AarushJ Super Contributor.

Facing Arcsight smart connector down AOH for sourcefireAPI config (estreamer)


@pbrettle@Marijo Mandic @abezverkhyi  @shezaf1 @COEST prentice@hpe.co @tugcekrky1 @Gayan @Gayan

Hi All,

Recently we have deployed CISCO FSM 5.4.1.1 and integrated it with the ArcSight solution through the eStreamer API, with the available connector type being the Sourcefire Defense Center eStreamer connector, version 7.6.0.

It has been observed that during OH it runs fine, but AOH it doesn't forward the events to the destination configured (in our case the 1st destination is Logger, and then Logger to ESM). We have to restart the connector service again in OH (next day); this has been happening on a daily basis since we installed the connector.

Has anyone faced the same issue, and was it resolved? Do let me know how to troubleshoot.

Regards,
Anchal Jain
+918147106564

AJ
Accepted Solutions
pbrettle Acclaimed Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefi...


The first thing to do when facing a connector issue is to dig into the logs for the connector itself. While you can try to deduce what the issues might be, you really need to dig into the logs to see what is going on. For example:

1) Events not getting processed? Chances are that they are either not getting received or not parsed correctly. Logs will tell you that quickly and simply.

2) Having to restart a connector? Again, check the logs to see what is happening. Running out of memory? Hitting an error condition? Another issue? Either way, you will see the comments in the logs and understand what can be causing this - typically it's a memory issue, as in it needs more.

Really dig into the logs first and foremost. Then from there, I recommend posting up the messages that you are having and that will assist everyone in trying to figure out what is going on.

Make sense?

alexandros_n Honored Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefireAPI config (estreamer)

Have you considered opening a service request (since it looks like a kind of important issue) instead of pointing at a couple of forum users (some in duplicate)?
AarushJ Super Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefireAPI config (estreamer)

Yes, I'm trying to get the info on the same from support; they have been looking for it and it is pending with an internal request with the development team. So I thought maybe someone could help me with this in here.......!
AJ
Gayan Acclaimed Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefireAPI config (estreamer)

Hi Anchal, does restarting the connector help you to forward logs again to the destinations? Do you see any errors in the agent.log?
Mr
AarushJ Super Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefireAPI config (estreamer)


Hi Gayan, yes, when I restart the connector services we start getting the logs.
Also, I have checked the logs and am getting the below error:

Logs from agent.log file:

[2017-11-06 14:16:16,372][INFO ][default.com.arcsight.agent.sourcefire.api.y][getConfig] Successfully Parsed properties from file [record/rna-event-3.0]
[2017-11-06 14:16:16,382][INFO ][default.com.arcsight.agent.fr][run] Memory Usage: 55Mb out of 219Mb
[2017-11-06 14:16:16,391][INFO ][default.com.arcsight.server.f.a][registerMBean] Registered MBean 'Arcsight:service=Cache,type=LRU,id=RkGCkF8BABCACnzeOfiqwwxx,description=ComponentAddress cache'.
[2017-11-06 14:16:16,402][INFO ][default.com.arcsight.agent.ed.i$c$a][<init>] New ThreadLocalWorker [ThreadLocalWorker #0 for Main Flow Batching[3-nMzBV4BABCmsH2O85KXGw==]] created by thread [InternalAlertSender[3-nMzBV4BABCmsH2O85KXGw==][1]]
[2017-11-06 14:16:16,402][WARN ][default.com.arcsight.agent.util.h][load] Neither [ps.genericupgrade_.genericupgrade_.0] nor [ps.genericupgrade_.genericupgrade_.1] exist. Unable to load persisted value
[2017-11-06 14:16:16,403][WARN ][default.com.arcsight.util.w][checkIfRunningOnArcSightAppliance] Cannot execute command [/usr/bin/query_platform is_appliance]
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][checkIfRunningOnArcSightAppliance] ArcSight SmartConnector is [not running] on ArcSight Appliance
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][checkIfRunningOnConAppOrLogger] ArcSight SmartConnector is [not running] on Connector Appliance
[2017-11-06 14:16:16,408][WARN ][default.com.arcsight.util.w][checkIfRunningOnConAppOrLogger] Cannot execute command [/usr/bin/query_platform logger_app]
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][checkIfRunningOnConAppOrLogger] ArcSight SmartConnector is [not running] on Logger
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][checkIfRunningOnConAppOrLogger] ArcSight Platform Service [is not running]
[2017-11-06 14:16:16,408][WARN ][default.com.arcsight.util.w][checkIfPlatformServiceIsSupported] PlatformCapabilities [unavailable]
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][checkIfPlatformServiceIsSupported] ArcSight Platform Service is [not supported]
[2017-11-06 14:16:16,408][INFO ][default.com.arcsight.util.w][<init>] ArcSight Platform Service is [not supported]
[2017-11-06 14:16:18,787][ERROR][default.com.arcsight.agent.a7.f][toCEF] Invalid AdditionalData type [16]
[2017-11-06 14:16:18,787][ERROR][default.com.arcsight.agent.a7.f][toCEF] Invalid AdditionalData type [16]
[2017-11-06 14:16:18,787][ERROR][default.com.arcsight.agent.a7.f][toCEF] Invalid AdditionalData type [16]

Logs from agent.out.wrapper file:

INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  251141K->127064K(259328K), 0.0047762 secs]
INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  252504K->126706K(258816K), 0.0047888 secs]
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {Eps=1588.6166666666666, Evts=95317}
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {C=0, ET=Down, HT=Up, N=IGS_CtrlsFiresightMC_Thane, S=100, T=1.6560404073859403}
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {C=0, ET=Down, HT=Up, N=IGS_CtrlsFiresightMC_Thane, S=0, T=0.0}
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {C=0, ET=Up, HT=Up, N=IGS_CtrlsFiresightMC_Thane, S=95171, T=1575.9919189242896}
INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  251634K->126873K(259072K), 0.0052208 secs]
INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  251801K->126880K(259072K), 0.0044611 secs]

AJ
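
A log-triage sketch following the advice in the accepted solution, as an added example that is not part of any post in this thread: it counts repeated WARN/ERROR messages in agent.log and, in agent.out.wrapper, measures GC frequency, heap occupancy after GC, and status lines reporting `Down`. The function names are hypothetical, the sample lines are copied from the excerpts posted above, and the meaning of the `ET`/`HT` fields is not stated on the page, so only the literal value is flagged.

```python
import re
from collections import Counter

# Sample lines copied from the agent.log and agent.out.wrapper excerpts in the post above.
AGENT_LOG = """\
[2017-11-06 14:16:16,382][INFO ][default.com.arcsight.agent.fr][run] Memory Usage: 55Mb out of 219Mb
[2017-11-06 14:16:16,403][WARN ][default.com.arcsight.util.w][checkIfRunningOnArcSightAppliance] Cannot execute command [/usr/bin/query_platform is_appliance]
[2017-11-06 14:16:18,787][ERROR][default.com.arcsight.agent.a7.f][toCEF] Invalid AdditionalData type [16]
[2017-11-06 14:16:18,787][ERROR][default.com.arcsight.agent.a7.f][toCEF] Invalid AdditionalData type [16]
""".splitlines()
WRAPPER_LOG = """\
INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  251141K->127064K(259328K), 0.0047762 secs]
INFO   | jvm 1    | 2017/11/06 14:17:16 | [GC (Allocation Failure)  252504K->126706K(258816K), 0.0047888 secs]
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {C=0, ET=Down, HT=Up, N=IGS_CtrlsFiresightMC_Thane, S=100, T=1.6560404073859403}
INFO   | jvm 1    | 2017/11/06 14:17:16 | [Mon Nov 06 14:17:16 IST 2017] [INFO ] {C=0, ET=Up, HT=Up, N=IGS_CtrlsFiresightMC_Thane, S=95171, T=1575.9919189242896}
""".splitlines()

AGENT_RE = re.compile(r"^\[[^\]]+\]\[(?P<level>[A-Z]+)\s*\]\[[^\]]+\]\[(?P<method>[^\]]+)\] (?P<msg>.*)$")
GC_RE = re.compile(r"\| (?P<ts>[\d/]+ [\d:]+) \| \[GC \([^)]+\)\s+\d+K->(?P<after>\d+)K\((?P<total>\d+)K\)")
STATUS_RE = re.compile(r"\{(?P<body>[^{}]*\bET=[^{}]*)\}")

def triage_agent_log(lines):
    """Count WARN/ERROR messages per (level, method, message) so repeats stand out."""
    counts = Counter()
    for line in lines:
        m = AGENT_RE.match(line.strip())
        if m and m["level"] in ("WARN", "ERROR"):
            counts[(m["level"], m["method"], m["msg"])] += 1
    return counts

def triage_wrapper_log(lines):
    """Summarise GC pressure and collect status lines reporting a Down field."""
    gcs_per_second, worst_pct, down = Counter(), 0.0, []
    for line in lines:
        gc, st = GC_RE.search(line), STATUS_RE.search(line)
        if gc:
            gcs_per_second[gc["ts"]] += 1
            worst_pct = max(worst_pct, 100 * int(gc["after"]) / int(gc["total"]))
        elif st:
            fields = dict(kv.split("=", 1) for kv in st["body"].split(", "))
            # Field meanings are not given on the page; only the literal "Down" is flagged.
            if "Down" in (fields.get("ET"), fields.get("HT")):
                down.append(fields)
    return {"max_gcs_per_second": max(gcs_per_second.values(), default=0),
            "max_heap_after_gc_pct": round(worst_pct, 1), "down_status": down}

if __name__ == "__main__":
    for key, n in triage_agent_log(AGENT_LOG).most_common():
        print(n, *key)
    print(triage_wrapper_log(WRAPPER_LOG))
```

Run against the full files, a heap that stays close to its total after each collection, or several collections in the same second, is the memory signal the accepted solution refers to.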
AarushJ Super Contributor.

Re: Facing Arcsight smart connector down AOH for sourcefi...


@pbrettle
Yes, you are very right.
Thanks for the insights.

Regards,
Anchal Jain

AJ