nsalvati1 (Absent Member)

Create a query or saved search to monitor smartconnectors down, in Logger


Hi all,

I enabled Device Status Monitoring on all my connectors and set the connectors to report every hour. Now all the connectors send the agent:043 deviceEventClassId events every hour. I don't have ESM, only Logger.

I want to create a query or a saved search, combined with an alert sending email, for this condition:

"Send email alerts when the last agent:043 event was received more than 2 hours ago."

I am not able to create it, and I ask for help in practice creating the query or saved search.

The query would be something like:

1. Select all the agent:043 events in the DB received in the last 3 hours.

2. From this selection, extract the unique values of the SmartConnectors which have not sent the event for more than two hours; specifically, the last agent:043 event sent by the SmartConnector must be older than 2 hours.

3. Associate this with an alert/alarm sending email.

Thank you for your help.

Ns.


Accepted Solutions
nsalvati1 (Absent Member)

Re: Create a query or saved search to monitor smartconnectors down, in Logger


Referring to this post https://protect724.arcsight.com/message/36831#36831

the field deviceCustomNumber1 is the "Total number of events for the device since the connector started";

So I found this search, which returns only the list of connectors which have not sent the agent:043 event in the last hour:

(deviceEventCategory = /Agent/Connection/Device/Status) AND deviceCustomString2 = ArcSight AND deviceCustomString1 = ArcSight | where deviceCustomNumber1 < 1

The assumption is that "Device Status Monitoring" is enabled on all SmartConnectors.

This is the reverse control query, which must return all the connectors alive in the last hour:

(deviceEventCategory = /Agent/Connection/Device/Status) AND deviceCustomString2 = ArcSight AND deviceCustomString1 = ArcSight | where deviceCustomNumber1 >= 0 | chart count by agentType, deviceHostName, deviceAddress | sort - _count

The agentType field is helpful for me to understand the multiple instances on the same host. In fact, there are hosts that have multiple instances.

[Image: device-alerts-down.JPG]

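The three steps of the original post, together with the deviceCustomNumber1 check from the accepted solution above, carried out in code as an added example; this is not code from the thread, from ArcSight or from Micro Focus. It assumes the agent:043 events have been pulled out of Logger as CEF lines (for instance the export of a scheduled 3-hour search); the sample lines are constructed here and use ArcSight's CEF extension keys for the fields named in the thread (cat, cn1, cs1, cs2, dvchost, aid, ahost, at, rt). Keying on agentId, the `expected` inventory parameter, and the host names and agent IDs are the example's own choices. The "older than 2 hours" test runs outside the search, which is the part the replies say Logger search cannot express, and a connector that sent nothing at all in the window is only reported if it appears in the expected list, because no search can return the absence of an event.

```python
"""Connector-down detection over agent:043 "Connector Device Status" events.

Steps 1-3 of the original post, computed outside Logger search: take the agent:043
events of the last few hours, keep the latest per connector, flag connectors whose
latest status is older than the threshold (or absent from the window), and apply the
accepted solution's deviceCustomNumber1 < 1 check. CEF keys: cat=deviceEventCategory,
cn1=deviceCustomNumber1, cs1/cs2=deviceCustomString1/2, dvchost=deviceHostName,
aid=agentId, ahost=agentHostName, at=agentType, rt=receipt time (epoch ms).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, so values with
# spaces survive. CEF escapes (\= \| \\) are not unescaped; the samples do not use them.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def _epoch_ms(ts: str) -> str:
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> CEF rt value in milliseconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp() * 1000))

def _status_event(aid: str, ahost: str, at: str, dvchost: str, cn1: int, ts: str) -> str:
    """One constructed agent:043 line in the shape the thread describes (not real data)."""
    return ("CEF:0|ArcSight|ArcSight|6.0.7.6901.0|agent:043|Connector Device Status|Low|"
            f"cat=/Agent/Connection/Device/Status cs1=ArcSight cs2=ArcSight cn1={cn1} "
            f"dvchost={dvchost} aid={aid} ahost={ahost} at={at} rt={_epoch_ms(ts)}")

# Constructed sample, a 3-hour window ending at NOW: HOSTA runs two connector instances
# (syslog keeps reporting; winc reports but its device sent nothing), HOSTB's connector
# stopped reporting after 01:03, and the last line is unrelated noise to be skipped.
NOW = datetime(2013, 12, 11, 4, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    _status_event("AID-1", "HOSTA", "syslog", "fw1", 9573, "2013-12-11 01:03:09"),
    _status_event("AID-1", "HOSTA", "syslog", "fw1", 9810, "2013-12-11 02:03:09"),
    _status_event("AID-1", "HOSTA", "syslog", "fw1", 10044, "2013-12-11 03:03:09"),
    _status_event("AID-2", "HOSTA", "winc", "dc1", 0, "2013-12-11 02:03:11"),
    _status_event("AID-2", "HOSTA", "winc", "dc1", 0, "2013-12-11 03:03:11"),
    _status_event("AID-3", "HOSTB", "syslog", "proxy1", 42, "2013-12-11 01:03:20"),
    "CEF:0|Vendor|Product|1.0|100|Unrelated event|Low|cat=/Other aid=AID-1 ahost=HOSTA at=syslog rt=1",
]

@dataclass
class ConnectorState:
    agent_id: str
    host: str
    agent_type: str
    device: str
    last_seen: datetime
    total_events: int  # deviceCustomNumber1

def parse_cef(line: str) -> dict[str, str]:
    """Split the 7 pipe-delimited header fields, then the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    ev = dict(zip(CEF_HEADER, parts[:7]))
    ev.update(_EXT_RE.findall(parts[7]))
    return ev

def connector_states(lines: list[str]) -> dict[str, ConnectorState]:
    """Steps 1 and 2: latest agent:043 per connector, keyed by agentId so two
    instances on one host (the agentType case in the thread) stay separate."""
    latest: dict[str, ConnectorState] = {}
    for line in lines:
        ev = parse_cef(line)
        aid = ev.get("aid")
        if not aid or ev["signature"] != "agent:043" or ev.get("cat") != "/Agent/Connection/Device/Status":
            continue
        seen = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)
        if aid not in latest or seen > latest[aid].last_seen:
            latest[aid] = ConnectorState(aid, ev.get("ahost", "?"), ev.get("at", "?"),
                                         ev.get("dvchost", "?"), seen, int(ev.get("cn1", "0")))
    return latest

def down_connectors(lines: list[str], now: datetime, max_age_hours: float = 2.0,
                    expected: tuple[str, ...] = ()) -> list[str]:
    """Step 3's condition: connectors whose latest status is older than max_age_hours,
    plus any agentId in `expected` with no status in the window at all. That second
    case is the one a Logger search cannot match by itself (absence returns no rows),
    so the list of expected connectors has to come from outside the search."""
    states = connector_states(lines)
    limit = timedelta(hours=max_age_hours)
    stale = {aid for aid, st in states.items() if now - st.last_seen > limit}
    return sorted(stale | (set(expected) - set(states)))

def silent_devices(lines: list[str]) -> list[str]:
    """Accepted solution's check: connector reporting, but its device has sent zero
    events since the connector started (deviceCustomNumber1 < 1)."""
    return sorted(aid for aid, st in connector_states(lines).items() if st.total_events < 1)

if __name__ == "__main__":
    print("down:", down_connectors(SAMPLE_EVENTS, NOW, expected=("AID-1", "AID-2", "AID-3", "AID-4")))
    print("silent devices:", silent_devices(SAMPLE_EVENTS))
```

Run as-is to see the sample result (AID-3 stale, AID-4 never seen, AID-2 reporting but with a silent device); in practice feed it the export of a scheduled 3-hour agent:043 search and send mail on a non-empty result. Keep the expected list fresh from the "chart count by agentType, deviceHostName, deviceAddress" query in the accepted solution: agentId is generated when a connector is installed, so a reinstalled connector shows up under a new ID and its old one would otherwise stay flagged forever.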
lincoln.thum@e- (Trusted Contributor)

Hi,

Based on my experience, Logger seems not able to know if the SmartConnector is down, because Logger uses only the receiver to communicate with the SmartConnector.


So in my practice, I would configure each SmartConnector to point to a particular receiver, so you can track the SmartConnector by tracking the receiver. I know planning the receivers in this way is not really good in some situations, but this is the only workaround that I can think of with only Logger.

To monitor a specific receiver, kindly refer to the query below:

deviceEventCategory = AND deviceCustomNumber1 = 0 _storageGroup IN ["Internal Event Storage Group"] AND deviceCustomString6 = [receiver name]


Warm regards,

Lincoln Thum

  

nsalvati1 (Absent Member)

Hi, in my case I've hundreds of SmartConnectors pointing to the same receiver for special and dedicated reasons of the customer, and it's impossible to change this. So I want to take advantage of the agent:043 events that are sent and do a sort of query/saved search, associated with an alarm, that compares the last agent:043 received time and, if more than two hours, triggers an alarm.

My problem is that I am not capable of creating this sort of query or saved search.

Thank you very much all the same for the reply.

N.S

lincoln.thum@e- (Trusted Contributor)

Hi Nino,

I see. It sounds like a proper way to track the connector status. Maybe I can help you with the query.

You did mention a unique value for different SmartConnectors, and I have limited resources to perform a test; may I know in what field Logger will store the unique value of the SmartConnector?

nsalvati1 (Absent Member)

It is possible to start from these deviceEventCategory /Agent/* values:

[Image: agent-category.JPG]

In the specific case I think that deviceEventCategory = /Agent/Connection/Device/Status is useful for our purpose.

The columns are:

Event Time, Receipt Time, Device, Logger, Version, Device Vendor, Device Product, Device Version, deviceEventClassId, Name, Severity, Non-CEF Raw Message, deviceEventClassId, name, sourceZoneURI, cat, dt, deviceCustomString1Label, eventId, deviceCustomDate1, deviceVersion, deviceTimeZone, agentReceiptTime, deviceZoneURI, deviceCustomNumber2, deviceCustomNumber1, startTime, sourceHostName, deviceReceiptTime, agentZoneURI, deviceCustomString2Label, deviceEventCategory, deviceCustomString2, _cefVer, deviceProduct, deviceCustomString1, agentId, Raw Message, managerReceiptTime, sourceAddress, deviceCustomNumber1Label, deviceCustomNumber2Label, endTime, Event Time, deviceVendor, baseEventCount, deviceAddress, deviceHostName, agentType, agentVersion, agentTimeZone, deviceSeverity, Device, Logger, agentAddress, deviceCustomDate1Label, agentHostName, fileType

Sample event (the exported values are run together without separators; the first columns read Device = XXX-YYY[REC-NAME], Logger = Local, Version = 0, Device Vendor = ArcSight, Device Product = ArcSight, Device Version = 6.0.7.6901.0, deviceEventClassId = agent:043, Name = Connector Device Status, Severity = Low):

2013/12/11 00:02:42 CET2013/12/11 00:02:42 CETXXX-YYY[REC-NAME]Local0ArcSightArcSight6.0.7.6901.0agent:043Connector Device StatusLowagent:043Connector Device Status/All Zones/ArcSight System/Private Address Space Zones/RFC1918: xxxxxxxxxSecurity MangementVendor9573222013/12/11 00:03:09 CET6.0.7.6901.0Europe/Berlin2013/12/11 00:03:09 CET/All Zones/ArcSight System/Private Address Space Zones/RFC1918: xxxxxxxxxx79849350822013/12/11 00:03:09 CETHOSTNAME2013/12/11 00:03:09 CET/All Zones/ArcSight System/Private Address Space Zones/RFC1918: xxxxxxxxxxProduct/Agent/Connection/Device/StatusMicrosoft Windows0.01ArcSightMicrosoftMMMMMMMMMMMMMMMMM2013/12/11 00:03:09 CETxxx.xxx.xxx.xxxTotal Event CountEvent Count SLC2013/12/11 00:03:09 CETArcSight1xxxxxxxHOSTNAMEnt_local6.0.7.6901.0Europe/BerlinWarningxxxxxxxLast Event ReceivedHOSTNAME
lincoln.thum@e- (Trusted Contributor)

Is there any event that will be received by Logger when the SmartConnector is down?

Please correct me if I'm wrong.


Since the connector is down and Logger will not receive any "hello message" from it, whenever we search we can only return the result of the last "hello message" update. The problem comes here, because the alert is triggered when the search result meets the defined condition, which means the query must return something. In logical terms your request would be:

if the eventTime of the last received event is 2 hours old, then return "something", and the alert will trigger if it matches "something".

Unfortunately the search query operators are limited; they don't work for if/else statements. Maybe it is me not being intelligent enough to write the query, but from my view it is almost impossible to do it the way you mentioned, because the search operators are limited. But I will keep my eye on this post because I would also like to know the best way to get an alert when a connector is down. Thanks for sharing your information.

Warm Regards,

Lincoln Thum

lincoln.thum@e- (Trusted Contributor)

I have looked at the post; it seems like the HP ArcSight support engineer also recommends using the receiver to track the connector status, as in my first reply. I heard that Logger version 6 has big changes; hopefully it will have some features to deal with this problem.

nsalvati1 (Absent Member)

I think it is necessary to make an assessment on the date in the field:

managerReceiptTime

2013/12/11 00:03:09 CET

This is what the query should do:

1) The query runs every hour.

2) The query selects from the DB the events whose deviceEventClassId has the value agent:043 in the last hour.

3) From the output of the previous query, select only the timestamps of the field managerReceiptTime which meet the requirement (older than 2 hours), for example:

2013/12/11 00:03:09 CET is older than 2 hours (>= 2 hours).

4) On the output of the last query, trigger an alarm.

N.S

nsalvati1 (Absent Member)

I think a query or a saved search something like:

SELECT COUNT(*)
FROM alert
WHERE alert.timestamp < extract('epoch' FROM (CURRENT_TIMESTAMP - INTERVAL '10 days'))::bigint

Otherwise:

SELECT *
FROM auth_user
WHERE auth_user.lastactivity > CURRENT_TIMESTAMP - INTERVAL '100 days'

Otherwise:

SELECT now()::date + 100 AS date1, current_date - 100 AS date2

Otherwise:
lincoln.thum@e- (Trusted Contributor)

Hi,

Unfortunately SQL doesn't work in the query. As I said, there are limitations with the query operators.

Maybe you can refer to the query operators below:

Operator     Category
--------     --------
!=           String Operators | Numeric/Timestamp Operators
=            String Operators | Numeric/Timestamp Operators
>            String Operators | Numeric/Timestamp Operators
<            String Operators | Numeric/Timestamp Operators
>=           String Operators | Numeric/Timestamp Operators
<=           String Operators | Numeric/Timestamp Operators
BETWEEN      String Operators | Numeric/Timestamp Operators
IN           String Operators | List Operator
STARTSWITH   String Operators
ENDSWITH     String Operators
CONTAINS     String Operators
IS           SQL Operator
AND          Boolean Operators
OR           Boolean Operators
NOT          Boolean Operators

Cheers.

Regards,

Lincoln Thum
