Monitoring the System
The FireSIGHT System provides many useful monitoring features to assist you in the daily administration of your system, all on a single page. For example, on the Host Statistics page you can monitor basic host statistics and intrusion event information, as well as statistics for the Data Correlator and network discovery processes for the current day. You can also monitor both summary and detailed information on all processes that are currently running on the Defense Center or managed device. The following sections provide more information about the monitoring features that the system provides:
- Viewing Host Statistics describes how to view host information such as:
- system uptime
- disk and memory usage
- Data Correlator statistics
- system processes
- intrusion event information
- On the Defense Center, you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring.
- Monitoring System Status and Disk Space Usage describes how to view basic event and disk partition information.
- Viewing System Process Status describes how to view basic process status.
- Understanding Running Processes describes the basic system processes that run on the appliance.
You can use the options in Overview > Summary to view and graph statistics for intrusion and discovery events. For more information, see:
Viewing Host Statistics
The Statistics page lists the current status of the following:
- general host statistics; see the Host Statistics table for details
- Data Correlator statistics (Defense Center only — requires FireSIGHT); see the Data Correlator Process Statistics table for details
- intrusion event information (requires Protection); see the Intrusion Event Information table for details
The following list describes the host statistics listed on the Statistics page:
- The number of days (if applicable), hours, and minutes since the system was last started.
- The average number of processes in the CPU queue for the past 1 minute, 5 minutes, and 15 minutes.
- The percentage of the disk that is being used. Click the arrow to view more detailed host statistics. See Monitoring System Status and Disk Space Usage for more information.
- A summary of the processes running on the system. See Viewing System Process Status for more information.
If your FireSIGHT System deployment includes a Defense Center with a FireSIGHT license, you can also view statistics about the Data Correlator and network discovery processes for the current day. As the managed devices perform data acquisition, decoding, and analysis, the network discovery process correlates the data with the fingerprint and vulnerability databases, then produces binary files that are processed by the Data Correlator running on the Defense Center. The Data Correlator analyzes the information from the binary files, generates events, and creates the discovery network map.
The statistics that appear for network discovery and the Data Correlator are averages for the current day, using statistics gathered between 12:00 AM and 11:59 PM for each device.
The following table describes the statistics displayed for the Data Correlator process.
On managed devices and on Defense Centers that manage devices, you can also view the date and time of the last intrusion event, the total number of events that have occurred in the past hour and the past day, and the total number of events in the database.
Note The information in the Intrusion Event Information section of the Statistics page is based on intrusion events stored on the managed device rather than those sent to the Defense Center. If you manage your device so that intrusion events are not stored locally, no intrusion event information is listed on this page. This is also the case for managed devices that cannot store events locally.
The following table describes the statistics displayed in the Intrusion Event Information section of the Statistics page.
Step 1 Select System > Monitoring > Statistics.
Step 2 On the Defense Center, you can also list statistics for managed devices. From the Select Device(s) box, click Select Devices. You can use the Shift and Ctrl keys to select multiple devices at once.
The Statistics page is updated with statistics for the devices you selected.
Monitoring System Status and Disk Space Usage
The Disk Usage section of the Statistics page provides a quick synopsis of disk usage, both by category and by partition status. If you have a malware storage pack installed on a device, you can also check its partition status. You can monitor this page from time to time to ensure that enough disk space is available for system processes and the database.
Tip On the Defense Center, you can also use the health monitor to monitor disk usage and alert on low disk space conditions. For more information, see Understanding Health Monitoring.
To access disk usage information:
Step 1 Select System > Monitoring > Statistics.
Step 2 Hover your pointer over a disk usage category in the By Category stacked bar to view (in order):
For more information on the disk usage categories, see Understanding the Disk Usage Widget.
Step 3 Click the down arrow next to Total to expand it.
The Disk Usage section expands, displaying partition usage. If you have a malware storage pack installed, the /var/storage partition usage is also displayed.
If your deployment includes multiple managed devices, you may want to constrain disk usage data by specific devices.
On the Defense Center, to view disk usage information for a specific device:
Step 1 Select the device name from the Select Device(s) box, and click Select Devices.
The page reloads, listing host statistics for each device you selected.
Step 2 Click the down arrow next to Disk Usage to expand it.
The Disk Usage section expands.
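The partition view described above is the kind of check an administrator may also want to run on a schedule rather than by hand. The following Python script is an added example, not part of the FireSIGHT documentation or product: it parses POSIX `df -P` style output (the sample below is constructed, including a placeholder /var/storage partition for a malware storage pack) and reports every partition at or above a usage threshold. The percent is recomputed from the Used and Available columns and rounded up, which is how df itself derives its Capacity column, so reserved blocks cannot make a nearly full partition look healthier than it is.

```python
"""Threshold check over partition usage (added example; sample data constructed)."""
from typing import Dict, List, Tuple

# Constructed sample in POSIX `df -P` layout; sizes are 1024-byte blocks and
# are not taken from any real appliance.
SAMPLE_DF = """\
Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda1          4030592   1206784   2619072      32% /
/dev/sda5         51474912  44284160   4569728      91% /var
/dev/sda6         20511356   1234567  18228989       7% /tmp
/dev/sdb1        943718400 896000000  47718400      95% /var/storage
tmpfs              4096000         0   4096000       0% /dev/shm
"""

# Pseudo filesystems that hold no event, backup or database data; skipped by default.
PSEUDO_FS = ("tmpfs", "devtmpfs", "proc", "sysfs")


def parse_df(output: str) -> Dict[str, int]:
    """Return {mount_point: percent_used} parsed from `df -P` style output.

    Percent is recomputed as ceil(Used / (Used + Available) * 100), the same
    rounding df applies to its Capacity column.
    """
    usage: Dict[str, int] = {}
    for line in output.strip().splitlines()[1:]:    # skip the header row
        fields = line.split(None, 5)                 # mount point may contain spaces
        if len(fields) < 6 or fields[0] in PSEUDO_FS:
            continue
        used, avail = int(fields[2]), int(fields[3])
        total = used + avail
        usage[fields[5]] = (used * 100 + total - 1) // total if total else 0
    return usage


def partitions_over(usage: Dict[str, int], threshold: int) -> List[Tuple[str, int]]:
    """Partitions at or above `threshold` percent, fullest first."""
    hits = [(mount, pct) for mount, pct in usage.items() if pct >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def disk_report(output: str = SAMPLE_DF, threshold: int = 90) -> List[str]:
    """One human-readable line per partition that needs attention."""
    return [f"{mount}: {pct}% used (threshold {threshold}%)"
            for mount, pct in partitions_over(parse_df(output), threshold)]


if __name__ == "__main__":
    for report_line in disk_report():
        print(report_line)
```

Run it with real output by piping `df -P` into `parse_df`; the threshold of 90% is an assumed starting point and should be set to whatever gives the database and system processes enough headroom in your deployment.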
Viewing System Process Status
The Processes section of the Host Statistics page allows you to see the processes that are currently running on an appliance. It provides general process information and specific information for each running process. If you are managing devices with a Defense Center, you can use the Defense Center’s web interface to view the process status for any managed device.
The following table describes each column that appears in the process list.
Step 1 Select System > Monitoring > Statistics.
Step 2 On the Defense Center, select the device or devices you want to view process statistics for from the Select Device(s) box and click Select Devices.
Step 3 Click the down arrow next to Processes.
The process list expands, listing general process status information that includes the number and types of running tasks, the current time, the current system uptime, the system load average, CPU, memory, and swap information, and specific information about each running process.
Cpu(s) lists the following CPU usage information:
Nice values indicate the scheduled priority for system processes and can range between -20 (highest priority) and 19 (lowest priority).
Mem lists the following memory usage information:
Swap lists the following swap usage information:
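The process list above follows the layout of the `top` utility: a header with uptime and load averages, Cpu(s), Mem and Swap lines, then one row per process whose NI column carries the nice value. The Python below is an added example, not code from the FireSIGHT documentation or product; it parses a constructed snapshot in that layout (the process names in it are placeholders, not FireSIGHT daemons), extracts the load averages and memory usage, and validates each nice value against the -20 to 19 range stated in the text, so that a malformed row is reported rather than silently misread.

```python
"""Parse a top-style process status snapshot (added example; sample constructed)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `top`; names and numbers are placeholders.
SAMPLE_TOP = """\
top - 14:02:11 up 12 days,  3:41,  1 user,  load average: 0.45, 0.62, 0.71
Tasks: 128 total,   2 running, 126 sleeping,   0 stopped,   0 zombie
Cpu(s):  6.5%us,  2.1%sy,  0.0%ni, 90.9%id,  0.3%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   8000000k total,  6000000k used,  2000000k free,   204800k buffers
Swap:  4194296k total,    12288k used,  4182008k free,  3145728k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2214 root      20   0  312m  88m 4120 S  4.0  1.1  51:02.33 httpd
 2301 root      10 -10  1.2g 640m 9800 S  2.0  8.0 840:11.90 analyzerd
 3010 root      25   5 45000 3100 2200 R  0.5  0.0   0:00.05 bzip2
 3102 admin     20   0  120m  16m 5000 S  0.0  0.2   1:10.00 sshd
"""

NICE_MIN, NICE_MAX = -20, 19   # -20 is the highest priority, 19 the lowest

LOAD_RE = re.compile(r"load average:\s*([\d.]+),\s*([\d.]+),\s*([\d.]+)")
MEM_RE = re.compile(r"^Mem:\s+(\d+)k total,\s+(\d+)k used", re.MULTILINE)


def parse_load_average(snapshot: str) -> Tuple[float, float, float]:
    """1, 5 and 15 minute load averages from the first header line."""
    match = LOAD_RE.search(snapshot)
    if not match:
        raise ValueError("no load average line in snapshot")
    one, five, fifteen = (float(x) for x in match.groups())
    return one, five, fifteen


def memory_used_percent(snapshot: str) -> float:
    """Percent of physical memory in use, from the Mem line."""
    match = MEM_RE.search(snapshot)
    if not match:
        raise ValueError("no Mem line in snapshot")
    total, used = int(match.group(1)), int(match.group(2))
    return round(used * 100 / total, 1)


def parse_processes(snapshot: str) -> List[Dict[str, object]]:
    """One dict per process row; raises ValueError on an out-of-range nice value."""
    procs: List[Dict[str, object]] = []
    in_table = False
    for line in snapshot.splitlines():
        stripped = line.strip()
        if stripped.startswith("PID "):          # column header starts the table
            in_table = True
            continue
        if not in_table or not stripped:
            continue
        fields = stripped.split(None, 11)        # COMMAND (last field) may contain spaces
        if len(fields) < 12:
            continue
        nice = int(fields[3])
        if not NICE_MIN <= nice <= NICE_MAX:
            raise ValueError(f"nice value {nice} out of range for PID {fields[0]}")
        procs.append({"pid": int(fields[0]), "user": fields[1], "nice": nice,
                      "cpu": float(fields[8]), "mem": float(fields[9]),
                      "command": fields[11]})
    return procs


def raised_priority(procs: List[Dict[str, object]]) -> List[str]:
    """Commands scheduled ahead of the default nice value of 0."""
    return [str(p["command"]) for p in procs if int(p["nice"]) < 0]


def top_cpu(procs: List[Dict[str, object]], count: int = 2) -> List[str]:
    """Commands using the most CPU, highest first."""
    ranked = sorted(procs, key=lambda p: -float(p["cpu"]))
    return [str(p["command"]) for p in ranked[:count]]


if __name__ == "__main__":
    print("load:", parse_load_average(SAMPLE_TOP))
    print("memory used %:", memory_used_percent(SAMPLE_TOP))
    print("raised priority:", raised_priority(parse_processes(SAMPLE_TOP)))
    print("top cpu:", top_cpu(parse_processes(SAMPLE_TOP)))
```

The same functions accept a real `top -b -n 1` capture in place of the constructed sample; comparing `raised_priority` output across snapshots is a quick way to notice a process that has unexpectedly been given a negative nice value.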
Note For more information about the types of processes that run on the appliance, see Understanding Running Processes.
Step 1 Click the up arrow next to Processes.
Understanding Running Processes
There are two different types of processes that run on an appliance: daemons and executable files. Daemons always run, and executable files are run when required.
See the following sections for more information:
Understanding System Daemons
Daemons continually run on an appliance. They ensure that services are available and spawn processes when required. The following table lists daemons that you may see on the Process Status page and provides a brief description of their functionality.
Note The table below is not an exhaustive list of all processes that may run on an appliance.
Understanding Executables and System Utilities
There are a number of executables on the system that run when executed by other processes or through user action. The following list describes the executables that you may see on the Process Status page.
- Utility that executes programs written in the
- Utility that reads files and writes content to standard output
- Analyzes binary files created by FireSIGHT to generate events, connection data, and the network map
- Utility that lists the amount of free space on the appliance
- Utility that searches files and folders for specified input; supports extended set of regular expressions not supported in standard grep
- Utility that recursively searches directories for specified input
- Utility that searches files and directories for specified input
- Indicates the network configuration executable. Ensures that the MAC address stays constant
- Handles access restriction based on changes made to the Access Configuration page. See Configuring the Access List for Your Appliance for more information about access configuration.
- Utility that provides a way to access the syslog daemon from the command line
- Utility that prints checksums and block counts for specified files
- Identifies a heartbeat broadcast, indicating that the appliance is active; heartbeat used to maintain contact between a device and Defense Center
- Indicates a message broker process; handles communication between Defense Centers and device.
- Utility that suspends a process for a specified number of seconds
- Mail client that handles email transmission when email event notification functionality is enabled
- Forwards SNMP trap data to the SNMP trap server specified when SNMP notification functionality is enabled
- Indicates a sudo process, which allows users other than admin to run executables
- Utility that displays information about the top CPU processes
- Utility that can be used to change the access and modification times of specified files
- Utility that performs line, word, and byte counts on specified files