Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

AWS EC2 CloudWatch API

AWS EC2 CloudWatch API

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 6.3.1

Vendor Version Tested: Not Provided

Vendor: Amazon

Product Information: https://aws.amazon.com/cloudwatch/

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
CloudWatch API
  • Machine name
  • Internal Access IP
  • Instance ID
  • Image ID
  • Availability Zone
  • Instance Type
  • Volume ID
  • Status
  • Attach Time
  • Event Logs
  • CPU Utilization
  • Received Bits/sec
  • Sent Bits/sec
  • Disk reads (Instance Store)
  • Disk writes (Instance Store)
  • Disk reads/sec (Instance Store)
  • Disk writes/sec (Instance Store)
  • Packet loss
  • Read Bytes (EBS)
  • Write Bytes (EBS)
  • Read Ops (EBS)
  • Write Ops (EBS)
  • Disk Queue (EBS)
  • AWS or Custom event logs stored in AWS CloudWatch

Performance Monitoring

CloudWatch Events Monitoring

Event Types

  • PH_DEV_MON_EBS_METRIC captures EBS metrics

In ADMIN > Device Support > Event Types, search for "AWS-CloudTrail" to see the event types associated with this device. CloudWatch allows for different AWS event sources and custom event sources to store events in AWS CloudTrail.

To search for these event types, from ANALYTICS, click in the Edit Filters and Time Range... field, and take the following steps:

  1. In Filter, select the Event Attribute radio button.

  2. In the Attribute field, enter "Event Type".

  3. In the Operator field, select "CONTAIN".

  4. In the Value field, enter "AWS_VPC_FLOW".

  5. Under Row, click + to add another row.

  6. In the new row, in the Attribute field, enter "Raw Event Log".

  7. In the new row, in the Operator field, select "CONTAIN".

  8. In the new row, in the Value field, enter "AWS_CLOUDWATCH_EVENT_DATA".

  9. Configure your Time Range and click Apply & Run.

Configuration

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic "Discovering Amazon Web Services (AWS) Infrastructure".

VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows.

The purpose of this discovery is to poll a list of EC2 instances in a given region so FortiSIEM knows that they are part of your AWS infrastructure. No logs are collected, but a CMDB entry for each EC2 instance is categorized under the “AWS” group in CMDB. This is important for certain reports that only look at AWS resources. It is still required to configure individual VMs with appropriate logging configurations, such as installable Agents (Linux, Windows) or Agentless (Syslog or WMI). Follow the instructions for the type of guest VM in this guide.

If you only want CloudWatch integration, you can create your AWS user and configure that user's policy by taking these steps.
Note: For the latest AWS documentation, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users and then choose Add user.

  3. Type the user name for the new user. This is the sign-in name for AWS.

  4. Select Programmatic access for the type of access this user will have.

  5. Choose Next: Permissions.

  6. Select Attach existing policies directly.

  7. Select the policy CloudwatchReadOnlyAccess.

  8. Choose Next: Tags.

  9. Choose Next: Review.

  10. Choose Create user.

  11. Choose Show and record the Access key ID.

    Note: To save the access keys, choose Download .csv and then save the file to a safe location.

    This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.

  12. Choose Show and record the secret key.

    Note: To save the access keys, choose Download .csv and then save the file to a safe location.

    This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.

  13. Click Close.

Settings for Access Credentials

FortiSIEM Configuration Setup

Complete these steps in the FortiSIEM UI:

  1. Navigate to ADMIN > Setup and click the Credentials tab.

  2. In Step 1: Enter Credentials:

    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.

    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting Value
      Name ec2
      Device Type Amazon AWS CloudWatch
      Access Protocol AWS CloudWatch
      Region The region in which your AWS instance is located
      AWS Account The name of your AWS account.
      Log Group Name Name of the log group.
      Log Stream Name Name of the log stream.
      Password Config See Password Configuration.
      Access Key ID The access key for your EC2 instance
      Secret Key The secret key for your EC2 instance
  3. In Step 2: Enter IP Range to Credential Associations, click New.

    1. Select the ec2 credential you created earlier from the Credentials drop-down list. It should autofill IP/Host Name as destination "amazon.com".

    2. Click Save.

  4. Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start pulling.

Sample Events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=
[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,
[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=

AWS EC2 CloudWatch API

AWS EC2 CloudWatch API

Support Added: FortiSIEM 4.7.2

Last Modification: FortiSIEM 6.3.1

Vendor Version Tested: Not Provided

Vendor: Amazon

Product Information: https://aws.amazon.com/cloudwatch/

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
CloudWatch API
  • Machine name
  • Internal Access IP
  • Instance ID
  • Image ID
  • Availability Zone
  • Instance Type
  • Volume ID
  • Status
  • Attach Time
  • Event Logs
  • CPU Utilization
  • Received Bits/sec
  • Sent Bits/sec
  • Disk reads (Instance Store)
  • Disk writes (Instance Store)
  • Disk reads/sec (Instance Store)
  • Disk writes/sec (Instance Store)
  • Packet loss
  • Read Bytes (EBS)
  • Write Bytes (EBS)
  • Read Ops (EBS)
  • Write Ops (EBS)
  • Disk Queue (EBS)
  • AWS or Custom event logs stored in AWS CloudWatch

Performance Monitoring

CloudWatch Events Monitoring

Event Types

  • PH_DEV_MON_EBS_METRIC captures EBS metrics

In ADMIN > Device Support > Event Types, search for "AWS-CloudTrail" to see the event types associated with this device. CloudWatch allows for different AWS event sources and custom event sources to store events in AWS CloudTrail.

To search for these event types, from ANALYTICS, click in the Edit Filters and Time Range... field, and take the following steps:

  1. In Filter, select the Event Attribute radio button.

  2. In the Attribute field, enter "Event Type".

  3. In the Operator field, select "CONTAIN".

  4. In the Value field, enter "AWS_VPC_FLOW".

  5. Under Row, click + to add another row.

  6. In the new row, in the Attribute field, enter "Raw Event Log".

  7. In the new row, in the Operator field, select "CONTAIN".

  8. In the new row, in the Value field, enter "AWS_CLOUDWATCH_EVENT_DATA".

  9. Configure your Time Range and click Apply & Run.

Configuration

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic "Discovering Amazon Web Services (AWS) Infrastructure".

VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows.

The purpose of this discovery is to poll a list of EC2 instances in a given region so FortiSIEM knows that they are part of your AWS infrastructure. No logs are collected, but a CMDB entry for each EC2 instance is categorized under the “AWS” group in CMDB. This is important for certain reports that only look at AWS resources. It is still required to configure individual VMs with appropriate logging configurations, such as installable Agents (Linux, Windows) or Agentless (Syslog or WMI). Follow the instructions for the type of guest VM in this guide.

If you only want CloudWatch integration, you can create your AWS user and configure that user's policy by taking these steps.
Note: For the latest AWS documentation, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users and then choose Add user.

  3. Type the user name for the new user. This is the sign-in name for AWS.

  4. Select Programmatic access for the type of access this user will have.

  5. Choose Next: Permissions.

  6. Select Attach existing policies directly.

  7. Select the policy CloudwatchReadOnlyAccess.

  8. Choose Next: Tags.

  9. Choose Next: Review.

  10. Choose Create user.

  11. Choose Show and record the Access key ID.

    Note: To save the access keys, choose Download .csv and then save the file to a safe location.

    This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.

  12. Choose Show and record the secret key.

    Note: To save the access keys, choose Download .csv and then save the file to a safe location.

    This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.

  13. Click Close.

Settings for Access Credentials

FortiSIEM Configuration Setup

Complete these steps in the FortiSIEM UI:

  1. Navigate to ADMIN > Setup and click the Credentials tab.

  2. In Step 1: Enter Credentials:

    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.

    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting Value
      Name ec2
      Device Type Amazon AWS CloudWatch
      Access Protocol AWS CloudWatch
      Region The region in which your AWS instance is located
      AWS Account The name of your AWS account.
      Log Group Name Name of the log group.
      Log Stream Name Name of the log stream.
      Password Config See Password Configuration.
      Access Key ID The access key for your EC2 instance
      Secret Key The secret key for your EC2 instance
  3. In Step 2: Enter IP Range to Credential Associations, click New.

    1. Select the ec2 credential you created earlier from the Credentials drop-down list. It should autofill IP/Host Name as destination "amazon.com".

    2. Click Save.

  4. Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start pulling.

Sample Events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=
[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,
[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=