configure Multi-Domain Server… .
4. Next to Communication, note the value for DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

 

 

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to AccelOps, you need to first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and AccelOps.

Configuration

Get CMA Server SIC for Setting Up AccelOps Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. Click the General
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop
6. Select the Network Objects
7. Double-click on the Domain Management Server to view the General Properties
8. Click Test SIC Status… .

Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for AccelOps to access your CMA server.

Add AccelOps as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

3. Select the Firewall
4. Click the Network Objects
5. Select Nodes, and then right-click to select Node > Host… .
6. Select General Properties.
7. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
8. Click OK.

Create an OPSEC Application for AccelOps

1. In the Firewall tab, click the Servers and OPSEC
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General
4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
5. For Host, select the AccelOps host.
6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

7. Click Communication.
8. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your AccelOps application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring CLM for Check Point Provider-1 Firewalls

Prequisites

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

Settings for Access Credentials

Prequisites

You must first configure and discover the Check Point CLA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the AccelOps OPSEC application.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. Click the General
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop
6. Click the Network Objects
7. Under Check Point, select the CLM host and double-click to open the General Properties
8. Under Secure Internal Communication, click Test SIC Status… .
9. In the SIC Status dialog, note the value for DN.

This is the CLM Server SIC that you will use in setting up access credentials for the CLM in AccelOps.

10. Click Close.
11. Click OK.

Install the Database

1. In the Actions menu, select Policy > Install Database… .
2. Select the MDS Server and the CLM, and then OK. The database will install in both locations.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Check Point VSX Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP, LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Firewall model and version, Network interfaces	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
LEA		All traffic and system logs	Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

3. Select the Firewall
4. Click the Network Objects
5. Select Nodes, and then right-click to select Node > Host… .
6. Select General Properties.
7. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
8. Click OK.

Create an OPSEC Application for AccelOps

1. In the Firewall tab, click the Servers and OPSEC
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General
4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
5. For Host, select the AccelOps host.
6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

7. Click Communication.
8. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your AccelOps application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click
4. Enter the SIC DN of your application. Copy Server SIC
5. In the Firewall tab, go to Manage.
6. Click the Network Object icon, and then right-click to select Check Point Gateway.
7. Click Edit.
8. Enter the SIC DN.
9. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

 

Cisco Adaptive Security Appliance (ASA) Configuration

What is Discovered and Monitored

Sample Cisco ASA Syslog

Commands Used During Telnet/SSH Communication

Set Up AccelOps as a NetFlow Receiver

Create a NetFlow Service Policy

Configure the Template Refresh Rate

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c, V3)	Host name, Hardware model, Network interfaces, Hardware component details: serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc., Operating system version, SSM modules such as IPS	Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
SNMP (V1, V2c, V3)		Hardware health: temperature, fan and power supply status
SNMP (V1, V2c, V3)	OSPF connectivity, neighbors, state, OSPF Area	OSPF state change	Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3)		IPSec VPN Phase 1 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid IPSec VPN Phase 2 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed, Received Decrupt failed, Received Replay Failed	Performance Monitoring
Telnet/SSH	Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size	Startup configuration change, delta between running and startup configuration	Performance Monitoring, Security and Compliance
Telnet/SSH		Virtual context for multi-context firewalls, ASA interface security levels needed for setting source and destination IP address in syslog based on interface security level comparisons, ASA name mappings from IP addresses to locally unique names needed for converting names in syslog to IP addresses
Netflow (V9)	Open server ports	Traffic logs (for ASA 8.x and above)	Security and Compliance
Syslog	Device type	All traffic and system logs	Security and Compliance

Event Types

In CMDB > Event Types, search for “asa” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “asa” in the Description column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “asa” in the Description column to see the reports associated with this device.

Configuration

1. Log in to your ASA with administrative privileges.

Configure SNMP with this command.

