Commodore

agent:043 results for one device

Hi, we configured Device Status Monitoring for 900000 on one of our syslog connectors, and when I check the agent:043 logs for the last 30 min and one specific device, I get 32 different results for the same device (they report at the same time).

We upgraded the connector to 7.6 and cleared out the agentdata folder, but that did not help.

The search criteria are as below for $now-15m:

deviceEventClassId=agent:043 and sourceAddress = X.Y.Z.Q AND deviceVendor = "ArcSight" AND deviceCustomString1 = "Check Point" and deviceCustomString2 = "VPN-1 & FireWall-1"

What can be wrong with this connector?

Results attached to post.

 

Commander

Hello,

I believe this can be expected according to the documentation. When you enable the device custom monitoring, events include this information, if available:

· Event name (Connector Device Status)
· Vendor and Product information
· Source Address and Host Name
· Zone
· Last event received
· Total number of events for the device since the connector started
· Event count since last call

Page 75 on the guide:

https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-SmartConnector-User-Guide-7-15-0/ta-p/1586784?nm=

Diego Chaves Avendaño
ArcSight Technical Support Engineer
Commodore

Hi Diego,

 

AFAIK the device status monitoring should send only one event for one device for the configured threshold. Since mine is configured as 15 min, I should receive only 2 events for the last 30 min. But I got 32 events (all for the same device, all at the same time).

 

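One way to triage the result described in this thread, as an added example that is not part of the original posts and is not ArcSight code: it counts agent:043 events per device against the configured interval and lists which fields differ between the surplus reports. It assumes the search results were exported as a list of field dictionaries; the `endTime` and `sourceHostName` field names, the non-status event class ID and every sample event are constructed assumptions.

```python
from collections import defaultdict

# Fields from the thread's search filter that identify one monitored device.
DEVICE_KEY = ("sourceAddress", "deviceCustomString1", "deviceCustomString2")

def audit_status_events(events, interval_ms, window_ms, time_field="endTime"):
    """Return agent:043 over-reporting per device (offending devices only)."""
    expected_max = window_ms // interval_ms
    by_device = defaultdict(list)
    for ev in events:
        if ev.get("deviceEventClassId") == "agent:043":
            by_device[tuple(ev.get(f) for f in DEVICE_KEY)].append(ev)
    findings = {}
    for key, evs in by_device.items():
        if len(evs) <= expected_max:
            continue
        bursts = defaultdict(int)  # events sharing one timestamp
        for ev in evs:
            bursts[ev.get(time_field)] += 1
        # Fields whose values differ between reports for the same key point
        # at what distinguishes the otherwise identical status events.
        names = set().union(*(ev.keys() for ev in evs)) - {time_field}
        varying = sorted(n for n in names if len({ev.get(n) for ev in evs}) > 1)
        findings[key] = {"count": len(evs), "expected_max": expected_max,
                         "largest_burst": max(bursts.values()),
                         "varying_fields": varying}
    return findings

# Constructed sample events (not taken from the attachment in the thread).
def _ev(addr, host, t):
    return {"deviceEventClassId": "agent:043", "deviceVendor": "ArcSight",
            "sourceAddress": addr, "sourceHostName": host,
            "deviceCustomString1": "Check Point",
            "deviceCustomString2": "VPN-1 & FireWall-1", "endTime": t}

SAMPLE = (
    [_ev("192.0.2.10", h, 900000) for h in ("fw1", "FW1", "fw1.example.test", "fw1")]
    + [_ev("192.0.2.20", "fw2", 900000), _ev("192.0.2.20", "fw2", 1800000)]
    + [{"deviceEventClassId": "example:000", "sourceAddress": "192.0.2.10"}]
)

if __name__ == "__main__":
    # 900000 ms interval over a 30 minute (1800000 ms) search window.
    for device, info in audit_status_events(SAMPLE, 900000, 1800000).items():
        print(device, info)
```

An empty `varying_fields` list means the surplus events are identical in every exported field apart from the timestamp.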