Absent Member.

How many devices that send logs are integrated?

Hi guys!

I have created a filter that contains all agent IDs with the fields "Device Address, Device Host Name, Device Vendor and Device Product", and I feel this isn't the best way to get all devices that send logs.

Please share your methods for getting all integrated devices, or all devices that send logs.



Thanks

12 Replies
Respected Contributor.

Re: How many devices that send logs are integrated?

Dear Muteb,

Device Vendor != ArcSight AND ((Device Address IS NOT NULL AND Device Host Name IS NULL) OR (Device Address IS NULL AND Device Host Name IS NOT NULL) OR (Device Address IS NOT NULL AND Device Host Name IS NOT NULL))

Select these fields in the report:

Device Address, Device Host Name, Device Vendor, Device Product

Thanks & regards,

Krunal Mendapara

Security Consultant
Respected Contributor.

Re: How many devices that send logs are integrated?

I may be wrong, but all monitored devices are placed in the Active List \ArcSight Administration\Devices\All Monitored Devices. You can query that list any way you like.

Regards

David

Acclaimed Contributor.

Re: How many devices that send logs are integrated?

Hello,

David is right; you find them here:

/All Active Lists/ArcSight Administration/Connectors/System Health/Reporting Devices

However, keep in mind that TTL=0 means no entry in there expires.

Volker

Absent Member.

Re: How many devices that send logs are integrated?

Hi all,

I am using the Device Event Class ID = agent:043 to collect the information generated by the connectors about the reporting devices.

In order to enable this kind of monitoring, you should enable the "Device Status monitoring" feature in the connector configuration (doing it from the ESM is more comfortable), supplying a number of milliseconds (60000 minimum).

That way, your connector will start generating information that you can capture, such as:

Agent Name = Connector which is generating the internal audit log (agent:043)

Source Address = IP Address of the device sending logs

Source Host Name = Host Name of the device sending logs

The other Source fields are containing additional information about the Source of the events.

Device Custom Number 1 = Total Count of events since the latest connector restart

Device Custom Number 2 = Number of events sent in each interval (the number of milliseconds set in the Device Status monitoring feature)

Device Custom Date 1 = The latest date at which a device reported to the ESM

Device Custom String 1 = Device Vendor

Device Custom String 2 = Device Product

This is the best way I found. Some points worth mentioning:

1) DNS resolution: make sure it is correctly enabled, setting DNS servers that are able to resolve a hostname from the Source Address, if you want to refer to devices by hostname.

2) Each connector can store information only for the latest 1000 devices. If you have more, make sure to split them across different connectors. Also keep in mind that a device is identified based on these fields:

Device Address

Device Host Name

Device Vendor

Device Product

If, for any reason, just one of them differs, a new device will be generated regardless of the "common fields".

If you search for agent:043, you can find a lot of information.

Good luck,

Alex

Honored Contributor.

Re: How many devices that send logs are integrated?

Very useful post for me.

Some time ago I investigated the server log and found errors like:

[2015-10-30 12:16:27,586][ERROR][default.com.arcsight.server.util.ASComponentAssetsUtil] Sensor asset auto-creation overflow [[Key 32W5m0U8BABDNi8Tfd0WA2A== has exceeded the permissible limit (1000) -> 1375] ]

Now it seems I have found the answer to what the permissible limit is:

2) Each connector can store information only for the latest 1000 devices. If you have more, make sure to split them in different connectors.

32W5m0U8BABDNi8Tfd0WA2A== is the ID of a Microsoft Windows Unified Connector that is getting events from the Hardware Events of the collector.

Is it possible to increase permissible limit value?

Absent Member.

Re: How many devices that send logs are integrated?

Hi Alexey,

I did not find any way to customize that parameter.

Cheers,

Alex

Absent Member.

Re: How many devices that send logs are integrated?

Hi All,

I am new to ArcSight. I am using ArcSight Express version 4.0, and the console version is 6.1.0.1389.

I have gone through the above posts and I have not seen the reporting devices list.

/All Active Lists/ArcSight Administration/Connectors/System Health/Reporting Devices.

Could you please let me know whether the above path varies per version? If not, what do I have to do to get the device list? Please provide me the list of steps to get this information.

Absent Member.

Re: How many devices that send logs are integrated?

I'm still not getting the right answer yet.

Contributor.

Re: How many devices that send logs are integrated?

Hi Ramu,

The data in this active list is fed by the Device Reported rule. Make sure that rule is enabled and is under the Real time Rules folder. The location of this rule is /Real time Rules/ArcSight Administrations/System Health/Device Reported.

Regards,

Praveen P

Contributor.

Re: How many devices that send logs are integrated?

Hi Muteb,

You can try this condition: Type != Correlation AND Device Vendor != ArcSight AND Event ID Is NOT NULL AND Not in AL (the same AL that you will be using in the actions).

Actions: On every event: Add to active list (the fields will be Device Address, Device Host Name and Device Product).

I have been using the same condition in my rule; this rule updates my AL whenever a new device is added. You can run a report on this AL to get the list of devices reporting.

Regards,

Praveen P

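The two approaches in this thread (Alex's reading of the agent:043 Device Status events, and Praveen's rule that adds unseen devices to an active list) can be tried offline on sample data. The script below is an added example written for this page, not code from the thread or from ArcSight. It assumes CEF-formatted input with the standard keys src, shost, cn1, cn2, deviceCustomDate1, cs1, cs2, dvc, dvchost and ahost; the keys `type` and `eventId` stand in for ESM's internal Type and Event ID fields and are constructed for the example, as are all the sample lines. The per-connector cap is modelled as evicting the oldest entry, which is an assumption: the thread only says the 1000-device limit exists.

```python
import re
from collections import OrderedDict

# Constructed sample events for this example (not real connector output).
# The first three mimic agent:043 Device Status events from two connectors;
# the rest are base and correlation events of the kind the rule evaluates.
SAMPLE_LINES = [
    "CEF:0|ArcSight|ArcSight|7.0|agent:043|Device status|1|ahost=syslog-conn-01 src=10.0.0.5 shost=fw01.example.test cn1=12400 cn2=75 deviceCustomDate1=1446201387586 cs1=Cisco cs2=ASA",
    "CEF:0|ArcSight|ArcSight|7.0|agent:043|Device status|1|ahost=syslog-conn-01 src=10.0.0.5 shost=fw01.example.test cn1=3 cn2=1 deviceCustomDate1=1446201387590 cs1=Cisco cs2=PIX",
    "CEF:0|ArcSight|ArcSight|7.0|agent:043|Device status|1|ahost=win-conn-02 src=10.0.1.20 shost=dc01.example.test cn1=900 cn2=30 deviceCustomDate1=1446201387600 cs1=Microsoft cs2=Microsoft Windows",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|type=base eventId=1001 dvc=10.0.0.5 dvchost=fw01.example.test src=198.51.100.9 dst=10.0.0.8",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|type=base eventId=1002 dvc=10.0.0.5 dvchost=fw01.example.test src=198.51.100.10 dst=10.0.0.8",
    "CEF:0|ArcSight|ArcSight|7.0|rule:101|Rule fired|3|type=correlation eventId=1003 dvc=10.0.0.1 dvchost=esm.example.test",
    "CEF:0|Microsoft|Microsoft Windows|2012|4624|Logon|3|type=base eventId=1004 dvc=10.0.1.20 dvchost=dc01.example.test",
]

MAX_DEVICES_PER_CONNECTOR = 1000  # per-connector limit reported in the thread

_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def parse_cef(line):
    """Parse one CEF:0 line into a flat dict.

    Header fields get ArcSight field names; extension key=value pairs are
    split at the key positions, so values may contain spaces. Escaped pipes
    and '=' inside values are not handled (enough for this example)."""
    parts = line.split("|", 7)
    if parts[0] != "CEF:0" or len(parts) != 8:
        raise ValueError("not a CEF:0 line: %r" % line)
    ev = {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "deviceEventClassId": parts[4],
        "name": parts[5],
        "severity": parts[6],
    }
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        ev[m.group(1)] = ext[m.end():end].strip()
    return ev


def load_sample():
    return [parse_cef(line) for line in SAMPLE_LINES]


def inventory_from_status_events(events, cap=MAX_DEVICES_PER_CONNECTOR):
    """Alex's method: collect reporting devices from agent:043 status events.

    A device is identified by (address, hostname, vendor, product); if any one
    field differs, a separate entry is created, as the thread warns. Each
    connector keeps at most `cap` entries; the oldest is evicted (assumption)
    and counted in `overflow` when the cap is exceeded."""
    inventory, overflow = {}, {}
    for ev in events:
        if ev.get("deviceEventClassId") != "agent:043":
            continue
        connector = ev.get("ahost", "unknown-connector")
        key = (ev.get("src", ""), ev.get("shost", ""),
               ev.get("cs1", ""), ev.get("cs2", ""))
        devices = inventory.setdefault(connector, OrderedDict())
        if key in devices:
            devices.move_to_end(key)
        elif len(devices) >= cap:
            devices.popitem(last=False)
            overflow[connector] = overflow.get(connector, 0) + 1
        devices[key] = {
            "total_events": int(ev.get("cn1", 0)),        # since last restart
            "events_per_interval": int(ev.get("cn2", 0)),  # per status interval
            "last_report": ev.get("deviceCustomDate1", ""),
        }
    return inventory, overflow


def rule_device_reported(ev, active_list):
    """Praveen's rule condition applied to one event: Type != Correlation AND
    Device Vendor != ArcSight AND Event ID IS NOT NULL AND device not already
    in the active list. When it fires, (address, hostname, product) is added
    to the list and True is returned."""
    if ev.get("type") == "correlation":
        return False
    if ev.get("deviceVendor", "").lower() == "arcsight":
        return False
    if not ev.get("eventId"):
        return False
    key = (ev.get("dvc", ""), ev.get("dvchost", ""), ev.get("deviceProduct", ""))
    if key in active_list:
        return False
    active_list.add(key)
    return True


if __name__ == "__main__":
    events = load_sample()
    inventory, overflow = inventory_from_status_events(events)
    for connector, devices in inventory.items():
        print(connector, len(devices), "device(s), overflow:", overflow.get(connector, 0))
        for key, stats in devices.items():
            print("  ", key, stats)
    active_list = set()
    for ev in events:
        if rule_device_reported(ev, active_list):
            print("rule fired, added:", ev.get("dvchost"))
    print("active list size:", len(active_list))
```

Running it shows the pitfall from the thread: fw01 reports twice under syslog-conn-01 because only the product differs (ASA vs PIX), so the status-event inventory counts two devices for one host, while the rule-based active list, which ignores vendor, still sees each (address, hostname, product) once. Passing a small `cap` (for instance `cap=1`) reproduces the overflow behaviour described in the server log error.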
Absent Member.

Re: How many devices that send logs are integrated?

I configured the above, but no results are returned. Did this work for you?
