ArcSight Pro Tip #3 - It's in the Logs!
Monitoring and troubleshooting an ArcSight product doesn't have to be difficult. Luckily, ArcSight products write very verbose logs that usually point straight at the problem; with the following tips you can quickly find the log entries of interest.
Where to look? The following log files are the most important and contain 90% of the information you're looking for...
-- ESM Manager --
-- Logger --
-- Connector --
-- Unix/Linux Log Tips --
To quickly find only error and warning messages, use egrep:
egrep -i "warn|error" server.log
If you find an error you want to investigate, show the 5 lines before and the 5 lines after it:
grep -A5 -B5 "guardOverflow" server.log
Or, if you want to watch the log in real time, use tail -f (follow):
tail -f server.log
and then add a pipe character to add grep functionality:
tail -f server.log | egrep -i "warn|error"
That's it. If you are running ArcSight products in a Windows environment, the best tip is to download Baretail. Baretail offers "tail -f" functionality on Windows and the ability to colorize your Warning and Error log lines. Cool stuff!
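The grep tips above, applied to a small constructed log, as an added example that is not part of the original post. The log lines, their format and the file location are assumptions made for this example, not real ArcSight output; the functions go one step further than the post by counting problem entries per level.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a constructed
# server.log in the style of an ArcSight manager log and applies the
# egrep / grep -A/-B tips to it. Location and content are assumptions.
LOG="${TMPDIR:-/tmp}/arcsight_tip3_server.log"

# Constructed sample entries: [timestamp][LEVEL][logger] message
cat > "$LOG" <<'EOF'
[2024-01-15 10:00:01,123][INFO ][example.server.Start] Manager started
[2024-01-15 10:00:05,456][WARN ][example.common.Cache] Cache nearly full
[2024-01-15 10:00:06,789][INFO ][example.server.Session] Session opened
[2024-01-15 10:00:07,000][ERROR][example.event.Ingest] guardOverflow: queue limit exceeded
[2024-01-15 10:00:07,500][INFO ][example.server.Session] Session closed
[2024-01-15 10:00:09,111][WARN ][example.common.Cache] Cache eviction triggered
[2024-01-15 10:00:10,222][ERROR][example.db.Pool] Database connection timed out
EOF

# Tip 1: count only warning and error lines (grep -E is the same as egrep;
# -i makes the match case-insensitive as in the original command).
count_problems() {
  grep -Eic "warn|error" "$LOG"
}

# Going beyond the post: break the problem lines down per level, printed
# as "LEVEL count", so a quick glance shows whether errors or warnings dominate.
count_by_level() {
  grep -Eio "\[(warn|error) *\]" "$LOG" \
    | tr -d '[] ' | tr 'a-z' 'A-Z' | sort | uniq -c \
    | awk '{print $2, $1}'
}

# Tip 2: show N lines of context before and after every match of a pattern,
# e.g. context_around guardOverflow 5 reproduces the post's grep -A5 -B5.
context_around() {
  grep -A"$2" -B"$2" "$1" "$LOG"
}

# Tip 3: follow the log live and keep only problems (not run here because
# tail -f never returns; type it into a terminal instead).
watch_problems() {
  tail -f "$LOG" | grep -Ei "warn|error"
}

echo "problem lines: $(count_problems)"
count_by_level
context_around guardOverflow 1
```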
Re: ArcSight Pro Tip #3 - It's in the Logs!
These logs are valuable, but you should also look at:
- 'Server.std.log' of the manager (in the same location you've mentioned)
- 'Agent.out.wrapper.log' of the connectors (in the same location you've mentioned)
- The oracle alert log, maybe the best place to understand what’s wrong with your DB (located at '<ORACLE_BASE>\diag\rdbms\<SID>\<SID>\trace\alert_<SID>.log' in Oracle 11g)
- The 'partitionmanger.log' and 'partitionarchiver.log' in the manager and in the DB, as well as the partition archiver agent logs (agent.log and agent.out.wrapper.log) when you have something wrong with your partitions.
- The fact that ArcSight products produce internal audit events is also critical to remember when troubleshooting, mainly because sometimes just by regularly monitoring these events you can save time and effort.
And of course you can always use this handy tool: