External Systems Configuration Guide

Cisco Call Manager

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count. Per process: CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: SNMP
  Information discovered: VoIP phones and registration status
  Metrics collected: Call Manager metrics:
    Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count, broken down by Registered/Unregistered/Rejected status (FortiSIEM Event Type: PH_DEV_MON_CCM_GLOBAL_INFO)
    SIP Trunk Info: Trunk end point, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT)
    SIP Trunk Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK
    Gateway Status Info: Gateway name, Gateway IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_GW_STAT)
    Gateway Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW
    H323 Device Info: H323 Device name, H323 Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_H323_STAT)
    H323 Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323
    Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_VM_STAT)
    Voice Mail Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_VM_STAT_CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM
    Media Device Info: Media Device name, Media Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_MEDIA_STAT)
    Media Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_MEDIA_STAT_CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA
    Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_CTI_STAT)
    CTI Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI
  Used for: Availability Monitoring

Protocol: WMI (for Windows based Call Managers)
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics. Per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: SFTP
  Metrics collected:
    Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration
    Call Management Records (CMR): Latency, Jitter, MOS score (current, average, min, max) for each call in the CDR
  Used for: Performance and Availability Monitoring

Protocol: Syslog
  Information discovered: Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT)
Event Types

In ADMIN > Device Support > Event Types, search for "cisco_uc" and "cisco_uc_rtmt" to see the event types associated with this device. 

Rules

In RESOURCES > Rules, search for "cisco call manager" in the main content panel Search... field to see the rules associated with this device. 

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

WMI (for Call Manager installed under Windows)

Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.
    This is the account you must use to set up the Performance Monitor Users group permissions.
  7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Defaults.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.
    For example, YJTEST@accelops.com.
  4. Go to Groups, right-click Administrators, and then click Add to Group.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3.
  7. Click OK to close the Domain Admins Properties dialog.
  8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Select Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these two commands (the first opens TCP port 135 for DCOM, the second allows the WMI callback helper unsecapp.exe):
    netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and then click OK.

SFTP

SFTP is used to send Call Description Records (CDRs) to FortiSIEM.

Configure FortiSIEM to Receive CDR Records from Cisco Call Manager

  1. Log in to your FortiSIEM virtual appliance as root over SSH.
  2. Change the directory:
    cd /opt/phoenix/bin
  3. Run ./phCreateCdrDestDir <call-manager-ip>.
    This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.
  4. Switch to the admin user by issuing "su - admin".
  5. Modify the phoenix_config.txt entry:
    ccm_ftp_directory = /opt/phoenix/cache/ccm
  6. Restart phParser by issuing "killall -9 phParser".

Configure Cisco Call Manager to Send CDR Records to FortiSIEM

  1. Log in to Cisco Call Manager.
  2. Go to Tools > CDR Management Configuration.
    The CDR Management Configuration window will open.
  3. Click Add New.
  4. Enter this information:
    Field                 Value
    Host Name/IP Address  <FortiSIEM IP Address>
    User Name             ftpuser
    Password              <The password you created for ftpuser>
    Protocol              SFTP
    Directory Path        /opt/phoenix/cache/ccm/<call-manager-ip>
  5. Click Save.

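As an added example (not FortiSIEM's own tooling), the POSIX shell script below checks the FortiSIEM side of the CDR setup above once the steps are done: the per-Call-Manager directory under ccm_ftp_directory exists, belongs to the SFTP account and is not writable by other local users, and phoenix_config.txt names that base directory. The expected owner and the path of phoenix_config.txt are passed in as arguments because the page does not give the config file's location; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own tooling: post-setup check of the CDR drop
# directory that ./phCreateCdrDestDir creates for one Call Manager.
# Assumed from the page: layout <ccm_ftp_directory>/<call-manager-ip> and the
# phoenix_config.txt key ccm_ftp_directory. Expected owner and config path are
# arguments so the checks can run outside the appliance. Needs GNU stat.

# Accept only a dotted-quad IPv4 address. The value becomes a path component,
# so "../", host names or anything with slashes is rejected before it is used.
valid_ccm_ip() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The per-Call-Manager directory must exist, belong to the SFTP account and
# not be writable by other local users: CDR files are evidence, and only the
# account Call Manager logs in with should be able to add or change them.
check_cdr_dir() {
    valid_ccm_ip "$2" || { echo "rejected call-manager ip: $2"; return 1; }
    cdr_dir="$1/$2"
    [ -d "$cdr_dir" ] || { echo "missing directory: $cdr_dir"; return 1; }
    [ "$(stat -c %U "$cdr_dir")" = "$3" ] \
        || { echo "wrong owner on $cdr_dir (expected $3)"; return 1; }
    cdr_mode=$(stat -c %a "$cdr_dir")
    case ${cdr_mode#"${cdr_mode%?}"} in    # last octal digit: others' bits
        [2367]) echo "world-writable: $cdr_dir"; return 1 ;;
    esac
    return 0
}

# phParser only looks where phoenix_config.txt tells it to, so the key must
# name the base directory the per-Call-Manager directories live under.
check_config_entry() {
    cfg_value=$(sed -n \
        's/^[[:space:]]*ccm_ftp_directory[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$1" | tail -n 1)
    [ "$cfg_value" = "$2" ] \
        || { echo "ccm_ftp_directory is '$cfg_value', expected '$2'"; return 1; }
}

# check_cdr_setup <ccm_ftp_directory> <call-manager-ip> <owner> <config-file>
check_cdr_setup() {
    check_cdr_dir "$1" "$2" "$3" && check_config_entry "$4" "$1" \
        && echo "ok: CDR destination for $2 is ready"
}

# On the appliance (location of phoenix_config.txt is deployment-specific):
#   sh check_cdr_setup.sh <call-manager-ip> <path-to-phoenix_config.txt>
if [ $# -eq 2 ]; then
    check_cdr_setup /opt/phoenix/cache/ccm "$1" ftpuser "$2"
fi
```

Run it after each new Call Manager definition; a non-zero exit means CDR files will either not arrive or will land somewhere phParser does not read.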
Settings for Access Credentials

See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.
