ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
Fleet Admiral
Fleet Admiral
861 views

How to Show Agents(Connectors) which are all not Receiving any Logs in Separate Dashboard ? Anything like Cache Mem is Possible ?

Hai Friends

I Would like to know is there any Possibilities to Get the Agent Connector Status which are all not receiving any logs or connectors which are down to show show them in a separate Dashboard.

Labels (2)
0 Likes
8 Replies
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Are you looking for something different than what is already included in the default content?  There's a dashboard for connector status as well as EPS that comes default with ESM.

0 Likes
Fleet Admiral
Fleet Admiral

Dear chrisb

Are you looking for something different than what is already included in  the default content?  There's a dashboard for connector status as well  as EPS that comes default with ESM.

I Would like to Know which are the devices which are giving very low count, connector is up(No Logs), Connector Is Down(No Logs) in a Separate Dashborad

Like Connector Status column ---> Up or down(Possible) with Agent Name Displayed(Not Simple) ..

Normally if connector is down it won't show that agent name in the dashboard,But I want to see them too...

Is it Possible?

Please Check it and Give me any Ideas

Note : Using it in Query Viewer not in Data Monitor.

0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

For the up/down status, take a look at the Connector Status in Dashboards -> Shared -> ArcSight Administration -> Connectors -> System Health.  The Connectors - Heads Up Display shows which connectors are up or down w/ a corresponding Green or Red color.  It's controlled by a filter that you can use to build into a query viewer (although IMO, the data monitor would be better).  The other alternative is using rules to populate an AL for when you see events, setting an expiration for when you want to know if a connector is down, then building another rule to look for that expiration...  It gets messy

For the low EPS - I'd build a rule with the following

&

  Name = Connector Raw Event Statistics

  Device Custom Number3 > 10 (or whatever you want)

  Type = Base

On First Event do whatever

Then build your query for the query viewer to look for the rule fire.

Device Custom Number 3 contains the # of events since the last time the Statistics event fired, which is 5 minutes by default.  If you wanted to look at EPS, you could create a variable that takes DCN3 and divides it by 300.  The connector puts the EPS in DeviceCustomString1, but since it's a string, you'd need to convert it to a float first...

0 Likes
Fleet Admiral
Fleet Admiral

Thanks Chrisb

0 Likes
Fleet Admiral
Fleet Admiral

Hai Chirsb

I Would Like to 1 More Thing.

How to get the Connector status from the Name Feild Which Contains Connector Device Status with Device Custom Number2(Event Count SLC)=0.

How We Will know that Connector is up,down,still down and Deleted man...

Is that Connector Device Status  is meant for all the Connector state changes or Specific...

Please Give me any Ideas...

0 Likes
Absent Member.
Absent Member.

Hi Balahasan,

In order to receive Connector Device Status events, you need to enable  Device Status Monitoring Feature on Connector.

Do check this article if you havevt done already.

https://arcsight.custhelp.com/cgi-bin/arcsight.cfg/php/enduser/std_adp.php?p_faqid=1319.

This Monitoring is helpful when you have multiple devices sending to a single connector (eg. syslog agent receiving from multiple servers/devices) and one of the device is stopped sending events, which is not possible in traditional monitoring of Connector Up/Down.

However this monitoring will not work if connector itself is down as it will not generate any such events.

In order to Track Connector Up, Down, Deleted events you can use default Rules Under

All Rules/ArcSight Administration/Connectors/Configuration Changes and All Rules/ArcSight Administration/Connectors/System Health.

Regards,

Ashwin Patil

0 Likes
Fleet Admiral
Fleet Admiral

Thanks ashwinpal

The Link that you gave is useful.

0 Likes
Vice Admiral
Vice Admiral

I've found that I have done similar function for customer that has only logger and hardware connector appliance. Basically we created scheduled search alerts that fire if the number of events during set period of time (based on Device status monitoring events).

Question however: in non-ESM environment, is there a way to set up alerts if smartConnectors (managed from hardware connector) are down?

I found no such functionality in stock (ofc you can see connector status if you manually click through all the manage menu in ConApp).

Anyone?

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.