Configuring Cloud Applications

AccelOps supports these cloud applications for monitoring.

AWS Access Key IAM Permissions and IAM Policies

AWS CloudTrail API Configuration

AWS EC2 CloudWatch API Configuration

AWS RDS Configuration

Box.com Configuration

Cisco FireAMP Cloud Configuration

Google Apps Audit Configuration

Microsoft Azure AuditTrail Configuration

Microsoft Office365 Audit Configuration

Okta Configuration

Salesforce CRM Audit Configuration

 

 

AWS Access Key IAM Permissions and IAM Policies

In order to monitor AWS resources in AccelOps, an access key and a corresponding secret access key is needed. Prior to the availability of AWS IAM users, the recommendation was to create an access key at the level of root AWS account. This practice has been deprecated since the availability of AWS IAM users as you can read from the AWS Security Credentials best practice guide. If you were monitoring AWS using such access keys, the first step is to delete such keys and create keys based on a standalone IAM user dedicated for monitoring purposes in AccelOps. This document explains how to create such a user, and what permissions and policies to add to allow AccelOps to monitor your AWS environment.

Create IAM user for AccelOps monitoring

1. Login to the IAM Console – Users Tab.
2. Click Create Users
3. Type in a username, e.g. aomonitoring under Enter User Names.
4. Leave the checkbox Generate an access key for each user selected or select it if it is not selected
5. Click Download Credentials and click on Close button
6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in AccelOps to monitor various AWS services. You will need to add permissions before you can actually add them in AccelOps.

Change permissions for IAM user

1. Select the user aomonitoring 2. Switch to tab Permissions
2. Click Attach Policy.
3. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess, A mazonSQSFullAccess and click Attach Policy

You can choose to skip attaching some policies if you do not use that service or plan on monitoring that service. For instance, if you do not use RDS, then you do not need to attach AmazonRDSReadOnlyAccess

5. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specificy a more restricted policy as described in the next step
6. Now, identify the set of S3 bucket(s) that you have configured to store Cloudtrail logs for each region. You can create an inline policy, ch oose custom policy, then paste the sample policy below. Make sure you replace the actual S3 bucket names below aocloudtrail1, aoclo udtrail2 with the ones you have configured

 

 

 

AWS CloudTrail API Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

Sample Events for AWS CloudTrail

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
CloudTrail API	None	None	Security Monitoring

Event Types

In CMDB > Event Types, search for “Cloudtrail” in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

Rules

There are no predefined rules for this device. However,

Reports

In Analytics > Reports, search for “cloudtrail” in the Name column to see the rules associated with this device.

Configuration

 

 

AccelOps receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your AccelOps virtual appliance you then enter access credentials so AccelOps can communicate with CloudTrail as it would any other device.

Create a new Cloudtrail

1. Log in to https://console.aws.amazon.com/cloudtrail.
2. Switch to the region for which you want to generate cloud trail logs.
3. Click Trails.
4. Click on Add New Trail
5. Enter a Trail name such as aocloudtrail
6. Select No for Apply Trail to all regions

You will need to create a cloudtrail for each region by following all the steps mentioned here for cloudtrail, SQS, and SNS. You cannot use ‘Apply Trail to all regions’ to collect trails for all regions in one S3 bucket and have AccelOps pull these logs. In the future, AccelOps will be enhanced to support this capability

7. Select Yes for Create a new S3 bucket. ‘
8. For S3 bucket, enter a name like s3aocloudtrail.
9. Click Advanced.
10. Select Yes for Create a new SNS topic.
11. For SNS topic, enter a name like snsaocloudtrail.
12. Leave the rest of advanced settings to the default values
13. Click Create.

A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

1. Log in to https://console.aws.amazon.com/sqs.
2. Switch to the region in which you created a new cloudtrail above
3. Click Create New Queue.
4. Enter a Queue Name such as sqsaocloudtrail
5. Enter the Queue Settings.

Setting	Value
Default Visibility Timeout	0 seconds
Message Retention Period This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.	10 minutes
Maximum Message Size	256KB
Delivery Delay	0 seconds
Receive Message Wait Time	5 seconds

 

6. Click Create Queue.
7. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for AccelOps.

Set Up Simple Notification Service (SNS)

1. Log in to https://console.aws.amazon.com/sns.
2. Select Topics
3. Select the SNS topic snsaocloudtrail that you specified when creating a cloudtrail 4. Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription.
4. For Protocol, select Amazon SQS.
5. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
6. Click Create Subscription.

Give Permission for Amazon SNS to Send Messages to SQS

1. Log in to https://console.aws.amazon.com/sqs.
2. Select the queue you created, sqsaocloudtrail
3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier. 5. The Topic ARN will be automatically filled
5. Click Subscribe.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device

Discovery. You do not need to initiate discovery of AWS Cloud Trail, but should check that AccelOps is pulling events for AWS by checking for an amazon.com entry in Admin > Setup Wizard > Event Pulling.

