zargaran Honored Contributor.

ArcSight ESM active channel is empty with no error!

Dear all,

I have a Logger and ESM in version 5.x and everything is working fine with no errors. Event output in Logger is configured fine, and the connector created in the ESM navigator has status running. But in an untitled channel created with no filter from the Logger connector, I do not have any input events and the channel is empty!

Also, EPS out in Logger is 0!

Why?

I do not have any error log in the system messages!

Can anybody help me with it?

Sample screens of the current status:

esm1.png

logger1.png

BR

Amir

pbrettle Acclaimed Contributor.

Re: ArcSight ESM active channel is empty with no error!

I am not entirely sure you should see any events using this approach anyway. Maybe someone else can try in their situation, but the Logger connector isn't a connector as such and hence doesn't necessarily have the same functionality. In this situation you are actually creating an active channel with the agentId set to the resource ID of the connector itself. Since it's not a normal connector, I am not sure that you will see data this way.

The better way would be to confirm that you are getting data forwarded from the Logger and then check in the logs for this that it is setting the agentId field. If so, we can double check that later, but I would be digging into the events forwarded out and seeing what is in them first before getting too worried.

zargaran Honored Contributor.

Re: ArcSight ESM active channel is empty with no error!

Dear Paul,

It's a very simple case. Two days ago it was working very well and without any problem.

In the Logger I added a certificate generated from ESM. After that I also created an ESM destination successfully. Therefore this connector was created automatically. When I right-clicked on the Logger and created a channel with an agentId filter, all events were displayed nicely. But after 2 days had passed, the channel was empty!

I was thinking the archive management is damaged or data_event does not have any free space. But I do not have any log indicating this as the reason.

TsNik1 Super Contributor.

Re: ArcSight ESM active channel is empty with no error!

Hello Amir!

Could you provide a screenshot with EPS in/out from your Logger, and check your Forwarders' queries?

zargaran Honored Contributor.

Re: ArcSight ESM active channel is empty with no error!

Hi Nikita,

I will send it to you ASAP.

BR

Amir

varunraaj Honored Contributor.

Re: ArcSight ESM active channel is empty with no error!

Hi Amir,

In the screenshot I could see it to be a getStatus event. Please check for a traffic event.

Regards,

Varun P G

zargaran Honored Contributor.

Re: ArcSight ESM active channel is empty with no error!

Dear Varun,

I reinstalled ArcSight Manager again and it was solved.

Everything in the previous config seemed correct, but I can't find any solution or any reason why all channels were empty.


BR

Amir
