FortiSIEM Discussions
adem_netsys
Contributor

Performance Monitoring Log

Hi,

We want to extract PAM logs to lower EPS values. Can anyone advise us on this issue? The SIEM can create correlations with these logs, but which ones do you not consider important?

sioannou
Contributor

Hi @adem_netsys ,

Very difficult question to answer; it all depends on your objectives and what the PAM platform is trying to protect.

For example an organisation might want to keep all possible logs on a SIEM to verify that there is no data manipulation or for reporting reasons.

A different approach might be to send the logs that deviate from the allowed procedures on the PAM.

It all depends on what you are trying to achieve.  

In general, if it is not strictly necessary, you can exclude performance and general system health logs.

Regards,

S

adem_netsys

Hi @sioannou 

For this, I can extract all logs starting with PH_DEV_MON, right? Maybe these events can be excluded here because of the "No logs from device" rule.

sioannou
Contributor

Hi @adem_netsys , 

Yes, if you do not want to monitor system performance, PH_DEV_MON can be excluded from collection, which will lower your EPS count. Alternatively, you can change the polling interval to make it less aggressive, hence collecting less data.

The link below specifies what counts towards the EPS license. 

https://help.fortinet.com/fsiem/7-2-1/Online-Help/HTML5_Help/Event-categories-handling.htm 

Regards,

S
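Before turning off PH_DEV_MON collection or stretching the polling interval, it helps to measure how much of the EPS budget those events actually consume and what a longer interval buys you. The script below is an added example, not code from either poster or from Fortinet: it classifies a constructed sample of raw event lines by their leading event type, computes the EPS share of the PH_DEV_MON family over the sample window, and models the polled-event rate as devices x monitors / interval so you can pick an interval for a target EPS. The event lines, host names and the PAM-* event types are constructed for illustration; only the PH_DEV_MON prefix is taken from the thread.

```python
"""Estimate the EPS share of FortiSIEM PH_DEV_MON performance-monitoring
events and the effect of a longer polling interval.

Added example, not from the forum thread or from Fortinet. The event lines,
host names and PAM-* event types below are constructed for illustration.
"""
import math
import re
from collections import Counter

# A FortiSIEM raw event starts with the event type in square brackets.
EVENT_TYPE_RE = re.compile(r"^\[([^\]]+)\]")
PERF_PREFIX = "PH_DEV_MON"  # performance-monitoring event family from the thread

# Constructed sample: ten events observed in a 10-second window on a collector.
SAMPLE_WINDOW_SECONDS = 10
SAMPLE_EVENTS = [
    "[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-01,[cpuUtil]=12",
    "[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-01,[memUtil]=41",
    "[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-01,[diskUtil]=63",
    "[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-01,[intfName]=eth0",
    "[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-02,[cpuUtil]=9",
    "[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-02,[memUtil]=38",
    "[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[hostName]=pam-vault-02,[sysUpTime]=86400",
    # Constructed PAM events: the kind the SIEM correlates, so they must stay.
    "[PAM-Session-Start]:[eventSeverity]=PHL_INFO,[user]=jdoe,[targetServer]=db-prod-01,[hostName]=pam-vault-01",
    "[PAM-Checkout-Denied]:[eventSeverity]=PHL_WARNING,[user]=jdoe,[account]=root,[hostName]=pam-vault-01",
    "[PAM-Session-End]:[eventSeverity]=PHL_INFO,[user]=jdoe,[targetServer]=db-prod-01,[hostName]=pam-vault-01",
]


def event_type(line):
    """Return the bracketed event type at the start of a raw event, or None."""
    match = EVENT_TYPE_RE.match(line)
    return match.group(1) if match else None


def is_perf_monitoring(etype):
    """True for the PH_DEV_MON performance-monitoring family."""
    return etype is not None and etype.startswith(PERF_PREFIX)


def eps_breakdown(lines, window_seconds):
    """Split a window of raw events into PH_DEV_MON and everything else,
    returning counts, EPS figures and the per-type counts being excluded."""
    perf_types = Counter()
    perf = other = 0
    for line in lines:
        etype = event_type(line)
        if is_perf_monitoring(etype):
            perf += 1
            perf_types[etype] += 1
        else:
            other += 1
    total = perf + other
    return {
        "perf_events": perf,
        "other_events": other,
        "total_eps": total / window_seconds,
        "perf_eps": perf / window_seconds,
        "remaining_eps": other / window_seconds,
        "perf_share": perf / total if total else 0.0,
        "excluded_types": perf_types,
    }


def polled_eps(devices, monitors_per_device, interval_seconds):
    """Steady-state EPS from polling: one event per monitor per device per interval."""
    return devices * monitors_per_device / interval_seconds


def interval_for_target_eps(devices, monitors_per_device, target_eps):
    """Smallest whole-second polling interval that keeps polled EPS at or below target."""
    return math.ceil(devices * monitors_per_device / target_eps)


if __name__ == "__main__":
    report = eps_breakdown(SAMPLE_EVENTS, SAMPLE_WINDOW_SECONDS)
    print(f"total {report['total_eps']:.2f} EPS, PH_DEV_MON {report['perf_eps']:.2f} EPS "
          f"({report['perf_share']:.0%}), remaining {report['remaining_eps']:.2f} EPS")
    for etype, count in report["excluded_types"].most_common():
        print(f"  would drop {etype}: {count}")
    # Assumed fleet: 20 monitored hosts, 6 performance monitors each.
    for interval in (180, 300, 600):
        print(f"interval {interval}s -> {polled_eps(20, 6, interval):.3f} EPS")
    print(f"interval for 0.5 EPS budget: {interval_for_target_eps(20, 6, 0.5)}s")
```

Run it against an export of your own raw events over a known window to replace the constructed sample; the per-type counter tells you which PH_DEV_MON monitors dominate, which is the input you need to decide between excluding them outright and simply polling them less often, as the reply above suggests.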