Settings for Access Credentials

Sample Events for AWS CloudTrail

Fri Oct 10 14:44:23 2014 AccelOps-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/hom e?state=hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1

[eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin

[eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z

[eventVersion]=1.01 [requestParameters]=null

[responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10

[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

[userIdentity/accountId]=623885071509

[userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams

[userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW

[userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 AccelOps-CloudTrail [awsRegion]=us-east-1

[eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436

[eventName]=DescribeInstances [eventSource]=EC2

[eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01

[requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803

[requestParameters/filterSet/items/0/name]=private-ip-address

[requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233

[responseElements]=null [sourceIPAddress]=211.144.207.10

[userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3

[userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A

[userIdentity/accountId]=623885071509

[userIdentity/arn]=arn:aws:iam::623885071509:root

[userIdentity/principalId]=623885071509 [userIdentity/type]=Root

[userIdentity/userName]=accelops

AWS EC2 CloudWatch API Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Settings for Access Credentials

Sample events

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
CloudWatch API	Machine name Internal Access IP Instance ID Image ID Availability Zone Instance Type Volume ID Status Attach Time	CPU Utilization Received Bits/sec Sent Bits/sec Disk reads (Instance Store) Disk writes (Instance Store) Disk reads/sec (Instance Store) Disk writes/sec (Instance Store) Packet loss Read Bytes (EBS) Write Bytes (EBS) Read Ops (EBS) Write Ops (EBS) Disk Queue (EBS)	Performance Monitoring

Event Types

PH_DEV_MON_EBS_METRIC  captures EBS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.

Settings for Access Credentials

 

Sample events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cp p,[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com ,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0. 000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[di skWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerS ec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=

[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cp p,[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.a mazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vo l-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395 556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phL ogDetail]=

 

 

AWS RDS Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Type	Protocol	Information Discovered	Metrics Collected	Used For
Relational Database Storage (RDS)	CloudWatch API		CPU Utilization User Connections Free Memory Free Storage Used Swap Read Latency Write Latency Read Ops Write Ops	Performance Monitoring

Event Types

PH_DEV_MON_RDS_METRIC  captures RDS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

1. Create a AWS credential
   1. Go to Admin > Credentials > Step 1: Enter Credentials
   2. Click Add
      1. Set Device Type to Amazon AWS RDS
      2. Set Access Protocol as AWS SDK

• Set Region as the region in which your AWS instance is located

1. Set Access Key ID as the access key for your EC2 instance v. Set Secret Key as the secret key for your EC2 instance

1. Click Save

2. Create a IP to credential mapping
   1. Set IP/IP Range to com
   2. Choose Credentials to the one created in Step 1b
3. Click test Connectivity to make sure the credential is working correctly
4. Go to Admin > Discovery
   1. Set Discovery Type as AWS Scan
   2. Click OK to Save
   3. Select the entry and Click Discover
5. After Discovery finishes, check CMDB > Amazon Web Services > AWS Database

Sample Events

[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS .cpp,[lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds. amazonaws.com,[hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUse rConn]=0,[dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB ]=4555,[swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]= 0.213329,[devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]

=

Box.com Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Box.com API	Ccreation, deletion, and modification activity for specific files or folders File-sharing properties, including whether the file is shared, password protected, or preview/download enabled, and how many times the file was downloaded or viewed

Event Types

In CMDB > Event Types, search for “box.com” and look for BOX events in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps can monitor a directory or subdirectory, for example /All Files or /All Files/my files, or a single file , for example /All Files/my files/user guide.pdf. When you set up the access credentials for AccelOps to communicate with Box.com, you provide the path to the folder or files you want to monitor, so you should have your Box.com storage set up before you set up your access credentials. You also won’t need to initiate discovery of Box.com as you would with other devices, but should go to to Admin > Setup wizard > Event Pulling and make sure that a Box.com event pulling job is created after you have successfully set up access credentials.

Settings for Access Credentials

Sample Box.com Events

//the following event is generated when a folder called share was created using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=625,[fileType]=folder, [targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=1412700374,[accountName]=box.usage@gmail

.com,[fileId]=2541809279,[fileVersion]=1,

[targetHashCode]=,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/b.txt was created using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=625,[fileType]=file, [targetName]=b.txt,[fileSize64]=0,[filePath]=/All

Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,

[userId]=225282673,[accessTime]=1412700377,[accountName]=box.usage@gmail .com,[fileId]=21701906465,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4 b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/b.txt was deleted using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_DELETE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=503,[fileType]=file, [targetName]=b.txt,[fileSize64]=0,[filePath]=/All

Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=0,[accountName]=box.usage@gmail.com,[fil eId]=21701844673,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bf ef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/a.txt was modified using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_MODIFY]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=652,[fileType]=file, [targetName]=a.txt,[fileSize64]=8,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=1412700491,[accountName]=box.usage@gmail

.com,[fileId]=21701903189,[fileVersion]=2,[targetHashCode]=0a74245f78b73

39ea8cdfc4ac564ed14dc5c22ad,[phLogDetail]=

//the following event is generated periodically for each monitored file

and folder [PH_DEV_MON_BOX_FILE_SHARE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAge nt.cpp,[lineNumber]=601,[fileType]=folder, [targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[accountName]=box.usage@gmail.com,

[fileId]=2541809279,[fileVersion]=1,[infoURL]=https://app.box.com/s/zine

f627pyuexdcxir1q,[downloadURL]=,[filePasswordEnabled]=no, [filePreviewEnabled]=yes,[fileDownloadEnabled]=yes,[fileUnshareAtTime]=-

1,[filePreviewCount]=0,[fileDownloadCount]=0,[phLogDetail]=

Cisco FireAMP Cloud Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored

Protocol	Logs Collected	Used For
CloudAMP API	End point malware activity	Security Monitoring

Event Types

In CMDB > Event Types, search for “Cisco FireAMP Cloud” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Cisco FireAMP Cloud

Reports

There are no predefined reports for Cisco FireAMP Cloud.