Syslog

1. Log in to your ASA with administrative privileges.
2. Enter configuration mode (config terminal).
3. Enter the following commands: no names logging enable logging timestamp logging monitor errors logging buffered errors logging trap debugging logging debug-trace logging history errors logging asdm errors logging mail emergencies

logging facility 16 logging host <ASA interface name> <AccelOps IP>

Sample Cisco ASA Syslog

SSH

1. Log in to your ASA with administrative privileges.
2. Configure SSH with this command.

Telnet

1. Log in to your ASA with administrative privileges.
2. Configure telnet with this command.

Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in AccelOps have permission to execute these commands.

2. show running-config
3. show version
4. show flash
5. show context
6. show ip route
7. enable
8. terminal pager 0
9. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high volume traffic logs. You should configure NetFlow with ASM, the ASA device manager.

Set Up AccelOps as a NetFlow Receiver

1. Login to ASDM.
2. Go to Configuration > Device Management > Logging > Netflow.
3. Under Collectors, click
4. For Interface, select the ASA interface over which NetFlow will be sent to AccelOps.
5. For IP Address or Host Name, enter the IP address or host name for your AccelOps virtual appliance that will receive the NetFlow logs.
6. For UDP Port, enter 2055.
7. Click OK.
8. Select Disable redundant syslog messages.

This prevents the netflow equivalent events from being also sent via syslog.

9. Click Apply.

Create a NetFlow Service Policy

1. Go to Configuration > Firewall > Service Policy Rules.
2. Click Add.

The Service Policy Wizard will launch.

3. Select Global – apply to all interfaces, and then click Next.
4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
5. For Source and Destination, select Any, and then click Next.
6. For Flow Event Type, select All.
7. For Collectors, select the AccelOps virtual appliance IP address.
8. Click OK.

Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between sending a template record to AccelOps. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, AccelOps cannot process a flow until it knows the details of the corresponding template. This command may not always be needed, but if flows are not showing up in AccelOps, even if tcpdump indicates that  they are, this is worth trying.

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials

Dell SonicWALL Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Hardware model, Network interfaces,  Operating system version	CPU Utilization, Memory utilization and Firewall Session Count	Availability and Performance Monitoring
Syslog	Device type	All traffic and system logs	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “sonicwall” in the Device Type column to see the event types associated with Dell SonicWALL firewalls.

Rules

There are no predefined rules for Dell SonicWALL firewalls.

Reports

There are no predefined reports for Dell SonicWALL firewalls.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Dell SonicWALL Firewall Administrator’s Guide (PDF)

Syslog

1. Log in to your SonicWALL appliance.
2. Go to Log > Syslog.

Keep the default settings.

3. Under Syslog Servers, click Add.

The Syslog Settings wizard will open.

4. Enter the IP Address of your AccelOps Supervisor or Collector.

Keep the default Port setting of 514.

5. Click OK.
6. Go to Firewall > Access Rules.
7. Select the rule that you want to use for logging, and then click Edit.
8. In the General tab, select Enable Logging, and then click OK.

Repeat for each rule that you want to enable for sending syslogs to AccelOps.

Your Dell SonicWALL firewall should now send syslogs to AccelOps.

Example Syslog

Settings for Access Credentials

Fortinet FortiGate Firewall Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Hardware model, Network interfaces,  Operating system version	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)	Availability and Performance Monitoring
Telnet/SSH	Running configuration	Configuration Change	Performance Monitoring, Security and Compliance
Syslog	Device type	All traffic and system logs	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “fortigate” in the Name and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortigate” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

1. Log in to your firewall as an administrator.
2. Go to System > Network.
3. Select the FortiGate interface IP that AccelOps will use to communicate with your device, and then click Edit.
4. For Administrative Access, makes sure that SSH and SNMP are selected.
5. Click OK
6. Go to System > Config > SNMP v1/v2c.
7. Click Create New to enable the public

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

1. show firewall address
2. show full-configuration
3. Log in to your firewall as an administrator.
4. Go to Log &Report > Log Config > syslog.
5. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your AccelOps virtual appliance.
6. Make sure that CSV format is not selected. With the CLI note th
7. Connect to the Fortigate firewall over SSH and log in.
8. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 168.53.2 with the IP address of your AccelOps virtual appliance.

