taranjeet Absent Member.

We have been working on ArcSight Management Centre, to check the health of connectors. The health of the connectors has been fluctuating, as the hostname/IP of connector is shown fatal/healthy at times. What could be the possible reason for the connecto

We have been working on ArcSight Management Center to check the health of connectors. The health of the connectors has been fluctuating, as the hostname/IP of a connector is shown as fatal/healthy at short intervals. What could be the possible reason for the connector service being fatal and then healthy in small time slots? How can this be fixed?

Is it a configuration issue with the connector?

billiekwok Absent Member.

Did you keep track of the network connection between them and the service status? I would suggest monitoring the status with a script for a short time, to make sure the connectivity is normal first.

taranjeet Absent Member.

Thanks a lot, Billie, for the suggestion. But there is another thing I just noticed. There are a few connectors which have been down for a month or so, and the health status for those connectors too is fluctuating between the 2 states, i.e. 'fatal' and 'healthy'.

If this is a network issue, should this not show 'down'/'not working' at least for these connectors?

sahaya Super Contributor.

Hi,

Please check your breach rules.

If it is a fatal error and if you are using only your default rules, then they are related to the average EPS.

I would suggest checking your breach rules.

As soon as you log in, you can see the export option on the top left corner of your home page.

That should help you to figure out which rule is creating the alerts.

HTH

Rgds,

Sahaya

vladimir.garasc1 Absent Member.

Hi!

It is true, such problems sometimes happen, not only with ArcSight but also with other SIEMs, and can have many underlying reasons, such as DNS or network configuration errors, performance issues, memory leakage, etc. To determine the specific reasons for the problem, you need to read the connector logs.

I encourage you to take advantage of a free service to analyze connector logs:

https://my.socprime.com/en/hmupload

You’ll just need to upload a connector logfile and you’ll receive a report by mail with an analysis of errors, their description and detailed recommendation.


Regards, Vladimir

Samour Trusted Contributor.

Yeah, breach rules cause a lot of issues.

E.g. if the volume coming into one of your connectors is less than 50 EPS it shows it as down. These settings can be changed.

Here is what we had to do when we ran into this issue:

Breach Rules (Page 137 of the ArcMC admin guide), by default, look for any connector that doesn’t have 50 EPS on average over the course of five minutes.

The breach rules can be configured in the file <install_dir>/userdata/arcmc/monitor_breach_rules.properties. The file is re-read every 3 minutes, so no service restart is required after modifying it.

Comment out the offending breach rule (#3, whereas 1, 2 and 4 were commented out by default) and all of the connectors went back to healthy status, but the Breach Rules are quite powerful and can help identify issues within the environment including CPU, memory, JVM memory, etc.

0 Likes
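To see why a rule like the default one described above makes a low-volume connector flip between 'fatal' and 'healthy', this added example (not part of the original thread and not ArcMC code) replays constructed per-minute EPS samples through a five-minute average with a 50 EPS threshold. The evaluation model, the function names and the sample data are assumptions for illustration; only the 50 EPS and five-minute figures come from the post.

```python
from collections import deque

THRESHOLD_EPS = 50   # from the post: default breach rule threshold
WINDOW_MINUTES = 5   # from the post: averaging period


def window_averages(eps_per_minute, window=WINDOW_MINUTES):
    """Sliding average over the last `window` samples (assumed evaluation model)."""
    recent = deque(maxlen=window)
    averages = []
    for eps in eps_per_minute:
        recent.append(eps)
        if len(recent) == window:
            averages.append(sum(recent) / window)
    return averages


def health_timeline(eps_per_minute, threshold=THRESHOLD_EPS):
    """One state per evaluated window: 'fatal' when the average is below the threshold."""
    return ["fatal" if avg < threshold else "healthy"
            for avg in window_averages(eps_per_minute)]


def count_flaps(states):
    """Number of state changes; a high count means the rule is sitting on the noise floor."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


def quiet_floor(eps_per_minute, margin=0.8):
    """Hypothetical tuning aid: lowest observed average, scaled down by `margin`."""
    averages = window_averages(eps_per_minute)
    return int(min(averages) * margin) if averages else None


# Constructed sample: a connector whose normal volume hovers around 50 EPS.
LOW_VOLUME = [60, 55, 40, 45, 70, 30, 35, 80, 65, 20, 25, 90]
# Constructed sample: a busy connector far above the threshold.
BUSY = [900] * 12

if __name__ == "__main__":
    for name, samples in (("low-volume", LOW_VOLUME), ("busy", BUSY)):
        states = health_timeline(samples)
        print(name, states, "flaps:", count_flaps(states))
    floor = quiet_floor(LOW_VOLUME)
    print("threshold that would not have fired:", floor)
    print("flaps at that threshold:",
          count_flaps(health_timeline(LOW_VOLUME, threshold=floor)))
```

A threshold lowered this way also stops reporting a feed that has genuinely gone quiet, so it is worth keeping some volume-based rule per connector rather than commenting the rule out everywhere.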