vdor Absent Member.
Absent Member.
927 views

Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

I have an L7400 that is not maxing its CPU out, but events are falling further and further behind in ESM. ESM is not even close to being overloaded. My batching settings are to send 300 events every 1 second (the max), but I can't seem to find any other way to increase the speed. I have 20 million events in Cache, and it's growing. Before I left last night it was at 26 million, and I had hoped it would dwindle down by this morning, but it only went down by 6 million. Yesterday, my event output far exceeded my event input for about 5-7 hours while it ate away at cache, but that ended abruptly and now my event input has basically equalled my output for the last  12 hours. How can I get this thing to catch up? If I still had SSH access to it, I would just increase the transport from 1-3, but that is not an option.

The Logger is at V 5.2-L6307.

Labels (3)
Tags (3)
0 Likes
Reply
1 Solution

Accepted Solutions
Acclaimed Contributor.. Volker Michels Acclaimed Contributor..
Acclaimed Contributor..

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

Hello,

did you try to activate multi threading?

Logger

/opt/arcsight/connector/current/user/agent/agent.properties

http.transport.multithreaded=true

http.transport.threadcount=2 or 3 or 4 (Note: Increasing the threadcount may impact performance of the appliance!)

/opt/arcsight/connector/current/user/agent/agent.wrapper.conf

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=512

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=512

Important: Don't use more than 1024.

Restart:

After you made the changes you have to restart the container with: /etc/init.d/arc_logger_connector restart


Volker

View solution in original post

0 Likes
Reply
5 Replies
Acclaimed Contributor.. Volker Michels Acclaimed Contributor..
Acclaimed Contributor..

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

Hello,

did you try to activate multi threading?

Logger

/opt/arcsight/connector/current/user/agent/agent.properties

http.transport.multithreaded=true

http.transport.threadcount=2 or 3 or 4 (Note: Increasing the threadcount may impact performance of the appliance!)

/opt/arcsight/connector/current/user/agent/agent.wrapper.conf

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=512

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=512

Important: Don't use more than 1024.

Restart:

After you made the changes you have to restart the container with: /etc/init.d/arc_logger_connector restart


Volker

View solution in original post

0 Likes
Reply
vdor Absent Member.
Absent Member.

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

Hi Volker,

Thanks for the suggestion. That is what I'd like to do, but I have no way to edit the agent.properties on the Logger appliance. It's locked down and does not allow SSH access, so I was hoping there was a way with the web interface or ESM gui to achieve this. Any ideas?

0 Likes
Reply
Acclaimed Contributor.. Volker Michels Acclaimed Contributor..
Acclaimed Contributor..

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

Hello,

login to the GUI, enable ssh, login via console and get a response code from support and voila you are on the appliance.

Volker

0 Likes
Reply
vdor Absent Member.
Absent Member.

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

Unfortunately I'm at a remote site filling in for someone while they're on vacation, and they were not allowed to associate their SAIDs and give me a support account. I can probably get someone higher up to do it on a temporary basis with some bureaucratic wrangling, but was looking for a way to avoid having to go that route... If that's the only option though, I'll see what I can do.

0 Likes
Reply
Acclaimed Contributor.. Volker Michels Acclaimed Contributor..
Acclaimed Contributor..

Re: Any way to increase http transport tunnels to ESM on logger forwarder (or speed up the event send in general)?

Jump to solution

It is the only way because there is no diagnostic function like in conn apps.

Volker

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.