Absent Member.

ESM: How to alert/warn that a device feed has failed?

Hi All.

Considering several hundred daily feeds, how is it possible to alert on failed feeds? i.e. a feed that sent logs yesterday is missing today.

Is there built in functionality to show this?

Alternatively, possibly a trend to capture today's feeds and compare it tomorrow against a fresh list?

Any tips appreciated.


Fleet Admiral

Hi Retep,

Are you talking about the Threat Feeds or Device Normal Events or something else?

Absent Member.

Hi.

Normal device feeds (Windows, UNIX devices etc).


Fleet Admiral

Hi Retep,

Please check out the "Connector Raw Event Statistics" generated by an idle connector, and for the EPS and last log received details refer to the Device Custom Strings values.

It's quite simple. Go to your SmartConnector configuration --> Enable Device Status Monitoring: 300000 (5 mins)

So this does the following for you, dude. You can choose how often you want to trigger this event.

Enable Device Status Monitoring (in millisecs): The default value of -1 indicates device status monitoring is disabled. The minimum positive value is 1 min (60000 ms). When enabled, an internal event is sent named Connector Device Status for each device tracked by the connector containing the following types of information: the last timestamp when the connector received an event from the device, the total number of events from this device since the connector started, and the number of events sent by this device since the last event of this type.

Enable Device Status Monitoring: (<NumberOfMilliseconds> | -1 (disabled))

If set to a <NumberOfMilliseconds>, the selected SmartConnector generates internal events periodically 1 minute (60000 milliseconds) or greater with the status of the devices for which the connector is receiving normal events. These events have the name "Connector Device Status." Enabling periodic device status monitoring events helps monitor both the SmartConnector and device uptime.

Device status monitoring events include this information, if available:

• Event name (Connector Device Status)
• Vendor and Product information
• Source Address and Host Name
• Zone
• Last event received
• Total number of events for the device since the connector started
• Event count since last call

Device status monitoring events can be set to generate every 1 minute (60000 milliseconds), or less frequently (i.e., a greater number of milliseconds than the minimum). If you specify less than 60000, you get a warning in the log that the minimum is 60000 milliseconds (1 minute) and the system uses the minimum.

This will be generated if no feeds from the actual device are reporting to the SmartConnector.

Refer to the Console User Guide, "Managing SmartConnectors" section, to know more about these configurations.



Absent Member.

Hi Balahasan,

This is great information and many months ago I spent a long time building out content based upon Device Status Monitoring. I set custom thresholds for each feed so that it would alert when my SLC or EPS values were too low, and it all worked great... for a couple of days. Gradually, my connectors started to report false 0 values for my ESLC and EPS and would not resume reporting the correct numbers until a connector restart. You wouldn't think it's a huge problem, but it becomes sort of like "The Boy Who Cried Wolf", where, after a few false alerts, you simply start ignoring the emails because you assume they're false alerts.

I ended up tinkering with it for weeks before finally disabling it because it was too inconsistent. This was on connector builds 5.0.2.x, and I believe I submitted a bug report at a previous job, but never heard anything.

As for the Connector Raw Event Statistics, I also built content off of those because they report similar information in the device custom numbers field, but I found that reporting to be too inconsistent in its accuracy to make good use of it.

Maybe they've improved the consistency in recent builds? Mine at the time were ESM 5.2 with connectors around 5.0.2.x.

Fleet Admiral

Hi Evan,

I don't know about this bug. But your goal is to identify the SLC which is ideally 0, right? So ignore the EPS values which are showing less than 10 or 100. Create the rule based on Last Reported Event Time and Ideal Value Zero from the Device Custom Strings. The problem might be due to fluctuation in the device events which are sent to ESM. So you can wait and update your rule based on the device Last Event Received time along with the SLC.

0 Likes
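
The check suggested in the reply above (judge a device on its last-event-received time together with the since-last count), sketched in Python as an added example that is not part of the original thread or of any ArcSight content. The record field names, thresholds and sample data are constructed assumptions; the sketch also separates the two failure modes reported elsewhere in this thread: zero counts that contradict the timestamp, and status events that stop arriving.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Status:
    """One status record; field names are hypothetical, not ESM schema."""
    device: str
    report_time: datetime   # when the status event was generated
    last_event: datetime    # "Last event received"
    since_last: int         # "Event count since last call"

def classify(history, now, max_silence, max_report_gap):
    """Map each device to OK, SILENT, INCONSISTENT or NO_STATUS."""
    by_device = {}
    for s in sorted(history, key=lambda s: s.report_time):
        by_device.setdefault(s.device, []).append(s)
    states = {}
    for device, events in by_device.items():
        latest = events[-1]
        prev = events[-2] if len(events) > 1 else None
        if now - latest.report_time > max_report_gap:
            states[device] = "NO_STATUS"  # status events stopped arriving
        elif now - latest.last_event > max_silence:
            states[device] = "SILENT"
        elif latest.since_last == 0 and prev and latest.last_event > prev.last_event:
            # Zero count although the timestamp advanced: suspect counter.
            states[device] = "INCONSISTENT"
        else:
            states[device] = "OK"
    return states

# Constructed sample data: 5-minute status interval, evaluated at NOW.
NOW = datetime(2024, 1, 10, 12, 0)
def at(h, m):
    return datetime(2024, 1, 10, h, m)

SAMPLE = [
    Status("win-dc01", at(11, 55), at(11, 54), 120),
    Status("win-dc01", at(12, 0), at(11, 59), 118),
    Status("unix-web02", at(12, 0), at(9, 30), 0),
    Status("fw-edge01", at(11, 55), at(11, 54), 40),
    Status("fw-edge01", at(12, 0), at(11, 59), 0),
    Status("proxy03", at(9, 0), at(8, 59), 75),
]

def demo():
    return classify(SAMPLE, NOW, timedelta(hours=1), timedelta(minutes=15))

if __name__ == "__main__":
    print(demo())
```

Only SILENT would page someone; INCONSISTENT and NO_STATUS point at the connector's own reporting rather than at the device.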
Absent Member.

Hi, I have the same problem with monitoring devices. I'm using Connector Device Status events and SLC values to see if a device stops sending events, but the sending of this event is very irregular in some SmartConnectors. I configured them to send Connector Device Status events every 5 minutes, but in some cases hours pass and there is no information.

Does anyone know how to solve the problem?

Thanks

Absent Member.

I had the same problem and ended up having to quit using Device Status Monitoring because it was too inconsistent. Sort of pointless if you can't actually depend on it. That was on versions 5.2.x of the connectors, and I haven't tried since (I pushed through several upgrades hoping it would solve the problem prior to disabling it).

Absent Member.

This is great information, which will solve the problem with monitoring devices. After enabling the device monitoring status, how do we see the list of devices which stop sending events? What is next after enabling device monitoring? Kindly explain.

Absent Member.

Don't know if this will be useful, but I have a rule running that alerts me via email and populates an active list when a connector goes down.

The filter for the rule looks for

Name=Connector Down

Name=Connector Still Down

Name=Connector Deleted.

It has been fairly effective.

Absent Member.

Hi Allen Rosenfeld.

As a matter of fact, those triggers are quite useful and I also suggest everyone use them.

The limitation there is that the connector may be up all day but no events arrive, or the flow is too low.

Today we do that check by hand.

For a more complete approach it should consider the day of week, and even the hour.

I haven't implemented it yet, but it may probably work with some rules, trends and active lists in place.

Fleet Admiral

Hi Kayode,

This will give you some ideas, since the device infrastructure and priority may vary according to your environment.

https://protect724.hp.com/message/18117#18117

https://protect724.hp.com/message/22190#22190
