External Systems Configuration Guide

How CPU and Memory Utilization is Collected for Cisco IOS

FortiSIEM follows the process recommended by Cisco for collecting information about CPU utilization.

Monitoring CPU

The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue is that there are multiple CPUs, so which ones should be used? A sample SNMP walk for this OID looks like this:

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4

Note that there are 4 CPUs, indexed 1-4. We must identify the control plane CPU and the data plane CPU.

The cpu Id -> entity Id mapping comes from the following SNMP walk:

SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001

This provides the following cpu Id -> entity Id mapping

1 -> 3014
2 -> 3001
3 -> 1001
4 -> 7001

The following SNMP walk provides the names for each entity Id

SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"

Combining all this information, we finally obtain the CPU information for each object

Chassis 1 CPU of Routing Processor 5 -> 46%
Chassis 1 CPU of Switching Processor 5 -> 22%
Chassis 1 CPU of Module 2 -> 5%
Chassis 2 CPU of Module 2 -> 4%

FortiSIEM reports utilization per CPU:

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Routing Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=46.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Switching Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=22.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=5.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 2 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=4.000000,[pollIntv]=176,[phLogDetail]=

To get the overall system CPU utilization, we average over the “Switching and Routing CPUs”, so CPU Util = (46+22)/2 = 34%

[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9611,[cpuName]=RoutingCpu,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=34.0000,[pollIntv]=176,[phLogDetail]=

Monitoring Memory using PROCESS-MIB

The relevant OIDs are:
Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.5
Free memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6

Memory Util = (Used memory) / (Used memory + Free memory)

SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992  <-  Processor Memory Used
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440  <-  IO Memory Used
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976  <-  Processor Memory Free
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944  <-  IO Memory Free


Therefore

Used Memory = 98,076,432
Total Memory = 102,324,352
Memory Util = 96%
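
The CPU join and the memory calculation above, worked end to end as an added example (not FortiSIEM's own code): it parses the snmpwalk lines shown on this page, joins CPU index to entity name, averages the Routing and Switching Processor CPUs, and sums the memory pools. The function names are assumptions, and the used (.5) and free (.6) columns follow the annotations on the memory walk.

```python
import re
# Constructed input: the snmpwalk lines shown on this page (annotations removed).
WALK = """
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001
SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944
"""
ROW = re.compile(r'^SNMPv2-SMI::(\S+?)\.(\d+) = \w+: "?([^"]*)"?$')
CPU, ENT = "enterprises.9.9.109.1.1.1.1.8", "enterprises.9.9.109.1.1.1.1.2"
NAME = "mib-2.47.1.1.1.1.7"  # entity id -> entity name
USED, FREE = "enterprises.9.9.48.1.1.1.5", "enterprises.9.9.48.1.1.1.6"

def parse_walk(text):
    """Group rows by column OID: {column: {row index: value string}}."""
    tables = {}
    for m in filter(None, map(ROW.match, map(str.strip, text.splitlines()))):
        tables.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    return tables

def per_cpu_util(t):
    """Join CPU index -> entity id -> entity name; unnamed entities keep their id."""
    return {t[NAME].get(int(t[ENT][i]), f"entity {t[ENT][i]}"): float(u)
            for i, u in t[CPU].items()}

def system_cpu_util(per_cpu):
    """Average the Routing and Switching Processor CPUs only; None if there are none."""
    picked = [u for n, u in per_cpu.items() if re.search(r"(Routing|Switching) Processor", n)]
    return sum(picked) / len(picked) if picked else None

def memory_util(t):
    """Sum every pool (Processor + IO); return (used, total, percent used)."""
    used, free = (sum(map(int, t[k].values())) for k in (USED, FREE))
    return used, used + free, 100.0 * used / (used + free)

T = parse_walk(WALK)
print(per_cpu_util(T), system_cpu_util(per_cpu_util(T)), memory_util(T))
```

Line cards (the "Module" CPUs) are excluded from the system average by name, so a device whose entity names use different wording needs its own match pattern.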
