
Very few events from DNS server. What properties need to be changed to query the file frequently?

Hi Team,

We have integrated DNS via the file reader connector. We have also configured a log stoppage rule. We are observing the log stoppage alert very frequently, since the file isn't queried frequently.

What parameters need to be changed so that, as soon as the file is updated, our connector reads it and sends the logs to our Console?

Please help.

Regards,

Mitesh Agrawal

Micro Focus Expert

Re: Very few events from DNS server. What properties need to be changed to query the file frequently?

Hello Mitesh,

First of all, I would recommend checking the Flex Connector Developer's guide, especially the part "File Connector Parameters" - page 207.
https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-FlexConnector-Developer-s-Guide/ta-p/1584874?nm=&attachment-id=76956
Here you have all the parameters that you can try changing according to your needs.

If you want the connector to keep reading the events as soon as they are written to the file, then you have to set the option to read it in real-time:
agents[0].processingmode=realtime

If you already have this set or if it doesn't work after setting so, then check in the logs if you have any ERROR or FATAL messages at the time you notice the log stoppage.

I hope this helps.

Regards,
Kresimir

Respected Contributor.

The processing mode is already set to realtime, but the logs themselves aren't being written to the DNS file.
Respected Contributor.

Hi @kzamuda,

Thanks a lot for your reply. I mapped the drive where the DNS logs are getting written and I can see that the DNS events aren't written frequently. Please find the screenshot attached.

The screenshot was taken at 02:30 PM IST and the last time the file was modified was at 1:43 PM IST.

What can be the issue here? Why isn't the DNS server writing the events to the file frequently?

Please help.


Regards,

Mitesh Agrawal 

Micro Focus Expert

Hi Mitesh,

The connector is set to read new events from the file itself. If there are no new events written in the file, there will be nothing to read.
This is not connector related but rather a setup issue (check your DNS settings and why the file doesn't get updated with new events).

Once you are able to confirm that the file is rotating constantly and the connector is still not reading it in real-time, then check the logs for any ERROR or FATAL messages and see if it can even read the file.


Regards,
Kresimir

Respected Contributor.

Hi Kresimir,

I just opened the file and saw that logs are written in the file, but it seems the file's last modified date isn't updated.

I want your help to understand how the ArcSight SmartConnector reads logs. That is, in processingmode = realtime, does the connector go to the file, check the last modified date and only read the logs if it has changed, or does it keep some pointer which marks the last log up to which it has already read? Is there any relation between the connector reading and the last modified time?

I want to check this since I am not sure what exactly the issue is with the DNS server writing to this file, but I can create a script to change the last modified time of the file if the connector checks the last modified time, so that it reads.

Hope you will understand what I am trying to ask.

Regards,
Mitesh Agrawal
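Added example, not part of the thread and not ArcSight code: a small offset-based reader in Python that illustrates the distinction asked about above. It keeps a byte offset into the file and never consults the last-modified time, so appended records are picked up even when mtime lags; when the file is shorter than the saved offset (truncation or a rotation that replaced it) it restarts from byte 0. The sample file and records are constructed here. It makes no claim about what the SmartConnector does internally; the slide deck linked in the reply is the reference for that.

```python
"""Offset-based reader (added example; not ArcSight SmartConnector code)."""
import os
import tempfile


def read_new_records(path, state):
    """Return records appended since state['offset'] and the updated state.

    The reader compares the current file size with the saved offset instead of
    looking at mtime. If the file is smaller than the offset it was truncated or
    replaced (rotation), so reading restarts at byte 0 rather than waiting forever.
    Caveat: a rotated file that is already longer than the saved offset is not
    detected by a size check alone; that is what dedicated rotation detection is for.
    """
    size = os.path.getsize(path)
    offset = state.get("offset", 0)
    if size < offset:          # truncation / rotation: start over
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    # Hand back only complete lines; a partial trailing line is re-read next pass.
    lines = data.split(b"\n")
    partial = lines.pop()      # b"" when data ends with a newline
    consumed = len(data) - len(partial)
    return [l.decode("utf-8", "replace") for l in lines], {"offset": offset + consumed}


def simulate():
    """Constructed scenario: append, read, append without newline, then rotate.
    Returns what the reader saw at each step, for inspection or assertions."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "a", encoding="utf-8") as w:
            w.write("dns record 1\ndns record 2\n")
        state = {"offset": 0}
        first, state = read_new_records(path, state)
        # nothing new yet: returns an empty list, offset unchanged
        second, state = read_new_records(path, state)
        with open(path, "a", encoding="utf-8") as w:
            w.write("dns record 3\npartial")      # no trailing newline
        third, state = read_new_records(path, state)
        # rotation: file replaced with a shorter one
        with open(path, "w", encoding="utf-8") as w:
            w.write("after rotation\n")
        fourth, state = read_new_records(path, state)
        return {"first": first, "second": second, "third": third,
                "fourth": fourth, "offset": state["offset"]}
    finally:
        os.remove(path)


if __name__ == "__main__":
    for step, seen in simulate().items():
        print(step, seen)
```

Run it as a script to see each pass; the third pass returns only "dns record 3" because the trailing "partial" has no newline yet, and the fourth pass restarts at offset 0 after the file was replaced.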
Micro Focus Expert

You can check the following presentation to understand how the file reader connector works:
https://docplayer.net/37085739-Understanding-file-reader-connector-framework.html

Understanding File Reader connector framework

Hopefully, this answers your question.

Regards,
Kresimir
Respected Contributor.

Thanks Kresimir,
Also, I got the below warning in my logs.
[WARN ][default.com.arcsight.agent.baseagents.c.d][read] FileReader.exe reached the end of log file or took too long to initialize. The reading process was cancelled.

Since this is a warning, my connector should still be able to read logs, right? What should be done in this case?

Regards,
Mitesh Agrawal
Micro Focus Expert

Hi Mitesh,

Well, it depends on whether you can see any issues with the event collection or not.
So check whether it really reached the end of the log file because it read it completely, or whether you have any other errors following this.
If you can see events missing, you can try to change the following settings:
usealternaterotationdetection set to "true", but it should be used in combination with followexternalrotation, so both have to be set to true.

If that doesn't help, then investigate the logs and see if you can find something there.

I hope this answers your question.
If you found it solved, don't forget to "Accept as solution".

Regards,
Kresimir
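Added example, not from the thread and not Micro Focus code: a Python triage script that does the two checks the replies above recommend, namely confirming the agent.properties settings named in the thread (processingmode, usealternaterotationdetection, followexternalrotation) and pulling WARN/ERROR/FATAL lines from agent.log around the time a log stoppage alert fired. Assumptions: the `agents[0].` prefix on the two rotation keys follows the `agents[0].processingmode` pattern quoted in the thread and should be checked against your own agent.properties; the agent.log layout of `[timestamp][LEVEL][logger][thread] message` with a `YYYY-MM-DD HH:MM:SS,mmm` timestamp is assumed, since the thread shows the WARN line only from `[WARN ]` onward. The properties excerpt and log lines are constructed; only the WARN message text is the one quoted in the thread.

```python
"""Connector triage (added example; formats and key prefixes are assumptions)."""
import re
from datetime import datetime, timedelta

# Keys named in the thread. The agents[0]. prefix on the two rotation keys is
# an assumption modelled on agents[0].processingmode; confirm it in your file.
EXPECTED = {
    "agents[0].processingmode": "realtime",
    "agents[0].usealternaterotationdetection": "true",
    "agents[0].followexternalrotation": "true",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_settings(props):
    """Return {key: (found_value, expected)} for keys missing or not as expected."""
    return {k: (props.get(k), v) for k, v in EXPECTED.items()
            if props.get(k, "").lower() != v}


# Assumed agent.log layout: [timestamp][LEVEL][logger][thread] message
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^\]]*\]"
    r"\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]*)\]\[(?P<thread>[^\]]*)\]\s*(?P<msg>.*)$")


def problems_near(log_text, stoppage_at, window=timedelta(minutes=30),
                  levels=("WARN", "ERROR", "FATAL")):
    """Lines at the given levels whose timestamp lies within +/- window of stoppage_at."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("level") not in levels:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if abs(ts - stoppage_at) <= window:
            hits.append((ts, m.group("level"), m.group("msg")))
    return hits


# --- constructed samples (not real connector output) -------------------------
SAMPLE_PROPERTIES = """\
# constructed agent.properties excerpt
agents[0].type=file
agents[0].processingmode=batch
agents[0].followexternalrotation=true
"""

SAMPLE_LOG = """\
[2020-06-10 13:43:02,118][INFO ][default.com.arcsight.agent.baseagents.c.d][read] constructed info line
[2020-06-10 14:05:37,410][WARN ][default.com.arcsight.agent.baseagents.c.d][read] FileReader.exe reached the end of log file or took too long to initialize. The reading process was cancelled.
[2020-06-10 14:31:09,002][ERROR][default.com.arcsight.agent.baseagents.c.d][read] constructed error line
[2020-06-10 09:00:00,000][FATAL][default.com.arcsight.agent.loader][main] constructed early failure, outside the window
"""


def triage(props_text=SAMPLE_PROPERTIES, log_text=SAMPLE_LOG,
           stoppage_at=datetime(2020, 6, 10, 14, 30)):   # constructed alert time
    return {"settings": check_settings(parse_properties(props_text)),
            "log_hits": problems_near(log_text, stoppage_at)}


if __name__ == "__main__":
    result = triage()
    for key, (found, want) in result["settings"].items():
        print(f"{key}: found {found!r}, expected {want!r}")
    for ts, level, msg in result["log_hits"]:
        print(ts, level, msg)
```

Point `triage()` at the real files by passing their contents and the time from the log stoppage alert; settings that are absent or differ from the values in the thread are listed first, then the WARN/ERROR/FATAL lines in the window, which is where the reply above says to look next.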
