Where and how can I view my Skype logs (chat and voice history)? Does it get saved somewhere on the PC by default? Can I choose a folder location myself to start saving voice and chat history?
Ryan Gates
Guest
5 Answers
How can I view Skype logs?
There are plenty of third-party tools for that: Skyperious, SkypeBrowser, any SQLite browser and many others.
Does it get saved somewhere?
Yes, that's the (incomplete) list of possible locations from the SkypeBrowser website:
On Windows 7, 8, 10:
On Windows XP:
On Mac OS:
On Linux:
Also on Windows 10: (updated 2019-05-07)
Can I choose a folder location myself to start saving voice and chat history?
I don't know any way to do this.
Andre Borges
As of April 2017 and the new Skype for Windows 10 (Skype UWP - Universal Windows Platform), the main.db file has moved to with %localappdata% being C:\Users\<username>\AppData\Local
Source: https://answers.microsoft.com/en-us/skype/forum/skype_win10-skype_startms/skype-app-data-folder-missing-directs-me-to/e4ecb6ca-f64d-4983-b768-727237638fb2
Kurt Pfeifle
Brian Burns
Skype profile data (including contacts, chat and voice history, etc.) is saved in
%AppData%\Skype\<skype username>
which will typically be C:\Users\<windows username>\AppData\Roaming\Skype\<skype username>
on a Windows Vista/7/8 system. The databases are in SQLite3 format and will require an SQLite viewer to properly view them.
I'm not aware of any user-friendly way to change the location of Skype profile data, but it can be redirected to any location using symbolic links (for advanced users only).
Duke Nukem
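Since main.db is an SQLite3 database, it can be read with a few lines of Python instead of a GUI viewer. This is an added example, not code from any of the answers; it assumes the classic (pre-UWP) schema, in which chat messages live in a table named Messages with columns author, from_dispname, body_xml and timestamp (Unix seconds), and it builds a constructed sample database so it runs offline.

```python
"""Read the chat history out of a classic-client Skype main.db.

Assumption: the classic schema with a Messages table holding author,
from_dispname, body_xml and timestamp (Unix seconds). If your copy
differs, inspect it first with `.tables` / `.schema Messages` in the
sqlite3 shell. The database used here is constructed in a temporary
directory so the script runs without a real Skype profile.
"""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone


def open_readonly(path):
    # mode=ro refuses writes, so inspecting the log cannot alter it,
    # which is the habit you want when the file is evidence.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def read_messages(path, limit=1000):
    """Return chat messages as dicts, oldest first, timestamps in UTC."""
    conn = open_readonly(path)
    try:
        if "Messages" not in list_tables(conn):
            raise ValueError("no Messages table: schema differs from the assumed one")
        rows = conn.execute(
            "SELECT timestamp, author, from_dispname, body_xml "
            "FROM Messages ORDER BY timestamp LIMIT ?", (limit,))
        return [
            {
                "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                "author": author,
                "display_name": dispname,
                "body": body,
            }
            for ts, author, dispname, body in rows
        ]
    finally:
        conn.close()


def build_sample_db(path):
    # Constructed sample with two messages; not a real Skype database.
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE Messages (
            id INTEGER PRIMARY KEY,
            author TEXT, from_dispname TEXT, body_xml TEXT, timestamp INTEGER);
        INSERT INTO Messages (author, from_dispname, body_xml, timestamp) VALUES
            ('alice.example', 'Alice', 'hi bob', 1491004800),
            ('bob.example', 'Bob', 'hello alice', 1491004860);
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the sample database, read it back and return the messages."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "main.db")
    build_sample_db(path)
    try:
        return read_messages(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for m in demo():
        print(m["time"], m["display_name"], m["body"])
```

Point read_messages at a copy of your own main.db (never the live file while Skype is running) to list your history.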
Normally it will be stored in the main.db file.
For the Windows operating system, the default path for Windows XP:
The default path for Windows 7+:
- Close Skype
- Open the Run command
- Type %appdata%\skype
- Navigate to your user name (Skype username)
- You will find all the info in the main.db file
Hope it helps
BlueBerry - Vignesh4303
There is a neat tool SkypeLogView. It is old but works like charm.
Bogdan Bogdanov
Installation
Additional Information in the Help Center
You can find additional information about installation, upgrades, and license management for your AccelOps deployment in the Installation, Upgrades, and Licenses section of the Help Center maintained by AccelOps Support.
The topics in this section are intended to guide you through the basic process of setting up and configuring your AccelOps deployment. This includes downloading and installing the AccelOps OVA image, using your hypervisor virtual machine manager to configure the hardware settings for your AccelOps node, setting up basic configurations on your Supervisor node, and registering your Supervisor and other nodes. Setting up IT infrastructure monitoring, including device discovery, monitoring configuration, and setting up business services, is covered under the section Configuring Your AccelOps Platform.
What You Need to Know before You Begin Installation
What Kind of Deployment Will You Set Up?
Who Will Install and Configure AccelOps?
What Information Do You Need to Get Started?
The Basic Installation Process
What You Need to Know before You Begin Installation
What Kind of Deployment Will You Set Up?
Before beginning installation you should have determined the exact deployment configuration you will follow, as described in the topics under Deployment Options. Note that many deployment options have particular hardware requirements. For example, if you intend to use an NFS server for a cluster deployment, or if you want to use Visual Analytics, you will need to make sure that you have the necessary hardware and network components in place. We strongly recommend that you read through all the installation topics for your deployment configuration before you begin.
Who Will Install and Configure AccelOps?
These topics assume that you have the basic system administration skills required to install AccelOps, and that you are already familiar with the use of hypervisors such as VMware ESX or, if you are setting up a Cloud deployment, that you are already familiar with Cloud environments such as Amazon Web Services.
What Information Do You Need to Get Started?
You will need to have administrator-level permissions on the host where you will download and install AccelOps, and you will also need to have the username and password associated with your AccelOps license. If you intend to use NFS storage for event data, you will also need to have set up an NFS server prior to installation.
The Basic Installation Process
The installation process for any AccelOps deployment consists of a few steps:
- Import the AccelOps virtual appliance into a hypervisor or Amazon Web Services environment
- Edit the virtual appliance hardware settings
- Start and configure the virtual appliance from the hypervisor console
- Register the virtual appliance
Topics in this section will take you through the specific installation and configuration instructions for the most popular hypervisors and deployment configurations.
System Performance Estimates and Recommendations for Large Scale Deployments
Browser Support and Hardware Requirements
Information Prerequisites for All FortiSIEM Installations
Hypervisor Installations
Installing in Amazon Web Services (AWS)
Determining the Storage Type for EventDB in AWS
Configuring Local Storage in AWS for EventDB
Setting Up Supervisor, Worker and Collector Nodes in AWS
Setting Up AWS Instances
Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS
Configuring the Supervisor and Worker Nodes in AWS
Registering the Collector to the Supervisor in AWS
Setting up a Network Bridge for Installing AccelOps in KVM
Importing the Supervisor, Collector, or Worker Image into KVM
Configuring Supervisor Hardware Settings in KVM
Importing a Supervisor, Collector, or Worker Image into Microsoft Hyper-V
Setting the Network Time Protocol (NTP) for ESX
Installing a Supervisor, Worker, or Collector Node in ESX
Importing the Supervisor, Collector, or Worker Image into the ESX Server
Editing the Supervisor, Collector, or Worker Hardware Settings
Setting Local Storage for the Supervisor
Troubleshooting Tips for Supervisor Installations
Configuring the Supervisor, Worker, or Collector from the VM Console
ISO Installation
Installing a Collector on Bare Metal Hardware
General Installation
Configuring Worker Settings
Registering the Supervisor
Registering the Worker
Registering the Collector to the Supervisor
Using NFS Storage with AccelOps
Configuring NFS Storage for VMware ESX Server
Using NFS Storage with Amazon Web Services
Setting Up NFS Storage in AWS
Setting Up Snapshots of EBS Volumes that Host EventDB and CMDB in AWS
Moving CMDB to a separate Database Host
FortiSIEM Windows Agent and Agent Manager Install
FortiSIEM Windows Agent Pre-installation Notes
Installing FortiSIEM Windows Agent Manager
Installing FortiSIEM Windows Agent
Hey /r/AskNetsec
Hoping to get some feedback (or resources) from some of the pros in here on how to best leverage our centralized logging solution. Little background information: The org I work for is pumping all server, cloud (O365) and perimeter firewall logs into a centralized logging server that uses some kind of frankensteined combination of SQL and regex as their own query language that can be used to parse and search the logs using logical operators.
Now I think it's important that we set up some automatic alerting if certain conditions are met, but I don't have the expertise to know what the most important queries/alerts are to set up. I have done some research, and what I learned there + what I know from being a Windows admin gave me some ideas where to start. If you guys have any other good items I need to look for I'd love to know.
Here are the 'conditions' that need to be met for alerts to be sent out to me at this moment:
- Any 4625 event (login succeeded) from a Geolocation outside of the countries we operate in (I understand it's not perfect as you can just spin up a VPS in a DC in our country, but it's a start, right?)
- Any o365 login from unknown countries, similar to #1
- More than 10 failed logins for a user per 10 minutes (looking for windows event ID)
- Presence of a 'high confidence' malicious IP where the word 'Denied' or 'Dropped' isn't present (leveraging Crowd Strikes threat intelligence to classify IPs, the Denied and Dropped are to ignore any invalid traffic on the FW)
- Administrative account creation (looking for windows event ID)
- User added to admin groups (looking for windows event ID)
- Audit log cleared (looking for windows event ID)
- If 'Mimikatz' ever shows up in any entry
- If 'Teamviewer' or 'Ammyy' or 'ScreenConnect' ever show up in entries
- RDP sessions from external IPs
- RDP sessions outside of business hours 09:00 - 17:00
Would love you guys' feedback!
Regards,
A Windows Admin trying to layer on security in a budget-driven world
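The alert list above, expressed as rules you can test before committing them to a SIEM query language. This is an added example and not the poster's setup or tooling: it is plain Python run over a handful of constructed Windows Security event records, using the standard event IDs (4624 successful logon, 4625 failed logon, 4720 account created, 4728/4732/4756 member added to a security group, 1102 audit log cleared, 4688 process created; RDP logons carry logon type 10). The allowed-country set, admin group names and "internal means RFC 1918" are assumptions for the sample.

```python
"""Alert rules for the conditions in the post, run over constructed events.

Assumptions (not from the post): the org operates in NL and BE, the admin
groups are the three named below, and only RFC 1918 space is internal.
Event IDs are the standard Windows Security ones noted in the lead-in.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"NL", "BE"}
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
REMOTE_TOOLS = ("teamviewer", "ammyy", "screenconnect")
FAILED_LOGON_LIMIT = 10                 # "more than 10 failed logins"
FAILED_LOGON_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(9, 17)           # 09:00 - 17:00
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the source address is outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(events):
    """Return (rule, detail) tuples for every rule an event trips."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent 4625 events
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, user, t = ev["event_id"], ev.get("user", ""), ev["time"]
        msg = ev.get("message", "").lower()
        if eid == 4624 and ev.get("country") not in ALLOWED_COUNTRIES:
            alerts.append(("logon from unexpected country",
                           f"{user} from {ev.get('country')}"))
        if eid == 4625:
            window = failures[user]
            window.append(t)
            while window and t - window[0] > FAILED_LOGON_WINDOW:
                window.pop(0)           # drop failures older than the window
            if len(window) > FAILED_LOGON_LIMIT:
                alerts.append(("failed logon threshold",
                               f"{user}: {len(window)} failures in 10 min"))
        if eid == 4720:
            alerts.append(("account created",
                           f"{user} created {ev.get('target_user')}"))
        if eid in (4728, 4732, 4756) and ev.get("group") in ADMIN_GROUPS:
            alerts.append(("admin group change",
                           f"{ev.get('target_user')} added to {ev.get('group')} by {user}"))
        if eid == 1102:
            alerts.append(("audit log cleared", f"cleared by {user}"))
        if "mimikatz" in msg:
            alerts.append(("mimikatz string", msg))
        if any(tool in msg for tool in REMOTE_TOOLS):
            alerts.append(("remote access tool", msg))
        if eid == 4624 and ev.get("logon_type") == 10:
            if is_external(ev.get("source_ip", "")):
                alerts.append(("RDP from external IP",
                               f"{user} from {ev.get('source_ip')}"))
            if t.hour not in BUSINESS_HOURS:
                alerts.append(("RDP outside business hours", f"{user} at {t:%H:%M}"))
    return alerts


# Constructed sample: a Monday morning with one of each interesting thing.
T0 = datetime(2019, 6, 3, 10, 0)
SAMPLE_EVENTS = [
    {"time": T0, "event_id": 4624, "user": "jdoe", "country": "NL",
     "logon_type": 2, "source_ip": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=1), "event_id": 4624, "user": "jdoe",
     "country": "RU", "logon_type": 3, "source_ip": "10.0.0.5"},
    *[{"time": T0 + timedelta(seconds=20 * i), "event_id": 4625,
       "user": "svc_backup"} for i in range(11)],        # 11 failures in ~3 min
    {"time": T0 + timedelta(minutes=2), "event_id": 4720, "user": "admin",
     "target_user": "newadmin"},
    {"time": T0 + timedelta(minutes=3), "event_id": 4732, "user": "admin",
     "target_user": "newadmin", "group": "Administrators"},
    {"time": T0 + timedelta(minutes=4), "event_id": 1102, "user": "admin"},
    {"time": T0 + timedelta(minutes=5), "event_id": 4688, "user": "jdoe",
     "message": r"New Process Name: C:\Tools\TeamViewer.exe"},
    {"time": datetime(2019, 6, 3, 22, 30), "event_id": 4624, "user": "jdoe",
     "country": "NL", "logon_type": 10, "source_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The failed-logon rule fires again on every further failure inside the window, so suppress repeats per user in the SIEM if that becomes noisy.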
General System Administration
Topics in this section contain information on monitoring the health of your FortiSIEM deployment, general system settings such as language, date format, and system logos, and how to add devices to a maintenance calendar.
FortiSIEM Backend Processes
This topic provides a brief description of FortiSIEM backend system processes, and the nodes (Supervisor, Collector, Worker) that use them.
Process | Function | Used by Supervisor | Used by Worker | Used by Collector |
---|---|---|---|---|
phMonitor | Monitoring other processes | X | X | X |
phDiscover | Pulling basic data from target | X | X | |
phPerfMonitor | Execute performance job | X | X | X |
phAgentManager | Execute event pulling job | X | X | X |
phCheckpoint | Execute checkpoint monitoring | X | X | X |
phEventPackage | Uploading event/SVN file to Supervisor/Worker | X | ||
phParser | Parsing event to shared store (SS) | X | X | X |
phDataManager | Save event from SS to Event DB | X | X | |
phRuleMaster | Determines if a rule should trigger | X | ||
phRuleWorker | Aggregates data for rules | X | X | |
phQueryMaster | Merges data from QueryWorker | X | ||
phQueryWorker | Executes a query task | X | X | |
phReportMaster | Merge data from ReportWorker | X | ||
phReportWorker | Aggregates data for reports | X | X | |
phIPIdentityMaster | Merges IP identity information | X | ||
phIdentityWorker | Collects IP identity information | X | X | |
Apache | Receives event/SVN files from the Collector | X | X |
Administrator Tools
This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with information on where to find and how to use them.
Tool | Description | How to Use It |
---|---|---|
phTools | phTools is a simple tool for starting and stopping backend processes, and for getting change log information. When you upgrade your deployment, for example, you would use phTools to stop all backend processes. | Log in to the FortiSIEM host machine as root. Usage: [root@FortiSIEM]# phtools. Commands: --change-log, --start, --stop, --stats. Target: ALL. --change-log also supports ERROR, TRACE, INFO, DEBUG, CRITICAL |
TestSegmentReader | Test Segment Reader is used to quickly read data segments in the eventdb through the command line. You can use this to manually inspect data integrity and parsed event attributes. | Log in to the FortiSIEM host machine as root. Usage: [root@FortiSIEM]# TestSegmentReader <segmentDir> |
phExportEvent | Used to export event information to a CSV file | See Exporting Events to Files |
TestDBPurger | A script to selectively delete event data per org and time interval. Use only to delete data for a single date: if you try to delete data for multiple dates, the script will fail. | You can find the script at /opt/phoenix/bin/TestDBPurger. Run it in terminal mode and follow the instructions. |
Managing User Activity
In the User Activity page you can view the users who are logged into your system, user query activity, and locked out users. You can also log users out of the system, stop active user queries, and lock or unlock users from being able to log in. Click the User Activity icon in the upper-right corner of the FortiSIEM web interface to access user activity information.
Managing Logged In Users
In the Logged In Users tab of the User Activity page you can see the users who are currently logged in to your system. You can also log users out of the system, with an option to lock them out as well.
- Log in to your Supervisor node.
- In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
- Click the Logged In Users tab.
You will see a list of all the users who are currently in your system.
- If you want to log a user out of the system, select the user and click Log Out.
- If you want to lock a user out of the system, select the user and click Log Out and Lock Out.
Managing Locked Out Users
In the Locked Users tab of the User Activity page you can see the users who are currently locked out of your system, and also unlock them.
- Log in to your Supervisor node.
- In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
- Click the Locked Users tab.
You will see a list of all users who are locked out of the system.
- To unlock a user, select the user and then click Unlock.
Managing Active User Queries
In the User Queries tab of the User Activity page you can see the user queries that are running in your system, and also stop queries.
- In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
- Click the User Queries tab.
You will see a list of all the queries that are currently running in your system.
- To stop a query, select it and then click Stop Query.
Creating Maintenance Window for Devices
You can add a device to a maintenance window. During this period, the device is not monitored, and alerts for the device are not triggered. If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.
- Log in to your Supervisor node.
- Go to Admin > Maintenance Calendar.
- Click Add.
- Enter a Name and Description for the maintenance event.
- Set the Time Range and Date Range for the maintenance event.
- Under Groups and Devices, click Edit.
- If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
- Add Folders or Items to the maintenance event by selecting them, and then using the Folder >> and Item >> buttons to move them into the selection pane.
- Click OK when you’re done selecting Folders and Items.
- Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
- Click OK.
- You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Maintenance Window for Synthetic Transaction Monitoring jobs
You can add a Synthetic Transaction Monitoring (STM) job to a maintenance event. During the maintenance event, the STM job is not executed and hence related alerts do not trigger.
If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.
- Log in to your Supervisor node.
- Go to Admin > Maintenance Calendar.
- Click Add.
- Enter a Name and Description for the maintenance event.
- Set the Time Range and Date Range for the maintenance event.
- Under Groups and Devices, click Edit.
- If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
- Click Synthetic Transaction Monitor (STM) to see all the STM jobs under Items in the window below.
- Select the Items from the bottom left and then click Item >> to move them into the selection pane.
- Click OK to save the configuration.
- Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
- Click OK.
- You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Reverse SSH Tunnels to Debug Collector Issues
Using SSH Tunnels to Connect to Managed Endpoints
Browser Plugins and Connectivity Protocol Support
Firewall Configuration
Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing Related Links
Using SSH Tunnels to Connect to Managed Endpoints
When you want to quickly debug an issue, you often need to connect to a managed endpoint directly from a browser using protocols such as Telnet/SSH, RDP, VNC or HTTP(S), depending on the operating system of the endpoint. However, in a multi-tenant deployment, the managed endpoint could be behind a firewall and across the Internet. To further complicate matters, the firewall may not permit inbound connections for management protocols for security reasons, and also may not allow quick policy changes.
The FortiSIEM solution to this situation is to build a reverse SSH tunnel between the Collector and the Supervisor. The firewall already allows HTTP(S) sessions from Collector to Supervisor. After it is also configured to allow SSH connections from Collector to Supervisor, FortiSIEM builds an on-demand reverse SSH tunnel initiated by the Collector. You can then use the tunnel to open a remote management session from your browser to the remote managed endpoint. This blog post on The Geek Stuff describes the process for setting up reverse SSH tunnels on Linux, and provides some additional technical details.
If the managed endpoint is directly accessible from your browser, FortiSIEM can open a direct session. The devices have to be discovered first, and based on this information, FortiSIEM can determine whether to launch a direct or Collector-based session.
- If the device is discovered by the Supervisor, then it opens a direct session
- If the device is discovered by a Collector, then it opens a reverse SSH tunnel from the Collector, and then initiates a session over this tunnel
FortiSIEM has several features for managing SSH tunnels, including:
- You can define the port of the reverse SSH tunnel. By default it is set to 19999, but it can be changed to any port.
- FortiSIEM automatically times out each tunnel after a day, although you can manually delete a tunnel at any time
- FortiSIEM provides full tunnel management auditing, such as reporting on who creates and deletes a tunnel
- FortiSIEM supports a broad group of connectivity protocols. You can launch any connectivity application by specifying the port, and FortiSIEM will create the tunnel.
- RBAC is supported at the Collector level: if the user can visit the Collector health page, then the user can open a remote collector tunnel.
Browser Plugins and Connectivity Protocol Support
Since FortiSIEM runs from a browser, some integrations are possible if certain browser plugins are installed. The best use case is:
- Using the Firefox browser to connect to FortiSIEM
- The FireSSH browser plugin is already installed in Firefox
- You launch a remote session to the managed endpoint over SSH
- FortiSIEM launches the FireSSH browser plugin and passes the managed endpoint IP
- You type in your user name and password, and if the authentication succeeds, then the shell appears
This table lists the browsers, and the protocols supported by their plugins, that you can use to connect to the managed endpoint.
Always type the end host/device credentials for direct connections over a reverse tunnel even though the displayed IP/port belongs to the Supervisor.
Web Browser | Connectivity Protocol | Supported Browser Plugin | Integration |
---|---|---|---|
Firefox | SSH | FireSSH | The plugin launches. You need to provide your user name and password for the end host/device |
 | Telnet | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port. |
 | HTTP(S) | None required | Another tab opens. You will need to provide your user name and password if the endpoint device requires it. |
 | RDP | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external remote desktop client to connect to <Supervisor-IP> and the port. |
 | VNC | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port. |
 | Other | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port. |
Chrome | SSH | FireSSH | The plugin launches. You need to provide your user name and password for the end host/device. |
 | Telnet | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port. |
 | RDP | Chrome RDP | A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client. |
 | HTTP(S) | None required | Another tab opens. You will need to provide your user name and password if the endpoint device requires it. |
 | VNC | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port. |
 | Other | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port. |
Safari (on OSX only) | SSH | Mac Terminal | A new terminal window launches and connects via SSH to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device. |
 | Telnet | Mac Terminal | A new terminal window launches and connects via telnet to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device. |
 | RDP | None | A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client. |
 | HTTP(S) | None required | Another tab opens. You will need to provide your user name and password if the endpoint device requires it. |
 | VNC | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port. |
 | Other | None | A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port. |
Internet Explorer | SSH, Telnet, RDP, HTTP(S), VNC, Other | No plugin integration | Create the tunnel and then connect to the <Supervisor-Port> that is displayed using an external application. |
Firewall Configuration
If there is a firewall between the Collector and the Supervisor, the firewall needs to allow SSH from the Collector to the Supervisor. The default setting uses a non-standard port, 19999, so make sure you configure the firewall between the Collector and the Supervisor to allow outbound TCP connections on port 19999.
Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing
For security and management reasons, you may want to limit the ability of users to create tunnels. The easiest way to do this is through user roles that have defined access capabilities. For example:
- To prevent the creation of any tunnels for a role, disallow access to the CMDB tab for that role, or disallow access to the particular device or device group. This second option lets you create fine-grained controls for tunnel creation, for example:
  - Admins who are able to view Network devices can only open tunnels to Network devices
  - Admins who are able to view Servers can only open tunnels to Servers
  - Admins who are able to view a custom-created device group can only open tunnels to that specific custom group
- To prevent viewing and closing existing tunnels, disallow access to the Admin > Collector Health page
Related Links
Setting Up User Roles
Auditing the Creation and Deletion of SSH Tunnels
FortiSIEM includes a system-defined report that shows the SSH tunnel open/close history for the time range that you specify.
- Log in to your Supervisor node.
- Go to Analytics > Reports > System Audit.
- Select the SSH Tunnel Open/Close History report.
- Run the report as described in Running System and User-Defined Reports and Baseline Reports.
Creating a Remote Tunnel to a Device Monitored by a Collector
Prerequisites
You should review the browsers and plugins that are supported for the connectivity protocol you want to use to connect to the device.
Procedure
- Log in to your Supervisor node.
- Go to CMDB > Devices.
- Search for or browse to the device you want to establish the connection to.
- In the IP Address column for that device, click on the IP address associated with it to open the Options menu.
- In the Options menu, select Connect To… .
- Enter the Protocol and Port you want to use to connect to the device.
For SSH this is Port 22.
- Select Create Tunnel.
A tunnel will be established between the Supervisor and the Collector that is monitoring the device.
- Use your browser and plugins to establish remote connectivity to the device as described in Creating Reverse SSH Tunnels to Debug Collector Issues.
Managing Remote Tunnels to Collector Devices
After you have created tunnels to collector devices, you can view and manage those tunnels in the Collector Health page.
- Log in to your Supervisor node.
- Go to Admin > Collector Health.
- Click Tunnels.
The existing tunnels will be displayed in a table with these columns:
Column Name | Description |
---|---|
Host IP | The IP address of the managed endpoint |
Super Port | Sessions are opened on this port on the Supervisor to connect to the managed endpoint. This ensures that the Supervisor will use the correct tunnel to reach the managed endpoint. |
Protocol | The protocol used to establish the connection to the endpoint |
Collector | The Collector that monitors the endpoint |
PID | The process ID of the tunnel. If you kill this process, it will kill the tunnel |
Opened Time | The time when the tunnel was opened |
- You can close a tunnel by selecting it and then clicking Close, or you can close all tunnels at the same time by clicking Close All.
Managing System Date Format and Logos
The UI page under Admin > General Settings contains fields that you can use to change the date format for your FortiSIEM user interface, and to upload logos to be used within the user interface and on PDF reports.
- Log in to your Supervisor node.
- Go to Admin > General Settings > UI.
- Select the Date Format you want to use to display dates in the user interface, and then click Change.
- Click Change to choose a UI Logo that will be displayed alongside the main application tabs for your FortiSIEM deployment.
The logo file must be in PNG format, and should not be more than 200 pixels wide or 60 pixels high (54 pixels is the ideal height).
- Click Change to choose a Report Logo that will be used in the header of reports you export to PDF.
The logo file must be in SVG format, 160 pixels wide and 40 pixels high, or other dimensions with a 4:1 width/height ratio.
For Service Provider installs, UI Logos can also be set on a per organization basis.
- SSH to the Supervisor as root
- Change user to admin: ‘su admin’
- Change directory by running ‘cd /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header’
- Create a logo directory per organization:
- mkdir org
- cd org
- Create organization IDs as directories, e.g. ‘mkdir 2001’ (to find org IDs, go to Admin > Setup Wizard > Organizations > ID)
- Copy the PNG files to the respective organization directories as logo.png. For example: /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header/org/2001/logo.png
- Log on to the organization, e.g. Org1 (id: 2001), and make sure that the UI logo is updated
Viewing Cloud Health and System Information
The Admin > Cloud Health page shows you the status of the nodes in your deployment, as well as the processes running on them.
- Go to Admin > Cloud Health.
- Click on any node to view its Process Details.
See FortiSIEM Backend Processes for more information about the system role played by each process.
- You can access other information about your FortiSIEM deployment by clicking the Alert icon in the upper-right corner of the user interface, which will show you Alerts and Tasks for the system within the last 24 hours.
Viewing Collector Health
If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the Admin > Collector Health page. You can also upgrade Collectors from this page, as described in Setting Up the Image Server for Collector Upgrades.
- Log in to your Supervisor node.
- Go to Admin > Collector Health.
- Select a Collector and click Show Processes to see the processes running on that Collector.
See FortiSIEM Backend Processes for more information about the processes that run on Collectors.
- You can also Stop or Start a Collector by selecting it and clicking the appropriate button.
Properties associated with Collector Health include:
| Collector Property | Description |
| --- | --- |
| Org Name | Name of the organization to which the Collector belongs |
| Collector Name | The name of the Collector |
| IP Address | The IP address of the Collector |
| Status | The status of the Collector as either Up or Down |
| Health | Displays the health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector. |
| Up Time | Total time that the Collector has been up |
| Last Performance Data | The time when the Collector last reported its performance status to the cloud |
| Last Status Update | The time when the Collector last reported its status to the cloud |
| Last Event Data | The time when the Collector last reported events to the cloud |
| CPU Utilization | Overall CPU utilization of the Collector |
| Memory Utilization | Overall memory utilization of the Collector |
| Version | Which version of FortiSIEM the Collector is running on |
| Build Date | The date on which the version of FortiSIEM the Collector is running on was built |
| Upgrade Version | If the Collector has been upgraded, the version it was upgraded to |
| Install Status | If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed |
| Download Status | If an image was downloaded to the Collector as described in Setting Up the Image Server for Collector Upgrades, the status of the download is shown here as Success or Failed |
| Allocated EPS | The number of events per second (EPS) dynamically allocated by the system to this Collector. See Dynamic Distribution of Events per Second (EPS) across Collectors for more information about how EPS is allocated across Collectors. |
| Incoming EPS | The EPS that the Collector is currently seeing |
Viewing License Information and Adding Nodes to a License
The License Management page in the Admin tab shows information associated with your current FortiSIEM license, and allows you to add virtual appliances and Report Servers to your deployment as your license allows.
- Log in to your Supervisor node.
- Go to Admin > License Management.
- Under License Information you will see detailed information about both Allowed and Current Usage for the number of virtual appliances, EPS, number of devices, and other attributes associated with your FortiSIEM license.
- Under VA Information you will see the name and IP address of the virtual appliances, and their roles, in your FortiSIEM deployment. Click Add, and then enter an IP address for other nodes that you want to add to your license.
- Under Report Server Information you will see the IP address of any Report Servers in your deployment. Click Add, and then enter an IP address for other Report Servers that you want to add to your license.
Calculations for License Usage Statistics
| Statistic | Calculation | Notes |
| --- | --- | --- |
| EPS | AccelOps calculates the EPS for your system using a counter that records the total number of received events in a three minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less than 110% of the license limit (using the calculation 1.1 x EPS License x 180), then AccelOps will continue to collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three minute window, and an email notification is triggered. At the end of the three minute window the counter resets and resumes receiving events. | |
| Number of Devices | Each entry in CMDB > Devices counts as one device. Exceptions to this are Mobile Devices and VoIP Phones: these devices are not counted against the number of devices that are licensed for your deployment. | |
Using Beaconing to Communicate with AccelOps Support
Your FortiSIEM virtual appliance includes a beaconing feature that periodically transmits information about the functioning of your FortiSIEM deployment to FortiSIEM support. This information includes the health of your FortiSIEM virtual appliances, performance data, and summary information about the configuration of your deployment. This information is used exclusively by FortiSIEM support for forensic analysis of your system, and is never shared with anyone.
The basic version of the beaconing feature is included with your FortiSIEM license, but you can opt out of the service at any time by going to Admin > License Management and clearing the Enable Beaconing Data Upload option. You can also purchase the advanced version of the beaconing service, which includes added support services. Contact FortiSIEM Sales or Support for more information.
To find the level of beaconing support on your deployment, go to the License Information table under Admin > License Management, and scroll down the License Attribute column to look for the row labeled Beaconing Support.
- Basic Beaconing Support
- Advanced Beaconing Support
Basic Beaconing Support
Basic Beaconing periodically uploads health and usage information from the FortiSIEM instance. This includes:
- Customer Name
- Organization Name (for Service Provider installations)
- Organization Collector Name
- Number of devices discovered by category (Network, Server, Storage) and their types
- Performance Monitoring Jobs and their status
- Discovery Error Types, Event parsing errors, Operational errors
- Incident names, severity and count
- Event rate
- Event Type
- FortiSIEM system incidents and license issues
IP address and host name are not transmitted to the cloud.
For specific details, see these rules and reports, which contain the data periodically sent to the cloud.
Advanced Beaconing Support
In advanced beaconing support, system logs and audit logs from your FortiSIEM deployment are uploaded to FortiSIEM support in addition to the information listed under basic beaconing support. This allows FortiSIEM support to closely monitor your FortiSIEM deployment for errors and problems remotely without the risk of system log rollover, and to provide an accelerated path to problem resolution.
Advanced beaconing support can be enabled via a license change. You will need to re-register your FortiSIEM deployment after FortiSIEM Sales has enabled advanced beaconing on the license server. During re-registration, FortiSIEM services will continue to run except for a restart of the phMonitor service.
AccelOps Event Categories and Handling
This topic provides a brief description of the various event categories in FortiSIEM and how each is handled.
Event Categories
| System Event Category | Description | Counted in EPS License | phstatus -a output | Stored in DB? |
| --- | --- | --- | --- | --- |
| 0 | External events that are not flow events (e.g. syslog, SNMP Trap, Event pulling) | Yes | EPS | Yes |
| 1 | Incidents (events that begin with PH_RULE) | No | EPS INTERNAL | Yes |
| 2 | FortiSIEM Audit Events (events that begin with PH_AUDIT) | No | EPS INTERNAL | Yes |
| 3 | FortiSIEM Internal system logs, free format | No | EPS INTERNAL | Yes |
| 4 | External flow events (Netflow, Sflow) | Yes | EPS | Yes |
| 5 | FortiSIEM Internal health events for summary dashboards | No | EPS INTERNAL | Yes |
| 6 | FortiSIEM Performance Monitoring events (events that begin with PH_DEV_MON) | Yes | EPS PERF | Yes |
| 7 | AO Beaconing events | No | EPS INTERNAL | Yes |
| 8 | FortiSIEM Real Time Performance Probe Events | No | EPS INTERNAL | No |
| 99 | FortiSIEM Internal Rule Engine | No | EPS INTERNAL | No |
Event handling at various nodes
Running the “phstatus -a” command on a node shows the events handled by that node. The output shows the statistics as 3 min, 15 min and 30 min averages.
If you run “phstatus -a” on a Supervisor, you get the aggregated view across all nodes.
Reported EPS by events
The following events report EPS, which includes EPS (EXTERNAL) and EPS PERF, the values measured against the license:
- PH_SYSTEM_EVENTS_PER_SEC: reports EPS at an organization level
- PH_SYSTEM_PERF_EVENTS_PER_SEC: reports performance monitoring related EPS (counted against the license)
- PH_SYSTEM_INTERNAL_EVENTS_PER_SEC: reports internal EPS (not counted against the license)
- PH_SYSTEM_IP_EVENTS_PER_SEC: reports EPS at a device level
- PH_SYSTEM_DEVAPP_EVENTS_PER_SEC: reports EPS at a device level, but also includes vendor and model information
Changing Dashboard Theme
The UI page under Admin > General Settings contains fields that you can use to change the theme for the widget dashboards:
- My Dashboard
- Availability/Performance > Avail/Perf Widgets
- Biz Svc Dashboard
- Dashboards By Function
To do this:
- Log in to your Supervisor node.
- Go to Admin > General Settings > UI.
- Select the Dashboard Theme you want to use, and then click Change.
- Refresh the browser.
Installing OS Security Patches
You may want to install OS level security patches to fix some recently found vulnerabilities.
First check whether the CVEs you are interested in have already been patched in the current FortiSIEM version. You can do this by running the following command.
To upgrade OS packages on the Super, Worker, or Collectors, run the following command as root.
We use a headless Chrome browser for STM, but Chrome is not supported by Google on CentOS 6 or 7 platforms. To upgrade that package to the latest version, we use a third-party system.
Run the following commands as root on the Super/Worker/Collector.