zargaran (Honored Contributor)

Delay in indexing forwarded events from Logger to ESM!

Hi All,

I am forwarding all events from Logger Appliance L7400 V 5.2 to ArcSight ESM 7.0 SP1.

but I have some problems with this task:

1- All events forwarded from Logger to ESM are indexed in ESM with about 2 or 3 hours of delay. This means that when I search for sample events in an Active Channel, I see all events forwarded from Logger with a 2-3 hour delay (with "Timestamp uses as" set to the "endTime" field). If I change "Timestamp uses as" to the "managerReceiptTime" field, I can see the correct time frame in the Active Channel.

2- In ArcSight Logger: EPS In ~ 8000 EPS and EPS Out ~ 5000 EPS. Also, in the Event Throughput dashboard of ESM, I see Current EPS Avg ~ 3000 with the delayed time.

Additional comments:

  • All ArcSight SIEM tools (SmartConnectors, ArcSight Logger and ESM) are synchronized with an NTP server
  • I have not configured any filtering or aggregation in the ESM Forwarder connector in Logger

[Attachment: 12.JPG]

[Attachment: 13.JPG]

Any Solutions?


BR

Amir
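To put a number on the delay Amir describes (events landing in ESM hours after their endTime, with managerReceiptTime showing the true arrival), here is an added diagnostic script that is not part of the original post or of ArcSight. It reads a constructed CSV export with the two field names from the post (the timestamp format, column layout and event values are assumed), computes the per-event receipt lag, and reports whether the lag is growing over the window (a forwarding/indexing backlog) or steady (more consistent with a fixed offset such as a clock problem).

```python
import csv
import io
from datetime import datetime, timezone
from statistics import median

# Constructed sample export (not real ArcSight data): three events whose
# receipt lag grows from 2h05m to 2h40m, i.e. a backlog pattern.
SAMPLE_CSV = """endTime,managerReceiptTime,name
2020-01-10 08:00:00,2020-01-10 10:05:00,Logon success
2020-01-10 08:30:00,2020-01-10 10:50:00,Logon failure
2020-01-10 09:00:00,2020-01-10 11:40:00,Firewall deny
"""

# Assumed timestamp layout of the export; adjust to match a real export.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text):
    """Parse one exported timestamp; assumes the export is in UTC."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def event_lags(csv_text):
    """Return [(endTime, lag_seconds), ...] sorted by endTime.

    lag_seconds = managerReceiptTime - endTime, i.e. how long after the
    event ended it was actually received by the ESM manager.
    """
    lags = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        end = parse_ts(row["endTime"])
        receipt = parse_ts(row["managerReceiptTime"])
        lags.append((end, (receipt - end).total_seconds()))
    lags.sort()
    return lags


def summarize(lags, drift_threshold_seconds=300):
    """Summarize lag and classify its trend across the window.

    If the lag grows by more than drift_threshold_seconds from the earliest
    to the latest event, the pipeline is falling behind (backlog). A large
    but flat lag points at a fixed offset instead, e.g. a clock problem.
    """
    seconds = [lag for _, lag in lags]
    drift = seconds[-1] - seconds[0]
    if drift > drift_threshold_seconds:
        pattern = "growing backlog"
    elif max(seconds) > drift_threshold_seconds:
        pattern = "steady offset (check clocks and forwarder config)"
    else:
        pattern = "within threshold"
    return {"median_seconds": median(seconds),
            "max_seconds": max(seconds), "pattern": pattern}
```

Run it against an Active Channel export covering a few hours; a lag that keeps climbing across the window confirms the forwarder or ESM indexing is not keeping up with the inbound EPS rather than a timestamp interpretation problem.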

Reply from Micro Focus Expert

Re: Delay in indexing forwarded events from Logger to ESM!

Hi Amir,

A couple of things:

1 - Logger Appliance L7400 V 5.2 (extremely old and out of support)

2 - almost 9000 EPS and EPS Out ~ 5000 EPS; it is impressive to maintain this EPS.

I would recommend reviewing the best practices guide and seeing if there is any advice on optimisations / best practices there.

Check the percentage on the storage groups; if any are above 90%, then try to reduce them to 90% or below (by either increasing the capacity or reducing the retention period).

Check the number of forwarders and destinations - check the best practice guide for recommendations.

Check the connector logs (forwarding connector) on the Logger.

The issue could also potentially be on the ESM side, which would also be worth investigating.

Hope it helps.

Lar
