Custom SNMP Monitor for D-Link Interface Network Statistics

This example shows how to create a custom performance monitor for network interface statistics on D-Link switches. In this case, the result is a table, with one set of metrics for each interface.

Planning

Matching SNMP OIDs to FortiSIEM Event Attribute Types

If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1 against the D-Link switch, you should see an output similar to this:

IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
...

To get the interface index, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.1:

IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
...

To get interface queue length (the outQLen event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.21:

IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifOutQLen.3 = Gauge32: 0
IF-MIB::ifOutQLen.4 = Gauge32: 0
IF-MIB::ifOutQLen.5 = Gauge32: 0
...

To get interface speed, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.5:

IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
...

To get received bytes (the recvBitsPerSec event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.10:

IF-MIB::ifInOctets.1 = Counter32: 0
IF-MIB::ifInOctets.2 = Counter32: 1247940872
IF-MIB::ifInOctets.3 = Counter32: 0
IF-MIB::ifInOctets.4 = Counter32: 0
IF-MIB::ifInOctets.5 = Counter32: 0
...

Finally, to get sent bytes (the sentBitsPerSec event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.16:

IF-MIB::ifOutOctets.1 = Counter32: 0
IF-MIB::ifOutOctets.2 = Counter32: 1271371281
IF-MIB::ifOutOctets.3 = Counter32: 0
IF-MIB::ifOutOctets.4 = Counter32: 0
IF-MIB::ifOutOctets.5 = Counter32: 0
...

From these outputs you can see that if you want to create a performance monitor for D-Link switch interface statistics, you need to:

  1. Create a new device type, since D-Link switches are not supported in this release.
  2. Create an event type PH_DEV_MON_CUST_INTF_STAT that will contain the event attribute types outQLen, recvBitsPerSec, and sentBitsPerSec, which are already part of the FortiSIEM event attribute library, and hostSnmpIndex and intfSpeed, which you need to create.
  3. Create the mapping between the SNMP OIDs and the event attributes:
    1. OID .1.3.6.1.2.1.2.2.1.1 and hostSnmpIndex
    2. OID .1.3.6.1.2.1.2.2.1.5 and intfSpeed
    3. OID .1.3.6.1.2.1.2.2.1.21 and outQLen
    4. OID .1.3.6.1.2.1.2.2.1.10 and recvBitsPerSec
    5. OID .1.3.6.1.2.1.2.2.1.16 and sentBitsPerSec

Creating New Device Types, Event Attributes, and Event Types

Device Type

Create a new device type with these attributes:

Field               Setting
Vendor              D-Link
Model               DGS
Version             Any
Device/App Group    Devices > Network Devices > Router Switch
Biz Service Group   <no selection>
Description         D-Link Switch

Event Attribute Types

Create these event attribute types:

Name            Display Name                  Value Type   Display Format Type
hostSnmpIndex   Host Interface SNMP Index     INT64        <left blank>
intfSpeed       Interface Speed in bits/sec   INT64        <left blank>

Event Types

Naming Custom Event Types: All custom event types must begin with the prefix PH_DEV_MON_CUST_.

Create this event type:

Name                        Device Type   Severity
PH_DEV_MON_CUST_INTF_STAT   D-Link DGS    Low

Adding the D-Link SNMP Performance Object

In this case, you will create one performance object that maps the SNMP OIDs to the FortiSIEM event attribute types, and then associate it with the PH_DEV_MON_CUST_INTF_STAT event type. When you create the recvBitsPerSec and sentBitsPerSec mappings you will also add a sequential transform that first converts the cumulative counter to a rate, and then converts bytes per second to bits per second.

Performance Object Configuration for Event Type  PH_DEV_MON_CUST_INTF_STAT

Field                 Setting
Name                  D-LinkIntfStat
Type                  System
Method                SNMP
Parent OID            .1.3.6.1.2.1.2.2.1
Parent OID is Table   Selected
List of OIDs          (see the table below)

Object                  Attribute Name   Format      Type       Event Attribute
.1.3.6.1.2.1.2.2.1.1    IntfIndex        INTEGER     RawValue   hostSnmpIndex
.1.3.6.1.2.1.2.2.1.5    intfSpeed        Gauge32     RawValue   intfSpeed
.1.3.6.1.2.1.2.2.1.10   recvBitsPerSec   Counter32   Counter    recvBitsPerSec
.1.3.6.1.2.1.2.2.1.16   sentBitsPerSec   Counter32   Counter    sentBitsPerSec
.1.3.6.1.2.1.2.2.1.21   outIntfQ         Gauge32     RawValue   outQLen

Event Type            PH_DEV_MON_CUST_INTF_STAT
Polling Frequency     60 seconds

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes

Type     Formula
system   toRate
system   BytesPerSecToBitsPerSec
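As an added illustration (not part of the FortiSIEM documentation or product code), the following Python reproduces what the performance object above does on each poll: it parses snmpwalk output of the ifTable into one row per interface, applies the Counter type's toRate step to the two Counter32 columns and then BytesPerSecToBitsPerSec, and passes the RawValue columns through. The two poll samples are constructed, and the rollover handling in to_rate is an assumption about how a Counter32 wrap between polls should be treated, not FortiSIEM's own logic.

```python
import re
# ifTable objects walked on this page (snmpwalk symbolic name -> FortiSIEM attribute).
NAME_TO_ATTR = {"ifIndex": "hostSnmpIndex", "ifSpeed": "intfSpeed",
                "ifInOctets": "recvBitsPerSec", "ifOutOctets": "sentBitsPerSec",
                "ifOutQLen": "outQLen"}
COUNTERS = {"ifInOctets", "ifOutOctets"}   # Counter32 columns: toRate, then bytes -> bits
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = \w+: (\d+)$")  # "IF-MIB::ifInOctets.2 = Counter32: 1247940872"
def parse_walk(text):
    """Return {ifIndex: {object: value}} from an snmpwalk of .1.3.6.1.2.1.2.2.1."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) in NAME_TO_ATTR:      # skip unmapped objects and "..."
            table.setdefault(int(m.group(2)), {})[m.group(1)] = int(m.group(3))
    return table

def to_rate(prev, cur, interval):
    """toRate for a Counter32: delta per second, tolerating one 32-bit wrap (assumption)."""
    delta = cur - prev
    if delta < 0:                  # counter passed 2^32 since the previous poll
        delta += 2 ** 32
    return delta / interval

def build_events(prev_walk, cur_walk, interval=60):
    """One PH_DEV_MON_CUST_INTF_STAT row per interface from two consecutive polls."""
    prev, cur = parse_walk(prev_walk), parse_walk(cur_walk)
    events = []
    for idx in sorted(cur):
        ev = {"eventType": "PH_DEV_MON_CUST_INTF_STAT"}
        for name, attr in NAME_TO_ATTR.items():
            if name not in cur[idx]:
                continue
            if name not in COUNTERS:
                ev[attr] = cur[idx][name]         # RawValue: gauge/integer as polled
            elif name in prev.get(idx, {}):      # first poll has no delta yet
                bps = to_rate(prev[idx][name], cur[idx][name], interval)
                ev[attr] = int(bps * 8)          # BytesPerSecToBitsPerSec
        events.append(ev)
    return events
# Constructed sample: interface 2 polled twice, 60 s apart; ifOutOctets wraps in between.
POLL_1 = """IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifInOctets.2 = Counter32: 1247940872
IF-MIB::ifOutOctets.2 = Counter32: 4294960000
IF-MIB::ifOutQLen.2 = Gauge32: 0"""
POLL_2 = """IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifInOctets.2 = Counter32: 1255440872
IF-MIB::ifOutOctets.2 = Counter32: 20296
IF-MIB::ifOutQLen.2 = Gauge32: 3"""
```

At 1 Gbps a Counter32 can roll over more than once inside a 60-second poll (2^32 bytes pass in about 34 seconds at line rate), which no delta logic can recover; where the switch exposes the 64-bit ifHCInOctets and ifHCOutOctets columns of the ifXTable, mapping those instead avoids the problem.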

Associating Device Types to Performance Objects

In this case you would only need to make one association with the D-Link DGS device you created. 

Field          Settings
Name           D-LinkPerfObj
Device Types   • D-Link DGS
Perf Objects   • D-LinkIntfStat (SNMP) - Default Interval: 1 min

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity. 

  1. Go to ADMIN > Device Support > Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.
     You should see succeed under Result, and the parsed event attributes in the test result pane.
  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor. 
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics. 

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

Create a structured historical search with these settings:

Filter Criteria (Structured):   Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_INTF_STAT"; Group by: Host Name, Host Interface
Display Columns:                Host Name, Host Interface SNMP Index, MAX(Out Intf Queue), AVG(Intf Speed), AVG(Sent Bit Rate), AVG(Received Bit Rate)
Time:                           Last 10 Minutes
For Organizations:              All