Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Nutanix Prism

Support Added: FortiSIEM 6.5.0

Last Modification: FortiSIEM 6.5.0

Vendor Version Tested: Not Provided

 

Vendor: Nutanix

Product Information: https://www.nutanix.com/products/prism

 

 

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog   API Audit, Audit, Security Policy Hitlogs, and Flow Service Logs Security Monitoring

Configuration

To configure syslog monitoring, take the following steps: 

For the latest configuration information, see https://portal.nutanix.com/page/documents/details?targetId=Prism-Central-Guide-Prism-v6_0:mul-syslog-server-configure-pc-t.html

Notes

  • You must have the IP address of the syslog server that is deployed in your environment prior to configuration.

  • For forwarding Flow logs, the Flow feature must be enabled.

 

  1. Fom the main menu, click the gear icon to go to the Settings page.

  2. From the Settings page, click Syslog Server.

    Note: You can only configure one syslog server per cluster.

  3. In the Server Name field, enter a name for the server.

  4. In the IP Address field, enter the IP address.

  5. In the Port field, enter the port number.

  6. From the Transport Protocol drop-down list, select TCP or UDP.

  7. (Optional) Click the check box to enable Reliable Logging Protocol (RELP).

  8. Click Edit against Data Sources.

  9. Select one or more log modules from the following log types. See Syslog Modules for details.

    • API Audit

    • Audit

    • Security Policy Hitlogs (policy hitlog files logs)

    • Flow Service Logs (flow processes logs)

  10. Click Save to complete the configuration.

Sample Logs

Flow Log
<135>2020-06-03T12:12:19.716894+00:00 node-1 flow-hitCount4: INFO:2020/06/03 12:12:18  [dd721468-033f-4368-bdc9-c22a99044421] dt_isolation [Update] SRC=192.0.20.0 DST=192.0.20.10 PROTO=TCP SPORT=22 DPORT=40726 ACTION=DROP ORIG: PKTS=9 BYTES=468 REPLY: PKTS=0 BYTES=0
Consolidated Audit
<134>2020-06-08T05:27:47.978858-07:00 node-1 consolidated_audit: {"affectedEntityList":[{"entityType":"cluster","name":"Unnamed","uuid":"c6162d80-9d3c-41ba-9928-123456"}],"alertUid":"PairingAudit","creationTimestampUsecs":"1590479209937393","defaultMsg":"Failed to pair with remote prism central None: Internal Server Error. Could not create remote connection. Skip pairing","opEndTimestampUsecs":"1590479209649077","opStartTimestampUsecs":"1590479209649077","operationType":"Create","originatingClusterUuid":"c6162d80-9d3c-41ba-9928-123456","params":{"remote_cluster_url":""},"recordType":"Audit","severity":"Audit","tenantUuid":"00000000-0000-0000-0000-000000000000","userName":"perpetuuiti-1@nutanixbd.local","userUuid":"3a8c19be-336d-52f0-bb52-10123456","uuid":"c47c84ef-2044-4d93-a377-f97706392b93"}
API Audit
<134>2020-05-29T06:27:22.225134-07:00 node-1 api_audit: INFO  2020-05-29 06:27:13,742 clientType=External||userName=000579e7-ae35-a11d-0000-000000003510||NutanixApiVersion=1.0||httpMethod=GET||restEndpoint=/v1/users/details||entityUuid=||queryParams=||payload=

 

Nutanix Prism

Support Added: FortiSIEM 6.5.0

Last Modification: FortiSIEM 6.5.0

Vendor Version Tested: Not Provided

 

Vendor: Nutanix

Product Information: https://www.nutanix.com/products/prism

 

 

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog   API Audit, Audit, Security Policy Hitlogs, and Flow Service Logs Security Monitoring

Configuration

To configure syslog monitoring, take the following steps: 

For the latest configuration information, see https://portal.nutanix.com/page/documents/details?targetId=Prism-Central-Guide-Prism-v6_0:mul-syslog-server-configure-pc-t.html

Notes

  • You must have the IP address of the syslog server that is deployed in your environment prior to configuration.

  • For forwarding Flow logs, the Flow feature must be enabled.

 

  1. Fom the main menu, click the gear icon to go to the Settings page.

  2. From the Settings page, click Syslog Server.

    Note: You can only configure one syslog server per cluster.

  3. In the Server Name field, enter a name for the server.

  4. In the IP Address field, enter the IP address.

  5. In the Port field, enter the port number.

  6. From the Transport Protocol drop-down list, select TCP or UDP.

  7. (Optional) Click the check box to enable Reliable Logging Protocol (RELP).

  8. Click Edit against Data Sources.

  9. Select one or more log modules from the following log types. See Syslog Modules for details.

    • API Audit

    • Audit

    • Security Policy Hitlogs (policy hitlog files logs)

    • Flow Service Logs (flow processes logs)

  10. Click Save to complete the configuration.

Sample Logs

Flow Log
<135>2020-06-03T12:12:19.716894+00:00 node-1 flow-hitCount4: INFO:2020/06/03 12:12:18  [dd721468-033f-4368-bdc9-c22a99044421] dt_isolation [Update] SRC=192.0.20.0 DST=192.0.20.10 PROTO=TCP SPORT=22 DPORT=40726 ACTION=DROP ORIG: PKTS=9 BYTES=468 REPLY: PKTS=0 BYTES=0
Consolidated Audit
<134>2020-06-08T05:27:47.978858-07:00 node-1 consolidated_audit: {"affectedEntityList":[{"entityType":"cluster","name":"Unnamed","uuid":"c6162d80-9d3c-41ba-9928-123456"}],"alertUid":"PairingAudit","creationTimestampUsecs":"1590479209937393","defaultMsg":"Failed to pair with remote prism central None: Internal Server Error. Could not create remote connection. Skip pairing","opEndTimestampUsecs":"1590479209649077","opStartTimestampUsecs":"1590479209649077","operationType":"Create","originatingClusterUuid":"c6162d80-9d3c-41ba-9928-123456","params":{"remote_cluster_url":""},"recordType":"Audit","severity":"Audit","tenantUuid":"00000000-0000-0000-0000-000000000000","userName":"perpetuuiti-1@nutanixbd.local","userUuid":"3a8c19be-336d-52f0-bb52-10123456","uuid":"c47c84ef-2044-4d93-a377-f97706392b93"}
API Audit
<134>2020-05-29T06:27:22.225134-07:00 node-1 api_audit: INFO  2020-05-29 06:27:13,742 clientType=External||userName=000579e7-ae35-a11d-0000-000000003510||NutanixApiVersion=1.0||httpMethod=GET||restEndpoint=/v1/users/details||entityUuid=||queryParams=||payload=