7.0.1

Quick Start

This section includes the following information to help you get started with using FortiSIEM MEA Collector.

Enabling the FortiSIEM MEA Collector

The FortiSIEM MEA Collector can be enabled from the FortiAnalyzer GUI or CLI. Allow approximately 5 minutes for the container to be fully up and running before you SSH to it or register the MEA Collector with the Supervisor. In a future release, this will be improved, if possible.

To enable FortiSIEM MEA Collector in the GUI:
  1. Log in to the FortiAnalyzer GUI.

  2. Navigate to Management Extensions and click on FortiSIEM Collector to enable it.


  3. After clicking on FortiSIEM Collector, a confirmation dialog appears.


    Click OK to continue. The FortiSIEM MEA Collector container is downloaded from the Fortinet MEA registry and enabled on FortiAnalyzer. You are then taken into the FortiSIEM Collector GUI.
    Note: If you navigate back to the Management Extensions page on FortiAnalyzer, the FortiSIEM Collector icon appears bright instead of a dull gray shade, indicating that the extension is active.

To enable FortiSIEM MEA Collector in the CLI:
  1. SSH to FortiAnalyzer.

  2. Enable the fsmcollector MEA module:

    config system docker
        set status enable
        set fsmcollector enable
    end

Registering FortiSIEM MEA Collector to FortiSIEM Supervisor

After enabling the FortiSIEM MEA Collector, it must be registered to a licensed FortiSIEM Supervisor. Allow approximately 5 minutes for the container to be fully up and running before you SSH to it or register the MEA Collector with the Supervisor. In a future release, this will be improved, if possible.

  1. Login to the FortiAnalyzer GUI.

  2. Navigate to Management Extensions > FortiSIEM Collector and click Setup.

  3. Fill in the form by specifying the Org level admin credentials.

    1. Name – Set this to the same Collector name configured on the FortiSIEM Supervisor side.

    2. Click Add.

    3. Org

      1. Enterprise version: Enter Super.

      2. Service Provider version: Enter the Organization name to which the Collector will belong.

    4. User ID

      1. Enterprise version: Enter any Full Admin user.

      2. Service Provider version: Enter any Full Admin user from the Organization entered under Org (step 3).

    5. Password – Enter the password for the user entered under User ID (step 4).

    6. Supervisor: Set the Supervisor IP address or host name. A host name must be resolvable.

  4. Click Save. The Collector will register with Supervisor.

Note that these admin credentials are used only for registration. After registration completes, the Collector uses its own unique credential to communicate with the Supervisor.

Changing the Collector Password

To change the root password, log in to the MEA Collector via SSH. The Collector's SSH service is mapped to port 30022 on the FortiAnalyzer IP:

  1. Run the following command:
    ssh -p 30022 root@<FortiAnalyzer_IP>

  2. Enter the password. The default password is ProspectHills.

  3. You will then be prompted to change the password.

Because port 30022 is reachable on the FortiAnalyzer IP as soon as the extension is enabled, change the default password immediately after the container comes up, and restrict which hosts can reach that port.

Checking Collector Health

The Collector Health can be viewed from the FortiAnalyzer GUI or from the FortiSIEM Supervisor GUI.

From the FortiAnalyzer Collector GUI

  1. Login to the FortiAnalyzer GUI.

  2. Navigate to Management Extensions > FortiSIEM Collector and click Health to see the Collector health.

System Info Section

The system information section provides the following information.

  • Host Name of the Collector

  • Organization Name: If FortiSIEM installation is Service Provider type, then this field shows the Organization to which the Collector belongs. For Enterprise installation, this field is set to Super.

  • Collector Id: Unique Collector identifier as it appears in FortiSIEM GUI.

  • FortiSIEM version - The FortiSIEM version that the MEA Collector is running.

  • Uptime - The uptime of the Collector.

  • Supervisor - The hostname/FQDN or IP address of the Supervisor where the Collector is registered.

  • Status - Registration status of the Collector - Not Registered, Registered, or Not Connected.

System Resource Section

The system resource section provides the following information.

  • CPU usage – Shows the current CPU utilization. It can be clicked on to show a breakdown. Click on it again to go back. The colors in the chart are an indicator for CPU utilization.

    • Green: CPU utilization less than 60%

    • Yellow: CPU utilization between 60% and 90%

    • Red: CPU utilization greater than 90%

  • Memory usage – shows the current physical memory utilization. It can be clicked to show a breakdown. Click on it again to go back. The colors in the chart are an indicator for Memory utilization.

    • Green: Memory utilization less than 60%

    • Yellow: Memory utilization between 60% and 90%

    • Red: Memory utilization greater than 90%

  • Volume usage – shows the current /container utilization. It can be clicked to show a breakdown. Click on it again to go back. The colors in the chart are an indicator for Volume utilization.

    • Green: Volume utilization less than 60%

    • Yellow: Volume utilization between 60% and 90%

    • Red: Volume utilization greater than 90%

  • Swap usage – shows current swap utilization. It can be clicked to show a breakdown. Click on it again to go back. The colors in the chart are an indicator for Swap utilization.

    • Green: Swap utilization less than 60%

    • Yellow: Swap utilization between 60% and 90%

    • Red: Swap utilization greater than 90%

  • Load average – shows 1 minute, 5 minutes and 15 minute values for load average.

Events Per Second (EPS) Section

The events per second (EPS) section provides the following information.

  • Licensed EPS – shows current incoming EPS that is included in EPS license calculations. It shows 3 minute, 15 minute and 30 minute values.

  • Perf Mon EPS – shows current EPS resulting from performance monitoring use cases. This EPS is a component of Licensed EPS. It shows 3 minute, 15 minute and 30 minute values.

  • Internal EPS – shows EPS from FortiSIEM internal system logs generated by the FortiSIEM application itself. This does not count towards licensed EPS. It shows 3 minute, 15 minute and 30 minute values.

Process Status section

The process status section shows the process name, uptime, CPU utilization and memory usage for every FortiSIEM process running on the Collector.

From the FortiSIEM Supervisor GUI

The MEA Collector status is shown in the FortiSIEM Supervisor GUI in the same way as the status of any other Collector. The only difference is the Collector Type column: it is Docker for a MEA Collector, VM for a VM Collector and Hardware for a 500F appliance Collector.

  1. Login to the FortiSIEM GUI.

  2. Navigate to ADMIN > Health > Collector Health.

  3. Find the MEA Collector by name or IP. In the Collector Type column, it will appear as Docker. Click on the row with your MEA Collector to see its Process Status. Note that phMonitor on the Supervisor node communicates with phMonitor on the MEA Collector to get this information.

See the 6.3.0 FortiSIEM Online Help for details on all fields.

Discovery and Performance Monitoring

There is no difference between a VM Collector and a MEA Collector for discovery and performance monitoring. Log in to the FortiSIEM GUI and run discovery; the MEA Collector starts monitoring performance metrics just like a VM Collector. For details see Viewing Performance Monitoring Jobs in the 6.3.0 User Guide.

Log Handling

Logs obtained by Outbound Protocols

This covers cases such as vCenter discovery and performance monitoring and AWS CloudTrail monitoring, where the Collector initiates the outbound connection. There is no difference between a VM Collector and a MEA Collector. Go to the GUI and run Discovery / Test Connectivity as you would for a VM Collector.

FortiAnalyzer Events

This case covers external events (for example from FortiGate firewalls) that FortiAnalyzer already collects. Configure FortiAnalyzer to forward these events to the FortiSIEM MEA Collector over syslog as follows. The destination is FortiAnalyzer's own IP, because port 30514 on that IP is mapped to port 514 inside the Collector container.

  1. Log in to the FortiAnalyzer GUI.

  2. Go to System Settings -> Log Forward.

  3. Create a new policy as follows:

    Name: Test

    Status: ON

    Remote Server Type: Syslog

    Server IP: 172.30.56.62 (your FortiAnalyzer's IP)

    Server Port: 30514


  4. Click Save.

  5. Go to System Settings -> Device Log Settings -> Local Device Log.

  6. Select the "Send the local event logs to FortiAnalyzer/FortiManager" checkbox.

  7. Enter the following settings:

    IP: 172.30.56.62 (your FortiAnalyzer's IP)

    Upload Option: Real-time

    Severity Level: Choose an appropriate value from the drop-down list.


External Events

If you want external devices (such as Cisco ASA or IOS) to send events to the FortiSIEM MEA Collector, the device must send events to the following pre-configured translated ports.

  • UDP Syslog must be sent to FortiAnalyzer on port 30514/udp

  • TCP Syslog must be sent to FortiAnalyzer on port 30514/tcp

  • HTTPS POST must be sent to FortiAnalyzer on port 30443

  • SCP must be sent to FortiAnalyzer on port 30022

  • SNMP trap must be sent to FortiAnalyzer on port 30162

Note that Netflow/JFlow/SFlow is currently not supported by the MEA Collector.

Follow steps 1-4 in FortiAnalyzer Events to forward these external device logs to FortiSIEM.
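The following is an added example, not Fortinet code, showing what a device-side test event looks like on the translated syslog ports listed above: it builds an RFC 3164 line with the PRI computed from facility and severity, sends it over UDP or TCP to port 30514 on the FortiAnalyzer IP, or over TLS to 36514, and lets you validate the bytes against a throwaway local listener first. FAZ_HOST, the sample ASA event and the newline framing on TCP are assumptions; the only page-supplied facts are the ports.

```python
"""Send a test syslog event to the FortiSIEM MEA Collector through FortiAnalyzer.

Added example (not Fortinet code). Assumptions: FAZ_HOST is a placeholder for
your FortiAnalyzer IP; the Collector accepts newline-framed TCP/TLS syslog.
"""
import socket
import ssl
from datetime import datetime

FAZ_HOST = "192.0.2.10"      # placeholder (assumption): your FortiAnalyzer IP
SYSLOG_PORT = 30514          # translated to 514 inside the container (udp and tcp)
SYSLOG_TLS_PORT = 36514      # translated to 6514/tcp (syslog over TLS)


def build_syslog_message(facility, severity, hostname, app, text, ts=None):
    """Build an RFC 3164 style line: <PRI>Mmm dd HH:MM:SS hostname app: text.

    PRI is facility*8 + severity; the day of month is space-padded to two characters.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    if "\n" in text or "\r" in text:
        raise ValueError("a newline in the text would be parsed as a second event")
    pri = facility * 8 + severity
    ts = ts or datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {app}: {text}".encode("utf-8")


def send_udp(payload, host=FAZ_HOST, port=SYSLOG_PORT):
    """One datagram per event. Nothing confirms delivery, so check the Collector's
    Licensed EPS in the Health page afterwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def send_tcp(payload, host=FAZ_HOST, port=SYSLOG_PORT, timeout=5.0):
    """Newline-framed TCP syslog (assumption: the receiver splits events on LF)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")
    return len(payload) + 1


def send_tls(payload, cafile, host=FAZ_HOST, port=SYSLOG_TLS_PORT, timeout=5.0):
    """Syslog over TLS on the 36514 mapping. cafile must be the CA that signed the
    Collector's certificate (its TLS material lives under /etc/pki/tls in the
    container); certificate and hostname verification are left on deliberately."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(payload + b"\n")
    return len(payload) + 1


def loopback_check(payload):
    """Validate the message bytes against a throwaway UDP listener on 127.0.0.1
    before pointing at FortiAnalyzer. Returns the bytes that arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        send_udp(payload, host="127.0.0.1", port=srv.getsockname()[1])
        data, _ = srv.recvfrom(65535)
        return data
    finally:
        srv.close()


def sample_event():
    """Constructed sample (not a real log): local4.info from a Cisco ASA."""
    return build_syslog_message(
        20, 6, "asa-edge1", "%ASA-6-302013",
        "Built inbound TCP connection 1234 for outside:203.0.113.5/44321",
        ts=datetime(2024, 1, 5, 13, 4, 5),
    )


if __name__ == "__main__":
    msg = sample_event()
    print(msg.decode())
    print("loopback ok:", loopback_check(msg) == msg)
    # Against a real FortiAnalyzer (replace FAZ_HOST first):
    # send_udp(msg); send_tcp(msg); send_tls(msg, "/path/to/collector-ca.pem")
```

Run it once without arguments to see the exact line and confirm the loopback round trip; then replace FAZ_HOST and uncomment the real send, and verify arrival on the Health page or in the Supervisor's Collector Health view rather than trusting the UDP send.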

Upgrade

An MEA Collector cannot be upgraded from the Supervisor GUI like other VM Collectors because the docker image is in the docker registry and not in the FortiSIEM Supervisor. To upgrade MEA Collectors one by one, take the following steps:

  1. First verify the FortiSIEM MEA Collector version – either from the FortiAnalyzer MEA Collector GUI or from the FortiSIEM Supervisor GUI, ADMIN > Health > Collector Health.

  2. The MEA registry can only hold the latest FortiSIEM MEA Collector image. Verify that version and make sure you want to upgrade to that version. Note that the FortiSIEM Supervisor and Worker(s) have to be on a higher version than the Collectors.

  3. If you want to upgrade then take the following steps:

    1. Login to the FortiAnalyzer CLI.

    2. Enter diagnose docker upgrade fsmcollector

      If the docker registry that is currently enabled has a new image published, then the system will automatically download this image, stop the running image, upgrade to the new image and re-create the new docker container.

Operational Differences between MEA Collector and VM/Hardware Collector

The MEA Collector is a collection of Linux processes that run inside a docker container on FortiAnalyzer. In contrast, a VM/hardware Collector runs on a Hypervisor or bare metal hardware. The following are noted differences.

  1. To log in to the MEA Collector via SSH, connect to port 30022 on the FortiAnalyzer IP:

    ssh -p 30022 <user>@<FortiAnalyzer_IP>

  2. Upgrade works differently – see Upgrade in the FortiSIEM MEA Admin Guide.

  3. Rebooting a MEA Collector has to be done from FortiAnalyzer.

    1. SSH to FortiAnalyzer.

    2. Stop the MEA Collector:

      config system docker
          set fsmcollector disable
      end

    3. Start the MEA Collector:

      config system docker
          set fsmcollector enable
      end

  4. Running "ifconfig" inside the MEA Collector only returns a link-local address. To get the IP of FortiAnalyzer, run the following inside the container:

    phGetDockerHostIP.py

  5. Only the following port mappings (FortiAnalyzer port -> container port) are available for communicating with the MEA Collector.

    1. FTP: 30021->21/tcp

    2. SSH/SCP: 30022->22/tcp

    3. SNMP Trap: 30162->162/udp

    4. HTTPS: 30443->443/tcp

    5. Syslog

      1. 30514->514/tcp

      2. 30514->514/udp

      3. 36514->6514/tcp (syslog over TLS)

  6. Netflow to MEA Collector is not supported.
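As an added example (not Fortinet code), the check below probes the TCP mappings from the list above from a log-source or admin host and flags anything open that is not on your allow-list; enabling the extension exposes SSH, FTP and HTTPS on the FortiAnalyzer IP alongside syslog, and that exposure is worth confirming rather than assuming. The placeholder FortiAnalyzer IP and the allow-list are assumptions; UDP services (30514/udp, 30162/udp) give no connect() answer and are deliberately left out.

```python
"""Pre-flight reachability check of the TCP services FortiAnalyzer exposes
for the MEA Collector. Added example, not Fortinet code.
"""
import socket

# Translated port on the FortiAnalyzer IP -> port inside the container (from the page).
MEA_TCP_SERVICES = {
    "ftp (30021->21)": 30021,
    "ssh/scp (30022->22)": 30022,
    "https (30443->443)": 30443,
    "syslog-tcp (30514->514)": 30514,
    "syslog-tls (36514->6514)": 36514,
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake completes; False on refusal, timeout or unreachable host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_collector(host, services=MEA_TCP_SERVICES, timeout=2.0):
    """Map each service label to whether it is reachable from this host."""
    return {name: tcp_port_open(host, port, timeout) for name, port in services.items()}


def unexpected_exposure(results, allowed):
    """Services reachable from here that are not in the allow-list, e.g. ssh/scp
    answering on a VLAN whose devices only need to deliver syslog."""
    return sorted(name for name, is_open in results.items()
                  if is_open and name not in allowed)


def loopback_demo():
    """Self-test on 127.0.0.1: one listening socket and one port known to be closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind-and-release a second ephemeral port so we have one that refuses connections.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return probe_collector("127.0.0.1", {"open": open_port, "closed": closed_port})
    finally:
        listener.close()


if __name__ == "__main__":
    results = probe_collector("192.0.2.10")   # placeholder FortiAnalyzer IP (assumption)
    for name, is_open in results.items():
        print(f"{name:26s} {'open' if is_open else 'closed/filtered'}")
    # Assumption: this host should only ever need the two syslog mappings.
    allowed = {"syslog-tcp (30514->514)", "syslog-tls (36514->6514)"}
    print("unexpected exposure:", unexpected_exposure(results, allowed))
```

Run it from each network segment that can reach the FortiAnalyzer IP; a non-empty "unexpected exposure" list from a device VLAN means the translated SSH/FTP/HTTPS ports need a firewall policy in front of them.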

Recommendations

FortiSIEM management extension application system resource recommendation:

  • Disk: 100GB recommended for /var/docker/fsmcollector. This is where the persistent FortiSIEM MEA Collector state is stored, so the state survives a reboot of the MEA Collector.

    On the host, /var/docker/fsmcollector is mounted into the container as /container, and the following Collector paths are kept on it:

    • /opt/phoenix/cache -> /container/cache

    • /opt/phoenix/log -> /container/log

    • /opt/phoenix/config -> /container/config

    • /etc/pki/tls -> /container/etc/pki/tls

    • /etc/httpd -> /container/etc/httpd
