Respected Contributor.

lightweight rule is not writing to active list consistently

Hi there,

My ArcSight ESM manager version is 7.0.0.

I set up a Flex Connector that sends custom mapped events to the ArcSight manager. I can see the events appear in the active channel as expected. However, the lightweight rule that I set up with the same filter as the active channel does not seem to write to the active list consistently. Sometimes it writes part of the events, and other times it does not write new events at all.

I should add that the volume of events is in the 10s of thousands or more. 

One observation is that if I manually disable the rule and re-enable it, it would write about 50k entries to the active list.  It seems like there's a "rate limit" on writing to the active list??

I also found that the rule icon changes to a gray-green icon from the red lightning bolt.

What does this mean?


Thanks in advance!


Accepted Solutions
Respected Contributor.

Thanks vitz1! I did some digging on the icon and the reasons for rules being disabled by the system. It turns out that there is a "rate limit" of a sort, but instead of event rate, it's limiting on CPU usage.

The property is "rules.max.fractional.cpu=50". It's a relative % of the rule's CPU time vs other rules. If it is over 50%, it would be disabled by the system.

There used to be error messages in the console's footer alerting to this disablement, but they're not present in v7.0. I turned it up to the value of 90, restarted the manager, and the rule is no longer disabled by the system.

3 Replies
Respected Contributor.

Updated additional details on my findings...

Knowledge Partner

Normally this greyed out icon means that your rule was disabled due to high activity...

/All Dashboards/ArcSight Administration/ESM/System Health/Resources/Rules/Rules Status

should tell you the reason for disabling... however... thinking about this... it's a lightweight rule... it probably will not come here... not sure about any limits for those.

KR

A
