Configure Notification Threshold

Guys,

I have a couple of rules that generate notifications that are sent to different destinations.

I keep getting the following message:

"You have received 100 notifications within 24 hours. This destination will temporarily be disabled to prevent flooding. Please visit the ArcSight notification page to view/acknowledge your notifications (if they need acknowledging). If you have not configured Acknowledgement of Notifications then you may contact Administrator to reconfigure notification thresholds."


Once this message arrives, no one receives notifications via email anymore. I would like to bump it up from 100 to 200. How do I reconfigure the notification thresholds? I can't seem to find any useful documentation for this.

Accepted Solutions

Hi Casey,

You need to set the following parameters to meet your requirements:

notification.aggregation.max_notifications=100

notification.aggregation.time_window=1d

The first one is the threshold, which you have already met, and the other is the duration of the notification disabling. You should set these values in server.properties, which is located in /opt/arcsight/manager/config.

Regards,

Michel

What technology are you referencing? ESM, Logger, ArcMC?

ArcSight Express

1) Log in to the console on the Express.

2) Back up and then edit '/opt/arcsight/manager/config/server.properties'


3) Modify/add the following properties:

notification.aggregation.max_notifications=100

notification.aggregation.time_window=1d

4) Save the server.properties file


5) Restart the Manager Service

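Steps 2 to 4 above as a script, added here as an example; it is not part of the original post or of ArcSight's own tooling. It assumes server.properties holds one key=value pair per line; the function names and the sample file are made up for illustration, 200 is the value the original question asks for, and the Manager restart in step 5 is left to the operator.

```shell
#!/bin/sh
# Added example: back up a properties file, then set the two notification
# properties without duplicating keys. Assumes plain key=value lines.

# Copy the file aside with a timestamp suffix; print the backup path.
backup_props() {
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Rewrite the first line for the key, drop later duplicates, append if absent.
# Commented-out lines (#key=...) are left untouched.
set_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { if (!seen) { print k "=" v; seen = 1 }; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the original owner and mode
}

# Print the current value of a key (empty output if the key is not set).
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1"
}

# Validate input, take a backup, then apply both properties.
apply_notification_limits() {
    props=$1 max=$2 window=$3
    case $max in ''|*[!0-9]*) echo "max must be a whole number" >&2; return 2 ;; esac
    [ -f "$props" ] || { echo "not found: $props" >&2; return 1; }
    backup_props "$props" >/dev/null || return 1
    set_prop "$props" notification.aggregation.max_notifications "$max" &&
        set_prop "$props" notification.aggregation.time_window "$window"
}

# Demo on a constructed sample file, not a real server.properties.
demo=$(mktemp)
printf '%s\n' 'example.other.property=unchanged' \
    'notification.aggregation.max_notifications=100' > "$demo"
apply_notification_limits "$demo" 200 1d && cat "$demo"
rm -f "$demo" "$demo".bak.*
```

On the appliance the call would be `apply_notification_limits /opt/arcsight/manager/config/server.properties 200 1d`, run as a user allowed to write that directory.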

Thanks! 

Thanks Michael, exactly what I was looking for!

Dear Michael,

I also received the same error. I performed the above changes and restarted the manager service.

Do notifications start immediately?

I can see events with notification:112, which indicates a notification has been sent by ArcSight. Still, no emails have been received by the destination email ID.

Is there something I am missing?

Thanks & Regards,

Pratik
