Multiple destinations for CheckPoint smart connector

Hi All,

Need your help.

After adding multiple destinations (2 manager servers) to the Check Point SmartConnector, the connector has stopped sending logs.

But at the console the connector status is showing as running for both managers.

Later I removed one destination, but logs are still not coming even though the connector status is running with one destination.

Rgds

Punith


Hi Punith,

I don't think the problem is with multiple destinations. You will find the exact root cause in agent.log; check it, or if feasible attach agent.log to your thread. It will help other ArcSight users find the solution.

Also, let us know how you are fetching Check Point logs. In our setup, logs are syslogged from the Check Point Manager Server to a Log-Aggregator server, and from the LA server they are pushed to the ESM Manager through a clear connection.

So, please check agent.log or attach the same if feasible.

--

Regards,

Anil A


Hi Anil,

Log flow:

checkpoint manager server -> arcsight agent server -> arcsight manager server

through clear connection

Rgds,

Punith


Hi Anil,

Adding to the above:

I have gone through the agent.log file and found many warnings like the one below.

[2013-08-06 12:40:13,342][WARN ][default.com.arcsight.event.SecurityEvent][setModelConfidence] Number of bad threat level values received and corrected = 510

Rgds,
Punith


Hi Punith,

As Anil advised, it would be better if you attached the agent.out.wrapper.log: let it run for about 10-15 mins and then upload it to the thread. You might also want to attach a sanitized copy of agent.properties.

Cheers,

Gbenga


Hi,

Please find the agent.properties content.

#ArcSight Properties File
#Mon Aug 05 12:04:58 IST 2013
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].agenttestmode=false
agents[0].checkpoint.parser.batchdelay=10000
agents[0].checkpoint.parser.batchsize=200
agents[0].checkpoint.parser.multithreading.enabled=false
agents[0].checkpoint.parser.threadcount=-1
agents[0].checkpoint.parser.threadsperprocessor=-1
agents[0].checkpoint.reconnect=30
agents[0].connection_type=clear
agents[0].destination.count=1
agents[0].destination[0].agentid=xxxxxxxx
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n    <Parameter Name\="host" Value\="yyyyyyy"/>\n    <Parameter Name\="port" Value\="8443"/>\n    <Parameter Name\="aupmaster" Value\="false"/>\n    <Parameter Name\="filterevents" Value\="false"/>\n    <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=CuanCT8BABCAA2D1Bav2Gw\=\=
agents[0].fcp.version=0
agents[0].filequeuemaxfilecount=100
agents[0].filequeuemaxfilesize=10000000
agents[0].id=xxxxxxxx
agents[0].inmemoryqueuesize=15000
agents[0].leaservers.count=1
agents[0].leaservers[0].opsec_entity_sic_name=
agents[0].leaservers[0].opsec_sic_name=
agents[0].leaservers[0].opsec_sslca_file=
agents[0].leaservers[0].server_ip=10.xx.xx.xx
agents[0].leaservers[0].server_port=18184
agents[0].log_read_mode=online
agents[0].persistenceinterval=0
agents[0].queuetype=2
agents[0].termsignalcount=3
agents[0].termsignalinterval=5000
agents[0].termtimeout=20
agents[0].type=checkpointfirewall_ad_opsec
remote.management.second.listener.port=10050
remote.management.ssl.organizational.unit=zzzzzzz

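As an added example (not code from the thread or from ArcSight), a small Python linter for the destination section of agent.properties: it reads the Java properties format the file uses (backslash line continuation and \= \n escapes, which is why the params value above is split the way it is), compares destination.count with the destination[N] blocks actually present, parses each destination's XML params, and flags the clear LEA connection type. The sample file is constructed from the redacted values in the post; hostnames and IDs are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's redacted file; destination[1] is a stale block left after a destination was removed.
SAMPLE = r"""#ArcSight Properties File
agents[0].connection_type=clear
agents[0].destination.count=1
agents[0].destination[0].agentid=xxxxxxxx
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n    <Parameter Name\="host" Value\="yyyyyyy"/>\n    <Paramet\
    er Name\="port" Value\="8443"/>\n    <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].destination[1].agentid=xxxxxxxx
agents[0].destination[1].type=http
"""

def _unescape(s):  # Java escapes: \n and \t become control chars, any other \X means X
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def parse_properties(text):
    r"""Minimal Java .properties reader: comments, '\' line continuation, \= and \n escapes."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].lstrip(), i + 1
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes means the logical line continues.
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line, i = line[:-1] + lines[i].lstrip(), i + 1
        key, value = re.match(r"((?:\\.|[^\\=:])*)[=:]?\s*(.*)", line).groups()
        props[_unescape(key.rstrip())] = _unescape(value)
    return props

def lint_destinations(props, agent=0):
    findings, prefix = [], f"agents[{agent}].destination"
    declared = int(props.get(f"{prefix}.count", "0"))
    block = re.compile(re.escape(prefix) + r"\[(\d+)\]\.")
    present = sorted({int(m.group(1)) for m in map(block.match, props) if m})
    if present != list(range(declared)):
        findings.append(f"destination.count={declared} but destination[] blocks present: {present}")
    for n in range(declared):
        try:
            root = ET.fromstring(props.get(f"{prefix}[{n}].params", ""))
        except ET.ParseError as err:
            findings.append(f"destination[{n}].params missing or malformed ({err})")
            continue
        if not {"host", "port"} <= {p.get("Name") for p in root.iter("Parameter")}:
            findings.append(f"destination[{n}] params lack host/port")
    if props.get(f"agents[{agent}].connection_type") == "clear":
        findings.append("connection_type=clear: LEA pull from Check Point runs without OPSEC SSL")
    return findings
```

Run it over a real agent.properties with `lint_destinations(parse_properties(open(path).read()))`; a count that disagrees with the destination[N] blocks on disk is the kind of leftover a remove-a-destination change can produce.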

Hi Punith,


I'm not able to figure it out from a single line of agent.log.

Please check if it is possible for you to attach agent.log and agent.out.wrapper.log.

Also, make sure whether logs are being pushed from the management server to the ArcSight agent server or not.

--

Regards,

Anil A
