Miroslav Marcisin (Trusted Contributor)

Super connector not sending events from ESM

Hi,

I'm now solving one big issue.

I have installed two ESMs (both 7.0 P1) with a SuperConnector and a SmartConnector.

The SuperConnector takes events from ESM and sends them as CEF syslog. On the other server I have syslog-ng 3.18.1 and a SmartConnector.

The problem is that the SuperConnector is not sending events from ESM, but only state events from the connector (e.g. connector raw event statistics, connector shutting down, etc.).

When I set a second destination on the SuperConnector as a local CSV file, all events are logged locally: the CSV contains both state events and events from ESM, but via CEF syslog these events are not sent.

I tried both SuperConnectors; the first is 7.9 and the second is 7.5.

There are no special settings; I only installed the connectors, set the login via the forwarding user into ESM and set the destination.

Does anyone have any tips or a workaround, etc.?

Thanks

5 Replies
Knowledge Partner

Re: Super connector not sending events from ESM

Hi Miroslav,

 

First of all, to be able to connect to ESM 7.0 P1 with the FWD connector (or SuperConnector) you should have only ArcSight-7.9.0.8087.0-SuperConnector-Linux64.

Regarding what exactly you are sending, please read FwdConn_ConfigGuide_7.9.0.8087.0.pdf starting with page 7.

There is one more step that you need to do on the source server in order to send the right events that you want.

 

All the best,

 

Daniel

Miroslav Marcisin (Trusted Contributor)

Re: Super connector not sending events from ESM

Hi, that's what I did and read.

The problem is that the SuperConnector can read events from the source ESM and write them into the destination "csv" file, but the connector didn't send events through CEF syslog.

The filter is set the right way for the forwarding user in the source ESM...

Knowledge Partner

Re: Super connector not sending events from ESM

Hi Miroslav,

Are there any errors in the SuperConnector logs for that destination?

Did you also take care of this:

"Caution: When configuring the Forwarding Connector to send events to a non-ESM destination, you might encounter problems with certificate validation during connector setup. See "Sending Events to a Non-ESM Location" on page 7 for information on certificate validation."

Same document, but starting with page 20.

Daniel

Miroslav Marcisin (Trusted Contributor)

Re: Super connector not sending events from ESM

Yes, this is set up correctly. I'm using CEF syslog over TLS. I have set certificates, root CA in cacerts etc. On syslog-ng, decryption is running well. I can see the established connection from the SuperConnector, I can see the SSL handshake and the established connection, then I receive an event like this:

Jan 15 13:03:52 193.84.159.130/193.84.159.130 CEF:0|ArcSight|ArcSight|7.9.0.8087.0|agent:050|Connector Raw Event Statistics|Low| eventId=181 mrt=1547553826020 categorySignificance=/Informational

 

This is an event sent by the SuperConnector, and I received it via CEF syslog.

 

I looked into the logs on both sides and there is no error regarding sending events. The SuperConnector itself is sending "state" events (restarting, starting, configuration change, etc.) but it is not sending correlation events from the source ESM. The SuperConnector is healthy: it can log in to the source ESM and take correlation events through the forwarding user and filter. It can take these events and write them into the CSV file, but it cannot send them via CEF syslog...

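A receiver-side triage sketch for the symptom described in the post above, added here as an example and not part of the original thread or of any ArcSight tooling: it parses the CEF header of each line received by syslog-ng and counts connector-internal events against forwarded ones. Treating the `agent:` Device Event Class ID prefix as the marker of connector-internal events is an assumption drawn from the sample line in the thread; the two extra sample lines are constructed.

```python
from collections import Counter

KEYS = ("version", "vendor", "product", "device_version",
        "event_class_id", "name", "severity")

def parse_cef_header(line):
    """Return the seven CEF header fields plus the extension, or None if not CEF."""
    start = line.find("CEF:")
    if start == -1:
        return None
    s, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(s) and len(fields) < len(KEYS):
        if s[i] == "\\" and s[i + 1:i + 2] in ("\\", "|"):
            cur.append(s[i + 1])      # "\|" and "\\" are escapes inside header fields
            i += 2
            continue
        if s[i] == "|":               # an unescaped pipe ends the current field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    if len(fields) < len(KEYS):
        return None                   # truncated or malformed header
    return dict(zip(KEYS, fields), extension=s[i:].strip())

def classify(lines, internal_prefix="agent:"):
    """Count connector-internal vs. forwarded CEF events among received lines."""
    counts = Counter()
    for line in lines:
        header = parse_cef_header(line)
        if header is None:
            counts["not_cef"] += 1
        elif header["event_class_id"].startswith(internal_prefix):  # assumed marker
            counts["connector_internal"] += 1
        else:
            counts["forwarded"] += 1
    return counts

def only_internal(counts):
    """True when the receiver sees connector state events but no forwarded ones."""
    return counts["connector_internal"] > 0 and counts["forwarded"] == 0

# THREAD_LINE is the event quoted in the thread; CONSTRUCTED lines are made-up samples.
THREAD_LINE = "Jan 15 13:03:52 193.84.159.130/193.84.159.130 CEF:0|ArcSight|ArcSight|7.9.0.8087.0|agent:050|Connector Raw Event Statistics|Low| eventId=181 mrt=1547553826020 categorySignificance=/Informational"
CONSTRUCTED = [
    "Jan 15 13:04:10 esm01 CEF:0|ArcSight|ArcSight|7.0.0.0.0|rule:101|Constructed \\| rule name|High| eventId=200",
    "Jan 15 13:04:11 esm01 syslog-ng starting up",
]
```

Feeding `classify` the lines syslog-ng actually wrote to disk, and checking `only_internal` on the result, confirms from the receiving side whether any non-connector event has crossed the TLS channel.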
Knowledge Partner

Re: Super connector not sending events from ESM

Hi Miroslav,

 

If you have done all the steps from the document and are still not receiving the events sent by the FWD connector, then my recommendation is to log a case with support.

Maybe it is a bug, or there is one step that should be done in order to accomplish the task and is not written in the documentation. It would not be the first time this has happened.

 

Best Regards,

Daniel
