Having problems with your account or logging in?
A lot of changes are happening in the community right now. Some may affect you. READ MORE HERE

Feature Request - Smartconnector, send command to clear/dump cached events

Feature Request - Smartconnector, send command to clear/dump cached events

There are 2 scenarios I've encountered in which it might be nice to send a command to the Smartconnector to drop cached events.

Scenario 1: Every so often connector gets in a state in which some cache events are sort of orphaned and the connector will not process.

Scenario 2: When a destination goes down of course the connector will cache until destination returns to normal. I've had situations where connector cache from multiple days is no longer relevant and would like to clear/dump cache and resume normal state.

Current work around is manual stop of connector at command like and clear/dump cache file manually. 

I do understand this will drop the data and the events will not be available in ESM or Logger.

4 Comments
kmermoud1 Absent Member.
Absent Member.

Uploaded the videos separately since it looks like we can't see them in the recording.

Thanks,

Ken

Ken Mermoud

Manager, Product Management

ArcSight Content & Solutions

HP Enterprise Products

Office: +1 (408) 865-7794

Mobile: +1 (650) 215-0485

Email: ken.mermoud@hp.com

www.hpenterprisesecurity.com

Fred McGhee Respected Contributor.
Respected Contributor.

I agree Mark, this would be a great add-on, we are currently having to dump cache the old fashioned way.

skgm23 Contributor.
Contributor.

If you have ArcMC you might be able to delete the cache by  creating a repository in the Arcmc that deletes agentdata directory then uploads a new one without any cache

create a a folder called agentdata with  a single  file in it-- doesn't matter what file is called--then zip it up and upload the zip file into the new repository.

settings on  new repository:

name, displayname, and itemdisplayname can be whatever you want

Recursive is checked

Sort Priortoty  -1

restart connector process is checked

Download section is all blank

Upload:

delete before upload  -- checked

delete groups-- checked

relative path  -- <empty>

delete relative path  agentdata

Deletec incldue regular expression  .*

delete exclude reguslar expression -- <empty>

I tested this on  my lab box and it would only delete files that  were not "0"

bytes.-- not sure why it wouldn't delete zero byte files

When i actually tested this again-- it deleted all files except for the.cache.dflt.0 files(the cache) looks like java holds on to them and won't allow you to delete them while the connector is running-- I only tried this on a windows box-- I  also tried to delete them manually from the agentdata directory when the connector was running-- got an error about being in use by java.

Dev would have to come up with a way for the connector to release java holding on to those files then you could delete them remotely.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.