Configuration

Create Cisco FireAMP Cloud Credential

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 1, Click Add to create a new credential
4. For Device Type, select Cisco FireAMP Cloud
5. For Access Protocol, select FireAMP Cloud API
6. For Password Configuration, select Manual or CyberArk For Manual credential method, enter Client ID and Client Secret.
7. For CyberArk credential method, specify CyberArk properties.
8. Click Save.

Test Connectivity

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 2, Click Add to create a new association
4. For Name/IP/IP Range, enter amp.sourcefire.com
5. For Credentials, enter the name of credential created in the “Salesforce Audit Credential” step.
6. Click Save
7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection

Sample Events for Salesforce Audit

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorG UID]=d2f5d61f-feb0-4b67-80fd-073655b86425,[date]=2015-11-25T19:17:39+00: 00,[detection]=W32.DFC.MalParent,[detectionId]=6159251516445163587,[even tId]=6159251516445163587,[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,[fileName]= rjtsbks.exe,[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828 ccd7c4dfcc234a370,[hostName]=Demo_TeslaCrypt

Google Apps Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored

Protocol	Logs Collected	Used For
Google Apps Admin SDK	Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise	Security Monitoring

Event Types

In CMDB > Event Types, search for “Google_Apps” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Google Apps

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for ” Google Apps”.

Configuration

Create a Google App Credential in Google API Console

1. Logon to Google API Console
2. Under Dashboard, create a Google Apps Project
   1. Project Name – enter a name
   2. Click Create
3. Under Dashboard, click Enable API to activate Reports API service for this project
4. Create a Service Account Key for this project
   1. Under Credentials, click Create Credentials > Create Service Account Key
   2. Choose Key type as JSON
   3. Click Create
   4. A JSON file containing the Service Account credentials will be stored in your computer
5. Enable Google Apps Domain-wide delegation
   1. Under IAM & Admin section, choose the Service account
   2. Check Enable Google Apps Domain-wide Delegation
   3. Click Save
6. View Client ID
   1. Under IAM & Admin section, choose the Service account
   2. Click View Client ID
7. Delegate domain-wide authority to the service account created in Step 4
   1. Go to your Google Apps domain’s Admin console
   2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
   3. Select Advanced settings from the list of options.
   4. Select Manage API Client access in the Authentication section
   5. In the Client name field enter the service account’s Client ID (Step 6)
   6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to.

Define Google App Credential in FortiSIEM

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 1, Click Add to create a new credential
4. For Device Type, select Google Google Apps
5. For Access Protocol, select Google Apps Admin SDK
6. Enter the User Name
7. For Service Account Key, upload the JSON credential file (Step 4d above)
8. Click Save.

Test Connectivity

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 2, Click Add to create a new association
4. For Name/IP/IP Range, enter com
5. For Credentials, enter the name of credential created in the “Google App Credential” step.
6. Click Save
7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection

Sample Events for Google Apps Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profil eId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applic ationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye ,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]= google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.emai l]=api1@accelops.net,[event.name]=login_success,[etag]=””6KGrH_UY2JDZNpg jPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc”””,Google_Apps_login_login_succ ess,login_success,1,45.79.100.103,

Logon Failure

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profil eId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#repor ts#activity,[event.parameters.login_type]=google_password,[ipAddress]=45 .79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000 Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[ev ent.type]=login,[actor.email]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpg jPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU””,[event.parameters.login_failu re_type]=login_failure_invalid_password”,Google_Apps_login_login_failure ,login_failure,1,45.79.100.103,

Create User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor. callerType]=USER,[actor.profileId]=117858279951236905887,[id.application Name]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[eve nt.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]= C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SE

TTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email ]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRv o3-8ZBM0ZlL0″””,Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.7 9.100.103,

Delete user

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor. callerType]=USER,[actor.profileId]=117858279951236905887,[id.application Name]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[eve nt.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]= C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SE

TTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email ]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6 vJtuUQW9ugx0″””,Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.7 9.100.103,

Move user settings

<134>Jan 21 19:29:20 google.com java:

[Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_IN FO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[even t.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admi n#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_O RG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id

.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event .parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelo ps.net,[event.parameters.NEW_VALUE]=/,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF 1A/r1v9DiPZbL06fXFFjJlrWf2s3qI”””,Google_Apps_USER_SETTINGS_MOVE_USER_TO

_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,

Microsoft Azure AuditTrail Configuration

What is Discovered and Monitored

Configuration

Sample Events for Microsoft Azure Audit Trail

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Azure CLI	None	None	Security Monitoring

Event Types

In CMDB > Event Types, search for “Microsoft Azure Auditl” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Microsoft Azure Audit

Reports

There are no predefined reports for Microsoft Azure Audit.

