Absent Member.
Absent Member.
440 views

Performance Problems with ESM Console 5.2SP1

Does anybody have any tips for improving performance with the ESM console events?

I made the suggested change in the console.bat and increased the sizes to 1024 but we are still dragging when it comes to correlated events.

It's still very slow though and takes several minutes for events to load.

Reports are also very slow as well.

Are there any settings on the manager that would allow the manager to utilize more of the allocated memory?

Any help would be appreciated. Thanks.

Labels (1)
0 Likes
3 Replies
Absent Member.
Absent Member.

Hi,

you can check the below steps & set necessary setting to boost up your managers performance-

1. Please patch your oracle.

The following partitions had errors during partition compression. Please check the Partition Compressor log and fix the root cause.

http://support.openview.hp.com/selfsolve/document/KM1272985

2. Check any huge oracle logs and reset it:

http://support.openview.hp.com/selfsolve/document/KM1270466

>> default listener.log file generate under ---->>> /export/home/oracle/OraHome11g/log/diag/tnslsnr/kubipesm/listener/trace/

clearlistener.log file with taking a backup

3. Resetting Oracle I/O Transfer Speed

http://support.openview.hp.com/selfsolve/document/KM1272082

4. Please increase the manager java heap to at least 6GB

- login arcsight user

- cd /<Manager Home>/bin

- ./arcsight managersetup (follow through and set the memory size)

5. Disable these rule with high partial match:

6. Restart the oracle instance.


7. Confirm filesystemio_options should be set to SETALL

Setting the Database Parameter filesystemio_options

http://support.openview.hp.com/selfsolve/document/KM1272675

8. Make sure stats run against Oracle only.

Check What Oracle Global Stats Jobs Are Running Against

http://support.openview.hp.com/selfsolve/document/KM1271342

9. Change the Oracle Global Stats Job to Run Against Oracle Only

http://support.openview.hp.com/selfsolve/document/KM1271084

10.purge old trace & incident & alert file from /tmp location if those files are not required at all according to last retention period.

/Dilip

0 Likes
Fleet Admiral
Fleet Admiral

Dear jtsapos,

You have to check on ESM web portal in going on the following link

https://[ESMhostname]:8443/arcsight/web/login.jsp

There you have different useful information to monitor and to troubleshoot your ESM.

For memory by example you click on MemoryMonitor and you should see

This will permit you to see if you have a JVM Memory Issue.

Green Zone is OK, Yellow Zone is WARNING and Red Zone is critical (not enough memory)

For CPU, you can click on HostSystemInfo and you should see CPU used

If your events takes times to load, you have a bottleneck somewhere.

Check value above then check if SmartConnector are caching and check also as recommended by Dilip the rule partial matches there is a Dashboard on ESM named Rules Status to check this point.

I advice you to check the ESM logs server.std.log and server.log to see if there is no critical issue.

You may launch the following commands:

cat server.log* | grep -v INFO

cat server.log* | egrep -i 'ERROR|FATAL'

I hope this information will help you.

If you have question do not hesitate to contact me.

Thanks

Best Regards

Michael

0 Likes
Absent Member.
Absent Member.

"5. Disable these rule with high partial match:"

What is the point at which you consider "high"? I have several of these "partial matchaes" rules that are 100K + events in a three day period.

At what point should I consider these "high"? Thanks.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.