FortiSIEM Discussions
samuelcorreia
New Contributor

No data from Event Types: PH_DEV_MON_PROC_STOP/START

Hi Everyone,

I can't get any data from processes in FortiSIEM.

I have configured SNMP on the hosts, and when I do snmpwalk on the collectors the data is valid and shows whether the process is running or stopped.

But in the SIEM no data is shown.

Am I missing any configuration in the SIEM?

Can you help me in this issue?


Thanks in advance.
5 REPLIES
DanielHanman
Staff

Hi Samuel,

There are a couple of steps:

1) Configure SNMP on the hosts - if you get a response via snmpwalk then you should be good.
2) Configure Credentials and Discovery of the Collectors/Worker/Super
2.1) Go to Admin / Setup / Credentials
2.2) Define a Generic SNMP Credential with the community string
2.3) Associate the Credential to the IP of the Collectors/Worker/Super, and make sure you also specify whether the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collector to associate with the credential only if a Collector is defined.
2.4) Go to Admin / Setup / Discovery
2.5) Create a Discovery for the IPs and again make sure you also specify whether the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collector to associate with the Discovery only if a Collector is defined.
2.6) Do a Discovery!

If you have already done all this, can you provide some screen shots of these settings or what it shows under the Admin / Monitor Performance tab for the devices?

Or maybe you are trying to monitor a specific process?

Hope this helps

Dan
Original Message:
Sent: 03-16-2020 07:20
From: samuel correia
Subject: No data from Event Types: PH_DEV_MON_PROC_STOP/START
samuelcorreia

Hello Dan,

Thank you for your reply.

I have done that with only SNMP discovery.

But it still only shows as follows, with no process status:


I still can't find where to configure the sys monitor.

Do you have a clue?

Thanks in advance.

Sam.
Original Message:
Sent: 03-16-2020 08:01
From: Daniel Hanman
Subject: No data from Event Types: PH_DEV_MON_PROC_STOP/START
DanielHanman

Hi Sam,

You may want to check this out https://help.fortinet.com/fsiem/5-2-8/Online-Help/HTML5_Help/Montioring_Settings.htm?Highlight=criti...

First, you need to enable the feature under Admin / Settings / Important Processes. Note that when you enable this, it disables monitoring that isn't explicitly defined in the CMDB for all processes.

Then go to the CMDB and enable "monitoring" and "critical" on the processes you need.



Creates incidents like this...
Original Message:
Sent: 03-16-2020 16:56
From: samuel correia
Subject: No data from Event Types: PH_DEV_MON_PROC_STOP/START
samuelcorreia

Hello Dan,

Thank you.

I was reading about that, and I was afraid of what it would do if I turned it on.
I will explicitly add all the processes, and check if all is ok.

Thank you very much.

Best regards,
Sam
Original Message:
Sent: 03-16-2020 19:13
From: Daniel Hanman
Subject: No data from Event Types: PH_DEV_MON_PROC_STOP/START
samuelcorreia

Hello again Dan,

I have been monitoring some system services like rsyslog and sshd.

But they are constantly reported with the process down due to the threads they create.

How do you handle this?

Because the incident creation will go nuts.


Thanks in advance,

Best Regards,
Sam
Original Message:
Sent: 03-17-2020 05:54
From: samuel correia
Subject: No data from Event Types: PH_DEV_MON_PROC_STOP/START
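The flapping Sam describes in his last post, where a daemon that spawns threads keeps being reported as down, comes from how the rows of the SNMP process table (HOST-RESOURCES-MIB hrSWRunTable, the same table snmpwalk shows) are judged. The following is an added example, not code from the thread or from Fortinet: a small Python checker that parses constructed snmpwalk output of hrSWRunName and hrSWRunStatus, groups all rows that share a process name, and only emits a STOP or START transition when the aggregated state of a watched name changes between two polls. The PIDs, process names and statuses in the sample walks are constructed; the "any row alive" rule is my assumption for illustration and is not a description of FortiSIEM's own logic; the event names PH_DEV_MON_PROC_STOP/START are reused from the thread title as labels only.

```python
"""Aggregate hrSWRunTable rows per process name before deciding UP/DOWN.

Added illustration, not FortiSIEM code. The snmpwalk output below is
constructed to resemble what these two commands print:
  snmpwalk -v2c -c <community> <host> HOST-RESOURCES-MIB::hrSWRunName
  snmpwalk -v2c -c <community> <host> HOST-RESOURCES-MIB::hrSWRunStatus
PIDs, names and statuses are made up.
"""
import re
from collections import defaultdict

# hrSWRunStatus values from HOST-RESOURCES-MIB (RFC 2790): running(1),
# runnable(2), notRunnable(3) = loaded but waiting for an event, invalid(4).
# Assumption for this example: anything except invalid(4) is a live row.
ALIVE_STATUSES = {1, 2, 3}

NAME_RE = re.compile(r'hrSWRunName\.(\d+) = STRING: "?([^"]*)"?\s*$')
STATUS_RE = re.compile(r"hrSWRunStatus\.(\d+) = INTEGER: \w*\(?(\d+)\)?\s*$")

# Constructed poll 1: rsyslogd and sshd each have two rows (main process
# plus one thread); one row of each is sleeping (notRunnable).
POLL_1 = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "rsyslogd"
HOST-RESOURCES-MIB::hrSWRunName.813 = STRING: "rsyslogd"
HOST-RESOURCES-MIB::hrSWRunName.901 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.2200 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunStatus.1 = INTEGER: runnable(2)
HOST-RESOURCES-MIB::hrSWRunStatus.812 = INTEGER: runnable(2)
HOST-RESOURCES-MIB::hrSWRunStatus.813 = INTEGER: notRunnable(3)
HOST-RESOURCES-MIB::hrSWRunStatus.901 = INTEGER: runnable(2)
HOST-RESOURCES-MIB::hrSWRunStatus.2200 = INTEGER: notRunnable(3)
"""

# Constructed poll 2: every rsyslogd row is sleeping, and sshd has exited.
POLL_2 = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "rsyslogd"
HOST-RESOURCES-MIB::hrSWRunName.813 = STRING: "rsyslogd"
HOST-RESOURCES-MIB::hrSWRunStatus.1 = INTEGER: runnable(2)
HOST-RESOURCES-MIB::hrSWRunStatus.812 = INTEGER: notRunnable(3)
HOST-RESOURCES-MIB::hrSWRunStatus.813 = INTEGER: notRunnable(3)
"""

# Constructed poll 3: sshd is back under a new PID.
POLL_3 = POLL_2 + """\
HOST-RESOURCES-MIB::hrSWRunName.3105 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunStatus.3105 = INTEGER: runnable(2)
"""


def parse_walk(text):
    """Join hrSWRunName and hrSWRunStatus rows on their PID index.

    Returns {name: {pid: status}}; a name row without a matching status
    row is dropped because its state cannot be judged.
    """
    names, statuses = {}, {}
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            names[int(m.group(1))] = m.group(2)
            continue
        m = STATUS_RE.search(line)
        if m:
            statuses[int(m.group(1))] = int(m.group(2))
    table = defaultdict(dict)
    for pid, name in names.items():
        if pid in statuses:
            table[name][pid] = statuses[pid]
    return dict(table)


def naive_is_up(table, name):
    """Per-row view: up only if every row is running/runnable.

    With thread rows in the table this makes a healthy daemon look down.
    """
    rows = table.get(name, {})
    return bool(rows) and all(s in (1, 2) for s in rows.values())


def is_up(table, name):
    """Aggregated view: up if at least one row for the name is alive."""
    return any(s in ALIVE_STATUSES for s in table.get(name, {}).values())


def transitions(prev_table, curr_table, watched):
    """One STOP or START per watched name, only on an aggregated state change."""
    events = []
    for name in watched:
        before, after = is_up(prev_table, name), is_up(curr_table, name)
        if before and not after:
            events.append((name, "PH_DEV_MON_PROC_STOP"))
        elif after and not before:
            events.append((name, "PH_DEV_MON_PROC_START"))
    return events


if __name__ == "__main__":
    watched = ["rsyslogd", "sshd"]
    polls = [parse_walk(p) for p in (POLL_1, POLL_2, POLL_3)]
    for i, table in enumerate(polls, 1):
        for name in watched:
            print(f"poll {i}: {name:9s} naive={naive_is_up(table, name)!s:5s} "
                  f"aggregated={is_up(table, name)}")
    for prev, curr in zip(polls, polls[1:]):
        print(transitions(prev, curr, watched))
```

Run stand-alone, the script shows rsyslogd judged down by the per-row rule in every poll while the aggregated rule keeps it up, and only sshd produces a STOP (poll 1 to 2) followed by a START (poll 2 to 3). The same comparison is what you want to confirm against a real walk before marking a service as critical: if the walk already shows several rows for one name, a per-row judgement will page on every thread that goes to sleep.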