Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

MySQL Server

What is Discovered and Monitored

Protocol Information discovered Metrics collected

Used for

SNMP Application type Process level CPU and memory utilization Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring
JDBC

Generic database information: Version, Character Setting

JDBC

Database performance metrics:  User COnnections, Table Updates, table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query cache Hits, Queries registered in cache, Database Questions, Users, Live Threads  

Table space performance metrics: Table space name, table space type, Character set and Collation, table space  usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time

Performance Monitoring
JDBC None Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "mysql" in the Device Type and Description columns to see the event types associated with this device. 

Rules

In RESOURCE > Rules, search for "mysql" in the Name column to see the rules associated with this application or device. 

Reports

In RESOURCE > Reports , search for ""mysql" in the Name  and Description columns to see the reports associated with this application or device. 

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. 

JDBC for Database Auditing - MySQL Server

You must configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation explains more about how to set the destination tables for log outputs. 

  1. Start MySQL server with TABLE output enabled.
    bin/mysqld_safe --user=mysql --log-output=TABLE &
  2. Login to mysql, run the following SQL commands to enable general.log in MyISAM.
    SET @old_log_state = @@global.general_log;
    SET GLOBAL general_log = 'OFF';
    ALTER TABLE mysql.general_log ENGINE = MyISAM;
    SET GLOBAL general_log = @old_log_state;
    SET GLOBAL general_log = 'ON';

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>

Settings for MySQL Server JBDC Access Credentials for Performance Monitoring

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for performance monitoring:

Setting Value
Name MySQL-Performance-Monitoring
Device Type Oracle MySQL
Access Protocol JBDC
Used For Performance Monitoring
Pull Interval (minutes) 5
Port 3306
User Name The administrative user for the database server
Password The password associated with the administrative user

Settings for MySQL Server JBDC Access Credentials for Database Auditing

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for database auditing:

Setting Value
Name MySQL-Audit
Device Type Oracle MySQL
Access Protocol JBDC
Used For Audit
Pull Interval (minutes) 5
Port 1433
Database Name <database name> (mysql)
Audit Table general_log
User Name The administrative user for the database server
Password The password associated with the administrative user

Settings for MySQL Server JBDC Access Credentials for Synthetic Transaction Monitoring, Snort Audit, McAfee VulnMgr

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr:

Setting Value
Name <name>
Device Type Oracle MySQL
Access Protocol JBDC
Used For Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr
Pull Interval (minutes) 5
Port 1433
Database Name <database name>
User Name The administrative user for the database server
Password The password associated with the administrative user

Sample events

System Level Performance Metrics
<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO,
[hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database
Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0,
[dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0,
[dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1
Table Space Performance Metrics
<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server, 
[instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, 
[dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024, 
[tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46, [tableCollation]=utf8_general_ci
System Level Performance Metrics
<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO,
[hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database
Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0,
[dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0,
[dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1
Logon/Logoff Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on

<134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]=

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
 [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, 
[msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)
Database CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=create database sliutest

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=drop database sliutest
Table CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(     tutorial_id INT NOT NULL AUTO_INCREMENT, 
tutorial_title VARCHAR(100) NOT NULL,     tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,     PRIMARY KEY ( tutorial_id )    )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2NOT NULL,     
tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,     PRIMARY KEY ( tutorial_id )    

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl       (tutorial_title, tutorial_author, submission_date)  
    VALUES      ("Learn Java", "John Smith", NOW())

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable

MySQL Server

What is Discovered and Monitored

Protocol Information discovered Metrics collected

Used for

SNMP Application type Process level CPU and memory utilization Performance Monitoring
WMI Application type, service mappings Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring
JDBC

Generic database information: Version, Character Setting

JDBC

Database performance metrics:  User COnnections, Table Updates, table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query cache Hits, Queries registered in cache, Database Questions, Users, Live Threads  

Table space performance metrics: Table space name, table space type, Character set and Collation, table space  usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time

Performance Monitoring
JDBC None Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "mysql" in the Device Type and Description columns to see the event types associated with this device. 

Rules

In RESOURCE > Rules, search for "mysql" in the Name column to see the rules associated with this application or device. 

Reports

In RESOURCE > Reports , search for ""mysql" in the Name  and Description columns to see the reports associated with this application or device. 

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. 

JDBC for Database Auditing - MySQL Server

You must configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation explains more about how to set the destination tables for log outputs. 

  1. Start MySQL server with TABLE output enabled.
    bin/mysqld_safe --user=mysql --log-output=TABLE &
  2. Login to mysql, run the following SQL commands to enable general.log in MyISAM.
    SET @old_log_state = @@global.general_log;
    SET GLOBAL general_log = 'OFF';
    ALTER TABLE mysql.general_log ENGINE = MyISAM;
    SET GLOBAL general_log = @old_log_state;
    SET GLOBAL general_log = 'ON';

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>

Settings for MySQL Server JBDC Access Credentials for Performance Monitoring

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for performance monitoring:

Setting Value
Name MySQL-Performance-Monitoring
Device Type Oracle MySQL
Access Protocol JBDC
Used For Performance Monitoring
Pull Interval (minutes) 5
Port 3306
User Name The administrative user for the database server
Password The password associated with the administrative user

Settings for MySQL Server JBDC Access Credentials for Database Auditing

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for database auditing:

Setting Value
Name MySQL-Audit
Device Type Oracle MySQL
Access Protocol JBDC
Used For Audit
Pull Interval (minutes) 5
Port 1433
Database Name <database name> (mysql)
Audit Table general_log
User Name The administrative user for the database server
Password The password associated with the administrative user

Settings for MySQL Server JBDC Access Credentials for Synthetic Transaction Monitoring, Snort Audit, McAfee VulnMgr

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr:

Setting Value
Name <name>
Device Type Oracle MySQL
Access Protocol JBDC
Used For Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr
Pull Interval (minutes) 5
Port 1433
Database Name <database name>
User Name The administrative user for the database server
Password The password associated with the administrative user

Sample events

System Level Performance Metrics
<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO,
[hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database
Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0,
[dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0,
[dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1
Table Space Performance Metrics
<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server, 
[instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, 
[dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024, 
[tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46, [tableCollation]=utf8_general_ci
System Level Performance Metrics
<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO,
[hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database
Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0,
[dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0,
[dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1
Logon/Logoff Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on

<134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]=

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
 [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, 
[msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)
Database CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=create database sliutest

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=drop database sliutest
Table CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(     tutorial_id INT NOT NULL AUTO_INCREMENT, 
tutorial_title VARCHAR(100) NOT NULL,     tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,     PRIMARY KEY ( tutorial_id )    )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2NOT NULL,     
tutorial_author VARCHAR(40) NOT NULL,     submission_date DATE,     PRIMARY KEY ( tutorial_id )    

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl       (tutorial_title, tutorial_author, submission_date)  
    VALUES      ("Learn Java", "John Smith", NOW())

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, 
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable