SN47: Windows Unified Connector Planning, Implementation and Troubleshooting
Speakers: Brook Watson, Solutions Architect, ArcSight; Lisa Huff, Director, ArcSight Enterprise Specialist, ArcSight
As ArcSight customers expand their security focus from perimeter defense to insider threats, the first device they typically look at is Windows servers. This session will focus on the planning, implementation and troubleshooting best practices surrounding the Windows Unified Connector in large enterprise environments.
@farridem - The packages will be posted to this topic early next week. We are doing some fine tuning of the finished packages before posting for public consumption.
Thanks everyone for attending our session and I hope this topic helps you with future WUC deployments.
In slide 17, it is advised to clear the trend results... When looking for a way to do this, I only find the "hardcore" way through the DB.
Is there an easier (dummy-proof) way to do this?
The easiest way to clear a trend as you have found out is to re-install the ARB. This will effectively reset the WUC profiling content back to its initial state. Just re-enable the trend and you can continue with your testing / troubleshooting after the trend repopulates with current data.
Hello everyone. I just published a couple updated packages for the WUC Profiler ARB. There are two distinct versions.
- The first ( ) is for ArcSight architectures where the Windows Unified SmartConnectors report directly to ESM.
- The second ( ) is for ArcSight architectures where the Windows Unified SmartConnectors report to Logger and are then forwarded to ESM.
Please use the appropriate package for your architecture as the two packages are slightly different and will not work properly in the other architecture.
FYI - 5.0 versions of the two packages should be available for download this week as well.
Hello everyone. As promised, I have uploaded ESM 5.0-SP1 tested packages of the WUC Profiler ARB. Again, there are two separate versions that are dependent on your architecture.
- The first (WindowsUnified_Profiling_ESMOnly_ESMv50SP1_v18.104.22.168.zip) is for ArcSight architectures where the Windows Unified SmartConnectors report directly to ESM.
- The second (WindowsUnified_Profiling_ESMwithLogger_ESMv50SP1_v22.214.171.124.zip) is for ArcSight architectures where the Windows Unified SmartConnectors report to Logger and are then forwarded to ESM.
These packages can be installed in ESM 5.0-GA, but there has been a reported bug that affects the resolution of agent name and hostname in the Logger version. If you experience this bug, please upgrade to SP1.
The trend checks the EPS at the ESM, which would be based on what the connector sends to the ESM after filtering. The real concern, it would seem, would be the EPS from the device to the connector. The connector would still need to process (retrieve and parse) all the events from the device even if it does not forward them.
So is the recommended way of doing the profiling (in terms of grouping devices by EPS) to not filter anything out at the connector, so that everything from the device goes to the Manager?
That way you can better gauge what work the connector has to do?
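To make the distinction in that reply concrete, here is an added example (not from the original thread and not ArcSight's own profiling content) that computes per-host EPS both as the connector receives it and as an ESM-side trend would see it after a connector filter. The hosts, event IDs, window length and filter set are all constructed assumptions.

```python
from typing import Dict, Iterable, List

# Constructed sample, not real data: per-host lists of Windows event IDs
# as the connector pulls them from each device over one 10 second window.
WINDOW_SECONDS = 10
SAMPLE_EVENTS: Dict[str, List[int]] = {
    # dc01: chatty domain controller, mostly 4672/4634 noise (20 events)
    "dc01": [4624, 4672, 4634, 4672] * 5,
    # fs01: quiet file server, only logon events (6 events)
    "fs01": [4624] * 6,
}
# Hypothetical connector-side filter: event IDs dropped before forwarding to ESM.
DROPPED_EVENT_IDS = frozenset({4672, 4634})


def eps_by_host(events: Dict[str, List[int]], window: int,
                dropped: Iterable[int] = frozenset()) -> Dict[str, float]:
    """EPS per host, counting only events whose ID is not in `dropped`."""
    dropped = set(dropped)
    return {host: sum(1 for e in ids if e not in dropped) / window
            for host, ids in events.items()}


def profile(events=SAMPLE_EVENTS, window=WINDOW_SECONDS,
            dropped=DROPPED_EVENT_IDS) -> Dict[str, Dict[str, float]]:
    """Compare device->connector EPS (what the connector must retrieve and
    parse) with connector->ESM EPS (what an ESM-side trend measures)."""
    device_eps = eps_by_host(events, window)          # nothing filtered yet
    esm_eps = eps_by_host(events, window, dropped)    # after connector filter
    return {host: {"device_to_connector": device_eps[host],
                   "connector_to_esm": esm_eps[host],
                   "dropped_by_filter": device_eps[host] - esm_eps[host]}
            for host in events}


def busiest(eps_map: Dict[str, float]) -> str:
    """Host with the highest EPS in the given view."""
    return max(eps_map, key=eps_map.get)


if __name__ == "__main__":
    result = profile()
    for host, view in result.items():
        print(host, view)
    print("busiest at ESM:", busiest({h: v["connector_to_esm"] for h, v in result.items()}))
    print("busiest at connector:", busiest({h: v["device_to_connector"] for h, v in result.items()}))
```

With the filter in place the ESM-side trend ranks fs01 above dc01, while the connector actually does four times more parsing work for dc01; profiling with filters removed (or measuring at the connector) avoids that inversion.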