Monitoring Settings

The following sections describe the procedures for Monitoring settings:

Important Processes

This setting allows you to always get process resource utilization reports and UP/DOWN alerts on a set of important processes across all device types.

  1. Go to ADMIN > Settings > Monitoring > Important Processes tab.
  2. Click Enable.
    Enabling this stops the monitoring of all processes; only the processes you select in this tab will be monitored.
  3. Click New.
  4. Enter a Process Name, Parameter, and select an Organization from the drop-down.
  5. Click Save.
  6. Select the processes from the table and click Apply.
    FortiSIEM will start monitoring only the selected processes in this tab.
  7. If you want to disable this and return to ALL process monitoring, then click Disable.

Important Ports

This setting allows you to get TCP/UDP port UP/DOWN status only for a set of important ports. Reporting UP/DOWN status for every TCP/UDP port on every server can consume a significant amount of resources. A port's UP/DOWN status is reported only if the port belongs to the list defined here.

Matching is exact based on port number and IP protocol.

  1. Go to ADMIN > Settings > Monitoring > Important Ports tab.
  2. Click New.
  3. Enter the Port Number and select the Port Type and Organization from the drop-down.
  4. Click Save.
  5. Select the new ports from the list and click Apply.

Important Interfaces

This setting allows you to always get interface utilization reports on a set of important network interfaces across all device types.

  1. Create a list of all Important interfaces.
  2. Go to ADMIN > Settings > Monitoring > Important Interfaces tab.
  3. Click Enable.
    Enabling this stops the monitoring of all interfaces; only the interfaces you select in this tab will be monitored.
  4. Click the icon to the left of the search field to select either Show Device Table or Show Interface only.
  5. Click Select to add the selected interface to the list. The Critical and Monitor columns will be automatically checked.
  6. Check the WAN box if applicable. If checked, the interface utilization events will have the isWAN = "yes" attribute.
    You can use this to run a report for all WAN interfaces.
  7. Select the interfaces from the table and click Apply.
    FortiSIEM will start monitoring only the selected interfaces in this tab.
  8. If you want to disable this and return to ALL interface monitoring, click Disable.

By default, this feature is disabled, whether FortiSIEM was upgraded or newly installed. When it is disabled, FortiSIEM monitors interface utilization and up/down events for all interfaces, and the isHostIntfCritical attribute is set to false for every interface. As a result, only the "non-critical interface staying down" rule can trigger; the "critical interface staying down" rule never can.

When the feature is enabled, each interface has two check boxes, Monitor and Critical. Checking Critical automatically checks Monitor. Monitor controls whether interface utilization events are generated: FortiSIEM generates them only for interfaces whose Monitor box is checked. Critical controls whether interface up/down events are generated: FortiSIEM generates them only for interfaces whose Critical box is checked. For an interface marked Critical, the isHostIntfCritical attribute is set to true in the generated interface utilization and up/down events. The "critical interface staying down" rule triggers on interfaces whose isHostIntfCritical is true; the "non-critical interface staying down" rule has no chance to trigger in this mode.
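The Monitor/Critical semantics above are easy to misread when a rule unexpectedly stays silent. The following Python model is an added illustration, not FortiSIEM code: it assumes the behaviour stated in the text (feature disabled means util and up/down events for every interface with isHostIntfCritical false; feature enabled means Critical implies Monitor, Monitor gates util events, Critical gates up/down events and sets isHostIntfCritical true). The event labels "interface_util" and "interface_updown", the field layout and the sample inventory are assumptions made for the example; only isHostIntfCritical and isWAN come from the page.

```python
from dataclasses import dataclass

# Added model of the Important Interfaces Monitor/Critical logic.
# Not FortiSIEM code; event labels and field names are assumptions.


@dataclass
class Interface:
    host: str
    name: str
    monitor: bool = False   # Monitor check box in the Important Interfaces tab
    critical: bool = False  # Critical check box (checking it also checks Monitor)
    wan: bool = False       # WAN check box, surfaces as isWAN on the events


def generated_events(iface, feature_enabled):
    """Model the events emitted for one interface.

    'kind' is a label used only by this model ('interface_util' or
    'interface_updown'), not a FortiSIEM event type.
    """
    if feature_enabled:
        is_critical = iface.critical
        emit_util = iface.monitor or is_critical   # Critical implies Monitor
        emit_updown = is_critical                  # up/down only for Critical
    else:
        is_critical = False                        # attribute false for all interfaces
        emit_util = emit_updown = True             # everything is monitored
    common = {
        "host": iface.host,
        "intf": iface.name,
        "isHostIntfCritical": is_critical,
        "isWAN": "yes" if iface.wan else "no",
    }
    events = []
    if emit_util:
        events.append({"kind": "interface_util", **common})
    if emit_updown:
        events.append({"kind": "interface_updown", **common})
    return events


def rules_that_can_fire(events):
    """Return the set of 'staying down' rules that have a matching up/down event.

    The critical rule needs an up/down event with isHostIntfCritical true,
    the non-critical rule needs one with it false.
    """
    updown = [e for e in events if e["kind"] == "interface_updown"]
    rules = set()
    if any(e["isHostIntfCritical"] for e in updown):
        rules.add("critical interface staying down")
    if any(not e["isHostIntfCritical"] for e in updown):
        rules.add("non-critical interface staying down")
    return rules


# Constructed inventory: one critical WAN uplink, one monitored-only interface,
# one interface with neither box checked.
SAMPLE = [
    Interface("fw-edge-1", "ge-0/0/0", monitor=True, critical=True, wan=True),
    Interface("fw-edge-1", "ge-0/0/1", monitor=True),
    Interface("core-sw-1", "Gi1/0/24"),
]


def summarize(feature_enabled):
    """Event count and the rules that can fire for SAMPLE in the given mode."""
    events = [e for i in SAMPLE for e in generated_events(i, feature_enabled)]
    return {"events": len(events), "rules": sorted(rules_that_can_fire(events))}


if __name__ == "__main__":
    for enabled in (False, True):
        label = "feature enabled" if enabled else "feature disabled"
        print(label, summarize(enabled))
```

Running it shows the asymmetry described in the text: with the feature disabled every interface produces both event kinds but only the non-critical rule can ever fire, and with it enabled an interface with neither box checked produces nothing at all, so an interface you forgot to mark Critical will never raise a "staying down" incident.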

Excluded Disks

This setting allows you to exclude disks from disk capacity utilization monitoring. Disk capacity utilization events will not be generated for disks matching the device name, access IP, and disk name. Incidents will not trigger for these events, and the disks will not show up in summary dashboards. Use this list to exclude read-only disk volumes or partitions that do not grow in size and are close to full.

  1. Go to ADMIN > Settings > Monitoring > Excluded Disks tab.
  2. Click New.
  3. From the Choose Disk dialog box, select the device from the device group.
  4. Click Select.
  5. Select the device from the table and click Apply.

Windows WMI Filter

Windows can produce a very high number of system, application, and security logs. The system provides a default filter, Get All Logs, which returns all of the Windows logs detected. By defining a filter, you can obtain only the logs you need.

Step 1: Create the Windows WMI Filter

  1. Go to ADMIN > Settings > Monitoring > Windows WMI Filter tab.
  2. Click New.
  3. Enter a name and an optional description for the filter in the New WMI Filter dialog box.
  4. Click New to define a filter for the template:
    1. From the Type drop-down list, select Application, Security, or System.
    2. In the Include and Exclude fields, enter a comma-separated list of the event codes which should be included or excluded from the filter.
    3. Click Save.
  5. Click Save again to save the Windows WMI filter.

Step 2: Apply the Filter in a Credential

  1. Go to ADMIN > Setup > Credentials.
  2. Click New in Step 1: Enter Credentials.
    1. In the Access Method Definition dialog box, select one of the Microsoft devices from the Device Type drop-down list.
    2. From the Access Protocol drop-down list, select WMI.
    3. From the WMI Filter drop-down list, select the filter created in Step 1: Create the Windows WMI Filter.
    4. Enter any other required information for the credential. For more information, see Setting Credentials.
    5. Click Save.
  3. Click New in Step 2: Enter the IP Range for Credential.
    1. In the Device Credential Mapping Definition dialog box, enter an IP or IP range.
    2. From the Credentials drop-down list, select the filter created in Step 1: Create the Windows WMI Filter.

      For more information, see Associating a credential to IP ranges or hosts.

    3. Click Save.

Step 3: Discover Using the WMI credential in Step 2

Any Windows Server discovery that uses a WMI credential will only pull the logs specified in the filter from Step 1.
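To make the effect of the Include and Exclude lists from Step 1 concrete, here is an added Python model of a WMI filter applied to a handful of Windows events. It is not FortiSIEM code, and the page does not state the precedence rules, so the example assumes that Exclude wins over Include, that an empty Include list means all event codes of that log type, and that a log type with no filter entry is passed through unchanged (matching the default Get All Logs filter). The sample events are constructed for the example; the event codes are well-known Windows IDs but carry no meaning for the model.

```python
from dataclasses import dataclass, field

# Added model of a Windows WMI filter's Include/Exclude event-code lists.
# Not FortiSIEM code; precedence rules below are assumptions.

LOG_TYPES = ("Application", "Security", "System")


def parse_codes(text):
    """Parse the comma-separated Include/Exclude field into a set of event codes."""
    return {int(tok) for tok in text.split(",") if tok.strip()}


@dataclass
class FilterEntry:
    log_type: str
    include: set = field(default_factory=set)   # empty means "all codes"
    exclude: set = field(default_factory=set)

    def allows(self, event_code):
        # Assumption: Exclude takes precedence over Include.
        if event_code in self.exclude:
            return False
        return not self.include or event_code in self.include


@dataclass
class WmiFilter:
    name: str
    entries: dict = field(default_factory=dict)  # log type -> FilterEntry

    def add_entry(self, log_type, include="", exclude=""):
        """One row of the New WMI Filter dialog: Type plus Include/Exclude lists."""
        if log_type not in LOG_TYPES:
            raise ValueError(f"unknown log type {log_type!r}")
        self.entries[log_type] = FilterEntry(
            log_type, parse_codes(include), parse_codes(exclude))
        return self

    def allows(self, log_type, event_code):
        # Assumption: a log type without an entry is not filtered at all.
        entry = self.entries.get(log_type)
        return entry.allows(event_code) if entry else True


# The default filter has no entries, so everything passes.
GET_ALL_LOGS = WmiFilter("Get All Logs")

# A narrower filter: keep logon and process-creation events from the Security
# log, drop the noisy service state-change event from the System log.
AUTH_AND_PROCESS = (WmiFilter("Auth and process")
                    .add_entry("Security", include="4624, 4625, 4688")
                    .add_entry("System", exclude="7036"))

# Constructed sample of what a WMI pull might return: (log type, code, summary).
SAMPLE_EVENTS = [
    ("Security", 4624, "An account was successfully logged on"),
    ("Security", 4625, "An account failed to log on"),
    ("Security", 4688, "A new process has been created"),
    ("Security", 5156, "Filtering Platform permitted a connection"),
    ("System", 7036, "Service entered the running state"),
    ("Application", 1000, "Application error"),
]


def apply_filter(flt, events=SAMPLE_EVENTS):
    """Return the (log type, event code) pairs the filter lets through."""
    return [(t, c) for t, c, _ in events if flt.allows(t, c)]


if __name__ == "__main__":
    print(GET_ALL_LOGS.name, apply_filter(GET_ALL_LOGS))
    print(AUTH_AND_PROCESS.name, apply_filter(AUTH_AND_PROCESS))
```

With the narrower filter the Security log is reduced to the three listed codes, the System entry drops only code 7036, and the Application log is untouched because no entry was defined for it. Before relying on a filter in production, confirm the product's actual precedence for a code that appears in both lists, since the assumption above may not match it.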