Knowledge Doc: Detecting poorly constructed Reports in the ESM logs


Summary
This article describes messages in ESM's logs that can help identify poorly constructed Reports.

Products
ArcSight Enterprise Security Manager (ESM)

Environment
Any 7.x Compact mode ESM

Situation
Usage of VM resources (CPU and/or RAM) is increasing on the VM where the ESM is hosted.

Cause
One cause of the ESM overusing VM resources is poorly constructed Reports, for example a Report that queries 3 days' worth of data and is executed every hour.

Resolution
To detect these anomalous Reports in the logs, search for the message "LongestRunReport" in server.status.log, as shown below:

LongestRunReport="[[9EILikGIBABC-dLuzavYucQ==, /All Archived Reports/Public/Event Analysis/ADFSFailsHourly.csv, A236871, Wed Feb 01 10:25:04 EST 2023, 275032]]"
LongestRunTime="275032"


The Report named in the "LongestRunReport" entry can then be checked for possible causes of performance issues, such as poor construction.
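
The search described above can be scripted to rank Reports by their longest recorded run. The following Python is an added example, not part of the original article or of ArcSight's tooling. The field order and the names id, path, account, started and run_time are assumptions inferred from the sample line (its last value matches LongestRunTime), and the unit of the run time is not stated in the article.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the article's server.status.log excerpt.
# The first two lines are from the article; the other two are made up for the demo.
SAMPLE_LOG = '''\
LongestRunReport="[[9EILikGIBABC-dLuzavYucQ==, /All Archived Reports/Public/Event Analysis/ADFSFailsHourly.csv, A236871, Wed Feb 01 10:25:04 EST 2023, 275032]]"
LongestRunTime="275032"
LongestRunReport="[[EXAMPLEID0000000000000==, /All Archived Reports/Public/Demo/Logins, by host.csv, U000001, Wed Feb 01 11:00:02 EST 2023, 1200]]"
LongestRunReport="[[9EILikGIBABC-dLuzavYucQ==, /All Archived Reports/Public/Event Analysis/ADFSFailsHourly.csv, A236871, Wed Feb 01 11:25:07 EST 2023, 301544]]"
'''

LINE_RE = re.compile(r'LongestRunReport="\[(.*)\]"')
ENTRY_RE = re.compile(r'\[([^\[\]]+)\]')

def parse_line(line):
    """Return a list of dicts, one per [..] entry on a LongestRunReport line."""
    m = LINE_RE.search(line)
    if not m:
        return []
    entries = []
    for body in ENTRY_RE.findall(m.group(1)):
        parts = body.split(", ")
        if len(parts) < 5 or not parts[-1].isdigit():
            continue  # not the five-field shape shown in the article
        entries.append({
            "id": parts[0],
            "path": ", ".join(parts[1:-3]),  # a path may itself contain ", "
            "account": parts[-3],            # assumed meaning; the article does not label it
            "started": parts[-2],
            "run_time": int(parts[-1]),      # unit not stated in the article
        })
    return entries

def rank_reports(lines):
    """Group by report path; return (path, distinct runs, max run_time), slowest first."""
    runs = defaultdict(dict)
    for line in lines:
        for e in parse_line(line):
            runs[e["path"]][e["started"]] = e["run_time"]
    ranked = [(p, len(r), max(r.values())) for p, r in runs.items()]
    return sorted(ranked, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for path, n, worst in rank_reports(SAMPLE_LOG.splitlines()):
        print(f"{worst:>10}  runs={n}  {path}")
```

A Report that repeatedly tops this ranking is the first candidate for a review of its query time range and schedule.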


URL Name
KM000015079
