Very few events from DNS server. What properties need to be changed to query the file frequently?

Hi Team,

We have integrated DNS via the file reader connector. We have also configured a log stoppage rule. We are observing the log stoppage alert very frequently since the file isn't queried frequently.

What parameters need to be changed so that as soon as the file is updated, our connector reads it and sends logs to our Console?

Please help.

Regards,

Mitesh Agrawal

  • Hello Mitesh,

    First of all, I would recommend checking the Flex Connector Developer's guide, especially the part "File Connector Parameters" - page 207.
    https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-FlexConnector-Developer-s-Guide/ta-p/1584874?nm=&attachment-id=76956
    Here you have all the parameters that you can try changing according to your needs.

    If you want the connector to keep reading the events as soon as they are written to the file, then you have to set the option to read it in real time:
    agents[0].processingmode=realtime

    If you already have this set or if it doesn't work after setting so, then check in the logs if you have any ERROR or FATAL messages at the time you notice the log stoppage.

    I hope this helps.

    Regards,
    Kresimir

  • Hi,

    Thanks a lot for your reply. I mapped the drive where the DNS logs are getting written and I can see that the DNS events aren't written frequently. Please find the screenshot attached.

    The screenshot is taken at 02:30 PM IST and the last time the file was modified was at 1:43 PM IST.

    What can be the issue here? Why isn't the DNS server writing the events to the file frequently?

    Please help.


    Regards,

    Mitesh Agrawal

  • Hi Mitesh,

    The connector is set to read new events from the file itself. If there are no new events written to the file, there will be nothing to read.
    This is not connector related but rather a setup issue (check your DNS settings and why the file doesn't get updated with new events).

    Once you are able to confirm that the file is rotating constantly and the connector is still not reading it in real time, check the logs for any ERROR or FATAL messages and see if it can even read the file.

    Regards,
    Kresimir

  • Hi Kresimir,

    I just opened the file and saw that logs are written to the file, but it seems the file's last modified date isn't updated.

    I want your help to understand how the ArcSight SmartConnector reads logs. That is, in processingmode = realtime, does the connector go to the file, check the last modified date and read the logs only if it has changed, or does it keep some pointer that shows the last log up to which it has already read? Is there any relation between the connector reading and the last modified time?

    I want to check this since I am not sure what exactly the issue is with the DNS server writing to this file, but I can create a script to change the last modified time of the file if the connector checks the last modified time before it reads.

    Hope you will understand what I am trying to ask.

    Regards,
    Mitesh Agrawal
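To illustrate the distinction asked about above (last-modified time versus a read pointer), here is an added example that is not ArcSight's code and does not describe how the SmartConnector is implemented: a generic file follower that keeps a byte offset, ignores mtime entirely, falls back to the start when the file shrinks (rotation or truncation), and exposes how long it has been since the last event arrived, which is what a log stoppage check would measure. The log lines and the mtime-pinning step are constructed for the demo.

```python
import os
import tempfile
import time

class OffsetTailer:
    def __init__(self, path):
        self.path = path
        self.offset = 0                 # byte position already consumed
        self.last_event_ts = time.time()

    def poll(self):
        """Return newly appended complete lines; mtime is never consulted."""
        size = os.path.getsize(self.path)
        if size < self.offset:          # file shrank: rotated or truncated, start over
            self.offset = 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        end = data.rfind(b"\n") + 1     # keep any trailing partial line for the next poll
        self.offset += end
        lines = data[:end].decode("utf-8", "replace").splitlines()
        if lines:
            self.last_event_ts = time.time()
        return lines

    def stopped_for(self):
        """Seconds since the last event was read; feed this to a stoppage alert."""
        return time.time() - self.last_event_ts

def demo():
    # Constructed scenario: events are appended while mtime stays at its old value.
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write("2024-01-01 13:43:00 query example.invalid A\n")
        old_stat = os.stat(path)
        t = OffsetTailer(path)
        first = t.poll()
        with open(path, "a") as f:
            f.write("2024-01-01 14:30:00 query example.invalid AAAA\n")
        os.utime(path, ns=(old_stat.st_atime_ns, old_stat.st_mtime_ns))  # pin stale mtime
        mtime_changed = os.stat(path).st_mtime_ns != old_stat.st_mtime_ns
        second = t.poll()               # still picks up the new line via the offset
        with open(path, "w") as f:      # simulate rotation: file truncated and rewritten
            f.write("2024-01-01 14:31:00 query example.invalid MX\n")
        third = t.poll()
        return len(first), len(second), len(third), mtime_changed
    finally:
        os.remove(path)
```

Touching the file's mtime with a script would therefore not help a reader of this kind; whether the connector is mtime-driven or offset-driven is the question to settle against the guide.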