How to ensure from ArcSight ESM/Connector Appliance that it is receiving all logs?
I am looking for a way to know whether there is any way to monitor or get an alert when any of the logs is not received by the connector.
Is there any way to automate that in ESM or Connector Appliance? Please share your views.
Thank you for your time and sharing your experience.
You can create a simple alert in the ESM that sends an email if a connector does not get anything from a destination for a specific time period.
Create a rule with a filter for the targeted connector. Check the total logs from the destinations. If it is zero, then make an alert.
For this you can create a rule to monitor when no feed is received via any of the connectors to your ESM Manager.
1. Create a lightweight rule
event1: ( Device Event Class ID = agent:050 AND Device Custom Number3 = 0 AND NotMatchesFilter("Connector Filter") )
Note: the filter is your list of AgentIDs.
Action will be: On every event:
Add to Active List
Field: Agent Name
Resource: //location of the active list (create an event-based list with the field Agent Name)
Or you can send a mail as an alert, or create a new active channel and add the above active list to see the new feeds, if no events are seen from any of the devices.
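The two answers above describe the same detection idea: keep a list of the connectors you expect to hear from, watch their status events, and raise an alert when one goes quiet or reports a zero event count. The Python below is an added example written for this thread, not code from the original posts or from ArcSight; it replays that logic outside ESM over a constructed set of connector status records (the field names `agent`, `received` and `event_count`, the connector names, and the `EXPECTED_AGENTS` list are all made-up assumptions standing in for the AgentID filter and the status-event fields the answers refer to). It also goes slightly beyond the thread by distinguishing three failure modes: a connector that never reported, one that went silent, and one that is alive but reporting zero events.

```python
from datetime import datetime, timedelta

# Constructed sample feed (not real ArcSight data): one record per connector
# status event, with the connector (agent) name, the time ESM received it and
# the number of base events the connector reported for that interval.
SAMPLE_EVENTS = [
    {"agent": "fw-edge-syslog", "received": "2024-05-01T10:00:00", "event_count": 1200},
    {"agent": "fw-edge-syslog", "received": "2024-05-01T10:05:00", "event_count": 1180},
    {"agent": "win-dc-wuc",     "received": "2024-05-01T10:00:00", "event_count": 300},
    {"agent": "win-dc-wuc",     "received": "2024-05-01T10:05:00", "event_count": 0},   # alive, but no feed
    {"agent": "proxy-web",      "received": "2024-05-01T09:20:00", "event_count": 80},  # stale
]

# Hypothetical list of connectors that are expected to report; this plays the
# role of the "Connector Filter" / AgentID list mentioned in the answer above.
EXPECTED_AGENTS = {"fw-edge-syslog", "win-dc-wuc", "proxy-web", "vpn-gw"}


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def find_feed_gaps(events, expected_agents, now, max_silence):
    """Return {agent: reason} for every expected connector with a feed problem.

    A connector is flagged when it never reported, when its most recent status
    event is older than max_silence, or when its most recent status event
    carried an event count of zero.
    """
    last_seen = {}
    last_count = {}
    # Records may arrive out of order, so keep the newest status per connector.
    for ev in events:
        ts = parse_ts(ev["received"])
        agent = ev["agent"]
        if agent not in last_seen or ts > last_seen[agent]:
            last_seen[agent] = ts
            last_count[agent] = ev["event_count"]

    problems = {}
    for agent in sorted(expected_agents):
        if agent not in last_seen:
            problems[agent] = "never reported"
        elif now - last_seen[agent] > max_silence:
            problems[agent] = f"silent since {last_seen[agent].isoformat()}"
        elif last_count[agent] == 0:
            problems[agent] = "reporting but zero events in last interval"
    return problems


def demo():
    """Run the check over the constructed sample at a fixed 'now'."""
    now = parse_ts("2024-05-01T10:06:00")
    return find_feed_gaps(SAMPLE_EVENTS, EXPECTED_AGENTS, now, timedelta(minutes=15))


if __name__ == "__main__":
    for agent, reason in demo().items():
        print(f"ALERT {agent}: {reason}")
```

In ESM terms, `EXPECTED_AGENTS` is the active list you seed with your AgentIDs, the `last_seen` map is what the "Add to Active List" action maintains, and the three reasons are the conditions you would split into separate rules or notifications. Tune `max_silence` per connector: a busy firewall syslog feed that is quiet for fifteen minutes is a problem, while a low-volume source may legitimately be quiet for hours.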