Diode Collector
Features
The diode collector has the following functionalities:
- Ability to install without Internet connectivity
- Ability to work without registering with the Supervisor node
- Ability to collect syslog, SNMP traps and Windows logs via the WMI/OMI protocol using local configuration
- Ability to send events to another Collector or Worker via UDP/514 using the syslog protocol
A diode collector requires only strictly one-way communication from itself to another Collector or Worker. There are two deployment modes:
- Diode Collector -> Worker
- Diode Collector -> Regular Collector -> Worker
The regular Collector can send events to the Worker via HTTPS.
Standard Configuration
To configure a diode collector, there are two general steps. Note that Step 1 has a Service Provider case (1) and an Enterprise case (2).
Step 1: Collect Collector Information from the Supervisor Node
- For the Service Provider case, a Collector is associated with a customer.
  - Navigate to ADMIN > Setup > Organizations.
  - Click New, and create an Organization with the Collector.
  - Get the Customer Id, which appears in the ID column after the Organization is created.
  - Navigate to ADMIN > Health > Collector Health.
  - From the Collector Health page, get the following information:
    - Customer Name (from the Organization column)
    - Collector Name (from the Name column)
    - Collector Id (from the Collector ID column)
- For the Enterprise case (1 Organization):
  - Navigate to ADMIN > Setup > Collector.
  - Click New, and create a Collector.
  - Navigate to ADMIN > Health > Collector Health.
  - From the Collector Health page, get the following information:
    - Collector Id
    - Collector Name
Step 2: Configure the Collector Using the Information from Step 1
- Download the collector binary from the Fortinet Support Site.
- Run configFSM.sh on the VM (Internet connectivity is not needed). Installation steps are provided here.
- Modify the file /opt/phoenix/config/diode_collector.json. See Example diode_collector.json File for an example file.
  - Set custId to the Customer Id from Step 1 (for the Enterprise case, set it to 1).
  - Set collectorId to the Collector Id from Step 1.
  - Set orgName to the Customer Name from Step 1 (for the Enterprise case, set it to super).
  - Set collectorName to the Collector Name from Step 1.
  - Set eventUploadServers to the Worker(s) in the format UDP:<IP1>:514,UDP:<IP2>:514, where IP1 and IP2 are Worker IP addresses.
  - Set the Windows Server credentials in the Credentials (creds) section.
- Run the following command:
  phProvisionDiodeCollector
Setup is now complete, and events should appear in the FortiSIEM GUI. There are no differences between events from a diode collector and a regular collector.
Additional Configurations
The following additional configurations are available.
Adding Windows Servers or Changing WMI/OMI Credentials
To add more Windows servers or change WMI/OMI credentials, take the following step.
- Modify /opt/phoenix/config/diode_collector.json. There is no need to restart any process.
Change Parsers
To change parsers, take the following steps.
- Modify or create parser files under /opt/phoenix/config/xml/
- Edit /opt/phoenix/config/xml/parserOrder.csv
- Restart phParser by running the following command.
  killall -9 phParser
Example diode_collector.json File
This JSON has one WMI example and one OMI example. A blank include or exclude value means ALL event IDs of that log type. The file must be plain JSON (no comments).
{
  "custId": 2000,
  "orgName": "org1",
  "collectorId": 10000,
  "collectorName": "CO1",
  "eventUploadServers": "UDP:192.168.1.100:514,UDP:192.168.1.101:514",
  "eventUploadEpsLimit": 1000,
  "creds": [
    {
      "custId": "2000",
      "accessIp": "1.2.3.4",
      "deviceType": { "vendor": "Microsoft", "model": "Windows", "version": "ANY" },
      "accessMethod": {
        "accessProtocol": "MS_WMI",
        "pullInterval": 1,
        "credential": { "username": "Administrator", "password": "12345678" },
        "template": {
          "name": "Get All Logs",
          "logTypes": [
            { "type": "SECURITY", "include": "", "exclude": "" },
            { "type": "APPLICATION", "include": "", "exclude": "" },
            { "type": "SYSTEM", "include": "", "exclude": "" }
          ]
        }
      }
    },
    {
      "custId": "2000",
      "accessIp": "1.2.3.4",
      "deviceType": { "vendor": "Microsoft", "model": "Windows", "version": "ANY" },
      "accessMethod": {
        "accessProtocol": "MS_OMI",
        "pullInterval": 1,
        "credential": {
          "username": "Administrator",
          "password": "12345678",
          "omiAuth": "ntlm or kerberos",
          "kerberosADServer": "1.2.3.4",
          "kerberosDomain": "abc"
        },
        "template": {
          "name": "Get All Logs",
          "logTypes": [
            { "type": "SECURITY", "include": "", "exclude": "" },
            { "type": "APPLICATION", "include": "", "exclude": "" },
            { "type": "SYSTEM", "include": "", "exclude": "" }
          ]
        }
      }
    }
  ]
}
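As an added example (not FortiSIEM's own tooling), the following Python check can be run over diode_collector.json before phProvisionDiodeCollector: it parses eventUploadServers in the UDP:<IP>:514 format, accepts only the MS_WMI and MS_OMI access protocols shown above, and requires kerberosADServer and kerberosDomain when omiAuth is kerberos. The rule that each creds[].custId must equal the top-level custId is an assumption drawn from the example file, and the embedded sample config is constructed (its second upload server entry is deliberately malformed).

```python
import ipaddress
import json
import re

# Constructed sample in the diode_collector.json layout shown above; the second
# upload server entry is deliberately malformed (all values are placeholders).
SAMPLE = """{"custId": 2000, "orgName": "org1", "collectorId": 10000, "collectorName": "CO1",
 "eventUploadServers": "UDP:192.168.1.100:514,UDP 192.168.1.101:514", "eventUploadEpsLimit": 1000,
 "creds": [{"custId": "2000", "accessIp": "1.2.3.4",
   "accessMethod": {"accessProtocol": "MS_OMI", "pullInterval": 1,
     "credential": {"username": "Administrator", "password": "x", "omiAuth": "kerberos"}}}]}"""

UPLOAD_RE = re.compile(r"^UDP:([^:]+):(\d+)$")  # one entry of the form UDP:<IP>:514

def parse_upload_servers(spec):
    """Split 'UDP:<IP1>:514,UDP:<IP2>:514' into (ip, port) tuples; ValueError on a bad entry."""
    servers = []
    for entry in spec.split(","):
        m = UPLOAD_RE.match(entry.strip())
        if not m:
            raise ValueError(f"malformed eventUploadServers entry: {entry.strip()!r}")
        servers.append((str(ipaddress.ip_address(m.group(1))), int(m.group(2))))
    return servers

def check_config(text):
    """Return the list of problems found in a diode_collector.json document ([] means OK)."""
    cfg = json.loads(text)  # strict JSON: the file may not contain // comments
    problems = []
    for key in ("custId", "orgName", "collectorId", "collectorName", "eventUploadServers", "creds"):
        if key not in cfg:
            problems.append(f"missing top-level key {key}")
    try:
        parse_upload_servers(cfg.get("eventUploadServers", ""))
    except ValueError as exc:
        problems.append(str(exc))
    for i, cred in enumerate(cfg.get("creds", [])):
        # Assumption: per-credential custId should equal the top-level custId (as in the example).
        if str(cred.get("custId")) != str(cfg.get("custId")):
            problems.append(f"creds[{i}]: custId does not match top-level custId")
        method = cred.get("accessMethod", {})
        proto = method.get("accessProtocol")
        if proto not in ("MS_WMI", "MS_OMI"):
            problems.append(f"creds[{i}]: unsupported accessProtocol {proto!r}")
        c = method.get("credential", {})
        if proto == "MS_OMI" and c.get("omiAuth") == "kerberos":
            for k in ("kerberosADServer", "kerberosDomain"):
                if not c.get(k):
                    problems.append(f"creds[{i}]: omiAuth=kerberos requires {k}")
    return problems
```

Running check_config on the file contents and refusing to provision while it returns a non-empty list catches the malformed-entry and missing-Kerberos-field mistakes before the collector silently fails to forward events.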