Super Contributor.

How to ensure from ArcSight ESM/Connector Appliance that it is receiving all logs?

Dear Forum,

I am looking for a way to know whether there is any way to monitor or get an alert when any of the logs is not received by the connector.

Is there any way to automate that in ESM or connector appliance? Please share your view.

Thank you for your time and sharing your experience.

Acclaimed Contributor.

Hi Fahima,

You can create a simple alert in the ESM that sends an email if the connector does not get anything from the destination for a specific time period.

Create a rule with the filter for the targeted connector. Check the total logs from the destinations. If it's zero, then make an alert.

Cheers

Gayan

Mr
Absent Member.

For this you can create a rule to monitor when no feed is received via any of the connectors to your ESM manager.

1. Create a lightweight rule

with condition:

event1 :( Device Event Class ID = agent:050 AND Device Custom Number3 = 0 AND NotMatchesFilter("Connector Filter ") )    

Note: The filter is your list of AgentID

Action will be: On Every Event:

Add to Active List

Field: Agent Name

Resource: //location of the active list (create an event-based list with a field for Agent Name)

Or you can send a mail as an alert, or create a new active channel and add the above active list to see the new feeds. If no events are seen from any of the devices

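The checks described in the two replies above, as an added Python example that is not part of the original posts and is not ArcSight code: it applies the zero-count condition to constructed status events and also flags a connector whose status events stop arriving, a case that a rule firing on agent:050 events cannot see. Treating Device Custom Number3 as the per-interval event count, modelling the connector filter as the `EXEMPT` set, and every agent name, timestamp and the `sample:001` class ID are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample status events (not real ArcSight output).
# "cn3" stands for Device Custom Number3, assumed to be the event count
# for the reporting interval, as the rule condition above implies.
STATUS_EVENTS = [
    {"time": "2024-01-01T10:00:00", "agent": "fw-syslog", "class_id": "agent:050", "cn3": 1200},
    {"time": "2024-01-01T10:05:00", "agent": "fw-syslog", "class_id": "agent:050", "cn3": 0},
    {"time": "2024-01-01T10:00:00", "agent": "win-dc", "class_id": "agent:050", "cn3": 300},
    {"time": "2024-01-01T10:05:00", "agent": "win-dc", "class_id": "agent:050", "cn3": 280},
    {"time": "2024-01-01T10:05:30", "agent": "win-dc", "class_id": "sample:001", "cn3": 0},
    {"time": "2024-01-01T09:30:00", "agent": "proxy", "class_id": "agent:050", "cn3": 50},
    {"time": "2024-01-01T10:05:00", "agent": "lab-test", "class_id": "agent:050", "cn3": 0},
]
WATCHED = {"fw-syslog", "win-dc", "proxy", "lab-test", "db-audit"}  # hypothetical inventory
EXEMPT = {"lab-test"}                    # hypothetical stand-in for the connector filter
NOW = datetime(2024, 1, 1, 10, 6)        # constructed evaluation time


def silent_connectors(events, now, watched, exempt=frozenset(),
                      max_gap=timedelta(minutes=15)):
    """Return {agent: reason} for watched connectors with no log flow."""
    latest = {}  # agent -> (timestamp, count) of its newest agent:050 event
    for ev in events:
        if ev["class_id"] != "agent:050" or ev["agent"] in exempt:
            continue
        ts = datetime.fromisoformat(ev["time"])
        if ev["agent"] not in latest or ts > latest[ev["agent"]][0]:
            latest[ev["agent"]] = (ts, ev["cn3"])

    findings = {}
    for agent in sorted(set(watched) - set(exempt)):
        if agent not in latest:
            # The connector has never sent a status event at all.
            findings[agent] = "never reported"
        elif now - latest[agent][0] > max_gap:
            # The connector itself went quiet, so no zero-count event exists to match.
            findings[agent] = "status events stopped"
        elif latest[agent][1] == 0:
            # Same condition as the rule: status event present, count is zero.
            findings[agent] = "zero events in last interval"
    return findings


if __name__ == "__main__":
    for agent, reason in silent_connectors(STATUS_EVENTS, NOW, WATCHED, EXEMPT).items():
        print(f"ALERT {agent}: {reason}")
```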
Outstanding Contributor.

Hello Fahima,

The breach rules in the latest version of ArcMC are pretty awesome IMO.

  - See page 182.

Hope this helps.

Best regards,

Lar
