Rule to monitor device reporting in a particular time frame
I want to create a rule to monitor devices reporting to ESM within the last 1 hour, and if any device is not reporting, then the rule will trigger an alert. Does anyone have an idea of how to create such a rule?
Thanks & regards,
Re: rule to monitor devices in reporting in particular ti...
In order to achieve that, you can turn on "Device Status Monitoring" for the Connector retrieving events from the Devices you want to monitor. To do that, please:
-> Go to your Connector in the ArcSight Console -> Configure -> Default -> Processing -> "Enable Device Status Monitoring (in milliseconds)". The minimum amount is 60000 ms (which is 1 minute); if you want it reporting every hour, just multiply that by 60.
-> Restart your Connector.
Now the ESM will generate messages with the name "Connector Device Status" every hour, for each Device reporting to that specific Connector. A few pieces of information you can find in these events:
Name: Connector Device Status
Device Event Class ID: agent:043
Agent Name: your configured Connector
Source Host Name: the reporting Device
Device Custom Number2 (Event Count SLC): the number of events that Device has sent during the last period of time
I suggest you first familiarize yourself with the events, and then create your rule based on the specific information in the events and the Devices you want to monitor, looking for Device Custom Number2 being equal to 0 (which would mean that the Device did not report any events since the last check).
All the best,
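The same condition, as an added example that is not part of the reply above or of any ArcSight product: a small Python check over constructed "Connector Device Status" events that flags devices whose Event Count SLC is 0, and additionally (beyond the rule the reply describes) devices that produced no status event at all, which would catch a stopped Connector. The host names, the `expected_hosts` list and the field layout are assumptions.

```python
from dataclasses import dataclass

# Field names mirror the "Connector Device Status" event fields listed in the reply.
@dataclass
class StatusEvent:
    name: str
    device_event_class_id: str
    agent_name: str
    source_host_name: str
    device_custom_number2: int  # Event Count SLC: events sent since last check

# Constructed sample events for one reporting period (not real ESM output).
SAMPLE_EVENTS = [
    StatusEvent("Connector Device Status", "agent:043", "syslog-conn-01", "fw-edge-1", 1532),
    StatusEvent("Connector Device Status", "agent:043", "syslog-conn-01", "fw-edge-2", 0),
    StatusEvent("Connector Device Status", "agent:043", "syslog-conn-01", "dc-01", 87),
    # Unrelated event with the same host and a zero count; the filter must ignore it.
    StatusEvent("Failed Login", "1001", "syslog-conn-01", "dc-01", 0),
]

def is_device_status(ev: StatusEvent) -> bool:
    """Match only the Connector's own status events, by name and class ID."""
    return ev.name == "Connector Device Status" and ev.device_event_class_id == "agent:043"

def silent_devices(events, expected_hosts):
    """Return (zero_count_hosts, missing_hosts).

    zero_count_hosts: devices whose status event says 0 events since last check
                      (the condition the reply suggests for the rule).
    missing_hosts:    expected devices with no status event at all in this period
                      (e.g. the Connector itself stopped sending).
    """
    seen = {}
    for ev in events:
        if is_device_status(ev):
            seen[ev.source_host_name] = ev.device_custom_number2
    zero = sorted(h for h, n in seen.items() if n == 0)
    missing = sorted(h for h in expected_hosts if h not in seen)
    return zero, missing

if __name__ == "__main__":
    # "vpn-gw" is an assumed device that sent no status event this period.
    zero, missing = silent_devices(SAMPLE_EVENTS, ["fw-edge-1", "fw-edge-2", "dc-01", "vpn-gw"])
    print("zero events since last check:", zero)   # ['fw-edge-2']
    print("no status event at all:", missing)      # ['vpn-gw']
```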