Configuring Linux Agent
Linux Agents can be configured and managed from the FortiSIEM Supervisor node.
Before proceeding, install the Linux Agent following the instructions in the Linux Agent Installation Guide.
To receive logs from the Linux Agent, you must complete the following steps:
- Define the Linux Agent Monitor Templates
- Associate Linux Agents to Templates
Once these steps are completed, the Supervisor node will distribute monitoring policies to the Linux Agents and you will be able to see events in FortiSIEM.
Note: FortiSIEM Linux Agent will not perform file integrity monitoring on the /root directory.
This section also covers these topics.
- Viewing Agent Status
- Enabling or Disabling an Agent
- Viewing Files in FortiSIEM
- File Integrity Monitoring Logs
- Agent Troubleshooting Notes
Define the Linux Agent Monitor Templates
Complete these steps to add a Linux Agent Monitor Template:
- Go to ADMIN > Setup > Linux Agent tab.
- Click New under the section Linux Agent Monitor Templates.
- In the Linux Agent Monitor Template dialog box, enter the information in the Generic, Syslog, Log File, and FIM tabs, as described below.
- Click Save.
Generic tab:
Configure the Generic settings with reference to the table below:
Generic Settings | Guidelines |
---|---|
Name | [Required] Enter the name of the FortiSIEM Linux Agent. This name is used as a reference in Template associations. |
Description | [Required] Enter the description about the FortiSIEM Linux Agent. |
Syslog tab:
Configure the Syslog settings with reference to the table below:
Syslog Settings | Guidelines |
---|---|
Syslog | Select the Facility with the corresponding Syslog levels: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. |
Log File tab:
Configure the Log File settings with reference to the table below:
Log File Settings | Guidelines |
---|---|
Log Files | Click New to add the custom log files to monitor. File—(Required) Enter the full file name. Log Prefix—(Required) Any prefix used to identify events from this file for easier access. |
FIM tab:
Configure the FIM settings with reference to the table below:
FIM Settings | Guidelines |
---|---|
FIM | Click New to add the files to monitor. The fields are described in the list that follows. |
- Include File/Directory—Enter the file or directory to monitor.
- Exclude File/Directory—Enter the files or directories to exclude from monitoring, using a semicolon (;) as a separator.
- Action—Select the actions to monitor when there is an event in the included file or directory:
  - All—All of the following actions will be monitored.
  - Open—One or more of the monitored files or directories has been opened.
  - Close—One or more of the monitored files or directories has been closed.
  - Create—A file or directory has been created in one or more of the monitored files or directories.
  - Modify—One or more of the monitored files or directories has been edited.
  - Delete—One or more of the monitored files or directories has been deleted.
  - Attribute Change—An attribute belonging to one or more of the monitored files or directories has been changed.
- On Modify (appears only if All or Modify is selected):
  - Push Files—Select this if you want the Linux Agent to push files to FortiSIEM whenever there is a change. The files are stored in SVN and are accessible from the Supervisor. These files are displayed in CMDB > Device > File. Send only important files, as this can fill up disk space.
  - Compare Baseline—Select this if you want to be alerted when the file changes from a baseline. This is common for configuration files that rarely change. If you choose this option, you will be asked to provide a copy of the baseline file. Click Choose File and upload the file from your workstation. The Supervisor will compute the MD5 checksum and distribute the checksum to the agents for comparison.
Associate Linux Agents to Templates
After defining the monitoring templates, associate the hosts to templates. To scale to a large number of hosts, this is done via Policies. A Policy is a mapping from Organization and Host to Templates and Collectors. Policies are evaluated in order (a lower order or rank means higher priority) and the first policy that matches is selected. Therefore, define the exceptions first, followed by the broad policies. Hosts can be defined in terms of CMDB Device Groups or Business Services. Multiple templates can be used in one Policy, and the system detects conflicts, if any.
Complete these steps to associate a Host to a Template:
- Click New under the section Host To Template Associations.
- In the Host To Template Associations dialog box, enter the information below.
- Click Save and Apply.
Settings | Guidelines |
---|---|
Name | Name of the Host to Template Association. |
Organization | Select the organization. |
Host | Use the drop-down list to browse the folders and select the items. |
Template | Select one or more monitoring templates from the list, or select All Templates to select all. You can also use the search bar to find a specific template. |
Collector | Select the Collector from the list, or select All Collectors to select all. Agents forward events to Collectors via HTTP(S). A Collector is chosen at random; if that Collector is not available or is non-responsive, another Collector in the list is chosen. |
A Rank number is automatically assigned to the association.
You can use the Edit button to modify or Delete button to remove any template association.
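The first-match rule above is easy to get wrong: if a broad policy is ranked ahead of an exception, the exception is never selected and the affected hosts silently get the wrong templates. The following added example (not FortiSIEM code) models that evaluation order and reports policies that no host in the inventory ever selects. The matching model is an assumption made for the example: a host matches a policy when the organization is the same and at least one of the host's CMDB groups appears in the policy's host selector; the policies, hosts, groups and template names are constructed.

```python
# Constructed policies, ordered by rank (rank 1 is evaluated first).
# "hosts" holds the CMDB Device Groups the policy selects (assumed matching model).
POLICIES = [
    {"rank": 1, "name": "PCI web servers", "org": "Super",
     "hosts": {"PCI Web"}, "templates": {"fim-strict", "syslog-all"}},
    {"rank": 2, "name": "All Linux", "org": "Super",
     "hosts": {"Linux Servers"}, "templates": {"syslog-all"}},
]

# Same two policies with the ranks swapped: the broad policy now comes first.
WRONG_ORDER = [dict(p, rank={1: 2, 2: 1}[p["rank"]]) for p in POLICIES]

# Constructed host inventory: organization plus CMDB group membership.
HOSTS = [
    {"name": "web01", "org": "Super", "groups": {"PCI Web", "Linux Servers"}},
    {"name": "db01", "org": "Super", "groups": {"Linux Servers"}},
    {"name": "lab01", "org": "Lab", "groups": {"Linux Servers"}},
]


def select_policy(policies, org, host_groups):
    """Return the first policy (lowest rank) whose org matches and whose
    host selector intersects the host's groups, or None if nothing matches."""
    for policy in sorted(policies, key=lambda p: p["rank"]):
        if policy["org"] == org and policy["hosts"] & set(host_groups):
            return policy
    return None


def unused_policies(policies, hosts):
    """Names of policies that no host in the inventory selects. A policy
    listed here is usually an exception shadowed by a broader, lower-ranked
    (higher-priority) policy and should be moved up in rank."""
    used = set()
    for host in hosts:
        chosen = select_policy(policies, host["org"], host["groups"])
        if chosen is not None:
            used.add(chosen["name"])
    return [p["name"] for p in sorted(policies, key=lambda p: p["rank"])
            if p["name"] not in used]


if __name__ == "__main__":
    for label, policies in (("correct order", POLICIES), ("broad policy first", WRONG_ORDER)):
        chosen = select_policy(policies, "Super", {"PCI Web", "Linux Servers"})
        print(label, "-> web01 gets", chosen["name"], "; never selected:", unused_policies(policies, HOSTS))
```

With the exception ranked first, web01 receives the PCI policy and every policy is used; with the ranks swapped, web01 falls into "All Linux" and `unused_policies` reports the PCI policy as never selected, which is the check to run after editing ranks.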
Viewing Agent Status
Complete these steps to view the Agent status for any specific device:
- Go to CMDB > Devices and select the device.
The following fields display the information related to the Agent:
- Agent Status: status of the Agent running on the device.
- Agent Policy: agent policy.
- Monitor Status: status of monitoring.
The Agent Status indicates the following:
Status | Description |
---|---|
Registered | Agent has completed registration but has not received the monitoring template. |
Running Active | Agent has received a monitoring template and is performing properly. |
Running Inactive | Agent is running but does not have a monitoring template. The reasons can be (a) no license or (b) incomplete definition: no Collector or Template is defined for that host. |
Stopped | Agent is stopped on the Linux Server. |
Disconnected | Supervisor did not receive any status from the Agent for the last 10 minutes. |
Enabling or Disabling an Agent
Complete these steps to enable or disable Linux Agent for a specific device:
- Go to CMDB > Devices and select the required device.
- Select the Action drop-down menu and click Enable Agent to enable or Disable Agent to disable Agent monitoring for the selected device.
Viewing Files in FortiSIEM
If the FortiSIEM Agent is running on a Server and a FIM policy is enabled with Push Files On Modify, then the FortiSIEM Agent will send the files to FortiSIEM when a change is detected. FortiSIEM stores the files in SVN on the Supervisor.
- Go to the CMDB page. Make sure that AGENT is one of the Methods.
- Search for the device in CMDB by name.
Use the host name that you used to install the Linux Agent.
- Click File beneath the device table.
You will see all of the files that were changed since the monitoring template was applied.
- Select a file.
If you need to search for a file, set the From and To dates. The files which changed between those dates will be displayed.
- Click the file name on the left and its contents will be displayed in the right hand window.
Each file has a header containing file meta data followed by the actual file content.
- OWNER: The name of the file owner
- GROUP: User group for specifying file permissions.
- PERMISSION=USER: "OWNER", PERMIT: "...": The file owner's permissions.
- PERMISSION=GROUP: "MEMBER", PERMIT: "...": The group members' file permissions.
- PERMISSION=GROUP: "OTHER", PERMIT: "...": File permissions for all other users.
- FILEPATH: The full file name, including the path.
- HASHCODE: The file hash.
- HASHALGO: The algorithm used to compute file hash.
- MODIFIED_TIME: The time when the file was last modified.
- To see the differences between two files, select two files on the left and click Diff.
File Integrity Monitoring Logs
The following sections describe various use cases that can be detected by File Integrity Monitoring Logs.
- Use Case 1: File Created
- Use Case 2: File Deleted
- Use Case 3: File Attributes Changed
- Use Case 4: File Modified
- Use Case 5: File Modified and Upload is Selected
- Use Case 6: File Baseline Changed
- Use Case 7: File Renamed
- Use Case 8: File Accessed
- Use Case 9: File Opened
- Use Case 10: File Closed
- Agent Troubleshooting Notes
Use Case 1: File Created
Event Type
FSM_LINUX_FILE_CREATE
Important Event Attributes
- targetOsObjType: The type of object that was created: File or Directory.
- targetOsObjName: The name of the file or directory.
- user: The name of the user who made the change.
- hashCode: The hash code of the file.
- hashAlgo: The algorithm used to compute the file hash.
Reports
Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity
Rules
Agent FIM - Linux File or Directory Created
Sample Log
Fri Mar 27 09:39:25 2020 centos7: [FSM_LINUX_FILE_CREATE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CREATE,[targetObjType]=File,[targetObjName]="/mlm/a.log",[hashCode]="d41d8cd98f00b204e9800998ecf8427e",[hashAlgo]="MD5",[user]=root
Use Case 2: File Deleted
Event Type
FSM_LINUX_FILE_DELETE
Important Event Attributes
- targetOsObjType: The type of object that was deleted: File or Directory.
- targetOsObjName: The name of the file or directory.
- user: The name of the user who made the change.
Reports
Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity
Rules
Agent FIM - Linux File or Directory Deleted
Sample Log
Fri Mar 27 09:43:11 2020 centos7: [FSM_LINUX_FILE_DELETE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=DELETE,[targetObjType]=File,[targetObjName]="/mlm/k.log",[user]=root
Use Case 3: File Attributes Changed
Event Type
FSM_LINUX_FILE_ATTRIB_CHANGE
Important Event Attributes
- targetOsObjType: The type of object: File or Directory.
- targetOsObjName: The name of the file or directory.
- user: The name of the user who made the change.
- fileOwner: The name of the owner of the file or directory.
- userGrp: The name of the user group for the file or directory.
- userPerm: The permission granted to the owner.
- groupPerm: The permission granted to the user group.
- otherPerm: Other permissions.
Reports
Agent FIM: Linux File/Directory Ownership or Permission Changes
Rules
Agent FIM - Linux Directory Ownership or Permission changed
Agent FIM - Linux File Ownership or Permission Changed
Sample Log
Fri Mar 27 09:45:27 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,EXEC",[otherPerm]="READ,EXEC",[user]=root
Use Case 4: File Modified
Event Type
FSM_LINUX_FILE_MODIFY
Important Event Attributes
- targetOsObjName: The name of the file.
- user: The name of the user who made the change.
- hashCode: The hash code of the file.
- hashAlgo: The algorithm used to compute the file hash.
Reports
Agent FIM: Linux File Content Modified
Rules
Agent FIM - Linux File Content Modified
Sample Log
Fri Mar 27 09:47:06 2020 centos7: [FSM_LINUX_FILE_MODIFY]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MODIFY,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[hashCode]=5d71f074cf9a75e0324f210160d4b9cb,[hashAlgo]=md5,[user]=root
Use Case 5: File Modified and Upload is Selected
Event Type
PH_DEV_MON_FILE_CONTENT_CHANGE
Important Event Attributes
- userId: The ID of the user who modified the file.
- domain: The user's domain for a Domain computer.
- fileName: The name of the file that was modified.
- procName: The Windows process that was used to modify the file.
- hashCode, hashAlgo: The file hash after modification and the algorithm used to calculate the hash.
- oldSVNVersion: The SVN revision number of the file before the change.
- newSVNVersion: The SVN revision number of the file after the change.
- addedItem: The lines that were added to the file.
- deletedItem: The lines that were removed from the file.
Reports
Agent FIM: Linux File Content Modified in SVN
Rules
Audited file or directory content modified in SVN
Sample Log
<14>Mar 27 09:51:30 sp3 phPerfMonitor[6340]: [PH_DEV_MON_FILE_CONTENT_CHANGE]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=306,[phCustId]=2000,[hostName]=centos7,[hostIpAddr]=10.30.3.39,[fileName]=/mlm/mlm.txt,[hashCode]=ac399331afa9d1f13618c9eff36ed51c,[oldSVNVersion]=53,[newSVNVersion]=54,[deletedItem]=(none),[addedItem]=retest;,[user]=root,[hashAlgo]=MD5,[phLogDetail]=
Use Case 6: File Baseline Changed
Event Type
FSM_LINUX_FILE_CHANGE_BASELINE
Important Event Attributes
- targetOsObjName: The name of the baseline file.
- user: The name of the user who made the change.
- hashCode: The hash code of the file after modification.
- hashAlgo: The algorithm used to create the file hash.
- targetHashCode: The hash code of the baseline file.
Reports
Agent FIM: Linux File Change from Baseline
Rules
Agent FIM - Linux File Changed From Baseline
Sample Log
Fri Mar 27 09:51:23 2020 centos7: [FSM_LINUX_FILE_CHANGE_BASELINE]: [fileName]=/mlm/mlm.txt,[targetHashCode]="aa63e826654915e0e2e1da385e6d14f8",[hashCode]="ac399331afa9d1f13618c9eff36ed51c",[hashAlgo]="MD5",[user]=root
Use Case 7: File Renamed
Event Types
FSM_LINUX_FILE_MOVED_TO
FSM_LINUX_FILE_MOVED_FROM
Important Event Attributes
- targetOsObjType: The file type: File or Directory.
- targetOsObjName: The file or directory name.
- user: The name of the user who renamed the file.
Reports
Agent FIM: Linux File/Directory Creation/Deletion/Movement/Unmount Activity
Rules
None
Sample Logs
Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_FROM]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_FROM,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root
Fri Mar 27 09:57:42 2020 centos7: [FSM_LINUX_FILE_MOVED_TO]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=MOVED_TO,[targetObjType]=File,[targetObjName]="/mlm/cc.log",[user]=root
Use Case 8: File Accessed
Event Type
FSM_LINUX_FILE_ACCESS
Important Event Attributes
- targetOsObjType: The file type: File or Directory.
- targetOsObjName: The file or directory name.
- user: The name of the user who accessed the file.
Reports
None
Rules
None
Sample Log
Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_ACCESS]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ACCESS,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root
Use Case 9: File Opened
Event Type
FSM_LINUX_FILE_OPEN
Important Event Attributes
- targetOsObjType: The file type: File or Directory.
- targetOsObjName: The file or directory name.
- user: The name of the user who opened the file.
Reports
None
Rules
None
Sample Log
Fri Mar 27 09:57:40 2020 centos7: [FSM_LINUX_FILE_OPEN]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=OPEN,[targetObjType]=Directory,[targetObjName]="/mlm",[user]=root
Use Case 10: File Closed
Event Types
FSM_LINUX_FILE_CLOSE_WRITE
FSM_LINUX_FILE_CLOSE_NOWRITE
Important Event Attributes
- targetOsObjType: The file type: File or Directory.
- targetOsObjName: The file or directory name.
- user: The name of the user who closed the file.
Reports
None
Rules
None
Sample Logs
Fri Mar 27 09:57:36 2020 centos7: [FSM_LINUX_FILE_CLOSE_WRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_WRITE,[targetObjType]=File,[targetObjName]="/mlm/bb.log",[user]=root
Fri Mar 27 10:05:28 2020 centos7: [FSM_LINUX_FILE_CLOSE_NOWRITE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CLOSE_NOWRITE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[user]=root
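The FSM_LINUX_FILE_* sample logs in Use Cases 1 through 10 share one shape: a timestamp, the reporting host, the event type in brackets, and a comma-separated list of `[key]=value` attributes where some values are quoted and may themselves contain commas (the permission lists in Use Case 3). The added example below (not FortiSIEM code) parses that format and applies two checks a defender would want from these events: the Compare Baseline drift described in Use Case 6 (hashCode differs from targetHashCode) and an attribute change that leaves a file world-writable. The three sample lines are copied from this page; the world-writable line is constructed for the example. The header regex, function names and the "finding" tuples are the example's own; the PH_DEV_MON_FILE_CONTENT_CHANGE line in Use Case 5 has a different syslog header and is not handled here.

```python
import hashlib
import re
from datetime import datetime

# Sample logs copied from this page (FortiSIEM Linux Agent FIM events).
FIM_SAMPLE_LOGS = [
    'Fri Mar 27 09:39:25 2020 centos7: [FSM_LINUX_FILE_CREATE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=CREATE,[targetObjType]=File,[targetObjName]="/mlm/a.log",[hashCode]="d41d8cd98f00b204e9800998ecf8427e",[hashAlgo]="MD5",[user]=root',
    'Fri Mar 27 09:45:27 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,EXEC",[otherPerm]="READ,EXEC",[user]=root',
    'Fri Mar 27 09:51:23 2020 centos7: [FSM_LINUX_FILE_CHANGE_BASELINE]: [fileName]=/mlm/mlm.txt,[targetHashCode]="aa63e826654915e0e2e1da385e6d14f8",[hashCode]="ac399331afa9d1f13618c9eff36ed51c",[hashAlgo]="MD5",[user]=root',
]

# Constructed line (not from the page), same format: the attribute change
# grants WRITE to "other", i.e. the file becomes world-writable.
WORLD_WRITABLE_LOG = 'Fri Mar 27 11:02:09 2020 centos7: [FSM_LINUX_FILE_ATTRIB_CHANGE]: [objectType]=Directory,[objectName]=/mlm,[objectAction]=ATTRIBUTE_CHANGE,[targetObjType]=File,[targetObjName]="/mlm/mlm.txt",[fileOwner]="root",[groupName]="mlm",[userPerm]="READ,WRITE,EXEC",[groupPerm]="READ,WRITE,EXEC",[otherPerm]="READ,WRITE,EXEC",[user]=root'

# "<weekday> <month> <day> <hh:mm:ss> <year> <host>: [<EVENT_TYPE>]: <attributes>"
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'(?P<host>[^:\s]+): \[(?P<event>[A-Z0-9_]+)\]:\s*(?P<body>.*)$')
# A value is either quoted (and may contain commas) or bare (runs to the next comma).
ATTR_RE = re.compile(r'\[(\w+)\]=(?:"([^"]*)"|([^,]*))')


def parse_fim_line(line):
    """Split one FSM_LINUX_FILE_* line into timestamp, host, event type and attributes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a FortiSIEM Linux Agent FIM line: %r" % line[:60])
    attrs = {}
    for key, quoted, bare in ATTR_RE.findall(m.group("body")):
        attrs[key] = quoted or bare
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "host": m.group("host"),
        "event": m.group("event"),
        "attrs": attrs,
    }


def baseline_drifted(event):
    """Use Case 6: the agent's current hash no longer matches the baseline hash."""
    a = event["attrs"]
    return (event["event"] == "FSM_LINUX_FILE_CHANGE_BASELINE"
            and a.get("hashCode") != a.get("targetHashCode"))


def is_empty_file_hash(event):
    """True when hashCode is the digest of zero bytes, i.e. the file was empty
    when hashed (the create event on this page reports exactly that)."""
    a = event["attrs"]
    try:
        return hashlib.new(a.get("hashAlgo", "").lower(), b"").hexdigest() == a.get("hashCode")
    except ValueError:          # unknown or disabled hash algorithm
        return False


def world_writable(event):
    """Use Case 3: an attribute change that gives WRITE to everyone."""
    a = event["attrs"]
    return (event["event"] == "FSM_LINUX_FILE_ATTRIB_CHANGE"
            and "WRITE" in a.get("otherPerm", "").split(","))


def triage(lines):
    """Run the checks over raw lines; returns (path, finding) tuples in input order."""
    findings = []
    for line in lines:
        ev = parse_fim_line(line)
        path = ev["attrs"].get("targetObjName") or ev["attrs"].get("fileName")
        if baseline_drifted(ev):
            findings.append((path, "baseline drift"))
        if world_writable(ev):
            findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    for path, finding in triage(FIM_SAMPLE_LOGS + [WORLD_WRITABLE_LOG]):
        print(finding, path)
```

The quoted-value branch of `ATTR_RE` matters: splitting the attribute list on commas would break `[userPerm]="READ,WRITE,EXEC"` into three keyless fragments. Note also that the raw keys (`targetObjName`, `groupName`) differ from the parsed attribute names listed above (`targetOsObjName`, `userGrp`); the checks here work on the raw keys as they appear in the sample lines.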
Agent Troubleshooting Notes
A Linux Agent can be in following states (shown in CMDB):
- Registered
- Running Inactive
- Running Active
- Disabled
- Disconnected
When an Agent is installed and registered, it is in the Registered state. The following audit event is generated: PH_AUDIT_AGENT_INSTALLED.
When a monitoring template is assigned to the device, the state moves to Running Inactive. When the agent receives the template and starts monitoring, the state moves to Running Active. In both cases, the following audit event is generated: PH_AUDIT_AGENT_RUNNING.
The Agent periodically sends heartbeat messages. When no heartbeat is received for 10 minutes, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated. Status is checked every hour; at that time, if the Agent has been heard from in the last 15 minutes, the state moves back to Running Inactive and a PH_AUDIT_AGENT_RUNNING audit event is generated.
If the Agent is disabled from the GUI, the state moves to Disabled and a PH_AUDIT_AGENT_DISABLED audit event is generated.
If the Agent is uninstalled or the service is stopped, the state moves to Disconnected and the audit event PH_AUDIT_AGENT_NOTRESPONDING is generated.
Audit events are generated at state transitions; however, the event PH_AUDIT_AGENT_NOTRESPONDING is generated every hour to identify all agents that are currently disconnected. A nested query can be run to detect Agents that did not report in the last N hours. Note that PH_AUDIT events must be queried with System Event Category = 2. Rules do not need this condition.
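Because PH_AUDIT_AGENT_NOTRESPONDING repeats every hour while an agent is disconnected, "did not report in the last N hours" is a two-part question: the agent's latest audit event is NOTRESPONDING, and it has had no PH_AUDIT_AGENT_RUNNING in the last N hours. The added example below (not FortiSIEM code or query syntax) applies that logic to a constructed stream of audit events so the result can be checked for different N, and also reports when each disconnection began. The event tuples, host names and the `at` helper are the example's own.

```python
from datetime import datetime, timedelta

RUNNING = "PH_AUDIT_AGENT_RUNNING"
NOT_RESPONDING = "PH_AUDIT_AGENT_NOTRESPONDING"


def at(hour, minute=0):
    """Constructed timestamp helper: all events fall on one day."""
    return datetime(2020, 3, 27, hour, minute)


# Constructed audit events: (time, agent host, audit event type).
AUDIT_EVENTS = [
    (at(0), "web01", RUNNING),
    (at(2), "web01", NOT_RESPONDING),    # heartbeat lost; repeated hourly
    (at(3), "web01", NOT_RESPONDING),
    (at(4), "web01", NOT_RESPONDING),
    (at(3, 30), "db01", RUNNING),
    (at(3, 30), "app01", RUNNING),
    (at(4), "app01", NOT_RESPONDING),
    (at(4, 30), "app01", RUNNING),       # hourly status check heard from it again
    (at(3, 30), "old01", RUNNING),
    (at(4), "old01", NOT_RESPONDING),
]


def agents_not_reporting(events, now, hours):
    """Hosts whose latest audit event is NOT_RESPONDING and that produced no
    RUNNING event within the last `hours` hours (the nested-query condition)."""
    latest = {}
    last_running = {}
    for ts, host, etype in sorted(events):
        latest[host] = etype
        if etype == RUNNING:
            last_running[host] = ts
    cutoff = now - timedelta(hours=hours)
    return sorted(host for host, etype in latest.items()
                  if etype == NOT_RESPONDING
                  and last_running.get(host, datetime.min) < cutoff)


def disconnected_since(events, host):
    """Start of the host's current disconnection (first NOT_RESPONDING after
    its last RUNNING), or None if the host is not currently disconnected."""
    since = None
    for ts, h, etype in sorted(events):
        if h != host:
            continue
        if etype == RUNNING:
            since = None
        elif etype == NOT_RESPONDING and since is None:
            since = ts
    return since


if __name__ == "__main__":
    now = at(5)
    for n in (1, 2):
        hosts = agents_not_reporting(AUDIT_EVENTS, now, n)
        print("not reporting for %d h:" % n,
              [(h, disconnected_since(AUDIT_EVENTS, h).isoformat()) for h in hosts])
```

At 05:00, N=2 returns only web01 (disconnected since 02:00); N=1 also returns old01, whose last RUNNING event at 03:30 is older than one hour. app01 is excluded in both cases because its latest event is RUNNING again. In a real query the same filter needs System Event Category = 2, as the note above states.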