agent:043 results for one device
Hi, we configured Device Status Monitoring for 900000 on one of our syslog connectors, and when I check the agent:043 logs for the last 30 min and one specific device I get 32 different results for the same device (they report at the same time).
We upgraded the connector to 7.6 and cleared out the agentdata folder, but that did not help.
The search criteria are like below for $now-15m:
deviceEventClassId=agent:043 and sourceAddress = X.Y.Z.Q AND deviceVendor = "ArcSight" AND deviceCustomString1 = "Check Point" and deviceCustomString2 = "VPN-1 & FireWall-1"
What can be wrong with this connector?
Results attached to post.
I believe this can be expected according to the documentation; when you enable device custom monitoring, the events include this information, if available:
· Event name (Connector Device Status)
· Vendor and Product information
· Source Address and Host Name
· Last event received
· Total number of events for the device since the connector started
· Event count since last call
Page 75 on the guide:
ArcSight Technical Support Engineer
AFAIK the device status monitoring should send only one event for one device per configured threshold. Since mine is configured as 15 min, I should receive only 2 events for the last 30 min. But I got 32 events (all for the same device, all at the same time).
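A small check of the situation described in this thread, added here and not part of any post: it applies the filter from the first post to constructed agent:043 events, compares the count for one device against the "one event per device per interval" expectation from the last reply, and groups the duplicates by timestamp. The event dictionaries, the `endTime` field name and the sample timestamps are assumptions, not real connector output.

```python
# Added example (not from the thread): check agent:043 Device Status events
# for one device against the expected count for a status interval.
# Field names follow the search criteria quoted in the first post; the
# sample events below are constructed, not real connector output.
from collections import Counter
from datetime import datetime, timedelta

STATUS_INTERVAL_MS = 900000          # value from the post: 15 minutes
WINDOW = timedelta(minutes=30)       # the 30-minute search window

def matches(ev, source_address):
    """Apply the filter quoted in the post to one event dictionary."""
    return (ev.get("deviceEventClassId") == "agent:043"
            and ev.get("sourceAddress") == source_address
            and ev.get("deviceVendor") == "ArcSight"
            and ev.get("deviceCustomString1") == "Check Point"
            and ev.get("deviceCustomString2") == "VPN-1 & FireWall-1")

def expected_events(window, interval_ms):
    """One status event per device per interval -> events expected in window."""
    return int(window.total_seconds() * 1000 // interval_ms)

def status_report(events, source_address, window=WINDOW,
                  interval_ms=STATUS_INTERVAL_MS):
    """Return (observed count, expected count, {timestamp: duplicate count})."""
    hits = [ev for ev in events if matches(ev, source_address)]
    per_ts = Counter(ev["endTime"] for ev in hits)   # "endTime" is assumed
    dupes = {ts: n for ts, n in per_ts.items() if n > 1}
    return len(hits), expected_events(window, interval_ms), dupes

def make_event(ts, src="X.Y.Z.Q"):
    """Constructed sample event using the field names from the post."""
    return {"deviceEventClassId": "agent:043", "sourceAddress": src,
            "deviceVendor": "ArcSight", "deviceCustomString1": "Check Point",
            "deviceCustomString2": "VPN-1 & FireWall-1", "endTime": ts}

# Constructed sample: 16 identical events at each of two report times
# (32 for one device, as in the post) plus one event from another device.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [make_event(T0) for _ in range(16)]
SAMPLE += [make_event(T0 + timedelta(minutes=15)) for _ in range(16)]
SAMPLE.append(make_event(T0, src="10.0.0.9"))

if __name__ == "__main__":
    observed, expected, dupes = status_report(SAMPLE, "X.Y.Z.Q")
    print(f"observed={observed} expected={expected}")
    for ts, n in sorted(dupes.items()):
        print(f"  {ts}: {n} identical status events")
```

With the constructed sample the report shows 32 observed against 2 expected, with 16 identical events at each report time, which is the pattern the thread describes.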