Lieutenant Commander

Check Events Received

Hi Guys,

I have a connector that receives TCP data on a port, let's say for this example port 514.

Now the connector is working and receiving TCP logs, and then we have an outage in the network. How can we see if the connector at that time received any TCP logs?

If I look in the agent.log file I can see that the connector can't communicate with the manager because of the network outage, but how can I check whether during this outage the connector received any logs, or none at all?

Surely there must be a log that will show the TCP ACK as failed, seeing that it is TCP data and not UDP.


If I understand you correctly, you can add a new csv destination or check what is in connector's cache.

Lieutenant Commander

No, what I was trying to explain is as follows.

Logsource -> TCPlogs -> Connector -> ESM

Now the connection between the logsource and the connector drops. How can you see this in the connector logs? Is there something like "TCP ACK failed", or ET is 0, or EPS=0? What do you check to confirm this?

Fleet Admiral

If the connection is lost between the connector and the ESM then you will see a growth of .queue and .cache files in your agentdata folder on the connector.

If you want to monitor the logsources, in case any of them stops sending data to your connector due to an outage, then there is a health monitoring option.

From ESM, open up the specific connector, go to configuration, and set health checking to true (it should be almost at the bottom).

That way, the connector will send a health event to the ESM, per interval you set, for every logsource that has ever sent data to the connector.

You can then have rules in ESM like:

If auditid: agent:043, product is not arcsight and time since last received event is larger than X minutes/hours/days, then create an event.

If you don't want an event, you can also just monitor this manually during an investigation by creating a channel that filters out all events except agent:043 events on that connector, for that specific IP/hostname.

There is also documentation around about device monitoring setups; there is even a built-in one in ESM if you want to use that.

All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
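The two checks described in the reply above (a per-logsource "time since last received event" rule over agent:043 health events, and watching .queue/.cache growth in the agentdata folder) can be prototyped outside ESM. The following is an added example written for this thread, not code from the original posts or from ArcSight. The record layout of the health events is an assumption: the real ESM schema is not shown in the thread, so the sample uses CEF-style field names (deviceEventClassId, deviceProduct, deviceAddress) plus an assumed lastEventTime field, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

HEALTH_CLASS_ID = "agent:043"  # health-event class id named in the thread


@dataclass(frozen=True)
class HealthEvent:
    """Simplified connector health record (constructed schema, not ArcSight's)."""
    received_at: datetime          # when ESM received this health event
    device_event_class_id: str     # "agent:043" marks connector health events
    device_product: str            # product of the logsource the record describes
    device_address: str            # IP/hostname of that logsource
    last_event_time: datetime      # assumed: last event seen from that logsource


def stale_logsources(events: Iterable[HealthEvent], now: datetime,
                     threshold: timedelta) -> Dict[str, timedelta]:
    """Mirror of the ESM rule from the reply: for each non-ArcSight logsource,
    take its most recent agent:043 record and flag it when the time since the
    last received event exceeds the threshold. Returns {address: silence}."""
    latest: Dict[str, HealthEvent] = {}
    for ev in events:
        if ev.device_event_class_id != HEALTH_CLASS_ID:
            continue                      # ordinary events are not health records
        if ev.device_product.lower() == "arcsight":
            continue                      # rule excludes the connector's own product
        prev = latest.get(ev.device_address)
        if prev is None or ev.received_at > prev.received_at:
            latest[ev.device_address] = ev  # keep only the newest record per source
    return {addr: now - ev.last_event_time
            for addr, ev in latest.items()
            if now - ev.last_event_time > threshold}


def queue_growth(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Compare two snapshots of the agentdata folder ({filename: size in bytes})
    and report .queue/.cache files that grew or appeared; growth there indicates
    the connector is buffering because it cannot reach ESM."""
    growth = {}
    for name, size in after.items():
        if not (name.endswith(".queue") or name.endswith(".cache")):
            continue
        delta = size - before.get(name, 0)
        if delta > 0:
            growth[name] = delta
    return growth


# Constructed sample data (not real ESM output).
NOW = datetime(2021, 3, 1, 12, 0)
SAMPLE_EVENTS = [
    # firewall still sending: last event 6 minutes ago
    HealthEvent(datetime(2021, 3, 1, 11, 55), HEALTH_CLASS_ID, "Firewall",
                "10.0.0.5", datetime(2021, 3, 1, 11, 54)),
    # switch went quiet at 10:30; an older and a newer health record agree
    HealthEvent(datetime(2021, 3, 1, 10, 40), HEALTH_CLASS_ID, "Switch",
                "10.0.0.9", datetime(2021, 3, 1, 10, 30)),
    HealthEvent(datetime(2021, 3, 1, 11, 55), HEALTH_CLASS_ID, "Switch",
                "10.0.0.9", datetime(2021, 3, 1, 10, 30)),
    # connector's own product: excluded by the rule even though it is old
    HealthEvent(datetime(2021, 3, 1, 11, 55), HEALTH_CLASS_ID, "ArcSight",
                "10.0.0.1", datetime(2021, 3, 1, 8, 0)),
    # a non-health event with a placeholder class id: ignored
    HealthEvent(datetime(2021, 3, 1, 11, 58), "example:001", "Firewall",
                "10.0.0.5", datetime(2021, 3, 1, 11, 58)),
]

# Constructed agentdata snapshots taken a few minutes apart during an ESM outage.
SNAPSHOT_BEFORE = {"agent.log": 120_000, "events.queue": 4_096, "1.cache": 0}
SNAPSHOT_AFTER = {"agent.log": 121_000, "events.queue": 65_536,
                  "1.cache": 32_768, "2.cache": 16_384}


def run_checks() -> Tuple[Dict[str, timedelta], Dict[str, int]]:
    """Run both checks over the constructed samples."""
    return (stale_logsources(SAMPLE_EVENTS, NOW, timedelta(minutes=30)),
            queue_growth(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))


if __name__ == "__main__":
    stale, growth = run_checks()
    for addr, silence in stale.items():
        print(f"no events from {addr} for {silence}")
    for name, delta in growth.items():
        print(f"{name} grew by {delta} bytes")
```

On the sample data the rule flags only 10.0.0.9 (silent for 90 minutes), while the firewall and the ArcSight-product record are left alone; the snapshot comparison reports growth in events.queue and the two .cache files, which is the signature the reply describes for a connector-to-ESM outage. In a real deployment the events would come from a channel filtered on agent:043 for the connector in question, and the snapshots from listing the agentdata folder on the connector host.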