Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Hi,

Yes, it's already added in the aggregation fields.

Is this

     fieldCustom1 = $anotherField_or_Variable

the right way to assign values to a field?

Best regards,

Karl.

OBSCyril Frequent Contributor.

Re: Alert when a connector has zero events


I've only tried with the "alias field", but I don't see why it shouldn't be OK with the uppercase function.

In one of my real uses (extract from the XML package export):

On the Aggregation tab:

<GroupByClause>
  <Variable TableAlias="event1" Column="myOriginalAgentID" />  <!-- the variable -->
  <Variable TableAlias="event1" Column="originalAgentId" />    <!-- the field I want to extract from the event -->
</GroupByClause>

On the Action tab:

<SetEventField EventFieldName="deviceCustomString6" EventFieldValue="$myOriginalAgentID" />

On the Variables tab:

<DependentVariable FunctionName="alias_field" FieldName="myOriginalAgentID" FieldDisplayName="myOriginalAgentID">
  <FunctionFieldVariable Column="originalAgentId" />
</DependentVariable>

Hope this helps...

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Hi!

I just deleted it and did it again, and it's begun to work properly.

BTW, what other fields can I use to 'save' other info?

Thanks to all

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Hi Kevin,

I'd like to help you, but I don't know how to yet.

Maybe this can help you; on an active channel it'd be something like:

     target address = x.x.x.x and device vendor != ArcSight

If you get events, that device is receiving events; otherwise it is not.

On a rule it doesn't work because it needs events; if no events are received, the rule won't fire (that's why I opened this thread, but for connectors).

I'll try to investigate it; maybe someone here can help us.

Regards.

neil.desai@hpe Super Contributor.

Re: Alert when a connector has zero events


Have a rule update an active list. The active list should have a short expiration time. You update the active list with the system you want to track (host, connector, etc.). Then you have a second rule that triggers when an AL entry expires. This worked very well for us monitoring IDS, MS, syslog.

Neil

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Nice idea Neil,

But tell me, how can you specify in the conditions that an entry from an AL has expired?

Best regards.

neil.desai@hpe Super Contributor.

Re: Alert when a connector has zero events


There is an ArcSight internal event that is triggered when an AL entry expires. I don't remember the name of the events. You can create an active channel looking for ArcSight internal events and find them.

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Mmm, I'm looking but I don't find anything similar.

I only find events like these ones:

User deactivated the rule: xxx

Activating the rule xxx: The rule is under control

Deactivating the rule xxx: The number of Correlated alerts created is too high

I'd be glad if you could give us the internal name.

Thanks in advance Neil,

Best regards.

tammy.torbert@h1 Honored Contributor.

Re: Alert when a connector has zero events


Search for “audit events” in the online help, and you’ll get a list of them. I think the device event class id starts with activelist:.

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Hi,

Actually this is the event's name: "ActiveList entry expired"

But here comes another question: how can I know which entry has expired?

Regards

neil.desai@hpe Super Contributor.

Re: Alert when a connector has zero events


EventName starts with ActiveList or DeviceEventCategory starts with ActiveList. See if either of these works.

Create an Active list with a short TTL and when an entry expires open an active channel to look for it.

neil.desai@hpe Super Contributor.

Re: Alert when a connector has zero events


Look at the DeviceCustom Strings. You will get information on the AL name and the info that expired.

tammy.torbert@h1 Honored Contributor.

Re: Alert when a connector has zero events


Look at the device custom string values. You may have to use variables to parse out the fields in the list.

Karl2 Honored Contributor.

Re: Alert when a connector has zero events


Hi again,

I can see it in deviceCustomString4; the entry value appears there (I only have to apply substring functions).

Applied to my case, I can make a rule that inserts into the AL the names of the connectors that are 'up', and a second rule that triggers when an entry has expired.

Thanks a lot Neil; as I told you, it's a nice idea, and I hope to implement it properly.

Kevin, I hope that this could be useful for you.

Regards.

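The following is an added simulation, not ArcSight code and not anything posted in this thread, of the design Neil describes and Karl then adopts: rule 1 refreshes an active list entry for every connector that is still forwarding events, the list has a short TTL, and rule 2 fires on the "ActiveList entry expired" audit event and recovers the entry from deviceCustomString4. The `Event` and `ActiveList` classes, the timestamps, the connector names, and the `list=<name>|entry=<value>` layout of deviceCustomString4 are all constructed for the simulation; the real audit event layout is whatever your ESM version emits, which is why the thread needs substring functions to parse it.

```python
# Added simulation (not ArcSight code): models the 'TTL active list' approach from
# this thread for spotting a connector that has gone silent.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    end_time: int                 # constructed timestamps, in seconds
    device_vendor: str
    agent_name: str               # connector that forwarded the event
    name: str = ""
    device_custom_string4: str = ""


@dataclass
class ActiveList:
    """Constructed stand-in for an ESM active list whose entries carry a TTL."""
    name: str
    ttl_seconds: int
    entries: Dict[str, int] = field(default_factory=dict)   # entry -> last update time

    def upsert(self, entry: str, now: int) -> None:
        # Rule 1 action: re-adding an existing entry resets its TTL.
        self.entries[entry] = now

    def expire(self, now: int) -> List[Event]:
        """Remove entries whose TTL has elapsed and emit one audit-style event each.
        The 'list=<name>|entry=<value>' layout of deviceCustomString4 is constructed
        for this simulation; the real layout is what the thread's substring
        functions have to parse."""
        audit = []
        for entry, seen in sorted(self.entries.items()):
            expiry = seen + self.ttl_seconds
            if expiry <= now:
                del self.entries[entry]
                audit.append(Event(expiry, "ArcSight", "manager",
                                   "ActiveList entry expired",
                                   f"list={self.name}|entry={entry}"))
        return audit


def rule1_connector_up(ev: Event, al: ActiveList) -> None:
    """Rule 1: any event not generated by ArcSight itself proves its connector is up
    (the 'device vendor != ArcSight' condition from Karl's channel filter)."""
    if ev.device_vendor != "ArcSight":
        al.upsert(ev.agent_name, ev.end_time)


def rule2_entry_expired(ev: Event) -> Optional[Tuple[str, str]]:
    """Rule 2: match on EventName starting with 'ActiveList' (Neil's suggestion) and
    recover (list name, entry value) from deviceCustomString4."""
    if not ev.name.startswith("ActiveList"):
        return None
    parts = dict(item.split("=", 1) for item in ev.device_custom_string4.split("|"))
    return parts["list"], parts["entry"]


def detect_silent_connectors(events: List[Event], ttl_seconds: int,
                             sweep_until: int) -> List[Tuple[str, int]]:
    """Replay events in time order and return (connector, expiry time) per alert.
    Expiry is checked whenever an event arrives and once more at sweep_until, so a
    connector that stays silent is still reported even if nothing else arrives."""
    al = ActiveList("Connectors_Up", ttl_seconds)
    alerts: List[Tuple[str, int]] = []

    def sweep(now: int) -> None:
        for audit_ev in al.expire(now):
            hit = rule2_entry_expired(audit_ev)
            if hit and hit[0] == al.name:      # only entries from our own list
                alerts.append((hit[1], audit_ev.end_time))

    for ev in sorted(events, key=lambda e: e.end_time):
        sweep(ev.end_time)
        rule1_connector_up(ev, al)
    sweep(sweep_until)
    return alerts


# Constructed sample traffic: two connectors report at t=0, only conn-fw-01 keeps
# reporting, and an ArcSight internal event at t=250 must not refresh anything.
SAMPLE_EVENTS = [
    Event(0, "Cisco", "conn-fw-01"),
    Event(0, "Microsoft", "conn-win-02"),
    Event(100, "Cisco", "conn-fw-01"),
    Event(200, "Cisco", "conn-fw-01"),
    Event(250, "ArcSight", "manager", "Rule activated"),
]

if __name__ == "__main__":
    for connector, when in detect_silent_connectors(SAMPLE_EVENTS, 150, 300):
        print(f"silent connector: {connector} (entry expired at t={when})")
```

With a 150-second TTL, conn-win-02 is reported as expired at t=150 while conn-fw-01 stays in the list because each of its events resets the TTL. Two points from the simulation carry over to a real deployment: the TTL has to be longer than the quietest normal gap between a connector's events, or you alert on every lull, and the expiry alert only identifies a connector that was seen at least once, so a connector that never sent anything is never added and never expires.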
pganguly1 Absent Member.

Re: Alert when a connector has zero events


Hi Karl,

Can you please share a screenshot of the rule with the aggregation tab etc.?
