IBM SiteProtector version 3 and Arcsight 5.2 integration: getting events very slowly

pranav.lal@voda · ‎2013-11-19

Hi all,

I am managing an Arcsight implementation. We are using IBM SiteProtector version 3. The Arcsight connector connects to the database every 15 minutes and pulls events. We already had a SIEM tool which is collecting this data in real time by accessing the database every few seconds. I have checked the smart connector documentation and SiteProtector version 3 is not supported. Are there any workarounds to this problem? I have raised a feature enhancement request with support but have not heard from them.

chenselein1 · ‎2013-11-19

Hi there,

I had a similar experiece with SiteProtector 2.9.

When I upgraded the Connector Software from 5.x to 6.x i noticed exactly the same - I couldn't be bothered to waste much time in investigating though, so I just rolled back to Connector (5.2.?) it was i believe. Worked like a charm.

pranav.lal@voda · ‎2013-11-20

Hi Christoph,

Thanks for your message. We had initially started with version 5.x of the connector. HP upgraded the connector to 6.x without success. The strange thing is that the events that we are getting are complete but the connector is poling the SiteProtector database only every 15 minutes which apparently is not soon enough. Our other SIEM solution pols almost every 15 seconds. Can we adjust the pol timing and try collecting events? I have still not heard from HP support so am exploring all avenues. We cannot change the version of SiteProtector.

vpt476 · ‎2014-01-02

Hi Pranav Lal,

Were you able to get this issue resolved by chance? We are also experiencing the same symptoms, but we initially started with the connector version of 4.x and upgraded to 5.2.5.6395. I have to restart the connector to show current events, but unfortunately it will slow down rather quickly after a connector restart in any case. Any help is appreciated.

Thank you.

pranav.lal@voda · ‎2014-01-03

Hi George,

Yes, this issue is resolved. Our Arcsight implementation team did a parser override and fixed the problem.

Pranav

vpt476 · ‎2014-01-03

Thank you for the information. Unfortunately, Arcsight support states that it (SiteProtector 3.0) is not supported and allows me to request it as a future enhancement. I'd like to implement the parser override, but I don't have the parser nor instructions on how to accomplish this. Was there something particular that you had mentioned when dealing with the Arcsight support team so that that could assist you with the issue at hand?

pranav.lal@voda · ‎2014-01-06

Hi George,

No but we have a very large implementation therefore roped our project team into it. I am not sure what happened after that. I have already requested that enhancement. I was told that the solution will appear next month. This happened in December.

I don’t know what the protocol is here but I could ask if you like.

Pranav

vpt476 · ‎2014-01-12

Thank you Pranav, I've provided this link to Arcsight support so hopefully they will be able to provide me that parser as well. If I don't get any resolution from them then I may come back here to ask for more of your assistance if this is OK.

Thanks again.

vpt476 · ‎2014-01-16

Would you be able to provide me with the steps that you took to override the parser in case I ever get a new one? Thank you.

Smart Connector