Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

Monitoring System Health

To see the system level health of every FortiSIEM Supervisor and Worker node, go to ADMIN > Health > Cloud Health. The top pane shows the overall health of each node (Supervisor and Workers). Click a node and the bottom pane shows the health of the processes running on that node.


Monitoring Collector Health

To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.


Monitoring Agent Health

To see agent health information, go to ADMIN > Health > Agent Health.


Monitoring Elasticsearch Health

To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.


Monitoring Replication Health

To see the Replication health information, go to ADMIN > Health > Replication Health.


System Errors

To see the system errors, click the Jobs/Errors icon on the top-right corner of the FortiSIEM GUI and select the Error tab. You can also run the report ANALYTICS > Folders icon > Shortcuts > Top FortiSIEM Operational Errors.

Monitoring User and Query Activity

To see FortiSIEM user and query activity, click the User Activity icon on the top-right corner of the FortiSIEM GUI. The User Activity dialog box contains these tabs:

  • Logged in Users
  • Locked Users
  • Query Status
  • Query Workload

All of the tabs in the User Activity dialog box contain the time of the last refresh and the number of seconds until the next automatic refresh. By default, the automatic refresh interval is 60 seconds. To refresh the table on demand, click the Refresh button.

Logged in Users

This tab displays a table listing the users currently logged in to FortiSIEM. You can perform the following operations on this tab:

  • Log Out - Select one or more users in the table and click Log Out. The selected users will be logged out of FortiSIEM.
  • Log Out and Lock Out - Select one or more users in the table and click Log Out and Lock Out. The selected users will be logged out of FortiSIEM and prevented from logging back in.

The Logged in Users table contains the following columns:

  • Organization - The Organization to which the user belongs.
  • User - The name of the user.
  • Full Name - The full name of the user.
  • Login IP - The IP address from which the user logged in.
  • Role - The name of the user's role.
  • Login Time - The date and time when the user logged in.
  • Session ID - The ID of the user's FortiSIEM session.
  • Supervisor - The Supervisor node that the user's session is on.

Locked Users

This tab displays a table listing the users currently locked out of FortiSIEM. A user is typically locked out after repeated login failures, or because an administrator used Log Out and Lock Out on the Logged in Users tab. You can perform the following operations on this tab:

  • Unlock - Select one or more users in the table and click Unlock.

Note: Users can also be unlocked by going to CMDB > Users > Actions > Unlock.

The Locked Users table contains the following columns:

  • Organization - The Organization to which the user belongs.
  • User - The name of the user.
  • Full Name - The full name of the user.
  • Login IP - The IP address from which the user last logged in.
  • Role - The name of the user's role.
  • Locked Time - The date and time when the user was locked out of FortiSIEM.

Query Status

This tab displays a table listing the status of current and recent queries. You can perform the following operations on this tab:

  • Stop Query - Select a query from the table and click Stop Query. The selected query will be stopped remotely. If the query was sent from the ANALYTICS page, you should see a warning message saying this query was stopped manually. You should also be able to see the partial results you received before it was stopped.
  • Search - Click the Search button to search for queries by Query name (plain text search), User name (multiple options selected via a checkbox), and/or query Type (multiple options selected via a checkbox).
  • Sort - Click a column name. You can sort the column data in ascending or descending order.
  • Job Distribution for Query - Click a query in the Query Status table to see the Job Distribution for Query <query_name> table. This table identifies the Worker nodes employed in processing the query and their status. For more information, see Obtaining Job Distribution for Query.

The Query Status table contains the following columns:

  • Query ID - The ID of the query.
  • Query Name - The name of the query.
  • Organization - The organization that the query came from.
  • User - The name of the user who issued the query.
  • Status - The value of Status can be:
      • Running - The query is currently running.
      • Waiting - The query is waiting in the queue because the maximum number of concurrently running queries has been reached.
  • Type - The value of Type can be:
      • Interactive - Queries executed directly from the ANALYTICS page.
      • Scheduled Query - Queries scheduled from RESOURCES > Reports.
      • Scheduled Rule - Rules scheduled from RESOURCES > Rules.
  • Submit Time - The date and time when the query was submitted.
  • Start Time - The date and time when the query started running, after any time spent in the Waiting state.
  • Progress - The percentage of the query that has completed.
  • Elapsed - The time, in seconds, that the query has been running.
  • Supervisor - The Supervisor node where the query was initiated.

Obtaining Job Distribution for Query

To see how the query job is distributed between nodes, click a query in the Query Status table. The Job Distribution for Query <query_name> table appears beneath the Query Status table.

  • Sort - Click a column name. You can sort the column data in ascending or descending order.

The Job Distribution for Query <query_name> table contains the following columns:

  • Node - The node's IP address.
  • Role - The role (Supervisor or Worker) of the FortiSIEM node handling this part of the query.
  • Status - The value of Status can be:
      • Unknown - The query process is in an unknown state.
      • Starting - The query has started processing.
      • Running - The query is currently processing.
      • Pausing - The query is in the process of pausing processing.
      • Resuming - The query has resumed processing.
      • Stopping - The query is in the process of stopping processing.
      • Paused - The query has temporarily paused processing.
      • Stopped - The query has stopped processing.
      • Completed - The query has completed processing.
  • Interactive Tasks - The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the node.
  • Scheduled Tasks - The number of scheduled tasks assigned to the node.
  • Task Workload - The total number of tasks assigned to the node.
  • Progress - The percentage of the query that this node has completed.
  • Running For - The time (in seconds) elapsed since the Start Time. Note: this value is computed as the last refresh time minus the Start Time, not as Last Update minus Start Time, so it reflects wall-clock time rather than the time of the node's last report.
  • Start Time - The date and time when the node began processing the query.
  • Last Update - The date and time when the node last reported a progress update.

Query Workload

This tab displays a table listing the nodes available to process query jobs and the tasks currently assigned to each. You can perform the following operations on this tab:

  • Sort - Click a column name. You can sort the column data in ascending or descending order.
  • Status of Running Tasks - Click a node row in the Query Workload table to display the Tasks Running On <IP_address> table. For more information, see Obtaining Running Tasks.

The Query Workload table contains the following columns:

  • Node - The node's IP address.
  • Role - The role of the node.
  • Status - The value of Status can be:
      • Online - The node is currently online.
      • Offline - The node is currently offline.
  • Interactive Tasks - The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the node.
  • Scheduled Tasks - The number of scheduled tasks assigned to the node.
  • Task Workload - The total number of tasks assigned to the node.

Obtaining Running Tasks

To see the status of running tasks, click a node in the Query Workload table. The Tasks Running On <IP_address> table appears beneath the Query Workload table. You can perform the following operations on this table:

  • Sort - Click a column name. You can sort the column data in ascending or descending order.

The Tasks Running On <IP_address> table contains the following columns:

  • Query ID - The ID of the query.
  • Query Name - The name of the query.
  • User - The name of the user who issued the query.
  • Type - The value of Type can be:
      • Interactive - Queries executed directly from the ANALYTICS page.
      • Scheduled - Queries scheduled from RESOURCES > Reports.
  • Start Time - The date and time when the node began processing the task.
  • Status - See Status in Obtaining Job Distribution for Query.
  • Progress - The percentage of the task that has completed.
  • Range Start Time - The start of the time range covered by this task's query.
  • Range End Time - The end of the time range covered by this task's query.