Configuration

Create Microsoft Azure Audit Credential

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 1, Click Add to create a new credential
4. For Device Type, select Microsoft Azure Audit
5. For Access Protocol, select Azure CLI
6. For Password Configuration, select Manual or CyberArk
7. For Manual credential method, enter the user name and credentials 8. For CyberArk credential method, specify CyberArk properties.
8. Click Save.

Test Connectivity

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 2, Click Add to create a new association
4. For Name/IP/IP Range, enter some IP Address
5. For Credentials, enter the name of credential created in the “Microsoft Azure Audit Credential” step.
6. Click Save
7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection

Sample Events for Microsoft Azure Audit Trail

2016-02-26 15:19:10 AccelOps-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdow n/action,[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Er ror,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/res ourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/chi na,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.553970 9Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.Classic

Compute/virtualmachines,[category]=Administrative

Microsoft Office365 Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored

Office 365 Activity Type	Operation
File and folder activities	FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted,FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded
Sharing and access request activities	AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked
Synchronization activities	ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial
Site administration activities	ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated
Exchange mailbox activities	Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin
Sway activities	SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView
User administration activities	Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user
Group administration activities	Add group, Add member to group, Delete group, Remove member from group, Update group
Application administration activities	Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry
Role administration activities	Add role member to role, Remove role member from role, Set company contact information
Directory administration activities	Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In CMDB > Event Types, search for “MS_Office365” in the Search column to see the event types associated with Office 365.

Rules

There are no predefined rules for Office 365

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Office365”

Configuration

Create Office365 API Credential

1. Check Office365 Account
   1. Login to Microsoft Online with your Office account
   2. Navigate to office home->admin center->Billing->Purchase services->Office 365 Business Premium
   3. Make sure the you have Office365 Business Premium subscription
2. Create a X.509 certificate and extract some values
   1. Download Windows SDK and install on your workstation
   2. In windows PowerShell run these commands and make sure they succeed
   3. Open certmgr.msc, and export the new X.509 certificate (office365Cert) by clicking Action->All Tasks-> Export Choose Do not export private key
      1. Choose Base-64 encoding

• Specify the file name to export

1. Run the following power shell commands to get values $base64Value, $base64Thumbprint, $keyid from the X.509 certificate for use in next step

After running these commands, the values will be set as follows

(prompt)> $keyid a8a98039-aa56-4497-ab82-d7c419e70eca (prompt)> $base64Thumbprint

A7DP44d3q++M+Cq5MQdFZDcwbr4=

(prompt)>$base64Value

MIIC/zCCAeugAwIBAgIQTdQI9aEaZ4FP/zTqmOXZrzAJBgUrDgMCHQUAMBgxFjA UBgNVBAMTDU9mZmljZTM2NUNlcnQwHhcNMTYwMzE1MDgwMDAwWhcNMTg wMzE1MDgwMDAwWjAYMRYwFAYDVQQDEw1PZmZpY2UzNjVDZXJ0MIIBIjANBgkqhk iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9IG5ZNQ9xrtolAc2jUItRhwjm FKsdST+GTlzax7bXiQl8Zp905DUBgfSyAQr77r/2cDRkf0mV7wW/2i+Pqbfi9CY wzjINLyzqxBL5lJPwzVo8aqi/ykILCsbBX6prGvc/TJXjWHbP90AHfZU t6cDPN3CrE98s3gZlWwz7wDnJP5AU/FXx4Cf4gPZOMEBPRdJqQwIZgLzHk0oDg9 kXFoiwDKORsTiamSMd34nncmmNivrqjKM57pa6jacxWFwbXDov6TlxLm tniHuH1psMRj/+jkmucoF2c2cRvTdqFePEqoWemB/np7Zwjj6VTruI5Zld22CcN IJY4ZbheAgYMXmwIDAQABo00wSzBJBgNVHQEEQjBAgBBekE2Kf2vBlJd fJmP+pAtAoRowGDEWMBQGA1UEAxMNT2ZmaWNlMzY1Q2VydIIQTdQI9aEaZ4FP/z TqmOXZrzAJBgUrDgMCHQUAA4IBAQANiw//Vxe04mUInzJUSNXCOUJFj9

HWDzQfbfBOWQQ9YiVm7o0qmSHR8bkaKTxNDl4ng0i6WpMnzmodJjtDpn4I7ZmwA

YehBiFWlUVhAW+M00bvOezcROiscOBuvWd6dQ7Op0XDpYGRnBctCv3w+

YWs0f3odrLCECvO3dk5QJbk500+S8QkLmoVv31/T1BEHnIaY3YudiVO/EpM8n7I /o8YlThHqqSQ6WGeMxYA+ts7yi+Jm++mV6xScK9qWdCbB4BW4ePZWxXi t5Bod+kC9iSco3o44hmmZdohUpF0t08Gu27dMXsaltd7djb7KeqxZrXihfFC8Xe FRBoPALIB52Ud

3. Create FortiSIEM application in Azure
   1. Login to Azure
   2. Click Active Directory in left panel
   3. Click Default Directory in the right
   4. Select APPLICATIONS tab, then click ADD.
   5. Fill application details and click Next
      1. Name – FortiSIEM
      2. Type – Choose WEB Application AND/OR API
      3. Fill in App properties and Click Done
      4. Sign-on URL – https://<Supervisor IP>
      5. App ID URL – https://<Supervisor IP>
      6. Click the application (FortiSIEM) in left panel, choose Configure tab
      7. Client ID is displayed
      8. User assignment required – No