Example FortiGate Syslog

Settings for Access Credentials

Juniper Networks SSG Firewall Configuration

What is Discovered and Monitored

SNMP and SSH

Create SNMP Community String and Management Station IP

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

Set AccelOps as a Destination Syslog Server

Set the Severity of Syslogs to Send to AccelOps

Sample Parsed FortiGate Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Hardware model, Network interfaces,  Operating system version	Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
Telnet/SSH	Running configuration	Configuration Change	Performance Monitoring, Security and Compliance
Syslog	Device type	Traffic log, Admin login activity logs, Interface up/down logs	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “SSG” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

Enable SNMP, SSH, and Ping

1. Log in to your firewall’s device manager as an administrator.
2. Go to Network > Interfaces > List.
3. Select the interface and click Edit.
4. Under Service Options, for Management Services, select SNMP and SSH.
5. For Other Services, select Ping.

Create SNMP Community String and Management Station IP

1. Go to Configuration > Report Settings > SNMP.
2. If the public community is not available, create it and provide it with read-only access.
3. Enter the Host IP address and Netmask of your AccelOps virtual appliance.
4. Select the Source Interface that your firewall will use to communicate with AccelOps.
5. Click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

1. Go to Policies.
2. Select a policy and click Options.
3. Select Logging.
4. Click OK.

Set AccelOps as a Destination Syslog Server

1. Go to Configuration > Report Settings > Syslog.
2. Select Enable syslog messages.
3. Select the Source Interface that your firewall will use to communicate with AccelOps.
4. Under Syslog servers, enter the IP/Hostname of your AccelOps virtual appliance.
5. For Port, enter 514.
6. For Security Facility, select LOCALD.
7. For Facility, select LOCALD.
8. Select Event Log and Traffic Log.
9. Select Enable.
10. Click Apply.

Set the Severity of Syslogs to Send to AccelOps

1. Go to Configuration > Report Setting > Log Settings.
2. Click Syslog.
3. Select the Severity Levels of the syslogs you want sent to AccelOps.
4. Click Apply.

Sample Parsed FortiGate Syslog

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26

09:09:40, 2009/08/26 08:09:49, global.CoX, 1363,

CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL),

81.243.104.82, 64618, 81.243.104.82,

64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26

09:09:40, 2009/08/26 08:09:49, global.CoX, 1363,

CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82,

64618, 81.243.104.82, 64618, dmz,

(NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted,

info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

Settings for Access Credentials

McAfee Firewall Enterprise (Sidewinder) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Sidewinder Syslog

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “sidewinder” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Sidewinder Syslog

Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date=”2011-06-18 14:34:08 +0000″,fac=f_http_proxy,area=a_libproxycommon, type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1 .community.int,event=”session end”,app_risk=low,

app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=7 4.70.205.191,srcport=3393,srczone=external,protocol=6,

dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,byte s_written_to_server=408,rule_name=BTC-inbound, cache_hit=1,start_time=”2011-06-18 14:34:08 +0000″,application=HTTP

Palo Alto Firewall Configuration

What is Discovered and Monitored

SNMP, SSH, and Ping

Set AccelOps as a Syslog Destination

Set the Severity of Logs to Send to AccelOps

Create a Log Forwarding Profile

Use the Log Forwarding Profile in Firewall Policie

Sample Parsed Palo Alto Syslog Mesage  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Hardware model, Network interfaces,  Operating system version	Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count	Availability and Performance Monitoring
Telnet/SSH	Running configuration	Configuration Change	Performance Monitoring, Security and Compliance
Syslog	Device type	Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs	Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “palo alto” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “palo alto” in the Description column to see the reports associated with this device.

