rayrp1 Valued Contributor.

Field-based aggregation

Can anyone explain the field-based aggregation parameter, and where exactly does it aggregate the events (at the endpoint or on the host where the connector software is installed)? I use the default (30 events every 10 secs), but I have been experiencing a large number of events on certain sites, and when I increase aggregation, let's say to 100 events every 30 secs, my Logger shows that the amount of events increases. If anyone has some clarification, that would be great!

4 Replies
David Bau Outstanding Contributor.

Re: Field-based aggregation

Hello

Aggregating in this context means that you can turn a bunch of events into one event with a count of all of the events that matched the aggregation within the timeframe.

Field-based means you select to aggregate based on specific fields.

For example, you choose to aggregate a firewall event based on these fields:

Source address, Destination address, Destination port, Device Vendor, Device Product

And let's say you select 100 events or 30 seconds (whichever comes first).

In this case, all of the events that happen within that timeframe (100 events max) that have the same values in these fields (Source address, Destination address, Destination port, Device Vendor, Device Product) will turn into one event, and the value of the field "aggregated event count" will be the number of events that matched these criteria, even if the source port was different on all of these events.

Best regards

David

rayrp1 Valued Contributor.

Re: Field-based aggregation

So I understand that much. What I don't understand is where this takes place. For example, let's say I have an endpoint, a server that hosts the connector software, and an ArcSight Logger. Would it aggregate the events at the endpoint and send a value of, let's say, 1 event for the 100 events? Or is it aggregating where the connector software resides and then sending that value to the Logger? I ask because running the process in my head gives me the assumption that this should decrease bandwidth. But when I change the values to anything that is not the default, I begin to see large spikes in EPS in and EPS out. I also get a call from that site letting me know that I'm using a lot of their bandwidth.
David Bau Outstanding Contributor.

Re: Field-based aggregation

The aggregation takes place in the connector, and the aggregated event is sent to the Logger and/or ESM. Check the EPS before and after the aggregation to see if the field-based aggregation was effective. Bandwidth should decrease since you are sending fewer events.
Carl_E Super Contributor.

Re: Field-based aggregation

Hi,

SOC Prime just released a short blog post that goes into aggregation and filtering (I'm not affiliated with them, but thought the information might be useful):

https://socprime.com/en/blog/arcsight-optimizing-eps-aggregation-and-filtration/

One thing to keep in mind with aggregation is that if you are trying to aggregate something with a high EPS and a low aggregation rate, you need to make sure you don't set the Time Interval and Event Threshold fields too high, since all the events will need to be held in memory until either the time interval or the event threshold is reached. Setting the values too high in this case will eat up the agent's memory and negatively impact the performance of the agent.

Cheers,

Carl

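The following is an added example, not ArcSight code and not posted by anyone in this thread. It is a small model of the behaviour David describes (events sharing the key fields collapse into one event carrying a count, flushed at the event threshold or the time interval, whichever comes first) and of the memory caveat Carl raises (every open bucket is held until it flushes, so a stream where few events share key values gives little reduction and many buckets). The field names, the `aggregatedEventCount` output field, integer millisecond timestamps and the constructed event streams are all assumptions made for the example.

```python
"""Toy model of connector-side field-based aggregation (added example, not
ArcSight code). Assumed: event dicts with the key fields below, integer
millisecond timestamps in 'ts', and 'aggregatedEventCount' as the count field."""

KEY_FIELDS = ("sourceAddress", "destinationAddress", "destinationPort",
              "deviceVendor", "deviceProduct")


class FieldAggregator:
    """Collapse events that share KEY_FIELDS values into one event.

    A bucket is emitted when it reaches event_threshold events, or when
    time_interval_ms has elapsed since its first event, whichever comes first.
    Until then the bucket stays in memory: that is the cost Carl warns about.
    """

    def __init__(self, key_fields=KEY_FIELDS, time_interval_ms=30_000,
                 event_threshold=100):
        self.key_fields = tuple(key_fields)
        self.time_interval_ms = time_interval_ms
        self.event_threshold = event_threshold
        self._buckets = {}  # key tuple -> {"first": ts, "count": n, "template": event}

    def _key(self, event):
        return tuple(event.get(f) for f in self.key_fields)

    def ingest(self, event):
        """Feed one raw event (events must arrive in 'ts' order).
        Returns the aggregated events emitted as a result (possibly none)."""
        now = event["ts"]
        emitted = self._expire(now)
        key = self._key(event)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = {"first": now, "count": 0, "template": dict(event)}
            self._buckets[key] = bucket
        bucket["count"] += 1
        if bucket["count"] >= self.event_threshold:
            emitted.append(self._emit(key))
        return emitted

    def _expire(self, now):
        due = [k for k, b in self._buckets.items()
               if now - b["first"] >= self.time_interval_ms]
        return [self._emit(k) for k in due]

    def _emit(self, key):
        bucket = self._buckets.pop(key)
        # Assumption for the model: non-key fields (sourcePort here) keep the
        # first event's value; only the count reflects the collapsed events.
        out = dict(bucket["template"])
        out["aggregatedEventCount"] = bucket["count"]
        return out

    def flush(self):
        """Emit everything still buffered (e.g. at shutdown)."""
        return [self._emit(k) for k in list(self._buckets)]

    def pending(self):
        """Number of buckets currently held in memory."""
        return len(self._buckets)


def run(events, **cfg):
    """Drive an aggregator over a ts-sorted event list.
    Returns (raw_count, emitted_events, max_buckets_held_at_once)."""
    agg = FieldAggregator(**cfg)
    emitted, max_pending = [], 0
    for ev in events:
        emitted.extend(agg.ingest(ev))
        max_pending = max(max_pending, agg.pending())
    emitted.extend(agg.flush())
    return len(events), emitted, max_pending


def _base(i, dst):
    return {"ts": 10 * i, "sourceAddress": "10.0.0.5", "destinationAddress": dst,
            "destinationPort": 443, "sourcePort": 40000 + i,
            "deviceVendor": "ExampleVendor", "deviceProduct": "ExampleFW"}


def flood_one_flow(n):
    """Constructed stream: n events to one server differing only in sourcePort."""
    return [_base(i, "10.0.1.20") for i in range(n)]


def scan_many_hosts(n):
    """Constructed stream: n events each to a different destination, so no two
    events share the key fields (the 'low aggregation rate' case)."""
    return [_base(i, f"10.0.{i // 256}.{i % 256}") for i in range(n)]


if __name__ == "__main__":
    for name, stream in (("one flow", flood_one_flow(250)),
                         ("many hosts", scan_many_hosts(500))):
        raw, out, held = run(stream, time_interval_ms=30_000, event_threshold=100)
        print(f"{name}: {raw} raw -> {len(out)} aggregated, max buckets held {held}")
```

With the thread's settings of 100 events or 30 seconds, 250 events that differ only in source port reduce to three aggregated events (counts 100, 100 and 50) with a single bucket in memory. The same 500 events spread over 500 destinations reduce to nothing: 500 aggregated events, each with a count of 1, and all 500 buckets held until the interval expires or the connector flushes. Shortening the time interval caps how many such buckets are held at once (at 1 second in this model, 100) at the price of emitting them sooner.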
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.