Re: Assets enumeration - Micro Focus Community

Casadoc1 · ‎2009-09-09

Hi,

I´m trying to create a rule to place in an active list the name and the Ip address of every device that send events to our manager

I´m using this filter:

Event

|

|-And

|---Agent Name != Manager Internal Events

|-Or

|--Device Host Name Is NOT NULL

|--Device Address Is NOT NULL

When I use this filter in an active channel, it works fine, but when I put this filter in a rule without any aggregation it doesn´t work.

Any suggestions?.

Thanks in advance.

ThomasMeindl · ‎2009-09-09

Hi,

have you moved/linked/copied the rule under Real-time Rules?

BR,

Thomas

Casadoc1 · ‎2009-09-09

Yes, I have create it under Real Time.

I have it enable but the icon seems to be disable. When I make a right-click on the rule I can only choose Disable rule.

ThomasMeindl · ‎2009-09-09

Hi,

maybe you got a loop. Can you tell me what your ultimate goal is? Did you check if what you want to achieve is covered by some default content already?

This looks like a very generic rule which will have to evaluate a lot of events.. maybe you can do this by enabling "device Status Monitoring" in the connector and only correlate on this generated events. You should get an status event with a counter on how many events each device created for the timespan you configure in this device monitoring. And you can create a rule which takes this events and add the devices to the AL.

BR,

Thomas

GCA · ‎2009-09-09

you should aggregate on device host name and device IP

you should optimize your rule by doing a check in the condition tab to avoid having an entry added to your AL if the entry already exists in this AL

you should put something like "type != correlation" in condition tab to avoid loops

when it's done, if your AL is not populating properly, could you check that the rule is triggering or not ? ( create a filter with the generatorID = ruleID )

Let us know the result

tliu · ‎2009-09-10

Hi everyone! I've moved this thread to the Interact area as more of the question and answer activity is happening in Interact. I have also added some tags to the original post so that the thread is categorized under the ESM topic.

Cheers!

Trisha

Casadoc1 · ‎2009-09-10

I aggregate to those fields and now I have the rule working, but every address into the AL come from Agent Name = Manager Internal Agent.

I want to know the name or the Ip address of every device behind each conector so I put a new condition: Agent Name != Manager Internal Agent,

but still appearing the same Agent Name.

Any ideas?

Attached 2 pictures with the rule conditions and the AL content

Thanks

ThomasMeindl · ‎2009-09-10

did you aggregate on agent-name also? What you aggregate usually gets populated in the correlated event, unless some eventfields which you can use for aggregation but are not popoulated -> in the "aggregate"-window look out for the italic written fields.

look here on some specialty with aggregation:

https://protect724.arcsight.com/message/5453#5453

steven.taylor4@ · ‎2009-09-15

Try copying the filter into an active channel and use that to find out what details the rule is finding.

Also you have an OR condition on device host/address, so what if both are not null, then I do not think the rule will fire, copy the conditions in your rule to see what events match.

maor · ‎2009-09-15

Hi,

I know this issue with manager internal agent,

Try to use device vendor !=ArcSight insted

Regards.

Assets enumeration

ESM

Logger

Smart Connector