Custom SNMP Monitor for D-Link HostName and SysUpTime
Although D-link switches and routers are not supported in this release of FortiSIEM, you can still use the custom monitor feature to create a system uptime event that will collect basic performance metrics like hostName and SysUpTime.
- Planning
- Adding New IBM WebSphere Performance Objects
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
Planning
Mapping SNMP OIDs to FortiSIEM Event Attribute Types
If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1 against the D-Link switch, you should see an output similar to this:
SNMPv2-MIB::sysDescr.0 = STRING: DGS-1210-48 2.00.011 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.171.10.76.11 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (157556100) 18 days, 5:39:21.00 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: SJ-Test-Lab-D-Link SNMPv2-MIB::sysLocation.0 = STRING: San Jose SNMPv2-MIB::sysServices.0 = INTEGER: 72 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (157555949) 18 days, 5:39:19.49
To get sysUptime, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1.3:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (157577770) 18 days, 5:42:57.70
To get hostname, you run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1.5:
SNMPv2-MIB::sysName.0 = STRING: SJ-Test-Lab-D-Link
From these outputs you can see that if you want to create a performance monitor for D-Link switch uptime, you need to:
- Create a new device type, since D-Link switches are not supported in this release
- Create an event type,
PH_DEV_MON_CUST_DLINK_UPTIME, that will contain the event attribute typeshostNameandSysUpTime, which are already part of the FortiSIEM event attribute type library. - Create the mapping between the SNMP OIDs and the event attributes:
- OID
.1.3.6.1.2.1.1.5andhostName. - OID
.1.3.6.1.2.1.1.5andSysUpTime.
- OID
Creating New Device Types, Event Attribute Types, and Event Types
Device Type:
Create a new device type with these attributes:
| Field | Setting |
|---|---|
| Vendor | D-Link |
| Model | DGS |
| Version | Any |
| Device/App Group | Devices > Network Devices > Router Switch |
| Biz Service Group | <no selection> |
| Description | D-Link Switch |
Event Attribute Types and Event Types
Both sysUptime and hostName are included in the Event Attribute Types, so you only need to create a new event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain them.
Naming Custom Event Types
All custom event types must begin with the prefix P H_DEV_MON_CUST_ .
| Name |
Device Type |
Severity | Description |
|---|---|---|---|
PH_DEV_MON_CUST_DLINK_UPTIME
|
D-Link DGS | 0 - Low | D-Link Uptime |
Adding the D-Link SNMP Performance Object
In this case, you will create one performance object that will map the SNMP OIDs to the FortiSIEM event attribute types hostName and SysUptime, and then associate them with the PH_DEV_MON_CUST_DLINK_UPTIME event type. When you create the SysUpTime mapping you will also add a transform to convert system time to centiseconds to seconds as shown in the second table.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME
| Field | Setting | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | D-LinkUptime | |||||||||||||||
| Type | System | |||||||||||||||
| Method | SNMP | |||||||||||||||
| Parent OID | .1.3.6.1.1.2.1.1 | |||||||||||||||
| Parent OID is Table | <left cleared> | |||||||||||||||
| List of OIDs |
|
|||||||||||||||
| Event Type | PH_DEV_MON_CUST_DLINK_UPTIME
|
|||||||||||||||
| Polling Frequency | 10 seconds |
Transform Formula for SysUptime Event Attribute
| Type | Formula |
|---|---|
| custom | uptime/100 |
Associating Device Types to Performance Objects
In this case you would only need to make one association with the D-Link DGS device you created.
| Field | Settings |
|---|---|
| Name | D-LinkPerfObj
|
| Device Types |
|
| Perf Objects |
|
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.
- Go to ADMIN > Device Support > Performance Monitoring.
- Select the performance monitor you created, and then click Test.
- For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
- Click Test.
You should seesucceedunder Result, and the parsed event attributes in the test result pane. - When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
- Discover or re-discover the device you want to monitor.
- Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.
Create a structured historical search with these settings:
| Filter Criteria | Display Columns | Time | For Organizations |
|---|---|---|---|
Structured
Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_DLINK_UPTIME"; Group by: [None] |
Event | Last 10 Minutes | All |
Copyright © 2020 Fortinet, Inc. All Rights Reserved. | Terms of Service | Privacy Policy
