mustapha_arakji

Syslog Load Balancer with ArcMC

My events go from Load Balancer to ArcMC to ESM and Logger.

One thing you would notice with Syslog events when you check from the ESM or Logger: the Device Address field is the ArcMC appliance, and not the actual event source. This was noticed for a couple of devices.

To solve this issue, I had to edit the lbConfig.xml file on the load balancer to add the parameter "syslog.address.prepend.mode" and set it to "always" as the default was "disabled".

Now that fixed the issue and the event device address is showing as it should be, but that created a new issue with other syslog sources, as some events are no longer being parsed correctly, and that's due to adding the information from the load balancer.

The solution would be to set the "syslog.address.prepend.mode" to "scan", but this might cause performance issues as per the load balancer documentation.

My alternative would be to configure multiple routing policies with different parameter options "always" and "disabled", but this will force me to split my syslog event sources where each will use a different syslog port to match different routing policies.

I already shared this with the ArcSight support team and we both agreed on this. I wanted to share this with the community to discuss. Would anyone suggest a better solution?

Mustapha
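
One way to see which sources are affected before splitting them across routing policies, as an added example that is not part of the original post or of any ArcSight tooling: it counts, per vendor and product, the events whose device address is the forwarding appliance. It assumes the events are available as CEF lines (where `dvc` is the device address key); the address 10.0.0.5 and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical address of the ArcMC appliance hosting the connectors (assumption).
FORWARDERS = {"10.0.0.5"}

# Constructed sample CEF lines, not taken from the thread.
SAMPLE = [
    r"CEF:0|VendorA|Firewall|1.0|100|Deny|5|dvc=10.0.0.5 src=192.0.2.10 msg=Deny tcp",
    r"<134>Jan  1 00:00:00 lb CEF:0|VendorA|Firewall|1.0|100|Deny|5|dvc=10.0.0.5 src=192.0.2.11",
    r"CEF:0|VendorB|Unix|1.0|sshd|Login|3|dvc=172.16.4.20 duser=alice msg=key\=value kept",
    "not a CEF line",
]

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # pipes not escaped as \|
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # key=value, values may hold spaces


def parse_cef(line):
    """Return vendor, product and extension dict, or None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) < 8:
        return None
    ext = {k: v.strip() for k, v in _EXT_PAIR.findall(parts[7])}
    return {"vendor": parts[1], "product": parts[2], "ext": ext}


def masked_sources(lines, forwarders):
    """Map (vendor, product) -> (masked, total) for sources whose
    device address shows a forwarder instead of the real sender."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        event = parse_cef(line)
        if event is None:
            continue
        key = (event["vendor"], event["product"])
        stats[key][1] += 1
        if event["ext"].get("dvc") in forwarders:
            stats[key][0] += 1
    return {k: tuple(v) for k, v in stats.items() if v[0]}


if __name__ == "__main__":
    for (vendor, product), (masked, total) in masked_sources(SAMPLE, FORWARDERS).items():
        print(f"{vendor}/{product}: {masked}/{total} events report the forwarder as device address")
```
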
fjdoming

Re: Syslog Load Balancer with ArcMC

Hi,

I have a question: why do the events go from LB to ArcMC? Is it necessary for any reason?

Regards,

mustapha_arakji

Re: Syslog Load Balancer with ArcMC

Hi,

Actually I'm using the ArcMC to send the events to my pool of loggers and to other two ESM servers.

I thought of sending events to logger directly from Load Balancer, but since I have ESM, I wanted to leverage the functionality of ArcMC.

Any recommendations?

Mustapha
fjdoming

Re: Syslog Load Balancer with ArcMC

Hi,

Could the ArcMC be a bottleneck?

We are thinking of sending syslog events to SmartConnector Load Balancer -> (pool) syslog connectors -> Loggers -> ESM; then the ArcMC will be used for connector management (statistics, updates, configurations, ...).

I didn't know about the functionality of ArcMC as an event receiver and forwarder.

mustapha_arakji

Re: Syslog Load Balancer with ArcMC

Yes, in my case I have ArcMC appliances which will hold my smart connectors.

Mustapha