john.robinson21 (Honored Contributor)

ArcSight Online Expert day - ArcMC WUC ?

Installed WUC SmartConnector 7.5.1 on ArcMC 2.6 in order to collect Windows events from all servers and DCs. Increased Java heap to min = 2048 and max = 4096, yet I am still getting connection up/down events every minute from multiple Windows hosts. ArcMC, Logger and ESM are all in the same subnet.

In agent.log I see numerous DCERPC Java exceptions for multiple hosts. Below is an example:

Successfully tested connection to host [NASBYPHYP02.GODIVA.CHOC.COM]
[2017-09-26 15:27:18,077][INFO ][default.com.arcsight.agent.au.ah][getPolicyHandle] set new log policy handler for host [NASBYPHYP02.GODIVA.CHOC.COM][ Security]
[2017-09-26 15:27:18,077][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException] Could not create policy handle to open the event log for reading for host [NASBYPHYP02.GODIVA.CHOC.COM][Security]
[2017-09-26 15:27:18,077][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException]
java.io.IOException: DCERPC pipe is no longer open
    at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:63)
    at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:190)
    at com.arcsight.agent.au.ah.a(ah.java:1835)
    at com.arcsight.agent.au.ah.a(ah.java:1816)
    at com.arcsight.agent.au.ah.d(ah.java:1668)
    at com.arcsight.agent.au.ah.a(ah.java:1517)
    at com.arcsight.agent.au.ah.a(ah.java:2246)
    at com.arcsight.agent.au.ah.run(ah.java:740)
    at java.lang.Thread.run(Thread.java:745)

Marijo Mandic (Acclaimed Contributor)

Hello,

1) When you see "java.io.IOException: DCERPC pipe is no longer open" it could mean:
a) network connectivity loss to the Windows host
b) Windows host down
c) event log service issues on the Windows host
d) possible high latency in network

2) What you could check:
a) how many Windows hosts you have in SmartConnector (up to 50 Windows hosts and up to 500 EPS, not combined but each condition)
b) what is the ping between SmartConnector host and Windows host (like 50 ms)
c) how many hops there are between SmartConnector host and Windows host (less than 5 recommended)

3) You could try the user that you are using on the SmartConnector on some computer in your network, to see if you can connect to a remote computer via Event Viewer and see the Application, Security and System logs.
https://technet.microsoft.com/en-us/library/cc766438(v=ws.11).aspx

If you cannot see them, then the user has permission issues. Also, Security logs require the least permissions, so you could try to modify the SmartConnector to collect only Security logs to see if this works and then build on it.

4) Also, as an option, you can create a Service Request and work with ArcSight Technical Support.

Regards,

Marijo
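
Added example, not part of the post above and not ArcSight tooling: a small Python summary of agent.log that counts the "Could not create policy handle" errors and the "DCERPC pipe is no longer open" exceptions per Windows host, so the hosts that flap repeatedly can be checked first against the list above. It assumes the log layout quoted in the question; the sample lines and host names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the agent.log layout quoted in the question; hosts are made up.
SAMPLE_LOG = """\
[2017-09-26 15:27:18,077][INFO ][default.com.arcsight.agent.au.ah][getPolicyHandle] set new log policy handler for host [HOSTA.EXAMPLE.COM][ Security]
[2017-09-26 15:27:18,077][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException] Could not create policy handle to open the event log for reading for host [HOSTA.EXAMPLE.COM][Security]
[2017-09-26 15:27:18,077][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException]
java.io.IOException: DCERPC pipe is no longer open
                at jcifs.dcerpc.DcerpcPipeHandle.doSendFragment(DcerpcPipeHandle.java:63)
[2017-09-26 15:28:19,410][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException] Could not create policy handle to open the event log for reading for host [HOSTA.EXAMPLE.COM][System]
[2017-09-26 15:28:19,410][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException]
java.io.IOException: DCERPC pipe is no longer open
[2017-09-26 15:28:40,002][ERROR][default.com.arcsight.agent.au.ah][logOpenEventLogException] Could not create policy handle to open the event log for reading for host [HOSTB.EXAMPLE.COM][Security]
"""

OPEN_FAIL = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+),\d+\]\[ERROR\s*\]\[[^\]]+\]\[logOpenEventLogException\] "
    r"Could not create policy handle .*? for host \[(?P<host>[^\]]+)\]\[\s*(?P<log>[^\]]+)\]")
PIPE_CLOSED = "java.io.IOException: DCERPC pipe is no longer open"

def summarize(text):
    """Per host: failed event-log opens, affected logs, pipe-closed exceptions, first/last time."""
    stats = defaultdict(lambda: {"open_failures": 0, "pipe_closed": 0,
                                 "logs": set(), "first": None, "last": None})
    current = None  # host of the most recent open failure; its stack trace follows it
    for line in text.splitlines():
        m = OPEN_FAIL.match(line)
        if m:
            current = m["host"]
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            s = stats[current]
            s["open_failures"] += 1
            s["logs"].add(m["log"])
            s["first"] = s["first"] or ts
            s["last"] = ts
        elif line.strip() == PIPE_CLOSED and current:
            stats[current]["pipe_closed"] += 1
            current = None  # count each exception once
    return dict(stats)

def worst_hosts(stats, min_failures=2):
    """Hosts with repeated open failures, most failures first."""
    hits = [(h, s["open_failures"]) for h, s in stats.items() if s["open_failures"] >= min_failures]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    print(worst_hosts(summarize(SAMPLE_LOG)))
```

To run it against a real connector, pass the contents of agent.log to summarize() instead of SAMPLE_LOG.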

hatemware (Super Contributor)

Hi Marijo

Regarding your point - a) how many Windows hosts you have in SmartConnector (up to 50 Windows hosts and up to 500 EPS, not combined but each condition)

Could you please explain in more detail the above point and advise

- What is the maximum EPS per Windows host and maximum combined EPS that WUC could handle?

- Also, does this apply to ArcMC only or to a software SmartConnector installed on a Windows Server, for example?

BR,

Hatem

Marijo Mandic (Acclaimed Contributor)

Hello Hatem,

I apologize for the delay, it seems that I did not get a notification about your update or I unfortunately missed it.

1) The SmartConnector that is used on the ArcMC Appliance and the one that you can install using the bin or exe file are the same framework, no difference. The difference is that on the ArcMC Appliance the SmartConnector is hosted locally on the appliance and you can have multiple SmartConnectors in the same Container (this is a JVM process). When using a standalone SmartConnector install, only 1 SmartConnector is supported per JVM.

2) As I mentioned to John in this thread, please see this presentation about the WUC SmartConnector. It will help with your understanding of this framework.

Regards,

Marijo

john.robinson21 (Honored Contributor)

Hello,

Sorry for the delay. I have 243 servers collecting security, application and system events from one connector on ArcMC, with field-based aggregation of 10 seconds and 30 events. The EPS is about 150.

Marijo Mandic (Acclaimed Contributor) [Accepted Solution]

Hello John,

I was going to write a longer update, but then I remembered that we have this excellent resource for the WUC SmartConnector.

This will probably cover all your questions and explain how the SmartConnector works.

Please go to this link, download the ZIP file and see the presentation "1019 - HP ArcSight Windows Unified Connector a look under the hood.....":
https://community.saas.hpe.com/t5/Past-Protect-Event-Resources/HP-Protect-2012-zip/td-p/1585145

Regards,

Marijo

john.robinson21 (Honored Contributor)

Thank you!

Very useful. Do you know by chance if the setting "windowsfg.jcifs.smb.client.soTimeout" is already in the agent.properties file or another file on the connector, or do we have to manually add it in?

Best,

Marijo Mandic (Acclaimed Contributor)

Hello John,

If you did not test it in the meantime (I was out of office), you will have to add it to agent.properties.

Regards,

Marijo
