Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

samuelcorreia
New Contributor

Created on ‎03-16-2020 04:21 AM

No data from Event Types: PH_DEV_MON_PROC_STOP/START

Hi Everyone,

I can't get any data from processes in FortiSIEM.

I have configured snmp in the hosts, and when i do snmpwalk on the collectors the data is valid and shows if  that the process is running or is stopped.

But in the SIEM no data is shown.

Am i missing any configuration in the SIEM?

Can you help me in this issue?


Thanks in advance.
Labels:
509
0 Kudos
1 Solution
FSM_FTNT
Staff
Staff
In response to samuelcorreia

Created on ‎03-16-2020 04:13 PM

Hi Sam,

You may want to check this out https://help.fortinet.com/fsiem/5-2-8/Online-Help/HTML5_Help/Montioring_Settings.htm?Highlight=criti...

First, you need to enable the feature under Admin / Settings / Important Processes. Note that when you enable this, it disables monitoring that isn't explicitly defined in the CMDB for all processes.

Then go to the CMDB and enable "monitoring" and "critical" on the processes you need. 

UploadedImages_cf7RQe5LQoeaipWLGNfn_temp.png

Creates incidents like this...
UploadedImages_4kAJYl2AQamn8YXvpEmy_temp.png

View solution in original post

481
0 Kudos
5 REPLIES 5
FSM_FTNT
Staff
Staff

Created on ‎03-16-2020 05:01 AM

Hi Samuel,

there are a couple of steps:

1) Configure SNMP on the hosts - if you get a response via snmpwalk then you should be good.
2) Configure Credentials and Discovery of the Collectors/Worker/Super
2.1) Go to Admin / Setup /Credentials
2.2) Define a Generic SNMP Credential with the community string 
2.3) Associate the Credential to the IP of the Collectors/Worker/Super, make sure you also specify if the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collect to associate with the credential only if a Collector is defined.
2.4) Go to Admin / Setup / Discovery
2.5) Create a Discovery for the IP's and again make sure you also specify if the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collect to associate with the Discovery only if a Collector is defined.
2.6) Do a Discovery!

If you have already done all this, can you provide some screen shots of these settings or what it shows under the Admin / Monitor Performance tab for the devices?

Or maybe you are trying to monitor a specific process?

Hope this helps

Dan
481
0 Kudos
samuelcorreia
New Contributor
In response to FSM_FTNT

Created on ‎03-16-2020 01:56 PM

Hello Dan,

Thank you for your reply.

I have done that with only snmp discovery.

But still it only show as follows, and no process status:

UploadedImages_xYskUraGQYyUy9MFXiZ1_temp-T.jpg

I still cant find where to configure the sys monitor.

Do you have a clue?

Thanks in advance.

Sam.
481
0 Kudos
FSM_FTNT
Staff
Staff
In response to samuelcorreia

Created on ‎03-16-2020 04:13 PM

Hi Sam,

You may want to check this out https://help.fortinet.com/fsiem/5-2-8/Online-Help/HTML5_Help/Montioring_Settings.htm?Highlight=criti...

First, you need to enable the feature under Admin / Settings / Important Processes. Note that when you enable this, it disables monitoring that isn't explicitly defined in the CMDB for all processes.

Then go to the CMDB and enable "monitoring" and "critical" on the processes you need. 

UploadedImages_cf7RQe5LQoeaipWLGNfn_temp.png

Creates incidents like this...
UploadedImages_4kAJYl2AQamn8YXvpEmy_temp.png
482
0 Kudos
samuelcorreia
New Contributor
In response to FSM_FTNT

Created on ‎03-17-2020 02:55 AM

Hello Dan,

Thank you.

I was reading about that, and i was afraid of what it would do if i turned it on.
I will explicitly add all the processes, and check if all is ok.

Thank you very much.

Best regards,
Sam
481
0 Kudos
samuelcorreia
New Contributor
In response to samuelcorreia

Created on ‎03-18-2020 10:55 AM

Hello again Dan,

I have been monitoring some system services like rsyslog and sshd.

But the are constantly with the process down due to the threads they create.

How do you handle this?

Because the incident creation will go nuts..


Tanks in advance,

Best Regards,
Sam
481
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.