Configuration

SNMP, SSH, and Ping

1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, clickSetup.
3. Click Edit.
4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
5. For SNMP Community String, enter public.
6. If there are entries in the Permitted IP list, Add the IP address of your AccelOps virtual appliance.
7. Click OK.
8. Go to Setup > Management and check that SNMP is enabled on the management interface

Syslog

Set AccelOps as a Syslog Destination

1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, go to Log Destinations > Syslog.
3. Click New.
4. Enter a Name for your AccelOps virtual appliance.
5. For Server, enter the IP address of your virtual appliance.
6. For Port, enter 514.
7. For Facility, select LOG_USER.
8. Click OK.

Set the Severity of Logs to Send to AccelOps

1. In the Device tab, go to Log Settings > System.
2. Click .. .
3. For each type of log you want sent to AccelOps, select the AccelOps virtual appliance in the Syslog
4. Click OK.

Create a Log Forwarding Profile

1. In the Objects tab, go to Log Forwarding > System.
2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your AccelOps virtual appliance for each type of log you want send to AccelOps.
3. Click OK.

Use the Log Forwarding Profile in Firewall Policie

1. In the Policies tab, go to Security > System.
2. For each security rule that you want to send logs to AccelOps, click Options.
3. For Log Forwarding Profile, select the profile you created for AccelOps.
4. Click OK.

Settings for Access Credentials

 

Sophos UTM Firewall Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Configuration change, command execution	Log Management, Compliance and SIEM

Event Types

In CMDB > Event Types, search for “sophos-utm” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device’s product documentation, and FortiSIEM will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance. For Port, enter 514.

Sample Syslog Message

<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id=”0001″ severity=”info” sys=”SecureWeb” sub=”http” name=”http access” action=”pass” method=”GET” srcip=”10.10.10.10″ dstip=”1.1.1.1″ user=”” group=”” ad_domain=”” statuscode=”302″ cached=”0″ profile=”REF_DefaultHTTPProfile (Default Web Filter Profile)” filteraction=”REF_HttCffCustoConteFilte (Custom_Default content filter action)” size=”0″ request=”0xdc871600″ url=”http://a.com” referer=”http://foo.com/bar/” error=”” authtime=”0″ dnstime=”1″ cattime=”24080″ avscantime=”0″ fullreqtime=”52627″ device=”0″ auth=”0″ ua=”Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” exceptions=”” category=”154″ reputation=”unverified” categoryname=”Web Ads”

WatchGuard Firebox Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Firebox Syslog Message

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

In CMDB > Event Types, search for “firebox” in the Device Type  andDescription column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring End point Security Software

The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by AccelOps.

Bit9 Security Platform Configuration

Cisco Security Agent (CSA) Configuration

ESET NOD32 Anti-Virus Configuration

MalwareBytes Configuration

McAfee ePolicy Orchestrator (ePO) Configuration

Sophos Endpoint Security and Control Configuration

Symantec Endpoint Protection Configuration

Trend Micro Intrusion Defense Firewall (IDF) Configuration Trend Micro OfficeScan Configuration

Bit9 Security Platform Configuration

What is Discovered and Monitored

Bit9 Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Logs	Security Monitoring

Event Types

In CMDB > Event Types, search for “Bit9” in the Device Type columns to see the event types associated with this device.

Rules

Bit9 Agent Uninstalled or File Tracking Disabled

Bit9 Fatal Errors

Blocked File Execution

Unapproved File Execution

Reports

Bit9 Account Group Changes

Bit9 Fatal and Warnings Issues

Bit9 Functionality Stopped

Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com – – – – Bit9 event: text=”Server discovered new file ‘c:\usersacct\appdata\local\temp\3cziegdd.dll’ [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f].” type=”Discovery” subtype=”New file on network” hostname=”SVR123″ username=”SVR123\acct” date=”4/6/2015 4:22:52 PM” ip_address=”10.168.1.1″

process=”c:\abc\infrastructure\bin\scannerreset.exe” file_path=”c:\users\acct\appdata\local\temp\3cziegdd.dll” file_name=”3cziegdd.dll” file_hash=”361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99 f9f” installer_name=”csc.exe” policy=”High Enforce” process_key=”00000000-0000-1258-01d0-7085edb50080″ server_version=”7.2.0.1395″ file_trust=”-2″ file_threat=”-2″ process_trust=”-1″ process_threat=”-1″

Cisco Security Agent (CSA) Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP Trap

Events

There are no specific events defined for this device.

