Karl2 Super Contributor.

Alert when a connector has zero events


Dear All,

I want to be alerted when a connector has zero events, so I have created a rule (where I specify the connector and device vendor). I have also added an action to send a notification to a notifier's group.

The 'problem' is that the rule's condition is not enough. What other fields should be included in the rule? Is a rule the right way to do it?

Thanks in advance,

Best regards,

Karl.

lless Acclaimed Contributor.

Re: Alert when a connector has zero events


Try to read about the connector options (processing) "Preserve System Health Events" and "Enable Device Status Monitoring"

vivekvenu188 Absent Member.

Re: Alert when a connector has zero events


Hello,

This condition should help.

Event Name = Monitor Event

Device Custom Number 1 <= 0

Device Vendor = ArcSight

Type = Base

Device Event Class ID = monitor:104

In the Action specify notification as below to get the connector name displayed in the alert.

Connector $fileName is down.

Regards,

Vivek

Karl2 Super Contributor.

Re: Alert when a connector has zero events


Hi Vivek,

Where do you find Event Name? (I only find Event ID.)

Also, I think that Device Vendor should be different than ArcSight: Device Vendor != ArcSight.

Why do you use these fields?

     Type = Base

     Device Event Class ID = monitor:104

Thanks in advance Vivek,

Regards,

Karl.

vivekvenu188 Absent Member.

Re: Alert when a connector has zero events


Hi Karl,

Sorry, it's my bad.

It is the Name field in ArcSight and not Event Name.

monitor:104 is an ArcSight internal monitor event which helps in detecting the connector event rate.

If Device Custom Number 1 <= 0 and Device Event Class ID = monitor:104, then it means the connector is receiving no events from the end devices.

Kindly use this condition in an active channel and view the events; you will understand.

Regards,

Vivek
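
The condition from Vivek's two posts above, applied to a few constructed events, as an added example that is not part of the original thread and is not ArcSight code. It assumes the monitor events are available as CEF lines, with `cn1` carrying Device Custom Number 1 and `fname` carrying File Name; the function names and sample values are made up for illustration.

```python
import re

# Constructed sample events (not captured from a real ESM). In the CEF header,
# field 5 is the Device Event Class ID and field 6 is the Name.
# "other:000" is a placeholder class ID, not a real ArcSight value.
SAMPLE_EVENTS = [
    "CEF:0|ArcSight|ArcSight|0.0.0|monitor:104|Monitor Event|3|cn1=0 fname=Firewall Syslog Connector",
    "CEF:0|ArcSight|ArcSight|0.0.0|monitor:104|Monitor Event|3|cn1=42 fname=Windows Connector",
    "CEF:0|ArcSight|ArcSight|0.0.0|other:000|Monitor Event|3|cn1=0 fname=Windows Connector",
    "CEF:0|ArcSight|ArcSight|0.0.0|monitor:104|Monitor Event|3|fname=Proxy Connector",
    "CEF:0|ExampleVendor|Firewall|1.0|100|deny|5|cn1=0 fname=none",
]

HEADER_KEYS = ("deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")

def parse_cef(line):
    """Split a CEF line into header fields plus extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    event = dict(zip(HEADER_KEYS, parts[1:7]))
    # Extension values may contain spaces, so read up to the next " key=".
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        event[m.group(1)] = m.group(2)
    return event

def is_silent_connector(ev):
    """Name, vendor, class ID and rate checks from the posted condition.
    Type = Base is an ESM-side field with no CEF header slot; it is
    assumed true for every sample line."""
    try:
        rate = float(ev.get("cn1", ""))
    except ValueError:
        return False  # a missing rate is not the same as a zero rate
    return (ev.get("deviceVendor") == "ArcSight"
            and ev.get("name") == "Monitor Event"
            and ev.get("deviceEventClassId") == "monitor:104"
            and rate <= 0)

def silent_connectors(lines):
    """Build the notification text, naming the connector from File Name."""
    alerts = []
    for line in lines:
        ev = parse_cef(line)
        if ev and is_silent_connector(ev):
            alerts.append(f"Connector {ev.get('fname', '<unknown>')} is down.")
    return alerts

if __name__ == "__main__":
    print("\n".join(silent_connectors(SAMPLE_EVENTS)))
```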

Karl2 Super Contributor.

Re: Alert when a connector has zero events


Thanks a lot, Vivek!

I used it on an AC, and now I understand it.

The rule is working properly. The only thing is that when I use $fileName in the message, it sends me the rule's name and not the "File Name" field (where the connector's name appears). Do you know how to show it properly?

Anyway, your answer was very helpful; again, thanks!

Regards,

Karl.

Arun0106 Contributor.

Re: Alert when a connector has zero events


Hi,

Have you added the File Name field in the aggregation tab?

Thanks,

ArN

Karl2 Super Contributor.

Re: Alert when a connector has zero events


Hi Arun, thanks for the answer.

Honestly, I didn't do it,

but I have added it and the result is the same (on rules, the aggregation tab is quite different, I think with another meaning).

Anyway, I have realized why it sends me the rule's name in file name: because it is, on this event (of the rule).

I mean, the file name I want is inside "Monitor event" (when I click on it, it shows me the event related to the connector which has zero events, and its name appears in file name).

I tried with $monitorEvent.fileName and $event1.fileName, but it doesn't work. Does anyone know how to proceed?

Thanks in advance.

Karl.

Karl2 Super Contributor.

Re: Alert when a connector has zero events


On the ESM we can see it too:

We can test the rule with events on an AC, so I have the following event:

simple.png

In the email, I have fields related to this event (related to the rule, not to the events that triggered the rule).

If we right-click on it > detailed chain, we can see the event I want (the Name is MonitorEvent):

due.png

In this MonitorEvent's fields, I can find the file name of the connector with zero events:

trie.png

So the big question is: how can I access this 'File Name' from the rule? I want to send the connector's name (this file name) in the notification.

Thanks in advance,

Karl.

tammy.torbert@h1 Honored Contributor.

Re: Alert when a connector has zero events


Have you tried aggregating the file name field in your rule?

Karl2 Super Contributor.

Re: Alert when a connector has zero events


Hi,

Actually on conditions I have: File Name is NOT NULL:

conds.png

And in the aggregation fields, I added file name too,

but it still doesn't work (it still sends me the rule's name).

Do you have any suggestions?

Best regards,

Karl.

hisangwon1 Absent Member.

Re: Alert when a connector has zero events


Is there a way to trigger an event when a specific device (by Device IP Address or Device Host Name) receives zero events?

Any response would be helpful.

Thank you

OBSCyril Frequent Contributor.

Re: Alert when a connector has zero events


Hello,

You can try to

- create a variable using the "alias field" function that will be aliased to the "File Name" field.

- create a "Set Event Field" action that will put this variable in a field (like deviceCustomString1 or flexString1)

- use this field in the notification.

Karl2 Super Contributor.

Re: Alert when a connector has zero events


Hi,

The idea is fine (I hope it'd work), but I have tried to do it in this way:

I created a variable called "nomConn" (which just uses the function to_upper(file name)),

and on actions, I chose set event field actions: deviceCustomString1 = $nomConn

But then in deviceCustomString1 I have "$nomConn".

Also I tried deviceCustomString1 = nomConn, but it sends me "nomConn".

Maybe this is too simple, but IDK how to put it properly.

Best regards.

Karl.

OBSCyril Frequent Contributor.

Re: Alert when a connector has zero events


Have you added the $nomConn variable in the aggregation tab?
