Best Practice SEM Rules for Monitoring Linux (Apache/MariaDB), Windows Servers, FortiGate Firewalls & Switches

Herou-GH

Hi Dears,

I’d like to gather your input on best practices for creating rules 

1. What are the recommended rules or alerts you suggest for monitoring Linux servers that host web applications (Apache, MariaDB, etc.)?

2. What are the best practice rules to apply for Active Directory and   Windows servers?

3. What about the rules to apply  for FortiGate firewalls and network switches?

Please share the rules you’ve found most useful in production, or any ideas we can implement to strengthen our monitoring strategy.

Thanks in advance for your kind of support

npatterson

Setup Rsyslog in Linux using TCP Syslog for better log collection. 

Set up profiles by applications so that you can set the connectors per application later on when you expand.

For windows ensure the logging in enable via GPO as the defaults setting in windows does not always capture both success and failure attempts.

With Solarwinds you must ensure logs are setup in the root of event viewer to parse logs correctly you change see this in the connector helps in set up

FortiGate Rules are subjective but to service enable on the firewall. IF you have IPS, syslog, VPN, are good start.  

Do you have network monitoring enable if not logs like network flapping is good to have as well.  

If you have HA setup for firewall I check for failovers as well. 

Please understand SEM is security events not network performance why it may overlap you offload network monitoring to dedicated appliance.  That being said  I create a special alert for all elevated users for console access for switches and firewalls as that should not be access on regular basis.  I monitor PowerShell commands being run as this is typically of Lateral movement attempts.  

Important to know the more you log the more your need filtered.  Rules will only get you so far you need to determine the actionable items want to address  have rules.  For others non-actionable event determine if the logs are usefully or redundant for example endpoint has log of access a file and so does the server for same event what is more usefully more than like the server is better in this regard for more logs.  

To get back on track for you questions you need to determine for your environment what makes sense to you for logs as this can build up quickly.  First then I recommend is set a retention period so that you can align all collection to common time frame.  This is the most common problem and define a scope for log collection and what you need to see.