Rules

AccelOps uses these rules to monitor events for this device:

Rule	Description
Agent service control	Attempts to modify agent configuration
Agent UI control	Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control	Attempts to invoke processes in certain application classes
Buffer overflow attacks
Clipboard access control	Attempts to acccess clipboard data written by sensitive data applications
COM component access control	Unusual attempts to access certain COM sets including Email objects
Connection rate limit	Excessive connections to web servers or from email clients
Data access control	Unusual attempts to access restricted data sets such as configuration files, password etc. by suspect applications
File access control	Unusual attempts to read or write restricted files sets such as system executables, boot files etc. by suspect applications
Kernel protection	Unusual attempts to modify kernel functionality by suspect applications
Network access control	Attempts to connect to local network services
Network interface control	Attempts by local applications to open a stream connection to the NIC driver
Network shield	Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc
Windows event log
Registry access control	Attempts to write certain registry entries
Resource access control	Symbolic link protection
Rootkit/kernel protection	Unusual attempts to load files after boot
Service restart	Service restarts
Sniffer and protocol detection	Attempts by packet/protocol sniffer to receive packets
Syslog control	Syslog events
System API control	Attempts to access Windows Security Access Manager (SAM)

Reports

There are no predefined reports for Cisco Security Agent.

Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0

= Timeticks: (52695748) 6 days, 2:22:37.48

SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1

SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619

SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261 SNMPv2-SMI::enterprises.8590.2.3 = STRING:

“sjdevVwindb06.ProspectHills.net”

SNMPv2-SMI::enterprises.8590.2.4 = STRING: “2008-05-13 19:03:21.157”

SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5

SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452

SNMPv2-SMI::enterprises.8590.2.7 = STRING: “C:\\Program

Files\\RealVNC\\VNC4\\winvnc4.exe”

SNMPv2-SMI::enterprises.8590.2.8 = NULL SNMPv2-SMI::enterprises.8590.2.9

= STRING: “192.168.20.38”

SNMPv2-SMI::enterprises.8590.2.10 = STRING: “192.168.1.39”

SNMPv2-SMI::enterprises.8590.2.11 = STRING: “The process ‘C:\\Program

Files\\RealVNC\\VNC4\\winvnc4.exe’ (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied.”

SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109

SNMPv2-SMI::enterprises.8590.2.13 = STRING: “192.168.1.39”

SNMPv2-SMI::enterprises.8590.2.14 = STRING: “W”

SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959

SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900

SNMPv2-SMI::enterprises.8590.2.17 = STRING: “Network access control” SNMPv2-SMI::enterprises.8590.2.18 = STRING: “Non CSA applications, server for TCP or UDP services” SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33

SNMPv2-SMI::enterprises.8590.2.20 = STRING: “CSA MC Security Module”

SNMPv2-SMI::enterprises.8590.2.21 = NULL

SNMPv2-SMI::enterprises.8590.2.22 = STRING: “NT AUTHORITY\\SYSTEM”

SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2

ESET NOD32 Anti-Virus Configuration

What is Discovered and Monitored

ESET NOD32 Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ESET NOD32 Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps Supervisor.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

MalwareBytes Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Malware detection log	Security Monitoring

Event Types

In CMDB > Event Types, search for “malwarebytes” to see the event types associated with this device.

