Vice Admiral

Notification for connector is in hung state OR connector is not processing any events

The scenario is that the connector is in a hung state OR the connector is not processing any events (connector state is still showing running). How can I get a notification for this?

Will the details of agent:050 suffice for this scenario?

Raj
Fleet Admiral

agent:050 messages include a bunch of information that would be useful, but it's worth detailing out what is there.

For agent:050 messages, you are looking for the following in a filter:

deviceVendor = ArcSight

deviceProduct = ArcSight

deviceEventClassId = agent:050

The message is generated every 5 minutes by default in accordance with the setting in the properties default file:

[ARCSIGHT HOME]/current/config/agent/agent.default.properties

agent.rawevent.logging.interval=30000

Assuming this is left as standard (which is highly recommended) then you will get around 288 agent:050 messages per day - 24 * 60 = 1440 minutes / 5 minutes for the raw event sampling data = 288 messages. You can also see the amount of data in the deviceCustomString4 field which is the number of bytes.

This is a status message though, so it will give you a breakdown of the amount of data that is processing through a SmartConnector, and if the log source is down, then you will see a drop in the total number of bytes being sent, but you will still get the agent:050 messages. If your SmartConnector is down, yes, you will no longer see the agent:050 message and hence it will be suitable for a connector not being available, but the difficulty here is that this is every 5 minutes and the worst case scenario is that you will have to wait for up to 5 minutes to have this identified.


So it's a 1/2 and 1/2 answer - yes it might be useful, but it's not great.

But the bigger question is why are you not using ArcMC for this purpose? It's a powerful platform for defining these things and you can do a lot with it. Also, have you considered the use of the Activate framework for this too? There is an Activate framework package for connector monitoring:

https://marketplace.saas.hpe.com/arcsight/content/activate-base

https://marketplace.saas.hpe.com/arcsight/content/activate-c-security-system-monitoring-base

https://marketplace.saas.hpe.com/arcsight/content/c-security-system-monitoring-connectors

And for ArcMC and what you can do with it for monitoring, I recommend taking a look here:

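The two conditions described in the reply above (agent:050 stops arriving, or keeps arriving while the byte count in deviceCustomString4 drops), written as a check over exported events. This is an added example, not part of the original thread and not ArcSight content; the `agentName` and `endTime` keys, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Filter values for the status event, as given in the reply above.
HEARTBEAT = {"deviceVendor": "ArcSight", "deviceProduct": "ArcSight",
             "deviceEventClassId": "agent:050"}

def connector_health(events, expected, now, interval_s=300, missed=2, idle_n=3):
    """Return {connector: 'ok' | 'idle' | 'silent'}.

    silent: no agent:050 for more than missed * interval_s (down or hung)
    idle:   agent:050 still arrives, but the last idle_n samples carry 0 bytes
    """
    samples = defaultdict(list)
    for ev in events:
        if all(ev.get(k) == v for k, v in HEARTBEAT.items()):
            # agentName / endTime (epoch seconds) are assumed export field names.
            samples[ev["agentName"]].append(
                (ev["endTime"], int(ev["deviceCustomString4"])))
    status = {}
    # Include expected connectors so one that never reported is still flagged.
    for name in set(expected) | set(samples):
        seen = sorted(samples.get(name, []))
        recent = [nbytes for _, nbytes in seen[-idle_n:]]
        if not seen or now - seen[-1][0] > missed * interval_s:
            status[name] = "silent"
        elif len(recent) == idle_n and sum(recent) == 0:
            status[name] = "idle"
        else:
            status[name] = "ok"
    return status

def _hb(name, t, nbytes):
    """Build one constructed agent:050 event."""
    return dict(HEARTBEAT, agentName=name, endTime=t, deviceCustomString4=str(nbytes))

# Constructed sample: one status event every 300 s up to t=3600.
SAMPLE = (
    [_hb("conn-a", t, 52000) for t in range(300, 3601, 300)]
    # conn-b keeps reporting, but its log source went quiet after t=2700
    + [_hb("conn-b", t, 41000 if t <= 2700 else 0) for t in range(300, 3601, 300)]
    # conn-c stopped sending status events after t=2400
    + [_hb("conn-c", t, 38000) for t in range(300, 2401, 300)]
    # unrelated event that the filter must ignore
    + [{"deviceVendor": "Other", "deviceEventClassId": "x", "agentName": "conn-c",
        "endTime": 3600, "deviceCustomString4": "1"}]
)

if __name__ == "__main__":
    names = ["conn-a", "conn-b", "conn-c", "conn-d"]
    for name, state in sorted(connector_health(SAMPLE, names, 3600).items()):
        print(name, state)
```

With `missed=2` a stopped connector is reported after two missed intervals, so the detection delay grows with the logging interval configured on the connector.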