Super Contributor..

Logs not loading on ArcSight console 6.8

Why do some logs never load on ArcSight console 6.8? This happens when I open an active channel with a filter on the agent ID of a connector. Earlier things were working fine, but now it's not working.

Issue with connectors: Cisco IPS and Damballa Failsafe.

Events do populate on the console, but they never load. Only a few events with the names "Heartbeat" and "system err" load up. I have not seen any dropped events or any legitimate security alerts for a month. I did run a report to cross-check events, but I get only device status logs.
I have cleared the cache several times on the connector and restarted the services, but the issue still stays unresolved.
Please suggest what could be the reason behind this and what I can do to troubleshoot it.

Note: I have other connectors as well, but they work perfectly fine.

Ankit

Absent Member.

Hello!
Which version of ESM (clear 6.8.0, Patch 1 or Patch 2) do you have?

Super Contributor..

It's ESM 6.8c.

Ankit

Absent Member.

Have you checked your permissions to view these connectors? Are you in the Administrators group?

Super Contributor..

Although I am not in the Administrators group, I do have permission to view the connectors.

Ankit

Absent Member.

Try moving yourself to Administrators temporarily and check the results.
We do this to ensure that permissions are not the problem here.

Super Contributor.

Hi,

If you have a filter defined for this user, try to use the fields used in the filter as the field set for the channel. For example, if you have the filter agent.name=XXX, then add agent.name to the fields in your active channel.

Super Contributor..

Hey Nikolay,

I tried it with the administrator's account, and the issue still remains the same. It doesn't seem to be happening because of permissions, and now I have two more connectors with the same issue.
For the time being, I have reduced the number of fields in the active channel and the logs have loaded up.

Ankit

Super Contributor..

Hey Maxim,

Will try and let you know.

Ankit

Super Contributor..

Hi Maxim,

I tried adding the field that was used in the filter, but it still had the same results.

The issue is now resolved, though; it was possibly an ESM performance issue. As already mentioned in the posts above, I was able to load the events in the channel by reducing the number of fields selected in the channel.

My ESM administrator made some optimizations on the ESM, and the issue was sorted out permanently thereafter.

Thanks everyone for your valuable inputs.

Ankit