
Agent Aggregate Event's wrong name


Attached is a spreadsheet of events that all have triggered the same excessive login rule. We are not sure why some of these events have "Agent Aggregate Event" as the name and others have a real name with more meaning. I can't seem to find any differences in the events as to why some are parsed out differently, so I'm not sure where to start looking for the problem. We would like the name field to not have "Agent Aggregate Event" and keep the true name. Device Custom String3 is the only difference I see in any of these events, but I don't see what that has to do with the name of the event. Any help would be great. I excluded real IPs and User Names for obvious reasons.

Thanks,

Grant


Accepted Solutions

Re: Agent Aggregate Event's wrong name


Hi!

So if you have Name added in the Aggregate event field, this should be fine and the names are kept.

I never saw anything related to the event count on that.

What does your event flow look like? Are you forwarding events? Because of course you have to set up aggregation on the very first connector. Let's say if you are forwarding events from logger, it makes no sense to aggregate on the connector from logger. You will have to add the "name" field at the very first connector, which creates the CEF Event.

BR Tobias


Re: Agent Aggregate Event's wrong name


Any help would be great!


Re: Agent Aggregate Event's wrong name


I have the same EXACT question.


Re: Agent Aggregate Event's wrong name


Hm?

Just add the fields "Name" and "Message" to the connector configuration at the parameter "Field names".

After that only events with the same name will be aggregated.

I'm pretty sure that for your example in 100 events there are differences in the name.

Also set the "Preserve Common fields". But I think you did already...

Cheers!


Re: Agent Aggregate Event's wrong name


Thanks for the screenshot, I'll look at the connectors a little more, but from what I had been told all the connectors have been set up the same. Is it possible that it would only do this when it hits the event count of 100, but less than that it will keep the name intact?

In the file I have posted there are events all coming from the same Agent. Some have the right name and some don't; also, some that don't have an Aggregate event count less than 100. I don't think that it can be a connector issue.


Re: Agent Aggregate Event's wrong name


Looks like the problem has been resolved. We had thought that the "name" was in the aggregation fields but it was not. I don't have permission to see the fields since I'm not an admin.


Re: Agent Aggregate Event's wrong name


If you have aggregation in the connector, disable it and it will work.