• Keys – Select time duration

1. Save
2. Key is now displayed – copy this key to local workstation. You would not be able to retrieve it once you leave this page. In the command bar, click Manage Manifest and select Download Manifest

4. Edit the downloaded JSON file in Step 3.g.vi and
   1. Enter the following in the “keyCredentials” section
   2. The credential file looks like this
5. Store the JSON file. Click Upload Manifest to upload it to Azure

Permit Office365 Monitoring

1. Continue with Step 5 above
2. Choose Office 365 Activities
   1. Microsoft 265 Management APIs – Yes
   2. Microsoft Sharepoint Online – Yes
3. Allow read permission to chosen Office365 activities

Define Office365 Management Credential in FortiSIEM

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 1, Click Add to create a new credential
   1. For Name, provide a name for reference
   2. For Device Type, select Microsoft Office365
   3. For Access Protocol, select Office365 Mgmt Activity API
   4. For Tenant ID, use the ID from Azure Login URL

 

1. For Password Configuration, select Manual or
2. For Client ID, choose from Step 3.g.i in Create Office365 API Credential
3. For Client Secret, choose from Step 3.g.v in Create Office365 API Credential

4. For Manual credential method, enter the user name, password and Security Token.
5. For CyberArk credential method, specify CyberArk properties.
6. Click Save.

Test Connectivity

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 2, Click Add to create a new association
4. For Name/IP/IP Range, enter office.com
5. For Credentials, enter the name of credential created in the Define Office365 Management Credential step 3a 6. Click Save
6. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
7. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Office365 Log Collection

Sample Events for Google Apps Audit

Okta Configuration

AccelOps can integrate with Okta as a single-sign service for AccelOps users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single-sign on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, AccelOps will begin to monitor Okta events.

What is Discovered and Monitored

Event Types

Rules

Reports

Sample Okta Event

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Okta API

Event Types

In CMDB > Event Types, search for “okta” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

 Sample Okta Event

Mon Jul 21 15:50:26 2014 AccelOps-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME

[actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

[actors/0/ipAddress]=211.144.207.10

[actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client

[eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000

[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z

[requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=YaXin Hu

[targets/0/id]=00uvdkhrxcPNGYWISAGK

[targets/0/login]=YaXin.Hu@accelops.com [targets/0/objectType]=User

Salesforce CRM Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored

Protocol	Logs Collected	Used For
Salesforce API	Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity	Security Monitoring

Event Types

In CMDB > Event Types, search for “Salesforce Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Salesforce CRM Audit

Reports

There are many reports defined in Analytics > Reports > Device > Application > CRM

Salesforce Failed Logon Activity

Salesforce Successful Logon Activity

Top Browsers By Failed Login Count

Top Browsers By Successful Login Count Top Salesforce Users By Failed Login Count

Top Salesforce Users By Successful Login Count

Top Successful Salesforce REST API Queries By Count, Run Time

Top Failed Salesforce Failed REST API Queries By Count, Run Time

Top Salesforce API Queries By Count, Run Time

Top Salesforce Apex Executions By Count, Run Time

Top Salesforce Dashboards Views By Count

Top Salesforce Document Downloads By Count

Top Salesforce Opportunity Reports By Count

Top Salesforce Report Exports By Count

Top Salesforce Reports By Count, Run Time Top Salesforce Events

Configuration

Create Salesforce Audit Credential

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 1, Click Add to create a new credential
4. For Device Type, select Salesforce Salesforce Audit
5. For Access Protocol, select Salesforce API
6. For Password Configuration, select Manual or CyberArk
7. For Manual credential method, enter the user name, password and Security Token.
8. For CyberArk credential method, specify CyberArk properties.
9. Click Save.

Test Connectivity

1. Log in to AccelOps Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. In Step 2, Click Add to create a new association
4. For Name/IP/IP Range, enter salesforce.com
5. For Credentials, enter the name of credential created in the “Salesforce Audit Credential” step.
6. Click Save
7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection

Sample Events for Salesforce Audit

Configuring Console Access Devices

AccelOps supports these console access devices for discovery and monitoring.

Lantronix SLC Console Manager Configuration

 

 

 

Lantronix SLC Console Manager Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Admin access, Updates, Commands run	Log analysis and compliance

Event Types

Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in CMDB > Event Types by searching for Lantronix-SLC. Some important ones are

Lantronix-SLC-RunCmd

Lantronix-SLC-Update

Lantronix-SLC-User-Logon-Success

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

 

 

 

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

HP BladeSystem Configuration

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
SNMP	Host name, Access IP, Hardware components – processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit	Hardware status: Fan status, Power supply status, power enclosure status, Overall status	Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover the HP BladeSystem and collect hardware statistics. See the instructions on configuring SNMP in your Bladesystem documentation to enable communications with AccelOps.

After you have configured SNMP on your BladeSystem blade server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discover ing Infrastructure.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Blade Servers

AccelOps supports these blade servers for discovery and monitoring.

