kim.js Trusted Contributor.

Re: Device Status Monitoring Pack

Hi Mark,

That is very good!

Customer's mail address is ksu.lee@samsung.com

Please provide your package to the customer.

Thank you!

Regards,

Jungsoo

kayodeo1 Absent Member.

Re: Device Status Monitoring Pack

Hi Mark,

Can you kindly share with me the link to download the Package (Device Status Monitoring Content Pack v1.0.0.0.arb).

Thank you.

Regards,

Kayode


vivekatt@hcl.co1 Absent Member.

Re: Device Status Monitoring Pack

Good work Mark.

I am also looking for this package. Email ID is vivekatt@hcl.com

Please help.

Regards

Vivek

carlos.alcocer@1 Absent Member.

Re: Device Status Monitoring Pack

Hi Mark,

Can you please send me the package.

Email: carlos.alcocer@digitalsecurity.com.ec

Thanks!

Replay1 Valued Contributor.

Re: Device Status Monitoring Pack

Hi Mark,

Can you kindly share the package? Thanks.

email address is ken.lee@e-guardian.net

AarushJ Super Contributor.

Re: Device Status Monitoring Pack

Hi, @sparky1

Does it work with ESM 6.9.1.2195 for device status monitoring?
And where can I find the package?
--
Regards,
Aarush J
+91-6265258612

AJ
asilahazwani Frequent Contributor.

Re: Device Status Monitoring Pack

Where is the pack? I searched for it but it just displays ads.

raymond.doty Established Member.

Re: Device Status Monitoring Pack

Hi Mark,
Have you been using this for a while?  Have you had any issues with device status monitoring simply not functioning (even though configured)?

We have noticed this issue particularly with all the Windows Unified Connectors, but also with one of our syslog connectors.

ArcSight support is, as usual, at a loss - I am curious if we are the only user whose connectors stop sending the device status monitoring.

Typically if the DSM events stop sending, they will repair themselves (without any intervention) and continue sending within 1-2 hours at the most (event data functions .

Good guide and useful content in your blog!  It is odd that ArcSight doesn't include something like this as canned content.

Also FYI: there was also another presentation that is extremely useful in this area given by Harry Halladay and Wells Fargo at the protect conference this year.  It allows you to set multiple 'outage' criteria (such as timeout, warning, critical, and more), with individual settings per event feed, in a single active list.  We have tweaked it quite a bit to remove some extra content that wasn't necessary to us and plan to rebuild all the static DSM we have using the method listed in their doc.  You can easily use the DSM events you mention instead of the CRES events they list.

https://protect724.arcsight.com/docs/DOC-1947

We also monitor and test a number of the 'key' functions of our SIEM to ensure they are functioning.  We have to insert specific event types at regular intervals to do this, which can be accomplished via signature products (IDS/AV), or inserting raw syslog events into a syslog connector, or creating your own flex connector...

We test and are notified of issues regarding:
Cases (hourly - via inserted events and a rule)
Notifications (hourly- via inserted events and a rule)
Active lists (hourly- via inserted events and a rule)
Rules (hourly- via inserted events and a rule)

Trend runs (hourly)

Reports (daily)

Sometimes one of those functions (most commonly for us - reports and notifications and periodically cases) will cease to function and you wouldn't know unless you were testing it intentionally.

sparky1 Absent Member.

Re: Device Status Monitoring Pack

Hey Ray,

Many thanks for yours and everyone else's feedback ... it's really appreciated.

We've been using DSM since it was first introduced as a connector feature.

Yes, we've seen something similar ... however mostly in the older versions of the connector (pre version 5) ... and specifically around the WUC connector. Never managed to find a resolution, but a restart of the connector fixed it in most instances.

We'll certainly look into Harry's presentation.

We are also working on an updated version, that is more advanced at determining whether or not the device has actually stopped sending events.

Cheers

Mark

ivnyg
New Member.

Re: Device Status Monitoring Pack

Hi,

We are seeing similar issues with the generation of DSM statistics. Particularly with syslog connectors, but also with other types.

The issue we are seeing is when a device logs traffic that is parsed as being different deviceProducts, DSM is only generated for one deviceProduct, not for all deviceProducts that a particular device is logging with.

Typically we see this on unix/linux boxes with one or more third party products installed.

For example we have one linux box with Symantec Brightmail on it along with InfoBlox NIOS.

The connector seems to pick the first product in the alphabet to generate DSM stats for, so in this case we only get DSM for the NIOS product, nothing for Unix or "Mail Security Appliance".

This is a problem since the NIOS only produces one or two log messages per hour on average, thus it easily can produce an alert in the DSM monitoring since there may be a few hours with no logs from NIOS.

If the connector produced DSM for all products we would be OK since the others are logging regularly (~50 events per sec).

Anyone else seeing this?
We have opened a ticket, but support is not understanding the problem at all after 3 weeks and a webex session...

Ivar

raymond.doty Established Member.
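A worked example added here (not code from the thread, and not ArcSight's own content) for two points above: the synthetic test events Ray inserts through a syslog connector, and Ivar's case where one quiet product on a chatty host trips DSM. It assumes hypothetical helper names, constructed CEF lines with rt in epoch milliseconds and dvchost for the source host, and constructed 1h warning / 2h critical thresholds.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not code from the thread or from ArcSight: a synthetic CEF
# event builder/parser (the "inserted events" Ray mentions) and an outage
# evaluator with tiered thresholds, keyed per product AND per host so a quiet
# product on a chatty host (Ivar's NIOS case) does not alone raise an alarm.

def _esc(s):   # CEF header escaping: backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _unesc(s):
    return s.replace("\\|", "|").replace("\\\\", "\\")

def cef_event(vendor, product, host, when, name="SIEM heartbeat"):
    """Build a CEF:0 line; rt is epoch millis, dvchost the source host."""
    header = "|".join(["CEF:0", _esc(vendor), _esc(product), "1.0",
                       "100", _esc(name), "1"])
    return f"{header}|rt={int(when.timestamp() * 1000)} dvchost={host}"

def parse_cef(line):
    """Return (vendor, product, host, event time) from a CEF:0 line."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # unescaped pipes only
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    when = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    return _unesc(parts[1]), _unesc(parts[2]), ext["dvchost"], when

def outage_state(events, now, warning, critical):
    """Map (host, product) and (host, '*') to ok/warning/critical by last event."""
    last = {}
    for line in events:
        _, product, host, when = parse_cef(line)
        for key in ((host, product), (host, "*")):   # '*' = any product on host
            last[key] = max(last.get(key, when), when)
    def level(age):
        return "critical" if age >= critical else "warning" if age >= warning else "ok"
    return {key: level(now - seen) for key, seen in last.items()}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE_EVENTS = [   # constructed: one Linux box, three products, NIOS is quiet
    cef_event("Infoblox", "NIOS", "mta01", NOW - timedelta(hours=3)),
    cef_event("Unix", "Unix", "mta01", NOW - timedelta(minutes=1)),
    cef_event("Symantec", "Mail Security Appliance", "mta01",
              NOW - timedelta(seconds=30)),
]

def demo():
    """Warning after 1h of silence, critical after 2h."""
    return outage_state(SAMPLE_EVENTS, NOW, timedelta(hours=1), timedelta(hours=2))
```

With these inputs the NIOS product alone is critical while the host as a whole is ok, which is the distinction Ivar's per-product DSM cannot express.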

Re: Device Status Monitoring Pack

Hi Ivar, what version of connector are you using?  Were you using the DSM prior?  If you were, what version did you upgrade from?


We specifically noticed a large impact on the functionality of the device status monitoring between 5.1.7 and 5.2.x and beyond.  The higher in version we went, the more issues we had with the connectors.  It really started with Windows Unified connectors but it spread to the syslog connectors as well.

I thought it was restricted to 'upgraded' connectors with high EPS, but we found it occurring on brand new installed connectors with extremely low EPS.

After many (4+) months of support cases we had no real idea of root cause.

ivnyg
New Member.

Re: Device Status Monitoring Pack

We are using versions 5.2.2 and 5.2.3. We had started testing with it on 5.1 but were not using it to actually create alerts when devices stopped logging.

dswift@accuvant1 Absent Member.

Re: Device Status Monitoring Pack

You'll have to convince Ray to package up his monitoring content for ArcSight 6.

It's pretty extensive, and his trend dashboards are much nicer than default content, and the charting of performance over time is very useful in figuring out how changes impact the system.

My team's minor contribution was adding OS monitoring scripts to send events into syslog CEF format for iostat, vmstat, mpstat...

reit
New Member.

Re: Device Status Monitoring Pack

Hi,

I heard there was some stock content that was added in ESM 5.0 SP2 for device status monitoring.  Has anyone had a chance to try it?  We are still with SP1 so I haven't had a chance to take a look at it yet.

Thanks,


Fred

Vini Acclaimed Contributor.

Re: Device Status Monitoring Pack

Hi All,

I gave a presentation at Protect '11 about a device monitoring model that I developed.

The model I presented has some similarities to what you guys have mentioned but it is dynamic and it learns about devices so you don't have to hard code any information about what the device profile is.

Check it out and let me know what you think.

https://protect724.arcsight.com/docs/DOC-1911

Vini
