SIEM


No data from Event Types: PH_DEV_MON_PROC_STOP/START

  • 1.  No data from Event Types: PH_DEV_MON_PROC_STOP/START

    Posted Mar 16, 2020 04:21 AM
    Hi Everyone,

    I can't get any data from processes in FortiSIEM.

    I have configured SNMP on the hosts, and when I do snmpwalk on the collectors the data is valid and shows whether the process is running or stopped.

    But in the SIEM no data is shown.

    Am I missing any configuration in the SIEM?

    Can you help me with this issue?


    Thanks in advance.


  • 2.  RE: No data from Event Types: PH_DEV_MON_PROC_STOP/START

    GROUP ADMIN
    Posted Mar 16, 2020 05:01 AM
    Hi Samuel,

    there are a couple of steps:

    1) Configure SNMP on the hosts - if you get a response via snmpwalk then you should be good.
    2) Configure Credentials and Discovery of the Collectors/Worker/Super
    2.1) Go to Admin / Setup /Credentials
    2.2) Define a Generic SNMP Credential with the community string
    2.3) Associate the Credential to the IP of the Collectors/Worker/Super, make sure you also specify if the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collector to associate with the credential only if a Collector is defined.
    2.4) Go to Admin / Setup / Discovery
    2.5) Create a Discovery for the IPs and again make sure you also specify if the Collector or the Super/Worker is associated with the IP. You will see a drop-down to select the Super or Collector to associate with the Discovery only if a Collector is defined.
    2.6) Do a Discovery!

    If you have already done all this, can you provide some screenshots of these settings or what it shows under the Admin / Monitor Performance tab for the devices?

    Or maybe you are trying to monitor a specific process?

    Hope this helps

    Dan


  • 3.  RE: No data from Event Types: PH_DEV_MON_PROC_STOP/START

    Posted Mar 16, 2020 01:56 PM
    Hello Dan,

    Thank you for your reply.

    I have done that with only SNMP discovery.

    But still it only shows as follows, and no process status:


    I still can't find where to configure the sys monitor.

    Do you have a clue?

    Thanks in advance.

    Sam.


  • 4.  RE: No data from Event Types: PH_DEV_MON_PROC_STOP/START

    GROUP ADMIN
    Posted Mar 16, 2020 04:13 PM
    Hi Sam,

    You may want to check this out https://help.fortinet.com/fsiem/5-2-8/Online-Help/HTML5_Help/Montioring_Settings.htm?Highlight=critical%20process

    First, you need to enable the feature under Admin / Settings / Important Processes. Note that when you enable this, it disables monitoring that isn't explicitly defined in the CMDB for all processes.

    Then go to the CMDB and enable "monitoring" and "critical" on the processes you need.



    Creates incidents like this...



  • 5.  RE: No data from Event Types: PH_DEV_MON_PROC_STOP/START

    Posted Mar 17, 2020 02:55 AM
    Hello Dan,

    Thank you.

    I was reading about that, and I was afraid of what it would do if I turned it on.
    I will explicitly add all the processes, and check if all is ok.

    Thank you very much.

    Best regards,
    Sam


  • 6.  RE: No data from Event Types: PH_DEV_MON_PROC_STOP/START

    Posted Mar 18, 2020 10:55 AM
    Hello again Dan,

    I have been monitoring some system services like rsyslog and sshd.

    But they are constantly showing the process as down due to the threads they create.

    How do you handle this?

    Because the incident creation will go nuts..


    Thanks in advance,

    Best Regards,
    Sam
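
The two checks discussed in this thread, the snmpwalk verification from the first post and the flapping seen in post 6, can be reproduced outside FortiSIEM with a small parser over the HOST-RESOURCES-MIB hrSWRunTable. The script below is an added example, not code from Fortinet or from anyone in the thread. It assumes net-snmp style `snmpwalk -On` output (numeric OIDs); the two walks embedded in it are constructed, and the OIDs for hrSWRunName and hrSWRunStatus are the real RFC 2790 columns. It shows why a PID-level view of a service like sshd, which forks a child per connection, reports a "stopped process" every time a child exits, while a by-name check that only requires at least one live instance of the name stays stable:

```python
from collections import defaultdict

# HOST-RESOURCES-MIB (RFC 2790) hrSWRunTable columns, numeric form.
HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"     # hrSWRunName
HR_SW_RUN_STATUS = "1.3.6.1.2.1.25.4.2.1.7"   # hrSWRunStatus
STATUS_TEXT = {1: "running", 2: "runnable", 3: "notRunnable", 4: "invalid"}
ALIVE = {"running", "runnable"}

# Constructed sample in the shape of
#   snmpwalk -v2c -c <community> -On <host> 1.3.6.1.2.1.25.4.2.1
# PID 901 is the sshd listener, PID 4412 a short-lived per-connection child.
WALK_T0 = """\
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.812 = STRING: "rsyslogd"
.1.3.6.1.2.1.25.4.2.1.2.901 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.4412 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.4420 = STRING: "crond"
.1.3.6.1.2.1.25.4.2.1.7.1 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.812 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.901 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.4412 = INTEGER: 1
.1.3.6.1.2.1.25.4.2.1.7.4420 = INTEGER: 2
"""

# Constructed walk of the same host one poll later: the sshd child has exited,
# the listener is still there, nothing is actually down.
WALK_T1 = """\
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.812 = STRING: "rsyslogd"
.1.3.6.1.2.1.25.4.2.1.2.901 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.4420 = STRING: "crond"
.1.3.6.1.2.1.25.4.2.1.7.1 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.812 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.901 = INTEGER: 2
.1.3.6.1.2.1.25.4.2.1.7.4420 = INTEGER: 2
"""


def parse_walk(text):
    """Parse numeric-OID snmpwalk lines into {pid: name} and {pid: status_code}."""
    names, statuses = {}, {}
    for line in text.splitlines():
        if " = " not in line:
            continue  # blank line or a trailer such as 'No more variables...'
        oid, value = line.split(" = ", 1)
        # The last OID component of an hrSWRunTable row is the PID (hrSWRunIndex).
        column, _, pid = oid.lstrip(".").rpartition(".")
        _, _, payload = value.partition(": ")
        if column == HR_SW_RUN_NAME:
            names[int(pid)] = payload.strip().strip('"')
        elif column == HR_SW_RUN_STATUS:
            statuses[int(pid)] = int(payload)
    return names, statuses


def instances_by_name(text):
    """Group PIDs by process name: {name: {pid: status_text}}."""
    names, statuses = parse_walk(text)
    grouped = defaultdict(dict)
    for pid, name in names.items():
        grouped[name][pid] = STATUS_TEXT.get(statuses.get(pid, 4), "unknown")
    return dict(grouped)


def check_by_name(text, required):
    """'up' if at least one instance of the name is running/runnable, else 'down'."""
    inst = instances_by_name(text)
    return {
        name: "up" if any(st in ALIVE for st in inst.get(name, {}).values()) else "down"
        for name in required
    }


def vanished_pids(before, after):
    """PID-level view: rows present in the first walk but gone in the second.

    This is the view that fires a 'process stopped' event for every sshd child
    that closes its connection, even though the service itself never went away.
    """
    names_before, _ = parse_walk(before)
    names_after, _ = parse_walk(after)
    return {pid: name for pid, name in names_before.items() if pid not in names_after}


if __name__ == "__main__":
    print(check_by_name(WALK_T0, ["sshd", "rsyslogd", "nginx"]))
    print("PIDs gone between polls:", vanished_pids(WALK_T0, WALK_T1))
    print(check_by_name(WALK_T1, ["sshd"]))
```

Run against a real walk by piping `snmpwalk -On` output into `parse_walk`; the by-name result is what a "critical process" rule should key on, and the PID-level diff is the noise source to expect for forking daemons.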