Rules

Malware found but not remediated

Reports

In Analytics > Reports, search for “malware found” to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName

Malwarebytes-Endpoint-Security 1552 – {“security_log”:{“client_id”:”ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64″,”hos t_name”:”Abc-cbd”,”domain”:”abc.com”,”mac_address”:”FF-FF-FF-FF-FF”,”ip_ address”:”10.1.1.1″,”time”:”2016-09-23T14:40:14″,”threat_level”:”Moderat e”,”object_type”:”FileSystem”,”object”:”HKLM\\SOFTWARE\\POLICIES\\GOOGLE \\UPDATE”,”threat_name”:”PUM.Optional.DisableChromeUpdates”,”action”:”Qu arantine”,”operation”:”QUARANTINE”,”resolved”:true,”logon_user”:”dsamuel s”,”data”:”data”,”description”:”No

description”,”source”:”MBAM”,”payload”:null,”payload_url”:null,”payload_ process”:null,”application_path”:null,”application”:null}}

McAfee ePolicy Orchestrator (ePO) Configuration

What is Discovered and Monitored ePO Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP Traps

Event Types

In CMDB > Event Types, search for “mcafee epolicy” in the Description column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ePO Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device.

1. Log in to the McAfee EPO console.
2. Go to Menu > Configuration > Registered Servers, and then click New Server.

The Registered Server Builder opens.

3. For Server type, enter SNMP Server.
4. For Name, enter the IP address of your SNMP server.
5. Enter any Notes, and then click Next to go to the Details
6. For Address, enter the IP address or DNS Name for the AccelOps virtual appliance that will receive the SNMP trap.
7. For SNMP Version, select SNMPv1.
8. For Community, enter public.
9. Click Send Test Trap, and then click OK.
10. Log in to your Supervisor node and use Real Time Search to see if AccelOps received the trap.

Example SNMP Trap

2011-04-14 01:28:46 192.168.20.214(via UDP: [192.168.20.214]:45440)

TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.3401 Enterprise Specific Trap (5) Uptime:

0:00:00.30

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.245 = STRING: “To

SJ-Dev-S-RH-DNS-01”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.245 = STRING: “My

Organization”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.245 = STRING: “Directory”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.245 = STRING: “Any”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.245 = STRING: “Any”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.245 = STRING: “(Any)”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.245 = STRING: “4/16/08

3:07:04 AM”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.245 = STRING: “1278” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.245 = STRING: “file infected.  No cleaner  available, file deleted successfully” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.245 = STRING: “1”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.17.245 = STRING: “1”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.13.245 = STRING: “VirusScan” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245 = STRING: “Virus detected and removed” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245 = STRING: “EICAR test file” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.23.245 = STRING: “Not

Available” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.24.245 = STRING:

“192.168.1.6” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.25.245 = STRING:

“SJDEVSWINIIS01” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.26.245 = STRING:

“C:\Documents and

Settings\administrator.PROSPECTHILLS\Desktop\eicar.com”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.27.245 = STRING: “3”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.6.245 = STRING: “4/16/08

3:07:04 AM”

Sophos Endpoint Security and Control Configuration

What is Discovered and Monitored

Sophos Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP Trap

Event Types

In CMDB > Event Types, search for “sophos endpoint” in the Device Type column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device. .

Sophos Configuration

SNMP Trap

AccelOps processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to AccelOps, and the system will automatically recognize the messages.

SNMP Traps are configured within the Sophos policies.

1. In the Policies pane, double-click the policy you want to change.
2. In the policy dialog, in the Configure panel, click Messaging.
3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages.
5. In the SNMP trap destination field, enter the IP address of the recipient.
6. In the SNMP community name field, enter the SNMP community name.

Sample SNMP Trap

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Logs	Security Monitoring

Event Types

In CMDB > Event Types, search for “symantec endpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Symantec Endpoint Protection Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device.

Configuring Log Transmission to AccelOps

1. Log in to Symantec Endpoint Protection Manager.
2. Go to Admin> Configure External Logging > Servers > General.
3. Select Enable Transmission of Logs to a Syslog Server.
4. For Syslog Server, enter the IP address of the AccelOps virtual appliance.
5. For UDP Destination Port, enter 514.

