Monitoring Settings
The following section describes the procedures for Monitoring settings:
Important Processes
This setting allows you to always get process resource utilization reports and UP/DOWN alerts on a set of important processes across all device types.
- Go to ADMIN > Settings > Monitoring > Important Processes tab.
- Click Enable.
  This will stop monitoring all processes.
- Click New.
- Enter a Process Name, Parameter, and select an Organization from the drop-down.
- Click Save.
- Select the processes from the table and click Apply.
  FortiSIEM will start monitoring only the selected processes in this tab.
- If you want to disable this and return to ALL process monitoring, then click Disable.
Important Ports
This setting allows you to get TCP/UDP port UP/DOWN status only for a set of important critical ports. Always reporting UP/DOWN status for every TCP/UDP port on every server can consume a significant amount of resources. A port's UP/DOWN status is reported only if the port belongs to the list defined here.
Matching is exact based on port number and IP protocol.
- Go to ADMIN > Settings > Monitoring > Important Ports tab.
- Click New.
- Enter the Port Number and select the Port Type and Organization from the drop-down.
- Click Save.
- Select the new ports from the list and click Apply.
Important Interfaces
This setting allows you to always get interface utilization reports on a set of important network interfaces across all device types.
- Create a list of all Important interfaces.
- Go to ADMIN > Settings > Monitoring > Important Interfaces tab.
- Click Enable.
  This will stop monitoring all interfaces.
- Click the icon to the left of the search field to select either Show Device Table or Show Interface only.
- Click Select to add the selected interface to the list. The Critical and Monitor columns will be automatically checked.
- Check the WAN box if applicable. If checked, the interface utilization events will have the isWAN = "yes" attribute.
  You can use this to run a report for all WAN interfaces.
- Select the interfaces from the table and click Apply.
  FortiSIEM will start monitoring only the selected interfaces in this tab.
- If you want to disable this and return to ALL process monitoring, click Disable.
By default, this feature is disabled regardless of whether it is upgraded or newly installed.
If this feature is disabled, FortiSIEM monitors all interface utilization and up/down events.
The isHostIntfCritical attribute will be set to false for all interfaces. Only the non-critical interface staying down rule may trigger. The critical interface staying down rule will have no chance to trigger.
If this feature is enabled, there are two check boxes: Monitor and Critical. If Critical is checked, Monitor will be checked automatically.
Monitor controls whether interface utilization events are generated. FortiSIEM monitors interface utilization events for an interface whose Monitor check box is selected.
Critical controls whether interface up/down events are generated. FortiSIEM monitors interface up/down events for an interface whose Critical check box is selected.
If an interface is marked as critical, the isHostIntfCritical attribute is set to true in the generated interface utilization and up/down events.
The rule “critical interface staying down” will trigger on interfaces whose isHostIntfCritical is true. The non-critical interface staying down rule will have no chance to trigger.
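The check-box logic described above, modeled as an added Python example (not FortiSIEM code and not part of the original documentation); it lists the interfaces for which no staying-down rule can trigger. The Intf class, the function names and the device names are hypothetical, and the model assumes isHostIntfCritical is false for Monitor-only interfaces.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Intf:
    device: str
    name: str
    monitor: bool = False   # Monitor check box
    critical: bool = False  # Critical check box
    wan: bool = False       # WAN check box

def coverage(feature_enabled, discovered, important):
    """Map (device, name) -> events generated and the staying-down rule that can fire."""
    listed = {(i.device, i.name): i for i in important}
    out = {}
    for key in discovered:
        if not feature_enabled:
            # Feature disabled: every interface is monitored, none is critical.
            out[key] = {"util": True, "updown": True,
                        "isHostIntfCritical": False, "rule": "non-critical"}
            continue
        i = listed.get(key)
        critical = bool(i and i.critical)
        monitor = bool(i and (i.monitor or critical))  # Critical implies Monitor
        # Assumption: Monitor-only interfaces carry isHostIntfCritical = false.
        out[key] = {"util": monitor, "updown": critical,
                    "isHostIntfCritical": critical,
                    "rule": "critical" if critical else None}
        if monitor and i.wan:
            out[key]["isWAN"] = "yes"  # set on interface utilization events
    return out

def blind_spots(cov):
    """Interfaces for which no staying-down rule can trigger."""
    return sorted(k for k, v in cov.items() if v["rule"] is None)

# Constructed inventory and Important Interfaces list (not real devices).
DISCOVERED = [("fw1", "wan0"), ("fw1", "lan0"), ("sw1", "Gi0/1")]
IMPORTANT = [Intf("fw1", "wan0", critical=True, wan=True),
             Intf("fw1", "lan0", monitor=True)]

if __name__ == "__main__":
    for enabled in (False, True):
        cov = coverage(enabled, DISCOVERED, IMPORTANT)
        print("enabled" if enabled else "disabled", blind_spots(cov))
```

With the feature enabled, a Monitor-only interface and any interface missing from the list both end up without up/down events, so neither staying-down rule covers them.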
Excluded Disks
This setting allows you to exclude disks from disk capacity utilization monitoring. Disk capacity utilization events will not be generated for devices matching device name, access IP and disk name. Incidents will not trigger for these events, and the disks will not show up in summary dashboards. Use this list to exclude read-only disk volumes or partitions that do not grow in size and are close to full.
- Go to ADMIN > Settings > Monitoring > Excluded Disks tab.
- Click New.
- From the Choose Disk dialog box, select the device from the device group.
- Click Select.
- Select the device from the table and click Apply.