Cadet 1st Class

Assets enumeration

Hi,

I'm trying to create a rule to place in an active list the name and the IP address of every device that sends events to our manager.

I'm using this filter:

Event
|
|-And
|---Agent Name != Manager Internal Events
|-Or
|--Device Host Name Is NOT NULL
|--Device Address Is NOT NULL

When I use this filter in an active channel, it works fine, but when I put this filter in a rule without any aggregation it doesn't work.

Any suggestions?

Thanks in advance.

Vice Admiral

Hi,

Have you moved/linked/copied the rule under Real-time Rules?

BR,

Thomas

Cadet 1st Class

Yes, I have created it under Real Time.

I have it enabled but the icon seems to be disabled. When I right-click on the rule I can only choose Disable rule.

Vice Admiral

Hi,

Maybe you got a loop. Can you tell me what your ultimate goal is? Did you check if what you want to achieve is covered by some default content already?

This looks like a very generic rule which will have to evaluate a lot of events. Maybe you can do this by enabling "Device Status Monitoring" in the connector and only correlate on these generated events. You should get a status event with a counter on how many events each device created for the timespan you configure in this device monitoring. And you can create a rule which takes these events and adds the devices to the AL.

BR,

Thomas

Admiral

You should aggregate on device host name and device IP.

You should optimize your rule by doing a check in the condition tab to avoid having an entry added to your AL if the entry already exists in this AL.

You should put something like "type != correlation" in the condition tab to avoid loops.

When it's done, if your AL is not populating properly, could you check whether the rule is triggering or not? (Create a filter with generatorID = ruleID.)

Let us know the result

Absent Member.

Hi everyone! I've moved this thread to the Interact area as more of the question and answer activity is happening in Interact. I have also added some tags to the original post so that the thread is categorized under the ESM topic.

Cheers!

Trisha

Cadet 1st Class

I aggregate on those fields and now I have the rule working, but every address in the AL comes from Agent Name = Manager Internal Agent.

I want to know the name or the IP address of every device behind each connector, so I put a new condition: Agent Name != Manager Internal Agent, but the same Agent Name is still appearing.

Any ideas?

Attached are 2 pictures with the rule conditions and the AL content.

Thanks

Vice Admiral

Did you aggregate on agent name also? What you aggregate on usually gets populated in the correlated event, except for some event fields which you can use for aggregation but are not populated -> in the "aggregate" window look out for the fields written in italics.

Look here for some specialty with aggregation:

https://protect724.arcsight.com/message/5453#5453

Absent Member.

Try copying the filter into an active channel and use that to find out what details the rule is finding.

Also, you have an OR condition on device host/address, so what if both are not null? Then I do not think the rule will fire. Copy the conditions in your rule to see what events match.

Absent Member.

Hi,

I know this issue with Manager Internal Agent.

Try to use Device Vendor != ArcSight instead.

Regards.

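The rule logic discussed above (aggregate on device host name and address, skip entries already in the AL, add type != correlation against loops, and the last reply's Device Vendor != ArcSight) as an added Python model. This is not ArcSight's rule engine and not code from any poster; the dict field names and the sample events are constructed assumptions, including the correlation event with an empty agent name used to reproduce the symptom the original poster describes.

```python
MANAGER_INTERNAL_AGENT = "Manager Internal Agent"


def original_filter(ev):
    """The poster's filter: drop manager-internal events, then require a
    device host name OR a device address (constructed model of the ESM logic)."""
    if ev.get("agentName") == MANAGER_INTERNAL_AGENT:
        return False
    return ev.get("deviceHostName") is not None or ev.get("deviceAddress") is not None


def hardened_filter(ev):
    """Original filter plus the thread's two extra conditions:
    type != Correlation (no loop on the rule's own output) and
    deviceVendor != ArcSight (drops ESM-generated events regardless of agent name)."""
    if not original_filter(ev):
        return False
    if ev.get("type") == "Correlation":
        return False
    return ev.get("deviceVendor") != "ArcSight"


def populate_active_list(events, rule, active_list=None):
    """Aggregate on (deviceHostName, deviceAddress): each distinct pair that
    passes the rule is added once; a pair already in the list is skipped,
    which is the 'check the AL in the condition tab' step from the thread.
    Returns (active_list, number_of_new_entries)."""
    active_list = {} if active_list is None else active_list
    added = 0
    for ev in events:
        if not rule(ev):
            continue
        key = (ev.get("deviceHostName"), ev.get("deviceAddress"))
        if key in active_list:
            continue
        active_list[key] = ev.get("agentName")
        added += 1
    return active_list, added


# Constructed sample events, using ESM-style field names as plain dict keys.
SAMPLE_EVENTS = [
    {"agentName": "fw-conn", "deviceHostName": "fw01", "deviceAddress": "10.0.0.1", "deviceVendor": "Cisco", "type": "Base"},
    {"agentName": "fw-conn", "deviceHostName": "fw01", "deviceAddress": "10.0.0.1", "deviceVendor": "Cisco", "type": "Base"},
    {"agentName": "syslog-conn", "deviceHostName": None, "deviceAddress": "10.0.0.7", "deviceVendor": "Linux", "type": "Base"},
    {"agentName": MANAGER_INTERNAL_AGENT, "deviceHostName": "esm", "deviceAddress": "10.0.0.100", "deviceVendor": "ArcSight", "type": "Base"},
    # Constructed: the rule's own correlation event with an empty agent name, so
    # 'Agent Name != Manager Internal Agent' does not stop it (the symptom in the thread).
    {"agentName": None, "deviceHostName": "esm", "deviceAddress": "10.0.0.100", "deviceVendor": "ArcSight", "type": "Correlation"},
    {"agentName": "syslog-conn", "deviceHostName": None, "deviceAddress": None, "deviceVendor": "Linux", "type": "Base"},
]

if __name__ == "__main__":
    print(populate_active_list(SAMPLE_EVENTS, original_filter))  # 3 entries, incl. the ESM host
    print(populate_active_list(SAMPLE_EVENTS, hardened_filter))  # 2 entries, real devices only
```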