Super Contributor.

Re: ESM Health Monitoring

Hi Doron,

Is there an Express 4.0 compatible package available?

I removed the Casesensitive Type declaration but then I get an error saying the manifest is not found while it is present in the ARB.

Mark

0 Likes
Outstanding Contributor.

Re: ESM Health Monitoring

Hi Doron,

Great work!

I have issues with the EPS QV: although I followed your procedure for this QV, it comes back broken and complains about the names of these variables:

Invalid display column name: getHour

Invalid display column name: getMinute

Invalid display column name: hourAsString

Invalid display column name: minAsString

Invalid display column name: minAsStringWithZero

Invalid display column name: hourAsStringWithZero

Invalid display column name: lengthOfMin

Invalid display column name: minStart

Invalid display column name: getMinFinal

Invalid display column name: lengthOfHour

Invalid display column name: hourStart

Invalid display column name: getHourFinal

Invalid display column name: hourminute

Invalid display column name: getDat

Invalid display column name: dayAsString

Invalid display column name: dayAsStringWithZero

Invalid display column name: lengthOfDay

Invalid display column name: dayStart

Invalid display column name: getDayFinal

Invalid display column name: dayHourMinute

Looks like they are missing?

0 Likes
Outstanding Contributor.

Re: ESM Health Monitoring

Thanks.

Make sure that the QV you exported is not in broken state.

Try deleting the QV and the packages and reinstall the full package.

This is a really annoying ESM bug and I hope they fix it soon.

Doron

0 Likes
Respected Contributor.

Re: ESM Health Monitoring

Doron,

Thanks for the content, it looks great!

We are running RHEL 6.2 and I was receiving this error when running: /opt/software/scripts/crontab_stats

File created using sar/sadc from sysstat version 9.0.4

Current sysstat version can no longer read the format of this file (0x2170)

Format of this file had been changed in sysstat-9.0.4-20.el6

due to incompatibility of the certain data types with the current kernel.

For more information, please refer to the description of the "--legacy"

option in the sar(1) manual page.

I am assuming this is due to sadf lines in stats.sh.

Do you have any ideas on what the cause of this would be?

-Rudy

0 Likes
Respected Contributor.

Re: ESM Health Monitoring

Doron,

More questions about this content.

I got it up and running. As a side note, you need the Linux 32-bit connector, installed on an ext3/4 partition that is 4GB or less and is using 32-bit addressing.

The Disk Utilization Last hour metric - It seems to be based off of calculated % disk utilization from the scripts.  What I am wondering is why the thresholds are set so low? 1=low, 2=Med, 3=high.  It seems like you may have gotten that mixed up with the await (ms)?

These are my stats and the Datamonitor is always red when I am looking at it. Of course it's only been running a day and the scripts have been running overnight, so it caught up while I tried to get the correct agent installed and running.

disk_util.png

This is really cool stuff.

I notice you really concentrated on MRT vs. Endtime for many of the dashboards; we seem to have much of that. Any advice on how you handle fixing that? Connectors in UTC is what I was thinking for some stuff, since we are not UTC but a ton of stuff logs that way.

Can you explain a little on the metrics you use for the ESM Performance Stats and Engineering Overview Dashboard?

Thanks Again!

Rudy

0 Likes
Outstanding Contributor.

Re: ESM Health Monitoring

You may be right about the IO thresholds. We were using FusionIO cards so IO was never an issue for us.

0 Likes
Honored Contributor.

Re: ESM Health Monitoring

For any ArcSight newbies like me, I ran into a lot of problems so just wanted to share how I got it working in case there are any others out there new to ArcSight having the same issues I did:

From what I figured out (please correct me if I'm wrong) you can't install the CEF connector on the conapp, it has to be installed on the ESM itself (will need root to make it a service).

You can't use the 64-bit Linux connector, only 32-bit. I ran into a lot of JVM library issues until I just told it to install the connector in my home directory instead of /opt/arcsight/ (possibly due to a conflict with the forwarder64 connector already installed). This is less than ideal, since I have to give everyone access to my home directory, but it worked so I'll have to figure out how to move it later.

To make the CEF connector read from the end of file you have to change agents[0].startatend=false to true in the agent.properties file (which you can't do via arcsight connectorsetup unless you have X11 redirection, but you can just edit the file manually or use the conapp diagnostic wizard to do so).

For the crontab I tried everything to get the script to work in cron.d but eventually gave up and just added them via crontab -e under the arcsight user (removing the arcsight name from each line of the script as it's not needed with crontab -e).

Once I did all that it started sending the ESM logs to the dashboards... something I have been asking support and our TAM about how to do for months but was told many times it wasn't possible, so thank you so much!

Outstanding Contributor.

Re: ESM Health Monitoring

You are absolutely right about your comments. I will add

agents[0].startatend=true

to the description above.

I'm glad you found it useful.

Honored Contributor.

Re: ESM Health Monitoring

One other thing I noticed: every time the cron script ran it generated an error: awk: warning: escape sequence `\*' treated as plain `*'

I looked through the scripts and found the problem. At the very bottom of the /opt/software/scripts/stats_eps.sh script it has the line:

sort /tmp/arcsight_exceptions | awk 'BEGIN{FS="\*\*\*"}{print $2}'

The \ characters are not necessary, so if you modify it to this then the script runs and doesn't give that warning message every time it does:

sort /tmp/arcsight_exceptions | awk 'BEGIN{FS="***"}{print $2}'

0 Likes
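Added example (not from the original post or from the package's scripts): awk reads an `FS` longer than one character as a regular expression, where `*` is a quantifier, so this sketch splits on the three-asterisk marker with bracket expressions, which match each asterisk literally and need no backslashes. The function names and the sample lines are constructed; the real layout of /tmp/arcsight_exceptions is not shown in this thread.

```shell
#!/bin/sh
# Added example, not part of stats_eps.sh. Input layout is an assumption.
export LC_ALL=C   # byte-wise sort order, so results are reproducible

# Print the text between the first and second "***" markers of each line.
# [*] is a bracket expression: a literal asterisk, with no backslash for
# awk's string parser to warn about.
extract_exception() {
    awk -F'[*][*][*]' '
        NF < 2 { next }                       # no marker on this line: skip
        {
            msg = $2
            gsub(/^[ \t]+|[ \t]+$/, "", msg)  # trim surrounding blanks
            if (msg != "") print msg
        }' "$@"
}

# Count each distinct exception text, most frequent first: "<count>\t<text>".
count_exceptions() {
    extract_exception "$@" | sort | uniq -c | sort -k1,1nr -k2 |
        awk '{ n = $1; sub(/^[ \t]*[0-9]+[ \t]+/, ""); print n "\t" $0 }'
}

# Constructed sample lines (hypothetical format and messages).
make_sample() {
    cat <<'EOF'
10:00:01 *** java.net.SocketTimeoutException: Read timed out *** agent=a1
10:00:07 *** java.lang.OutOfMemoryError: Java heap space *** agent=a2
10:01:12 *** java.net.SocketTimeoutException: Read timed out *** agent=a3
10:02:00 no marker on this line
10:03:30 *** 2 * 3 overflow in rule engine *** agent=a1
EOF
}

make_sample | count_exceptions
```

A single `*` inside a message, as in the last sample line, is left alone because only three consecutive asterisks match the separator.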
Outstanding Contributor.

Re: ESM Health Monitoring

Thanks for the correction

0 Likes
Honored Contributor.

Re: ESM Health Monitoring

BTW is the May 16th 2014 package the latest one available?

On a side note, the Agent Threads Exceeded rule has been a life saver for us. I'm working with Tier 2 support and Fast Track (dev) and was showing them the rule and how we were using it to notify us when the threads are being exceeded as we are working with them on a bug around that issue. I suggested to the support folks that they recommend this package to any other customer having similar issues as us so they have some way of knowing when that particular bug\issue is happening ;-D

0 Likes
Outstanding Contributor.

Re: ESM Health Monitoring

Yes, this is the latest package. I am glad this is helping you and others, and I hope dev will somehow integrate it into the product.

0 Likes