Very few events from DNS server. What properties need to be changed to query the file frequently?

Hi Team,

We have integrated DNS via the file reader connector. We have also configured a log stoppage rule. We are observing the log stoppage alert very frequently since the file isn't queried frequently.

What parameters need to be changed so that as soon as the file is updated, our connector reads it and sends logs to our Console?

Please help.

Regards,

Mitesh Agrawal

  • Hello Mitesh,

    First of all, I would recommend checking the Flex Connector Developer's guide, especially the part "File Connector Parameters" - page 207.
    https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-FlexConnector-Developer-s-Guide/ta-p/1584874?nm=&attachment-id=76956
    Here you have all the parameters that you can try changing according to your needs.

    If you want the connector to keep reading the events as soon as they are written to the file, then you have to set the option to read it in real-time:
    agents[0].processingmode=realtime

    If you already have this set or if it doesn't work after setting so, then check in the logs if you have any ERROR or FATAL messages at the time you notice the log stoppage.

    I hope this helps.

    Regards,
    Kresimir

  • Hi,

    Thanks a lot for your reply. I mapped the drive where the DNS logs are getting written and I can see that the DNS events aren't written frequently. Please find the screenshot attached.

    The screenshot is taken at 02:30 PM IST and the last time the file was modified was at 1:43 PM IST.

    What can be the issue here? Why isn't the DNS server writing the events to the file frequently?

    Please help.


    Regards,

    Mitesh Agrawal

  • Hi Mitesh,

    The connector is set to read new events from the file itself. If there are no new events written in the file, there will be nothing to read.
    This is not connector related but rather a setup issue (check your DNS settings and why the file doesn't get updated with new events).

    Once you are able to confirm that the file is rotating constantly and the connector is not reading it in real-time, then check the logs for any ERROR or FATAL messages and see if it can even read the file.

    Regards,
    Kresimir

  • Hi Kresimir,

    I just opened the file and saw that logs are written in the file but it seems the file last modified date isn't updated.

    I want your help to understand how the ArcSight SmartConnector reads logs. That is, in processingmode = realtime, does the connector go to the file, check the last modified date and only then read the logs, or does it keep some pointer that shows the last log up to which it has already read? Is there any relation between connector reading and last modified time?

    I want to check this since I am not sure what exactly the issue is with the DNS server writing to this file, but I can create a script to change the last modified time of the file, if the connector checks the last modified time, so that it reads.

    Hope you will understand what I am trying to ask.

    Regards,
    Mitesh Agrawal
  • You can check the following presentation to understand how the file reader connector works:
    https://docplayer.net/37085739-Understanding-file-reader-connector-framework.html

    Understanding File Reader connector framework

    Hopefully, this answers your question.

    Regards,
    Kresimir
  • Thanks Kresimir,
    Also, I got the below warning in my logs.
    [WARN ][default.com.arcsight.agent.baseagents.c.d][read] FileReader.exe reached the end of log file or took too long to initialize. The reading process was cancelled.

    Since this is a warning, my connector should still be able to read logs, right? What should be done in this case?

    Regards,
    Mitesh Agrawal
  • Hi Mitesh,

    Well, it depends on whether you can see any issues with the event collection or not.
    So check if it really reached the end of the log file because it read it completely, or whether you have any other errors following this.
    If you can see events missing, you can try to change the following settings:
    usealternaterotationdetection set to "true", but it should be used in combination with followexternalrotation, so both have to be set to true.

    If that doesn't help, then investigate the logs and see if you can find something there.

    I hope this answers your question.
    If you found it solved, don't forget to "Accept as solution".

    Regards,
    Kresimir
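To make the pointer question from the thread concrete (and the rotation case the last answer touches on), here is an added illustration of a generic offset-based file reader: it is not ArcSight's FileReader code and does not claim to be the connector's actual behaviour, which the linked presentation and guide document. It keeps a byte offset rather than looking at the file's last-modified time, holds back half-written lines, and restarts from zero when the writer truncates or replaces the file; the DNS-style lines are constructed samples.

```python
import os
import tempfile

class OffsetTailer:
    """Reads only bytes appended after a stored offset; the file's mtime is never consulted."""

    def __init__(self, path, start_at_end=False):
        self.path = path
        self.offset = os.path.getsize(path) if start_at_end else 0
        self.ident = self._identity()

    def _identity(self):
        # (device, inode) changes when the writer replaces the file, e.g. rename-based rotation
        st = os.stat(self.path)
        return (st.st_dev, st.st_ino)

    def poll(self):
        """Return complete new lines; reset to offset 0 when the file shrank or was replaced."""
        size = os.path.getsize(self.path)
        ident = self._identity()
        if size < self.offset or ident != self.ident:
            self.offset, self.ident = 0, ident          # external rotation detected
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
        complete, sep, _partial = chunk.rpartition(b"\n")  # keep a half-written last line for later
        self.offset += len(complete) + len(sep)
        return [ln.decode("utf-8", "replace") for ln in complete.split(b"\n")] if complete else []

def sample(ts, client, qtype):
    # Constructed line loosely shaped like a Windows DNS debug log entry (not real data)
    return f"6/1/2023 {ts} 0B0C PACKET UDP Rcv {client} Q [0001 D NOERROR] {qtype} (7)example(3)com(0)\n"

def demo():
    """Append, poll, poll again, then truncate-rotate; returns the line counts seen at each step."""
    path = os.path.join(tempfile.mkdtemp(), "dns.log")
    with open(path, "w") as fh:
        fh.write(sample("1:43:10 PM", "10.0.0.5", "A"))
    tailer = OffsetTailer(path)
    first = tailer.poll()                                # 1 line: the initial content
    with open(path, "a") as fh:
        fh.write(sample("2:30:01 PM", "10.0.0.6", "AAAA"))
    second = tailer.poll()                               # 1 line: only what was appended
    third = tailer.poll()                                # nothing new, so []
    with open(path, "w") as fh:                          # writer truncates the file (rotation)
        fh.write(sample("2:31:00 PM", "10.0.0.7", "MX"))
    fourth = tailer.poll()                               # 1 line: restarted from offset 0
    return (len(first), len(second), len(third), len(fourth))
```

A reader like this would pick up the entries Mitesh saw in the file even when the directory listing shows a stale last-modified time, which is why touching the mtime with a script would not by itself change what such a reader sees.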