Configuring the Types of Logs to Send to AccelOps

1. Go to Admin> Configure External Logging > Servers > Log Filter.
2. Select the types of logs and events you want to send to AccelOps.

Sample Syslog

<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus  0   2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,”Scan started on selected drives and folders and all

extensions.”,1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342-AB3D-E0E9 E3756510},,(IP)-0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,

,,,,,,0,,,,,

<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on failed

<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin:

admin,Administrator  log on succeeded

<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and

Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,””,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server:

sjdevswinapp05,User: Administrator,Source computer:  ,Source IP: 0.0.0.0

Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local:

192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote:

192.168.128.86,Remote: ,Remote: 138,Remote:

0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC

<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected.  Traffic has been allowed from this application: C:\WINDOWS\system32 toskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote:

000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End:

2009-02-24 11:50:01,Occurrences: 1,Application:

C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User:

Administrator,Domain: PROSPECTHILLS

<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category:

2,Symantec AntiVirus,New virus definition file loaded. Version:

130727ag.

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.

<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category:

0,Smc,Failed to disable Windows firewall

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category:

0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category:

0,Smc,Disconnected from Symantec Endpoint Protection Manager

(10.0.11.17)

<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category:

0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01) <54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category:

0,Smc,Network Threat Protection – – Engine version: 11.0.480  Windows

Version info:  Operating System: Windows XP (5.1.2600 Service Pack 3)

Network  info:  No.0  “Local Area Connection 3”  00-15-c5-46-58-1e

“Broadcom NetXtreme 57xx Gigabit Controller” 10.0.208.66

<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule:

Trend Micro Intrusion Defense Firewall (IDF) Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Trend Micro OfficeScan Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
SNMP Trap

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440)

TRAP, SNMP v1, community public    SNMPv2-SMI::enterprises.6101

Enterprise Specific Trap (5) Uptime: 0:00:00.30   SNMPv2-SMI::enterprises.6101.141 = STRING: “Virus/Malware:

Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) ”

Configuring Environmental Sensors

AccelOps supports these devices for monitoring.

APC Netbotz Environmental Monitor Configuration

APC UPS Configuration

Generic UPS Configuration

Liebert FPC Configuration

Liebert HVAC Configuration Liebert UPS Configuration

APC Netbotz Environmental Monitor Configuration

What is Monitored and Collected

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Monitored and Collected

 

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature Current: Sensor Id, Sensor label, Enclosure Id, Current Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close) Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion) Hadware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, memory Beacon Status EMS Status (for NBRK0200): EMS Hardware Status, Connection State Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code	Availability and Performance Monitoring
SNMP Trap (V1, V2c)	SNMP Trap	See Event Types for more information about viewing the SNMP traps collected by AccelOps for this device.	Availability and Performance Monitoring

 

Event Types

In CMDB > Event Types, search for “NetBotz” in the Name column to see the event types associated with this application or device.

 

Event types for NetBotz NBRK0200

In Analytics > Rules, search for “NetBotz” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “Netbotz” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

 

APC UPS Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency	Availability and Performance Monitoring
SNMP Trap			Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “apc” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “apc” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “apc” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

Generic UPS Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Setting Access Credentials

Liebert FPC Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	Output voltage (X-N, Y-N, Z-N), Output current (X, Y. Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly. Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, output Ly capacity	Availability and Performance Monitoring

Event Types

In CMDB > Event Types, search for “LIebert FPC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert FPC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert HVAC Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity	Availability and Performance Monitoring

AccelOps uses SNMP to discover and collector metrics from Generic UPS devices – requires the presence of UPS-MIB on the UPS device.

Follow Liebert HVAC documentation to enable AccelOps to poll the device via SNMP.

Event Types

In CMDB > Event Types, search for “Liebert HVAC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert HVAC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert UPS Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP (V1, V2c)	Host name, Hardware model, Network interfaces	UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!