Cisco UCS Server Configuration

HP BladeSystem Configuration

 

Cisco UCS Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

UCS XML API

Settings for Access Credentials

Sample Cisco UCS Events

Power Supply Status Event

Processor Status Event

Chassis Status Event

Memory Status Event

Fan Status Event

What is Discovered and Monitored

Protocol	Information Discovered	Metrics collected	Used for
Cisco UCS API	Host name, Access IP, Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit	Chassis status: Input Power, Input Avg Power, Input Max Power, Input Min Power, Output Power, Output Avg Power, Output Max Power, Output Min Power Memory status: Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C) Processor status:  Input Current, Input Avg Current, Input Max Current, Input Min Current, Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C) Power supply status: Temp (C), Max Temp (C), Avg Temp (C), Min Temp (C),  Input 210Volt, Avg Input 210Volt, Max Input 210Volt, Min Input 210Volt, Output 12Volt, Avg Output 12Volt, Max Output 12Volt, Min Output 12Volt, Output 3V3Volt, Avg Output 3V3Volt, Max Output 3V3Volt, Min Output 3V3Volt, Output Current, Avg Output Current, Max Output Current, Min Output Current, Output Power, Avg Output Power, Max Output Power,Min Output Power Fan status:  Fan Speed, Average Fan Speed, Max Fan Speed, Min Fan Speed	Availability and Performance Monitoring

 

Event Types

In CMDB > Event Types, search for “cisco us” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “cisco us” in the Name column to see the reports associated with this application or device.

Configuration

UCS XML API

AccelOps uses Cisco the Cisco UCS XML API to discover Cisco UCS and to collect hardware statistics. See the Cisco UCS documentation for information on how to configure your device to connect to AccelOps over the API.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Sample Cisco UCS Events

Power Supply Status Event

[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine

,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2, [envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.

764706,[envTempMinDegC]=25.529411,[input210Volt]=214.294113, [input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVo lt]=207.823532,[ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803, [ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.1

41176,[ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823, [ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAv gAmp]=20.261436,[outputCurrentMaxAmp]=24.509804, [outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004,[outputPowe rAvgWatt]=245.736252,[outputPowerMaxWatt]=303.344879, [outputPowerMinWatt]=191.188004

Processor Status Event

[PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO,

[hostName]=machine,[hostIpAddr]=10.1.2.36,

[hwComponentName]=sys/chassis-1/blade-3/board/cpu-2,

[inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914,

[inputCurrentMaxAmp]=101.101959,[inputCurrentMinAmp]=44.580391, [envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,[envTempMaxDegC]=6.431

373,[envTempMinDegC]=5.788235,

Chassis Status Event

[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity\]=PHL_INFO,[hostName]=ma chine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1, [inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWat t]=7.843137,[inputPowerMinWatt]=7.843137,

outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxW att]=0.000000,[outputPowerMinWatt]=0.000000

Memory Status Event

Fan Status Event

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Nginx Web Server Configuration

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Settings for Access Credentials

The following protocols are used to discover and monitor various aspects of Nginx webserver.

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	Process level metrics: CPU utilization, Memory utilization	Performance Monitoring
Syslog		W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “nginx” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example nginx Syslog

<29>Jun 15 07:59:03 ny-n1-p2 nginx: “200.158.115.204”,”-“,”Mozilla/5.0

(Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1″,”/images/design/header-2-logo.jpg”,”GET”,”http://wm-cente r.com/images/design/header-2-logo.jpg”,”200″,”0″,”/ypf-cookie_auth/index .html”,”0.000″,”877″,”-“,”10.4.200.203″,”80″,”wm-center.com”,”no-cache, no-store, must-revalidate”,”-“,”1.64″,”_”,”-“,”-”

Settings for Access Credentials

SNMP Access Credentials for All Devices

When setting the Access Method Definition for allowing AccelOps to communicate with your device over SNMP, use these settings.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use Windows Agent Manager to configure the sending of syslogs from this device.

Sample IIS Syslog

<13>Oct  9 12:19:05 ADS-Pri.ACME.net IISWebLog              0

2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm – 80 –

192.168.20.80 HTTP/1.1

Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/200809

2417+Firefox/3.0.3 – – 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32

127.0.0.1 – MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ – 530 1326 0 0

0 FTP – – – –

Microsoft IIS for Windows 2008 Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample IIS Syslog

Setting Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	Process level metrics: CPU utilization, memory utilization	Performance Monitoring
WMI	Application type, service mappings	Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors	Performance Monitoring
Syslog	Application type	W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “microsoft is” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click
12. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample IIS Syslog

<13>Oct  9 12:19:05 ADS-Pri.ACME.net IISWebLog              0

2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm – 80 –

192.168.20.80 HTTP/1.1

Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/200809

2417+Firefox/3.0.3 – – 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32

127.0.0.1 – MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ – 530 1326 0 0

0 FTP – – – –

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Web Server Configuration

AccelOps supports these web servers for discovery and monitoring.

Apache Web Server Configuration

Microsoft IIS for Windows 2000 and 2003 Configuration

Microsoft IIS for Windows 2008 Configuration Nginx Web Server Configuration

Apache Web Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

HTTPS

Syslog

Define the Apache Log Format

Apache Syslog Log Format

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	Process level metrics: CPU utilization, Memory utilization	Performance Monitoring
HTTP(S) via the mod-status module		Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers	Performance Monitoring
Syslog	Application type	W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “apache” in the Device Type and Description column to see the event types associated with this device.

