FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 189880

Description

Summary of Topic

This article illustrates how to implement file size monitoring via SNMP on AccelOps (AO).

Solution Steps

On the devices whose file sizes you want to monitor:

Modify /etc/snmp/snmpd.conf on each device that you want to pull this information FROM (this does NOT need to be done on the Super unless you are monitoring a file on the Super):

# FILE directive: the file to monitor (an optional MAXSIZE in kB sets fileErrorFlag when exceeded)
 FILE /opt/phoenix/log/phoenix.log

# Need to ensure there is a view into this MIB/OID (UCD-SNMP-MIB, which contains fileTable)
 view    systemview    included   .1.3.6.1.4.1.2021

# The access line must grant access to the view above; it can be made as restrictive as necessary, but access to the applicable view is required
 access  notConfigGroup ""      any       noauth    exact  systemview none none


On AccelOps: 

You need to follow the steps under the Custom Performance Monitor section of the User's Guide. I have summarized the steps, with screenshots, from my "proof of concept".
 
  • Create a new Event Attribute Definition.
  • Create a new SNMP Performance Object.
  • Create a new "Device to Performance Object" association (Enter Device Type to Performance Object Association).
  • Test the Performance Monitor.
  • Rediscover the devices you want to capture this new information for. Ensure SNMP is one of the monitoring protocols.
  • Run an Analytics Search to verify you are pulling this new Event Type.

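Two checks that go with the snmpd.conf edit and the "Test Performance Monitor" step, as an added example that is not part of the original article and not FortiSIEM/AccelOps code: a parser for `snmpwalk -On` output of the UCD-SNMP fileTable (confirms the agent actually exposes the file, its size in kB and the MAXSIZE flag before the performance monitor is tested), and a check of the snmpd.conf `view` lines that reports when the view exposes more of the UCD-SNMP tree than fileTable (.1.3.6.1.4.1.2021.15) needs. The walk output and config fragment are constructed samples; the MAXSIZE value 20480 is assumed.

```python
import re

FILE_TABLE = ".1.3.6.1.4.1.2021.15"  # UCD-SNMP-MIB::fileTable; rows live under .15.1.<column>.<fileIndex>
COLUMNS = {2: "name", 3: "size_kb", 4: "max_kb", 100: "error_flag", 101: "error_msg"}
WALK_LINE = re.compile(r'^(\.[\d.]+) = (?:STRING|INTEGER):\s*"?(.*?)"?$')

# Constructed sample of `snmpwalk -v2c -c <community> -On <host> .1.3.6.1.4.1.2021.15` for the
# article's FILE /opt/phoenix/log/phoenix.log with an assumed MAXSIZE of 20480 kB that was exceeded.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.15.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.15.1.2.1 = STRING: /opt/phoenix/log/phoenix.log
.1.3.6.1.4.1.2021.15.1.3.1 = INTEGER: 51200
.1.3.6.1.4.1.2021.15.1.4.1 = INTEGER: 20480
.1.3.6.1.4.1.2021.15.1.100.1 = INTEGER: 1
.1.3.6.1.4.1.2021.15.1.101.1 = STRING: /opt/phoenix/log/phoenix.log: size exceeds 20480kb (= 51200kb)
"""

# Constructed snmpd.conf fragment mirroring the article's three directives.
SAMPLE_CONF = """\
FILE /opt/phoenix/log/phoenix.log 20480
view    systemview    included   .1.3.6.1.4.1.2021
access  notConfigGroup ""      any       noauth    exact  systemview none none
"""


def parse_file_table(walk_output):
    """Turn fileTable walk lines into {fileIndex: {name, size_kb, max_kb, error_flag, error_msg}}."""
    rows = {}
    for line in walk_output.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m or not m.group(1).startswith(FILE_TABLE + ".1."):
            continue  # not a fileEntry instance
        col, idx = m.group(1)[len(FILE_TABLE) + 3:].split(".", 1)
        col = int(col)
        if col in COLUMNS:
            value = int(m.group(2)) if col in (3, 4, 100) else m.group(2)
            rows.setdefault(int(idx), {})[COLUMNS[col]] = value
    return rows


def over_threshold(rows):
    """Files the agent flagged (fileErrorFlag == 1): size in kB exceeded the configured MAXSIZE."""
    return [(r["name"], r["size_kb"], r["max_kb"]) for r in rows.values() if r.get("error_flag") == 1]


def view_exposure(snmpd_conf):
    """Return (fileTable reachable via a 'view ... included' line, included subtrees broader than
    fileTable). Including all of .1.3.6.1.4.1.2021 works but exposes the rest of UCD-SNMP-MIB too."""
    included = re.findall(r"^\s*view\s+\S+\s+included\s+(\S+)", snmpd_conf, re.M)
    covered = [o for o in included if o == FILE_TABLE or FILE_TABLE.startswith(o + ".")]
    return bool(covered), [o for o in covered if o != FILE_TABLE]
```

If `view_exposure` reports a broader subtree, narrowing the view to .1.3.6.1.4.1.2021.15 keeps the file monitor working while limiting what the polling community can read.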
Some useful background information

http://www.net-snmp.org/docs/mibs/ucdavis.html
http://support.ipmonitor.com/downloads/ebf2918c82e8414fb6bbbe74473b19ad.aspx
http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbBL

Log File Monitoring

This requires that the agent was built with support for either the ucd-snmp/file or ucd-snmp/logmatch modules respectively (both of which are included as part of the default build configuration).

file FILE [MAXSIZE]

monitors the size of the specified file (in kB). If MAXSIZE is specified, and the size of the file exceeds this threshold, then the corresponding fileErrorFlag instance will be set to 1, and a suitable description message reported via the fileErrorMsg instance.

Note: This situation will not automatically trigger a trap to report the problem - see the DisMan Event MIB section later.

Note: A maximum of 20 files can be monitored.

Note: If no file directives are defined, then walking the fileTable will fail (noSuchObject).

Version Application

All