Re: Device Status Monitoring Pack - Page 10 - Micro Focus Community

sparky1 · ‎2012-03-05

Hey guys,

Appreciate that there are some threads that talk about Device Status Monitoring (DSM), but we have released a content pack to help you get started in ensuring that you always get your event logs. This is aimed more at people that are new to ArcSight and just getting started, as I'm sure that the more seasoned of you will already have something setup.

General Description

The success of any SIEM system relies on receiving events from the respective in scope source devices and servers. Without any events, the SIEM platform effectively becomes useless. Part of setting up a good SIEM system is creating mechanisms to ensure that these events are received and the most effective approach to do this is by using the Device Status Monitoring (DSM) capability built-in to the ArcSight platform.

This content pack utilises the DSM capability to track and alert on any event sources that stop sending events, so that you can take the appropriate action to re-establish the event flow. The pack also contains mechanisms to detect servers/devices that have potentially been removed from the network.

Other Information

+ Attached is the user guide, and the complete pack is available from our website http://www.edgeseven.com/resources.html.

+ This also ties into our blog (http://totalsiem.blogspot.com), where we are currently discussing the "Golden Rules of SIEM"

Hope you all find this useful ... please do provide feedback 😉

asuvorov1 · ‎2014-11-20

See also: https://protect724.hp.com/message/51460#51460

hlog1234 · ‎2014-12-11

Hi Mark,

I'm Bob.

Can you please send me the package.

I really need it for my problem solving!

Email: hlog@ahnlab.com

Thank you!

olin9 · ‎2015-03-11

I need the version that will work with ESM 5.0

Robin.Jackson@wellpoint.com

manojs · ‎2015-03-20

Superb

A++++++

Manoj S.

hatemware · ‎2015-05-31

Dear Mark,

Could you please send me the Device Status Monitoring Pack @ hatem.metwally@mannai.com.qa

BR,

Hatem Metwally

tajudeen_it · ‎2015-06-03

Hi, Mark,

Could you please send me the device status monitoring pack to my email id Tajudeen.Abdulrashid@chemtura.com

Regards

Tajudeen

Mark Johnston wrote:

Hey guys,

Appreciate that there are some threads that talk about Device Status Monitoring (DSM), but we have released a content pack to help you get started in ensuring that you always get your event logs. This is aimed more at people that are new to ArcSight and just getting started, as I'm sure that the more seasoned of you will already have something setup.

General Description

The success of any SIEM system relies on receiving events from the respective in scope source devices and servers. Without any events, the SIEM platform effectively becomes useless. Part of setting up a good SIEM system is creating mechanisms to ensure that these events are received and the most effective approach to do this is by using the Device Status Monitoring (DSM) capability built-in to the ArcSight platform.

This content pack utilises the DSM capability to track and alert on any event sources that stop sending events, so that you can take the appropriate action to re-establish the event flow. The pack also contains mechanisms to detect servers/devices that have potentially been removed from the network.

Other Information

+ Attached is the user guide, and the complete pack is available from our website http://www.edgeseven.com/resources.html.

+ This also ties into our blog (http://totalsiem.blogspot.com), where we are currently discussing the "Golden Rules of SIEM"

Hope you all find this useful ... please do provide feedback 😉

kUMters · ‎2015-08-13

Hello Tajudeen,

that links you provided are not working anymore. Can you share new one with us?

__
Solution Security Architect

aINFOSECas2012g · ‎2015-06-10

fyi only

I just got the confirmation from HP support in Ticket ID 4651189492, that Connector DSM events are limited to 1000 entries only...

"/opt/arcsight/ArcSightSmartConnectors/current/bin/arcsight -quiet agentcommand -c status | grep "Device " | wc -l"

As per below the original wording from the ticket

Andro

###

Hi,

Thanks for the update. I have just confirmed that indeed that in the SmartConnector there is a hardcoded maximum limit in of devices for which DSM will be logged/sent. The limit is 1000 as you have observed. So if the connector is receiving events from 5000 devices only the first 1000 will have DSM enabled.

Regards

ArcSight Support

###

shezaf1 · ‎2015-07-02

Andro,

what would be a sufficient number?

~ Ofer

rodrigo.curcino · ‎2015-07-29

hello people, I have the same problem as you, can not monitor the absence of events from devices on the connectors.

Could you send me the Device Status Monitoring Pack for email ?

rodrigo.curcino@ibest.com.br

Thank you for you help.

asilahazwani · ‎2017-03-22

Hi Ofer, Do you have DSM pack? kindly email to me rajaasilah.hazwani@gmail.com

pbrettle · ‎2017-03-22

Take a look at the Activate content:

https://marketplace.saas.hpe.com/arcsight/content/c-security-system-monitoring-connectors

https://marketplace.saas.hpe.com/arcsight/content/activate-c-security-system-monitoring-base

https://marketplace.saas.hpe.com/arcsight/content/activate-c-security-system-monitoring-appliance

You will also need the base content package;

https://marketplace.saas.hpe.com/arcsight/content/activate-base

Device Status Monitoring Pack

ESM

Smart Connector