Rules here are no predefined rules for this device.

Reports

In Analytics > Reports, search for “apache” in the Name column to see the reports associated with this device. Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

HTTPS

To communicate with AccelOps over HTTPS, you need to configure the mod_status module in your Apache web server.

1. Log in to your web server as an administrator.
2. Open the configuration file /etc/Httpd.conf.
3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.
4. If you are using authentication, you will have to add user authentication credentials.
   1. Go to /etc/httpd, and if necessary, create an account
   2. In the account directory, create two files, users and groups.
   3. In the groups file, enter admin:admin.
   4. Create a password for the admin user.
5. Reload Apache.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Install and configure Epilog application to send syslog to AccelOps

1. Download Epilog from Epilog download site and install it on your Windows Server.
2. For Windows, launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows
3. For Linux, type http://<yourApacheServerIp>:6162
4. Configure Epilog application as follows
   1. Go to Log Configuration. Click Add button and add the following log files to be sent to AccelOps

/etc/httpd/logs/access_log /etc/httpd/logs/ssl_access_log

1. Go to Network Configuration
   10. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here);
   11. Set 514 in Destination Port text area

• Click Change Configuration to save the configuration

1. Apply the Latest Audit Configuration. Apache logs will now sent to AccelOps in real time.

Define the Apache Log Format

You need to define the format of the logs that Apache will send to AccelOps.

1. Open the file /etc/httpd/conf.d/ssl.conf for editing.

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog

192.168.20.35 – – [17/Sep/2009:13:27:37 -0700] “GET

/icons/apache_pb2.gif HTTP/1.1” 200 2414 “http://192.168.0.30/”

“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)”

<134>Mar  4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info]

192.168.20.38 – – [04/Mar/2010:16:35:21 -0800] “GET /bugzilla-3.0.4/ HTTP/1.1” 200 10791 “-” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6”

<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info]

192.168.20.38 – – [04/Mar/2010:16:35:21 -0800] “GET /bugzilla-3.0.4/ HTTP/1.1” 200 10791 “-” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6”

Microsoft IIS for Windows 2000 and 2003 Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample IIS Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	Process level metrics: CPU utilization, memory utilization	Performance Monitoring
WMI	Application type, service mappings	Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors	Performance Monitoring
Syslog	Application type	W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “microsoft is” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Unified Communication Server Configuration

AccelOps supports these VoIP servers for discovery and monitoring.

Avaya Call Manager Configuration

Cisco Call Manager Configuration

Cisco Contact Center Configuration

Cisco Presence Server Configuration

Cisco Tandeberg Telepresence Video Communication Server (VCS) Configuration

Cisco Telepresence Multipoint Control Unit (MCU) Configuration

Cisco Telepresence Video Communication Server Configuration

Cisco Unity Connection Configuration

 

Avaya Call Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SFTP

Configure AccelOps to Receive CDR Records from Cisco Call Manager

Configure Avaya Call Manager to Send CDR Records to AccelOps  Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: Uptime, Interface utilization	Performance Monitoring
SFTP		Call Description Records (CDR): Calling Phone IP, Called Phone IP, Call Duration	Performance and Availability Monitoring

Event Types

Avaya-CM-CDR: Avaya CDR Records

Rules

None

Reports None.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Cisco Call Manager

1. Log in to your AccelOps virtual appliance as root over SSH.
2. Change the directory.
3. Create an FTP account for user ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.
4. The CDR records do not have field definitions, they only have values. Field definitions are needed to properly interpret the values. Make sure that the CDR fields definitions matches the default one supplied by AccelOps in /opt/phoenix/config/AvayaCDRConfig.csv. AccelOps will interpret the CDR record fields according to the field definitions specified in /opt/phoenix/config/AvayaCDRConfig.csv and generate events like the following.

Wed Feb  4 14:37:41 2015 1.2.3.4 AccelOps-FileLog-AvayaCM [Time of day-hours]=”11″ [Time of day-minutes]=”36″ [Duration-hours]=”0″ [Duration-minutes]=”00″ [Duration-tenths of minutes]=”5″ [Condition code]=”9″ [Dialed number]=”5908″ [Calling number]=”2565522011″ [FRL]=”5″ [Incoming circuit ID]=”001″ [Feature flag]=”0″ [Attendant console]=”8″ [Incoming TAC]=”01 1″ [INS]=”0″ [IXC]=”00″ [Packet count]=”12″ [TSC flag]=”1″

Configure Avaya Call Manager to Send CDR Records to AccelOps

1. Log in to Avaya Call Manager.
2. Send CDR records to AccelOps by using this information

Field	Value
Host Name/IP Address	<AccelOps IP address>
User Name	ftpuser
Password	<The password you created for ftpuser>
Protocol	SFTP
Directory Path	/opt/phoenix/cache/avayaCM/<call-manager-ip>

 

 

 

 

 

