
Clean Notifications (from ESM)

Dear All,

We've been testing some rules (with "send notification" as the action; the notifications do not need to be acknowledged), and this rule fired many times.

As a result we received many notifications and the email "ArcSight - Discarding Notifications" (to prevent flooding). The question is: is the destination still disabled?

Also, as the destination was blocked, the rest of the notifications went to 'Notifications' (from ESM > Acknowledge Notifications), in the "Undeliverable" section. I understand this, but I'd like to clean this section. I selected the notifications in this section and clicked Acknowledge, but nothing happens; the notifications persist in this section. I also still have old notifications in the other sections. Is there a way to clean these sections?

The version I'm using is 5.0.1.

Best regards,

Karl.

Vice Admiral

Hi Richard,

Thanks for your reply. To sum up, what you do in this workaround is delete the notifications from the DB:

delete from arc_notification_history;   -- history rows first
delete from arc_notification_registry;  -- then the registry rows
commit;

However, first you have to stop the manager, and this is critical for us. Is there another way?

Regards.

Captain

Stop everything, then start MySQL - I had to do this this morning when clearing out the notifications.

This is how I did it (I was root at the time):

/etc/init.d/arcsight_services stop all        # stop every ArcSight service
/etc/init.d/arcsight_services start mysqld    # bring back only the database
su - arcsight
cd /opt/arcsight/logger/current/arcsight/bin
./mysql -u arcsight -p                        # prompts for the DB password

use arcsight;
set foreign_key_checks=0;   -- the two tables are linked by a foreign key; MySQL refuses to truncate a referenced table otherwise
truncate table arc_notification_history;
truncate table arc_notification_registry;
set foreign_key_checks=1;   -- re-enable the checks before leaving
exit

/etc/init.d/arcsight_services start all       # bring everything back up

Vice Admiral

Hi Rudy,

Thanks for your reply. I can appreciate that it is a similar solution: stop everything first, clear them directly from the database (in your case, MySQL), and then start it again. I also think that you did it on the Logger (I want to clear notifications from the ESM), but anyway thank you; it could be useful for others.

Is there a way to clean the notifications from the ESM that doesn't require stopping the services? (Stopping the manager is quite critical for us.)

Best regards,

Karl.

Captain

Karl,

This was ESM 6.5c. If you truncate the table while the database is running you may get some mismatches and corrupt the installation. I did this because we had over 50K entries per user that needed cleaning out, and it was much faster. It was only a few minutes of downtime and we just piled up the events. I am not sure how to do it in 5.0.

I think the previous replies above had it also. You can just do a delete SQL statement for matching events.

Good luck, let us know if you solved it so those after us can find the solution too!

Rudy

Vice Admiral

Hi Rudy,

I have realized that the notifications have gone, with no action taken! (At the beginning there were around 300.)

I think that depending on the threat priority the notifications expire sooner or later.

Thanks for your replies; I'll bear it in mind if it happens again (I hope not!). Also, we are planning to migrate to ESM 6.X, as 5.0 is going to be unsupported.

Best regards.

Captain

Hi Ruddylogger,

Your solution was very good. But I want to know if there is a way to increase the notification limit from 100 to 200 or more.

I tried some solutions, like setting the values in the server.properties file in /opt/arcsight/manager/config:

  1. notification.aggregation.max_notifications=200
  2. notification.aggregation.time_window=1d

But it didn't work. I have a software Logger, though it might work for an appliance Logger.

Can you help me regarding this, or does anybody have a solution for this?

Thanks in advance

Captain

Hi Amresh,

This should work for you, like you tried.

notification.aggregation.max_notifications=1000

I would just modify this one line and not add the time_window, as I think 1 day is the default.

You can look up the defaults in /opt/arcsight/manager/config/server.defaults.properties.

Remember you need to restart the manager after making these changes.

Rudy

Captain
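Rudy's answer above relies on values in server.properties overriding what is listed in server.defaults.properties, and Amresh notes that his key was absent from the defaults file. The Python below is an added example (not from this thread or from ArcSight) that parses both files in Java .properties syntax, shows which notification.aggregation.* value wins, and lists override keys with no counterpart in the defaults file, so a misspelled key is easy to spot; the file contents and the values in them are constructed samples, not a real installation's settings.

```python
import re

# key, optional '=' / ':' / whitespace separator, value
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comment lines, '=' or ':' (or
    whitespace) separators, trailing-backslash line continuations."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if logical is None:
            if not line or line[0] in "#!":
                continue              # blank or comment line
            logical = line
        else:
            logical += line           # continuation: leading blanks dropped
        if logical.endswith("\\"):
            logical = logical[:-1]    # line continues on the next one
            continue
        m = _KV.match(logical)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
        logical = None
    if logical is not None and (m := _KV.match(logical)):
        props[m.group(1)] = m.group(2).rstrip()   # file ended mid-continuation
    return props


def effective_settings(defaults_text, overrides_text,
                       prefix="notification.aggregation."):
    """Merge defaults with overrides; server.properties values win."""
    merged = parse_properties(defaults_text)
    merged.update(parse_properties(overrides_text))
    return {k: v for k, v in merged.items() if k.startswith(prefix)}


def unknown_override_keys(defaults_text, overrides_text):
    """Override keys absent from the defaults file, i.e. keys whose spelling
    cannot be checked against a documented default (often a typo)."""
    known = parse_properties(defaults_text)
    return sorted(k for k in parse_properties(overrides_text) if k not in known)


# Constructed sample file contents; not copied from a real ESM install.
DEFAULTS = """\
# server.defaults.properties (constructed sample)
notification.aggregation.time_window=1d
notification.aggregation.max_notifications=100
"""
OVERRIDES = """\
# server.properties (constructed sample; the second key is deliberately misspelled)
notification.aggregation.max_notifications=1000
notification.aggregation.time_windw=1d
"""

if __name__ == "__main__":
    print(effective_settings(DEFAULTS, OVERRIDES))
    print("override keys not in defaults:", unknown_override_keys(DEFAULTS, OVERRIDES))
```

Point the two constants at the real files' contents to check an actual manager configuration; remember that the manager still has to be restarted for changes to take effect, as Rudy says.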

Hi Rudy,

Thanks for your reply.

I want to make a point: this line (notification.aggregation.max_notifications=1000) was not present in the defaults properties file.

/opt/arcsight/manager/config/server.defaults.properties

I have added these two lines after seeing your answer, but nothing happened. My ESM is still disabled after 100 notifications, and then I have to truncate the table or wait for the next day.

I have Software ESM 6.8.

Could you please help me regarding this? I will be very thankful to you.

Regards

Amresh
