ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
Absent Member.
Absent Member.
402 views

End device status monitoring

Hello,

I'd been digging around looking for a way to check if when an end device stops sending logs to a collector device sending those logs to a smartconnector. Seems a little confusing, so let me explain myself:

For example, let's say I'm receiving events from a Symantec EndPoint Device (Collector) via syslog:

Symantec Endpoint Manager  ---->>>---feed --->>> Syslog Connector (514/udp)

So far, If I turn on the Device Status Monitoring in the connector configuration, it will generate agent:043 events letting me know when there is no events from the Symantec Endpoint Manager. However, what I need to know is when any of the end devices (behind the collector), feeding the Symantec EndPointManager Device (Collector) stop sending events (sorry for my bad ascii art):

End device 1 -- |

                          v

End device 2 -- |

                          v

End device 3 ------>> Symantec Endpoint Manager---->>>---feed --->>> Syslog Connector (514/udp)

                          ^

End device 4 ---|

                         ^

End device 5 -- |

Any ideas about how to monitor this?

Thanks a lot in advance for any hints on this.

Regards

Sergio

Labels (1)
0 Likes
3 Replies
Fleet Admiral
Fleet Admiral

I believe that should work - not guaranteed, but should.

The way that device status monitoring works is that it will be tracking individual "devices" based on specific identifiable attributes. For example, the deviceProduct, deviceVendor and a unique identifier such as IP address. This data will be stored on the connector, but I can't remember where it is stored. The best and easiest way to get this and check is to do the following:

1) Assuming the ArcSight Console - go to the connector, right mouse click the connector

2) Select Send Command

3) Select Status

4) Select Get Device Status

It will then pull back a file from the connector with the list of the distinct devices that it is tracking. It should be IP address, deviceProduct, deviceVendor and if it is active. You can get this data from Connector Appliance and ArcMC too, but I can't remember where it is in the menus.

Run this and check if you get the unique devices - if they sources aren't listed then  you won't be able to track them. If you get a nice long list of devices in there, then you can do device status monitoring. If its empty it won't work I am afraid.

0 Likes
Fleet Admiral
Fleet Admiral

This really depends on how the parser team modeled the device. In general, Device Monitoring in SIEM typically is only done on the 'device' that is directly sending logs to SIEM, so that would be the Endpoint Manager. You are interested in going one level deeper though, and monitoring the real ENDpoints.

The agent messages generally work on whatever is mapped into the DeviceAddress field, and I can certainly say I've seen this mapped differently for other log sources like the setup you described above (Device Endpoint -> Log Aggregation/Manager ---(feed)---> ArcSight Connector) . Other examples are Juniper NSM, McAfee ePO, Windows Event Forwarding.

If you are trying to use the agent:043 events though, first you need to figure out what ArcSight is parsing into the Device Address field. This should be the Endpoint address, not the manager address. Also, check what is in the Final Device field, as I believe this is supposed to be where the Manager Address would be stored (though I don't recall seeing these schema fields really being used):

0 Likes
Fleet Admiral Fleet Admiral
Fleet Admiral

It sounds like all your events coming in are being parsed with your Symantec Endpoint Manager as the deviceAddress and/or deviceHostName.

agent:043 uses a combination of deviceVendor, deviceProduct, deviceAddress and deviceHostName to identify unique devices.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.