
External Systems Configuration Guide

Hyper-V

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| PowerShell over WMI | | CPU, Memory, Network and Storage metrics at both Guest and Host level | Performance Monitoring |

Event Types

  • PH_DEV_MON_HYPERV_OVERALL_HEALTH: HyperV Machine Health Summary

    [PH_DEV_MON_HYPERV_OVERALL_HEALTH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vmHealthCritCount]=0,[vmHealthOkCount]=10
  • PH_DEV_MON_HYPERV_OVERALL_SYSINFO: HyperV System Information

    [PH_DEV_MON_HYPERV_OVERALL_SYSINFO]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[notificationCount]=10,[virtualProcessors]=52,[totalPages]=67290,[partitionCount]=6,[logicalProcessors]=16
  • PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC: HyperV Logical Processor Usage

    [PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97,[totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44
  • PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC: HyperV Root Virtual Processor Usage

    [PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[guestRunTimePct]=0.19,[hypervisorRunTimePct]=0.04,[totalRunTimePct]=0.23,[cpuInterruptPersec]=4588.63,[interceptCost]=1458
  • PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage

    [PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185,[hostName]=fsiem-reporter-hyperv-4.3.1.1158,[vmName]=fsiem-reporter-hyperv-4.3.1.1158,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[guestRunTimePct]=1.06,[hypervisorRunTimePct]=0.70,[totalRunTimePct]=1.77,[cpuInterruptPersec]=6474.56,[interceptCost]=1086
  • PH_DEV_MON_HYPERV_MEM_PARTITION: HyperV Memory Partition usage

    [PH_DEV_MON_HYPERV_MEM_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpaPages]=0,[2mGpaPages]=16385,[4kGpaPages]=9949,[depositedGpaPages]=20946
  • PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM: HyperV per-VM Memory Partition usage

    [PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=fsiem-va-hyperv-4.3.1.1158,[vmName]=fsiem-va-hyperv-4.3.1.1158,[1gGpaPages]=0,[2mGpaPages]=4096,[4kGpaPages]=2089,[depositedGpaPages]=5044
  • PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION: HyperV Root Partition Total Memory Usage

    [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344
  • PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT: HyperV Root Partition Root Memory Usage

    [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344
  • PH_DEV_MON_HYPERV_MEM_VID_PARTITION: HyperV VID Partition Memory Usage

    [PH_DEV_MON_HYPERV_MEM_VID_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[physicalPages]=8398888,[remotePages]=0
  • PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage

    [PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=fsiem-reporter-hyperv-4.3.1.1158,[vmName]=fsiem-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632,[remotePages]=0
  • PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage

    [PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[freeMemKB]=27519348,[pageFaultsPersec]=0
  • PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage

    [PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03
  • PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage

    [PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=fsiem-va-hyperv-4.3.1.1158,[vmName]=fsiem-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79-fde20d335364--31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24,[recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61,[totalPktsPerSec]=20.86
  • PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage

    [PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[diskName]=e:-hyperinstance-report431-virtual hard disks-fsiem-reporter-4.3.1.1158-disk2.vhdx,[diskErrors]=2,[diskFlushes]=1267221,[diskReadKBytesPerSec]=0.00,[diskReadReqPerSec]=0.00,[diskWriteKBytesPerSec]=0.00,[diskWriteReqPerSec]=0.00
  • PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK: HyperV Logical Disk Usage

    [PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14
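
The sample events above share one layout: a bracketed event type, a colon, then comma-separated [key]=value pairs. The Python parser below is an added example, not FortiSIEM code; it copes with values that contain brackets, with events run together without a newline, and with the inconsistent key casing in the samples. The lower-cased key names and the "scope" field are assumptions of this example.

```python
import re

# Events taken from this page's samples and shortened; the last two are joined
# without a newline on purpose (constructed input).
SAMPLES = (
    "[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,"
    "[hostName]=WIN-HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige "
    "[ndis vbd client] _34 - virtual switch,[recvPktsPerSec]=323.03\n"
    "[PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185,"
    "[vmName]=fsiem-reporter-hyperv-4.3.1.1158,[phyMachIpAddr]=172.16.20.180,"
    "[totalRunTimePct]=1.77,[cpuInterruptPersec]=6474.56"
    "[PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,"
    "[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14"
)

HEADER = re.compile(r"\[(PH_[A-Z0-9_]+)\]:")
# An attribute key opens the body or follows a comma and is closed by "]=".
# Bracketed text inside a value ("[ndis vbd client]") does not match this.
KEY = re.compile(r"(?:^|,)\[(\w+)\]=")


def coerce(value):
    """Return int or float for plain numbers; leave IPs, names and paths as text."""
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+\.\d+", value):
        return float(value)
    return value


def parse_events(text):
    """Yield (event_type, attrs) for every event in text, newline-separated or not."""
    headers = list(HEADER.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[head.end():end].strip()
        keys = list(KEY.finditer(body))
        attrs = {}
        for j, key in enumerate(keys):
            stop = keys[j + 1].start() if j + 1 < len(keys) else len(body)
            # Keys are lower-cased: the samples spell cpuInterruptPerSec two ways.
            attrs[key.group(1).lower()] = coerce(body[key.end():stop])
        # Assumption from the samples: per-VM events carry vmName, and then
        # hostIpAddr is the guest while phyMachIpAddr is the Hyper-V host.
        attrs["scope"] = "guest" if "vmname" in attrs else "host"
        yield head.group(1), attrs
```

Splitting the attribute list on every comma or bracket would truncate the vSwitch value; anchoring on the `,[key]=` boundary keeps it whole.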

Rules

  • HyperV Disk I/O Warning
  • HyperV Disk I/O Critical
  • HyperV Guest Critical
  • HyperV Guest Hypervisor Run Time Percent Warning
  • HyperV Logical Processor Total Run Time Percent Critical
  • HyperV Logical Processor Total Run Time Percent Warning
  • HyperV Page fault Critical
  • HyperV Page fault Warning
  • HyperV Remainining Guest Memory Warning

Reports

Look in RESOURCES > Reports > Device > Server > HyperV

  • HyperV Configuration and Health
  • Top HyperV Guests By Virtual Processor Run Time Pct
  • Top HyperV Guests by Large Page Size Usage
  • Top HyperV Guests by Remote Physical Page Usage
  • Top HyperV Root Partitions By Virtual Processor Run Time Pct
  • Top HyperV Root Partitions by Large Page Size Usage
  • Top HyperV Servers By Logical Processor Run Time Pct
  • Top HyperV Servers by Disk Activity
  • Top HyperV Servers by Disk Latency
  • Top HyperV Servers by Large Page Size Usage
  • Top HyperV Servers by Memory Remaining for Guests
  • Top HyperV Servers by Remote Physical Page Usage

Configuration

FortiSIEM needs WMI credentials to collect the Hyper-V performance metrics. Configure them by following the guidelines described in Microsoft Windows Server Configuration.

Settings for Access Credentials

Configure WMI on FortiSIEM.
