End device status monitoring
I've been digging around looking for a way to check when an end device stops sending logs to a collector device that forwards those logs on to a SmartConnector. It seems a little confusing, so let me explain:
For example, let's say I'm receiving events from a Symantec Endpoint device (the collector) via syslog:
Symantec Endpoint Manager ---->>>---feed --->>> Syslog Connector (514/udp)
So far, if I turn on Device Status Monitoring in the connector configuration, it will generate agent:043 events letting me know when there are no events from the Symantec Endpoint Manager. However, what I need to know is when any of the end devices (behind the collector) feeding the Symantec Endpoint Manager device (the collector) stop sending events (sorry for my bad ASCII art):
End device 1 -- |
End device 2 -- |
End device 3 ------>> Symantec Endpoint Manager---->>>---feed --->>> Syslog Connector (514/udp)
End device 4 -- |
End device 5 -- |
Any ideas about how to monitor this?
Thanks a lot in advance for any hints on this.
I believe that should work - not guaranteed, but should.
The way that device status monitoring works is that it will be tracking individual "devices" based on specific identifiable attributes. For example, the deviceProduct, deviceVendor and a unique identifier such as IP address. This data will be stored on the connector, but I can't remember where it is stored. The best and easiest way to get this and check is to do the following:
1) Assuming the ArcSight Console - go to the connector and right-click it
2) Select Send Command
3) Select Status
4) Select Get Device Status
It will then pull back a file from the connector with the list of the distinct devices that it is tracking. It should be IP address, deviceProduct, deviceVendor and whether it is active. You can get this data from Connector Appliance and ArcMC too, but I can't remember where it is in the menus.
Run this and check if you get the unique devices - if the sources aren't listed then you won't be able to track them. If you get a nice long list of devices in there, then you can do device status monitoring. If it's empty it won't work, I am afraid.
This really depends on how the parser team modeled the device. In general, Device Monitoring in SIEM typically is only done on the 'device' that is directly sending logs to SIEM, so that would be the Endpoint Manager. You are interested in going one level deeper though, and monitoring the real ENDpoints.
The agent messages generally work on whatever is mapped into the DeviceAddress field, and I can certainly say I've seen this mapped differently for other log sources with the setup you described above (Device Endpoint -> Log Aggregation/Manager ---(feed)---> ArcSight Connector). Other examples are Juniper NSM, McAfee ePO, and Windows Event Forwarding.
If you are trying to use the agent:043 events though, first you need to figure out what ArcSight is parsing into the Device Address field. This should be the Endpoint address, not the manager address. Also, check what is in the Final Device field, as I believe this is supposed to be where the Manager Address would be stored (though I don't recall seeing these schema fields really being used):
It sounds like all your events coming in are being parsed with your Symantec Endpoint Manager as the deviceAddress and/or deviceHostName.
agent:043 uses a combination of deviceVendor, deviceProduct, deviceAddress and deviceHostName to identify unique devices.
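As an added illustration of the point the replies above make (this is example code written for this page, not code from the original thread or from ArcSight), here is a small Python model of connector-side device status tracking keyed on the four fields named above: deviceVendor, deviceProduct, deviceAddress and deviceHostName. It parses CEF records (the standard CEF header layout and the standard `dvc`/`dvchost` short names for deviceAddress/deviceHostName are used), keeps a last-seen time per distinct device, and produces a "Get Device Status"-style listing plus the list of devices that have gone silent. Running the same traffic twice, once with the manager's address mapped into deviceAddress and once with the endpoint's address, shows why per-endpoint monitoring only works in the second case. All sample events, addresses, hostnames and the 300-second timeout are constructed for the example.

```python
import re
from collections import Counter

# Fields the thread says agent:043 keys on to identify a distinct device.
DEVICE_KEY_FIELDS = ("deviceVendor", "deviceProduct", "deviceAddress", "deviceHostName")

# Standard CEF extension short names for the two address fields.
CEF_SHORT_NAMES = {"dvc": "deviceAddress", "dvchost": "deviceHostName"}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # '|' not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of each key=value pair


def parse_cef(line):
    """Parse one CEF record into a flat dict of ArcSight-style field names.

    Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    Extension values run up to the next ' key=' token (so a value containing
    ' word=' would be truncated; good enough for this illustration).
    """
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    event = {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "deviceEventClassId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    ext = parts[7]
    matches = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        key, value = m.group(1), ext[m.end():end].strip()
        event[CEF_SHORT_NAMES.get(key, key)] = value
    return event


class DeviceStatusTracker:
    """Tracks the last-seen time of every distinct device key, as the connector does."""

    def __init__(self):
        self.last_seen = {}
        self.counts = Counter()

    def observe(self, event, ts):
        key = tuple(event.get(f, "") for f in DEVICE_KEY_FIELDS)
        self.last_seen[key] = max(ts, self.last_seen.get(key, ts))
        self.counts[key] += 1
        return key

    def device_status(self, now, timeout):
        """Analogue of 'Get Device Status': one row per tracked device with an active flag."""
        return [
            {**dict(zip(DEVICE_KEY_FIELDS, key)),
             "active": now - seen <= timeout, "events": self.counts[key]}
            for key, seen in sorted(self.last_seen.items())
        ]

    def silent_devices(self, now, timeout):
        """Devices that would trigger an agent:043-style 'no events' notification."""
        return [dict(zip(DEVICE_KEY_FIELDS, k))
                for k, seen in sorted(self.last_seen.items()) if now - seen > timeout]


# Constructed sample environment (hypothetical addresses and hostnames).
MANAGER = "10.0.0.5"
ENDPOINTS = ["10.0.1.%d" % i for i in range(1, 6)]


def make_event(dvc, dvchost, src):
    return ("CEF:0|Symantec|Endpoint Protection|12.1|SEP-1|Scan complete|3|"
            "dvc=%s dvchost=%s src=%s" % (dvc, dvchost, src))


def simulate(manager_as_device, now=600, timeout=300):
    """Feed ten minutes of one-event-per-minute traffic; end device 3 stops at t=120."""
    tracker = DeviceStatusTracker()
    for ts in range(0, now, 60):
        for i, ip in enumerate(ENDPOINTS, start=1):
            if i == 3 and ts >= 120:
                continue  # end device 3 goes silent behind the manager
            if manager_as_device:
                line = make_event(MANAGER, "sepm01", ip)   # manager parsed into dvc/dvchost
            else:
                line = make_event(ip, "host%d" % i, ip)    # endpoint parsed into dvc/dvchost
            tracker.observe(parse_cef(line), ts)
    return tracker


if __name__ == "__main__":
    for label, flag in (("manager as device", True), ("endpoint as device", False)):
        t = simulate(flag)
        print(label, "-> tracked:", len(t.device_status(600, 300)),
              "silent:", [d["deviceAddress"] for d in t.silent_devices(600, 300)])
```

With the manager's address in deviceAddress, the tracker sees exactly one device that is still active, so end device 3 going quiet is invisible; with the endpoint address in deviceAddress, five devices are tracked and 10.0.1.3 shows up as silent. This is the same check the first reply describes with Get Device Status: if the listing contains only the manager, per-endpoint monitoring cannot work until the parser mapping changes.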