Hyper-V

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
Powershell over WMI		CPU, Memory, Network and Storage metrics both at Guest and Host level .	Performance Monitoring

Event Types

• PH_DEV_MON_HYPERV_OVERALL_HEALTH: HyperV Machine Health Summary

  [PH_DEV_MON_HYPERV_OVERALL_HEALTH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vmHealthCritCount]=0,[vmHealthOkCount]=10

• PH_DEV_MON_HYPERV_OVERALL_SYSINFO: HyperV System Information

  [PH_DEV_MON_HYPERV_OVERALL_SYSINFO]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[notificationCount]=10,[virtualProcessors]=52,[totalPages]=67290,[partitionCount]=6,[logicalProcessors]=16

• PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC: HyperV Logical Processor Usage

  [PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97,[totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44

• PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC: HyperV Root Virtual Processor Usage

  [PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[guestRunTimePct]=0.19,[hypervisorRunTimePct]=0.04,[totalRunTimePct]=0.23,[cpuInterruptPersec]=4588.63,[interceptCost]=1458

• PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage

  [PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185,[hostName]=fsiem-reporter-hyperv-4.3.1.1158,[vmName]=fsiem-reporter-hyperv-4.3.1.1158,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[guestRunTimePct]=1.06,[hypervisorRunTimePct]=0.70,[totalRunTimePct]=1.77,[cpuInterruptPersec]=6474.56,[interceptCost]=1086

• PH_DEV_MON_HYPERV_MEM_PARTITION: HyperV Memory Partition usage

  [PH_DEV_MON_HYPERV_MEM_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpaPages]=0,[2mGpaPages]=16385,[4kGpaPages]=9949,[depositedGpaPages]=20946

• PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM: HyperV per-VM Memory Partition usage

  [PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=fsiem-va-hyperv-4.3.1.1158,[vmName]=fsiem-va-hyperv-4.3.1.1158,[1gGpaPages]=0,[2mGpaPages]=4096,[4kGpaPages]=2089,[depositedGpaPages]=5044

• PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION: HyperV Root Partition Total Memory Usage

  [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344

• PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT: HyperV Root Partition Root Memory Usage

  [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344

• PH_DEV_MON_HYPERV_MEM_VID_PARTITION: HyperV VID Partition Memory Usage

  [PH_DEV_MON_HYPERV_MEM_VID_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[physicalPages]=8398888,[remotePages]=0

• PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage

  [PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=fsiem-reporter-hyperv-4.3.1.1158,[vmName]=fsiem-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632,[remotePages]=0

• PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage

  [PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[freeMemKB]=27519348,[pageFaultsPersec]=0

• PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage

  [PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03

• PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage

  [PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=fsiem-va-hyperv-4.3.1.1158,[vmName]=fsiem-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79-fde20d335364--31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24,[recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61,[totalPktsPerSec]=20.86

• PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage

  [PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[diskName]=e:-hyperinstance-report431-virtual hard disks-fsiem-reporter-4.3.1.1158-disk2.vhdx,[diskErrors]=2,[diskFlushes]=1267221,[diskReadKBytesPerSec]=0.00,[diskReadReqPerSec]=0.00,[diskWriteKBytesPerSec]=0.00,[diskWriteReqPerSec]=0.00

• PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK: HyperV Logical Disk Usage

  [PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14

Rules

• HyperV Disk I/O Warning
• HyperV Disk I/O Critical
• HyperV Guest Critical
• HyperV Guest Hypervisor Run Time Percent Warning
• HyperV Logical Processor Total Run Time Percent Critical
• HyperV Logical Processor Total Run Time Percent Warning
• HyperV Page fault Critical
• HyperV Page fault Warning
• HyperV Remainining Guest Memory Warning

Reports

Look in RESOURCES > Reports > Device > Server > HyperV

• HyperV Configuration and Health
• Top HyperV Guests By Virtual Processor Run Time Pct
• Top HyperV Guests by Large Page Size Usage
• Top HyperV Guests by Remote Physical Page Usage
• Top HyperV Root Partitions By Virtual Processor Run Time Pct
• Top HyperV Root Partitions by Large Page Size Usage
• Top HyperV Servers By Logical Processor Run Time Pct
• Top HyperV Servers by Disk Activity
• Top HyperV Servers by Disk Latency
• Top HyperV Servers by Large Page Size Usage
• Top HyperV Servers by Memory Remaining for Guests
• Top HyperV Servers by Remote Physical Page Usage

Configuration

FortiSIEM needs WMI credentials to get the Hyper-V performance metrics. Configure this following the guidelines described in Microsoft Windows Server Configuration.

Settings for Access Credentials

Configure WMI on FortiSIEM.