
ArcSight Pro Tip #3 - It's in the Logs!

Monitoring and troubleshooting an ArcSight product doesn't have to be difficult. Luckily, ArcSight products contain very verbose logs which likely point out potential problems; with the following tips you can quickly find the log entries of interest.

Where to look? The following log files are the most important and contain 90% of the information you're looking for...

-- ESM Manager --

Log: server.log

Location: manager/logs/default/server.log

-- Logger --

Log: logger_server.log

Location: logger/logs/logger_server.log

-- Connector --

Log: agent.log

Location: agent/logs/agent.log

-- Unix/Linux Log Tips --

To quickly find only errors and warning messages, use egrep:

egrep -i "warn|error" server.log

If you find an error you want to investigate, show 5 lines before and 5 lines after:

grep -A5 -B5 "guardOverflow" server.log

Or if you want to watch the log in real-time, use tail -f (follow):

tail -f server.log

and then add a pipe character to add grep functionality:

tail -f server.log | egrep -i "warn|error"

That's it. If you are running ArcSight products on a Windows environment then the best tip is to download Baretail. Baretail offers "tail -f" functionality in Windows and the ability to colorize your Warning and Error logs. Cool stuff!

Happy Hacking!

Greg

@threatstream

http://www.threatstream.com
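The egrep/grep -A/-B triage above, wrapped into reusable shell functions as an added example (not part of Greg's post or any ArcSight tool). The sample log lines are constructed and only loosely modelled on a manager server.log; the function names are my own. The summary function goes one step beyond the post: it counts how often each distinct WARN/ERROR message repeats, which is usually the fastest way to spot the one failure that is flooding the log.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh plus
# grep, sed, sort and uniq. Log format below is constructed, not real output.

# Write a small constructed sample log to the path given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
[2024-01-01 10:00:00,001][INFO ][default.com.arcsight.server.Main] Manager started
[2024-01-01 10:00:05,120][WARN ][default.com.arcsight.server.Pool] Pool nearly full
[2024-01-01 10:00:06,000][INFO ][default.com.arcsight.server.Main] heartbeat
[2024-01-01 10:00:07,300][ERROR][default.com.arcsight.server.Db] Connection refused
[2024-01-01 10:00:08,000][INFO ][default.com.arcsight.server.Main] heartbeat
[2024-01-01 10:00:09,500][ERROR][default.com.arcsight.server.Db] Connection refused
EOF
}

# Count WARN/ERROR lines, case-insensitively (same match as egrep -i "warn|error").
count_problems() {
  grep -ciE 'warn|error' "$1"
}

# Print lines matching pattern $2 in log $1 with $3 lines of context on each
# side, the grep -A/-B trick from the post.
show_context() {
  grep -B"$3" -A"$3" "$2" "$1"
}

# Strip the leading timestamp and count each distinct WARN/ERROR message,
# most frequent first, so a repeating failure stands out immediately.
summarize_problems() {
  grep -iE '\[(WARN|ERROR)' "$1" \
    | sed -E 's/^\[[^]]*\]//' \
    | sort | uniq -c | sort -rn
}

# When run directly with a log file as the first argument, triage that file.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  echo "WARN/ERROR lines: $(count_problems "$1")"
  summarize_problems "$1"
fi
```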


Re: ArcSight Pro Tip #3 - It's in the Logs!

Hello,

These logs are valuable but you should also look at:

  • 'Server.std.log' of the manager (in the same location you've mentioned)
  • 'Agent.out.wrapper.log' of the connectors (in the same location you've mentioned)
  • The oracle alert log, maybe the best place to understand what’s wrong with your DB (located at '<ORACLE_BASE>\diag\rdbms\<SID>\<SID>\trace\alert_<SID>.log' in Oracle 11g)
  • The 'partitionmanger.log' and 'partitionarchiver.log' in the manager and in the DB, as well as the partition archiver agent logs (agent.log and agent.out.wrapper.log) when you have something wrong with your partitions.
  • The fact the ArcSight products produce internal audit events is also critical to remember when troubleshooting, mainly because sometimes just by regularly monitoring these events you can save time and effort.

And of course you can always use this handy tool:

Regards,

Or.


Re: ArcSight Pro Tip #3 - It's in the Logs!

Excellent summaries of things it took many of us a while to stumble upon.


Re: ArcSight Pro Tip #3 - It's in the Logs!

Marking this for later, thanks.
