Highlighted
rburra251 Absent Member.
Absent Member.
678 views

Arcsight ESM unable to load event details

hi all,

arcsight manager is unable to load event details in the active channel.

device has enough disk space  as below

[root@ manager]# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/sda3             545G   21G  497G   5% /

tmpfs                 127G     0  127G   0% /dev/shm

/dev/sda1             976M   61M  864M   7% /boot

/dev/mapper/arcarchivep1

                      5.3T  4.8T  247G  96% /opt/archive

/dev/md0              5.4T  2.5T  2.6T  50% /opt/arcsight

all the services in the manager are up and running

we are running ESM version 6.8 and all the events most of the event are forwarded to ESM from logger appliances.

[root@ manager]# /etc/init.d/arcsight_services status

Build versions:

        esm:6.8.0.2108.2(BE2108)

        storage:BL1713

        process management:6.8-1763

        installer:6.8-1763

aps service is available

arcsight_web service is available

execprocsvc service is available

logger_httpd service is available

logger_servers service is available

logger_web service is available

manager service is available

mysqld service is available

postgresql service is available

i have checked the log files for any errors but, i couldn't get much information related to database or any other issue.

please see screenshot below

active channel.JPG

could some one help me with possible root cause of this issue and if I'm missing something here ?

Thanks,

Rahul

Labels (3)
0 Likes
5 Replies
rburra251 Absent Member.
Absent Member.

Re: Arcsight ESM unable to load event details

also,
i could see temporary table deletion and purging of tables in the log files but nothing related to database connectivity.

0 Likes
sujansures Absent Member.
Absent Member.

Re: Arcsight ESM unable to load event details

Hi ​, if this is happening only with the databases, try installing and populating a test scenario with some demo logs. There might also be a possibility in the connector's push and pull! (i doubt)

Thanks.

0 Likes
rburra251 Absent Member.
Absent Member.

Re: Arcsight ESM unable to load event details

Hi Sujan,

thanks for the response but, i don't have any test system to populate test logs and check if it works. besides the connector push and pull do u have idea why this issue occurs in general ?

Thanks,

Rahul

0 Likes
sujansures Absent Member.
Absent Member.

Re: Arcsight ESM unable to load event details

Hi ​,

Basically, a scenario may happen where, due to low disk space the connector will cache the logs and would populate them at once. In these kind of cases the logs might not populate properly! But here, in this case (hoping this is not a PE) I would suggest you to check the log sources first and then restart the connector service if possible.

Awaiting the result

0 Likes
rburra251 Absent Member.
Absent Member.

Re: Arcsight ESM unable to load event details

hi sujan,

thanks for your response.

the issue got resolved now. we had to create a duplicate channel and the events details started displaying in the new active channel but, i was unable to find the exact root cause of this issue

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.