Vice Admiral Vice Admiral
Vice Admiral
366 views

MISP issues

Hi, 

been having some issues with the MISP connector. It keeps crashing on large feeds after consuming extraordinary amouts of RAM. 

I was pointed to this post 

https://community.microfocus.com/t5/Archive-Discussion-Board/SN02-Tips-and-Tricks-for-ArcSight-ESM/td-p/1583148?attachment-id=63680

Specifically to the last page, where buildmodelydelay and maxeventsforebuild are specified. 

agent.component[36].buildmodeldelay=90000
agent.component[36].maxeventsbeforebuild=10000

After adding the above entries, seems to work better. Any body else with this experience?

 

0 Likes
5 Replies
Fleet Admiral
Fleet Admiral

Hello, 

 

i want to clarify if we are discussion about ( https://community.microfocus.com/t5/ESM-and-ESM-Express/Model-Import-Connector-for-MISP-Malware-Information-Sharing/ta-p/2752381)

What is the memory allocated for MISP Smart Connector?

 

Best Regards, 

Daniel

0 Likes
Vice Admiral Vice Admiral
Vice Admiral

Yes, this is in regard to the model import connector. 

 

We have assigned 4 GB of RAM to the connector.

0 Likes
Fleet Admiral
Fleet Admiral

Hello Simon, 

 

to be honest it's first time when i saw those parameters so i do not have any idea if they are helping or not.

Regarding to the memory consumption i think that we are already address this on the new release based on 7.15. 

Let's wait for the next release of this type of SM and see how it's behave. 

 

Best Regards, 

Daniel 

0 Likes
Vice Admiral Vice Admiral
Vice Admiral

Ok, will see at 7.15 version. 

The parameters are supposed to reduce batching. It helped here, especially for feeds with a large number of entries. Before that, it just crashed the connector with feeds with around 300k entries. 

So, when is the connector due? Is that the time that ESM 7.3 is coming out as well?

The property is from RepSM config guide.. 

Imported entries into Manager very low
The number of reputation data entries imported into the ArcSight Manager seems very low.
There might also be reputation data archive files that have a file extension of xml.bad in ARCSIGHT_
HOME\archive\webservices.
Solution:
Make sure the following Model Import Connector for RepSM Plus property is set in the
agent.properties file located at ARCSIGHT_HOME\current\user\agent:
buildmodeldelay=60000(one minute expressed in milliseconds)
This property controls how frequently the archives are sent to the Manager. If it is set too low, the
connector will send archives too frequently. For more information about this property, see the Model
Import Connector for RepSM Plus Configuration Guide.

 

 

0 Likes
Fleet Admiral
Fleet Admiral

Hello Simon, 

 

unfortunate i do not have release dates for SM 7.15 or ESM 7.2.1 but everyone it's expecting that will gonna happen soon.

 

Best Regards, 

Daniel

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.