Advanced Health System Advanced Operations
FortiSIEM enables you to perform the following advanced operations:
- Monitoring System Health
- Monitoring Collector Health
- Monitoring Agent Health
- Monitoring Elasticsearch Health
- Monitoring Replication Health
- System Errors
- Monitoring User and Query Activity
Monitoring System Health
To see the system level health of every FortiSIEM Supervisor/Worker node, go to ADMIN > Health > Cloud Health. The top pane shows the overall health of various nodes – Supervisor and Workers. Click any one node and the bottom pane shows the health of the various processes in that node.
For details, see here.
Monitoring Collector Health
To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.
For details, see here.
Monitoring Agent Health
To see agent health information, go to ADMIN > Health > Agent Health.
For details, see here.
Monitoring Elasticsearch Health
To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.
For details, see here.
Monitoring Replication Health
To see the Replication health information, go to ADMIN > Health > Replication Health.
For details, see here.
System Errors
To see the system errors, click the Jobs/Errors icon on the top-right corner of FortiSIEM GUI and select the Error tab. You can also run a report in ANALYTICS > click the Folders icon > Shortcuts > Top FortiSIEM Operational Errors.
Monitoring User and Query Activity
To see FortiSIEM User and Query Activity, click the User Activity icon on the top-right corner of FortiSIEM GUI. The User Activity dialog box contains these tabs:
All of the tabs in the User Activity dialog box contain the time of the last refresh and the number of seconds until the next automatic refresh. By default, the automatic refresh interval is 60 seconds. To refresh the table on demand, click the Refresh button.
Logged in Users
This tab displays a table listing the users currently logged in to FortiSIEM. You can perform the following operations on this tab:
- Log Out - Select one or more users in the table and click Log Out. The selected users will be logged out of FortiSIEM.
- Log Out and Lock Out - Select one or more users in the table and click Log Out and Lock Out. The selected users will be logged out of FortiSIEM and prevented from logging back in.
The Logged in Users table contains the following information:
Column | Description |
---|---|
Organization | The Organization to which the user belongs. |
User | The name of the user. |
Full Name | The full name of the user. |
Login IP | The IP address from which the user logged in. |
Role | The name of the user's role. |
Login Time | The date and time when the user logged in. |
Session ID | The ID of the user's FortiSIEM session. |
Supervisor | The Supervisor of the user. |
Locked Users
This tab displays a table listing the users currently locked out of FortiSIEM. Typically, user access to FortiSIEM can be locked due to multiple login failures. You can perform the following operations on this tab:
- Unlock - Select one or more users in the table and click Unlock.
Note: Users can also be unlocked by going to CMDB > Users > Actions > Unlock.
The Locked Users table contains the following information:
Column | Description |
---|---|
Organization | The Organization to which the user belongs. |
User | The name of the user. |
Full Name | The full name of the user. |
Login IP | The IP address from which the user logged in. |
Role | The name of the user's role. |
Locked Time | The date and time when the user was locked out of FortiSIEM. |
Query Status
This tab displays a table listing the status of current and recent queries. You can perform the following operations on this tab:
- Stop Query - Select a query from the table and click Stop Query. The selected query will be stopped remotely. If the query was sent from the ANALYTICS page, you should see a warning message saying this query was stopped manually. You should also be able to see the partial results you received before it was stopped.
- Search - Click the Search button to search for queries by Query name (plain text search), User name (multiple options selected via a checkbox), and/or query Type (multiple options selected via a checkbox).
- Sort - Click a column name. You can sort the column data in ascending or descending order.
- Job Distribution for Query - Click a query in the Query Status table to see the Job Distribution for Query <query_name> table. This table identifies the Worker nodes employed in processing the query and their status. For more information, see Obtaining Job Distribution for Query.
The Query Status table contains the following information:
Column | Description |
---|---|
Query ID | The ID of the query. |
Query Name | The name of the query. |
Organization | The organization that the query came from. |
User | The name of the user who issued the query. |
Status | The value of Status can be: |
Type | The value of Type can be: |
Submit Time | The date and time when the query was submitted. |
Start Time | The date and time when the query was issued. |
Progress | The percent of progress the query has made towards completion. |
Elapsed | The time, in seconds, that the query has run. |
Supervisor | The Supervisor where the query was initiated. |
Obtaining Job Distribution for Query
To see how the query job is distributed between nodes, click a query in the Query Status table. The Job Distribution for Query <query_name> table appears beneath the Query Status table.
- Sort - Click a column name. You can sort the column data in ascending or descending order.
The Job Distribution for Query <query_name> table contains the following information:
Query Workload
This tab displays a table listing the available nodes for a query job. You can perform the following operations on this tab:
- Sort - Click a column name. You can sort the column data in ascending or descending order.
- Status of Running Tasks - Click a node row in the Query Workload table to display the Tasks Running On <IP_address> table. For more information, see Obtaining Running Tasks.
The Query Workload table contains the following information:
Column | Description |
---|---|
Node | The node's IP address. |
Role | The role of the node. |
Status | The value of Status can be: |
Interactive Tasks | The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the node. |
Scheduled Tasks | The number of scheduled tasks assigned to the node. |
Task Workload | The total number of tasks assigned to the node. |
Obtaining Running Tasks
To see the status of running tasks, click a node in the Query Workload table. The Tasks Running On <IP_address> table appears beneath the Query Workload table. You can perform the following operations on this tab:
- Sort - Click a column name. You can sort the column data in ascending or descending order.
The Tasks Running On <IP_address> table contains the following information:
Column | Description |
---|---|
Query ID | The ID of the query. |
Query Name | The name of the query. |
User | The name of the user who issued the query. |
Type | The value of Type can be: |
Start Time | The date and time when the query began processing. |
Status | See Status in Obtaining Job Distribution for Query. |
Progress | The percent of progress the query has made towards completion. |
Range Start Time | The time the ranged query started. |
Range End Time | The time that the ranged query ends. |