Cisco Call Manager Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count, Per process: CPU utilization, Memory utilization	Performance Monitoring
SNMP	VoIP phones and registration status	Call Manager metrics: Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count  and SIP Trunks count broken down by Registered/Unregistered/Rejected status (AccelOps Event Type: PH_DEV_MON_CCM_GLOBAL_INFO) SIP Trunk Info: Trunk end point, description, status (AccelOps Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT) SIP Trunk Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK Gateway Status Info: Gateway name, Gateway IP, description, status (AccelOps Event Types: PH_DEV_MON_CCM_GW_STAT) Gateway Status Change, Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW H323 Device Info: H323 Device name, H323 Device IP, description, status (AccelOps Event Types: PH_DEV_MON_CCM_H323_STAT) Gateway Status Change, Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323 Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (AccelOps Event Types: PH_DEV_MON_CCM_VM_STAT) Voice Mail Device Status Change, Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_VM_STAT_CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM Media Device Info: Media Device name, Media Device IP, description, status (AccelOps Event Types: PH_DEV_MON_CCM_MEDIA_STAT) Media Device Status Change, Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_MEDIA_STAT_CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (AccelOps Event Types: PH_DEV_MON_CCM_CTI_STAT) CTI Device Status Change, Addition, Deletion: AccelOps Event Type: PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI	Availability Monitoring
WMI (for Windows based Call Managers)	Application type, service mappings	Process level metrics: Per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec	Performance Monitoring
SFTP		Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration Call Management Records (CMR): Latency, Jitter, Mos Score – current, average, min, max for each call in CDR	Performance and Availability Monitoring
Syslog		Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT)

Event Types

In CMDB > Event Types, search for “cisco_uc” and “cisco_uc_rtmt” in the Display Name column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco call manager” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

WMI (for Call Manager installed under Windows)

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

SFTP

SFTP is used to send Call Description Records (CDRs) to AccelOps.

Configure AccelOps to Receive CDR Records from Cisco Call Manager

1. Log in to your Accelops virtual appliance as root over SSH.
2. Change the directory.

This creates an FTP account  for user ftpuser with the home directory /opt/phoenix/cache/ccm/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.

4. Switch user to admin by issuing “su – admin”
5. Modify phoenix_config.txt entry
6. Restart phParser by issuing “killall -9 phParser”

Configure Cisco Call Manager to Send CDR Records to AccelOps

1. Log in to Cisco Call Manager.
2. Go to Tools > CDR Management Configuration.

The CDR Management Configuration window will open.

3. Click Add New.
4. Enter this information.

Field	Value
Host Name/IP Address	<AccelOps IP address>
User Name	ftpuser
Password	<The password you created for ftpuser>
Protocol	SFTP
Directory Path	/opt/phoenix/cache/ccm/<call-manager-ip>

5. Click Save.

 

 

 

 

 

 

Cisco Contact Center Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change	Performance Monitoring
SSH		Disk I/O monitoring

Event Types

There are no event types defined specifically for this device.

Rules

In Analytics > Rules, search for “cisco contact center” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

Cisco Presence Server Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change	Performance Monitoring
SSH		Disk I/O monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

Cisco Tandeberg Telepresence Video Communication Server (VCS) Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change	Performance Monitoring
SSH		Disk I/O monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

 

 

Cisco Telepresence Multipoint Control Unit (MCU) Configuration

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Tandeberg VCS

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: Uptime, Interface utilization	Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco telepresence” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device. .

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Cisco Telepresence Video Communication Server Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

What is Discovered and Monitored

Protocol	Logs parsed	Used for
Syslog	Call attempts, Call rejects, Media stats, Request, response, Search	Log Analysis

Event Types

In CMDB > Event Types, search for “Cisco-TVCS” in the Description column to see the event types associated with this device.

Rules

There are no predefined reports for this device.

Reports

There are no predefined reports for this device.

 

Cisco Unity Connection Configuration

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Application type	System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization	Performance Monitoring

Event Types

In CMDB > Event Types, search for “cisco unity” in the Description column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco unity” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Remote Desktop Configuration

AccelOps supports these remote desktop applications for discovery and monitoring.

Citrix Receiver (ICA) Configuration

 

Citrix Receiver (ICA) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

WMI

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
WMI		From PH_DEV_MON_APP_ICA_SESS_MET: ICA Latency Last Recorded ICA Latency Session Average ICA Latency Session Deviation ICA Input Session Bandwidth ICA Input Session Line Speed ICA Input Session Compression ICA Input Drive Bandwidth ICA Input Text Echo Bandwidth ICA Input SpeedScreen Data  Bandwidth Input Audio Bandwidth ICA Input VideoFrame Bandwidth ICA Output Session Bandwidth ICA Output Session Line Speed ICA Output Session Compression ICA Output Drive Bandwidth ICA Output Text Echo Bandwidth ICA Output SpeedScreen Data  Bandwidth ICA Output Audio Bandwidth ICA Output VideoFrame Bandwidth

Event Types

In CMDB > Event Types, search for “citrix ICA” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “citrix ICA” in the Name column to see the reports associated with this application or device. Configuration

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
9. Go to Start > Control Panel > Administrative Tools > Component Services.
10. Right-click My Computer, and then Properties.
11. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
13. Click OK.
14. Under Access Permissions, click EditDefault.
15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
16. Click
17. Under Launch and Activation Permissions, click Edit Limits.
18. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
19. Click OK.
20. Under Launch and Activation Permissions, click Edit Defaults.
21. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot

e Enable.

7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
14. In the Start menu, select Run.
15. Run msc.
16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
18. Select Windows Firewall: Allow remote administration exception.
19. Run exe and enter these commands:
20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!