External Systems Configuration Guide

Linux Server

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, generic hardware (CPU, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information discovered: OS type, Hardware (CPU details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Protocol: Syslog (via FortiSIEM LinuxFileMon agent)
  Metrics collected: File or directory change: User, Type of change, directory or file name
  Used for: Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "linux" in the Description column to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "linux" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "linux" in the Name column to see the reports associated with this device.

Configuration

SNMP v1 and v2c
  1. Make sure that snmp libraries are installed. FortiSIEM has been tested to work with net-snmp libraries.
  2. Log in to your server with administrative access.
  3. Make these modifications to the /etc/snmp/snmpd.conf file:
    1. Define the community string for FortiSIEM usage and permit snmp access from FortiSIEM IP.
    2. Allow FortiSIEM read-only access to the mib-2 tree.
    3. Allow Accelops read-only access to the enterprise MIB: UCD-SNMP-MIB.
    4. Open up the entire tree for read-only view.
  4. Reduce the logging level to avoid per-connection logging, which may cause resource issues:
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu)
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
    3. Change the range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
  5. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
  6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
  7. Make sure that snmpd is running.
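The /etc/snmp/snmpd.conf lines that step 3 describes, as an added example that is not part of this guide: the community string, the security/group/view names (fsSec, fsRO, fsView) and the FortiSIEM address 192.0.2.10 are placeholders to replace with your own values.

```conf
# Step 3.1: map the community string to a security name and accept it only from
# the FortiSIEM collector/supervisor address (placeholder 192.0.2.10)
com2sec fsSec      192.0.2.10/32   <your-community-string>
group   fsRO       v1              fsSec
group   fsRO       v2c             fsSec

# Step 3.2: expose the mib-2 tree
view    fsView     included        .1.3.6.1.2.1
# Step 3.3: expose the UCD-SNMP-MIB enterprise tree (enterprises.ucdavis)
view    fsView     included        .1.3.6.1.4.1.2021
# Step 3.4 (alternative to the two view lines above): open the entire tree
# view  fsView     included        .1

# Grant the group read access to the view only: no write view, no notify view
access  fsRO       ""  any  noauth  exact  fsView  none  none
```

Limiting the com2sec source to the FortiSIEM address and granting only a read view means a community string that leaks elsewhere cannot be used from other hosts or for SNMP SET operations. Verify from the FortiSIEM side with snmpwalk -v 2c -c <your-community-string> <server IP> .1.3.6.1.2.1.1 before running discovery.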
SNMP v3
Configuring rwcommunity/rocommunity or com2sec
  1. Log in to your Linux server.
  2. Stop SNMP.
    service snmpd stop
  3. Use vi to edit the /etc/snmp/snmpd.conf file.
    Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so the SNMP daemon has correct credentials.
    vi /etc/snmp/snmpd.conf
  4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <> tags: rouser <snmpv3user>.
  5. Save the file.
  6. Use vi to edit the /var/lib/snmp/snmpd.conf file.
    Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly.
    vi /var/lib/snmp/snmpd.conf
  7. At the end of the file, add this line, entering the username you entered in step 4, and then passwords for that user for MD5 and DES.
    If you want to use SHA or AES, then add those credentials as well.
    createUser <snmpv3user>        MD5 <snmpv3md5password> DES <snmpv3despassword>
  8. Save the file.
  9. Reduce the logging level to avoid per-connection logging, which may cause resource issues:
    1. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu)
    2. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
    3. Change the range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
  10. Restart SNMP.
    service snmpd start
    chkconfig snmpd on
  11. View the contents of the /var/lib/snmp/snmpd.conf file.

    If this works, snmpd restarts without errors and the createUser line you added to /var/lib/snmp/snmpd.conf will have been removed:

    cat /var/lib/snmp/snmpd.conf
  12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword>
    You will see your snmpwalk if this works. If there are any errors, see net-snmp for further instructions.
Configuring net-snmp-devel

If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3.

  1. Stop SNMP.
    service snmpd stop
  2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>.
  3. Restart SNMP.
    service snmpd start
  4. Test by following step 12 from above.
SSH
  1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
  2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log in to the server.
Syslog Logging

Syslog forwarding can be configured on Linux servers to send the logs to FortiSIEM. There are different options regarding syslog configuration, including Syslog over TLS.

Two syslog daemons are commonly used, syslog-ng and rsyslog; basic forwarding configuration for each is shown below.

Basic Syslog-ng Configuration

Follow these steps to enable basic Syslog-ng:

  1. Add the following line to your Syslog-ng configuration:

    # s_src is a placeholder: use the name of the source already defined in your syslog-ng.conf
    destination d_fortisiem { udp("<Collector IP>" port(514)); };
    log { source(s_src); destination(d_fortisiem); };

  2. Restart the syslog-ng service or reload the configuration.
Basic rsyslog Configuration

Follow these steps to enable rsyslog:

  1. Add the following lines to your rsyslog configuration:

    # Send logs to the FortiSIEM Collector (a single @ means UDP; use @@ for TCP)
    *.* @<Collector IP>:514

  2. Restart the rsyslog service or reload the configuration.
Basic Linux File Monitoring over Syslog

FortiSIEM has licensed Linux agents that provide additional capabilities, such as custom log forwarding and central management. See the "Linux Agent Installation Guide" for details on this agent.

FortiSIEM uses the LinuxFileMon monitoring agent to detect user activity and create syslogs. When a change as defined in the configuration file is detected, the agent gets the user information from the Audit module and sends a syslog to FortiSIEM. You must install the agent on your Linux server to send syslogs to FortiSIEM.

  1. Log in to your server as root.
  2. Install the audit service.
    This is needed for obtaining user information. For more information about Linux audit files, see this blog post.
    yum install audit
  3. Start the audit service.
    service auditd start
    chkconfig auditd on
  4. Copy the LinuxFileMon executable from the FortiSIEM /opt/phoenix/bin directory to any location on the server.
    This is the agent that monitors the file changes.
  5. Edit the LinuxFileMon configuration file linuxFileMon.conf as shown here.
    The file should be in the same directory as the executable.
    # destIP is the IP address of FortiSIEM and must be the first line
    [destIP]=127.0.0.1
    # directories or files to monitor - path must be absolute
    # Monitored Actions are All, Open, Close, Create, Modify, Delete, Attrib
    # Each monitored object must be on its own [object] line
    [object]=/tmp/test2/,Open,Delete,Close
    [object]=/tmp/test/,All
    [object]=/home/bin/LinuxFileMon/test,All
  6. Start the LinuxFileMon agent.

Sample Parsed Linux Syslog Message

Mon Oct 18 16:26:25 2010 PowerEdgeSC440A: [LINUX_FILE_CHANGE|LINUX_FILE_CHANGE]: [objectType]=Dir,[objectName]=/home/phoenix_dev/projects/phoenix/src/cpp/extAgents/linuxFileMon/,[objectAction]=ACCESS,[targetObjType]=File,[targetObjName]="test",[user]=admin
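A parser for the LinuxFileMon message format shown above, as an added example that is not part of this guide or of FortiSIEM's own parser: it splits the header (timestamp, host, event type) from the [key]=value attributes and then applies a simple allow-list check, flagging events where a user outside an expected set touched a watched path. The sample line is constructed from the format above; the watched prefixes and user sets are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format shown above (host name and paths are placeholders)
SAMPLE = (
    "Mon Oct 18 16:26:25 2010 PowerEdgeSC440A: [LINUX_FILE_CHANGE|LINUX_FILE_CHANGE]: "
    "[objectType]=Dir,[objectName]=/home/phoenix_dev/projects/phoenix/src/cpp/extAgents/linuxFileMon/,"
    '[objectAction]=ACCESS,[targetObjType]=File,[targetObjName]="test",[user]=admin'
)

# Header: <ctime-style timestamp> <host>: [<eventType>|<eventType>]: <attributes>
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+): \[(?P<event>[^\]|]+)\|[^\]]*\]: (?P<body>.*)$"
)
# Attributes: comma-separated [key]=value pairs; a value may be double-quoted
PAIR_RE = re.compile(r'\[(?P<key>\w+)\]=(?P<val>"[^"]*"|[^,]*)')


def parse_linux_filemon(line):
    """Parse one LinuxFileMon syslog line into a dict; raise ValueError otherwise."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a LinuxFileMon message: %r" % line)
    event = {
        "timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "host": m.group("host"),
        "event_type": m.group("event"),
    }
    for key, val in PAIR_RE.findall(m.group("body")):
        event[key] = val.strip('"')  # drop the quotes around quoted values
    return event


def is_unexpected_actor(event, watched_prefixes, allowed_users):
    """True if a user outside allowed_users touched a path under a watched prefix.

    The full path is the monitored directory (objectName) plus the entry
    inside it (targetObjName), as in the sample message.
    """
    path = event.get("objectName", "") + event.get("targetObjName", "")
    under_watch = any(path.startswith(p) for p in watched_prefixes)
    return under_watch and event.get("user") not in allowed_users


if __name__ == "__main__":
    ev = parse_linux_filemon(SAMPLE)
    print(ev["host"], ev["user"], ev["objectAction"], ev["objectName"] + ev["targetObjName"])
    # Assumed policy: only root is expected under /home/phoenix_dev/
    print("flag:", is_unexpected_actor(ev, ["/home/phoenix_dev/"], {"root"}))
```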

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>
SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting            Value
Name               ssh-generic
Device Type        Generic
Access Protocol    SSH
Port               22
User Name          A user who has access credentials for your device over SSH
Password           The password for the user
