stefan.oancea

Generate Alert for Forward Connector Down

Dear All,

I have a topology involving a Forward Connector gathering events from an ArcSight ESM and sending them to a Logger.

What I would like to accomplish is receive an Alert when for some reason the Forward Connector goes down and stops sending events to the Logger. Since I do not find the Forward Connector as a normal connector in ESM but only use it to retrieve events from it, I would expect setting up the Alert on the Logger.

Please let me know if this is correct and kindly advise how I can set up such an Alert. I was not able to find such a scenario in the documentation or in other discussions here.

Thank you,

Stefan

Jurgen

Re: Generate Alert for Forward Connector Down

Hi,

I think the forward connector still functions as a connector similar to other connectors (only the way it retrieves logging is different).

I have two ideas:

1. Monitor for agent events

For Connector Audit Events, use the following (you can build a rule around these):

  • Device Event Class ID: agent:103, agent:031.
  • Device Event Category: /Agent/Connection/Drop, /Agent/ShuttingDown.
  • Device Event Class ID: agent:101, agent:030.
  • Device Event Category: /Agent/Connection/Establish, /Agent/Started.

2. Monitor the forward connector service

(if it's up or down) using ArcMC or an availability monitoring system that checks service status on the machine (like Zabbix or something).

Kind regards,

Jurgen

stefan.oancea

Re: Generate Alert for Forward Connector Down

Hello Jurgen,

Thank you for your answer; however, just to be sure I got it right - for your first solution you suggest monitoring for those events on the Logger or on the Manager?

Since the Forward Connector is forwarding events to the Logger and only gathering them from the Manager, I would expect finding such events (if any) on the destination - the Logger. I have no information whatsoever from the Forward Connector on the Manager, except for the user it connects with to gather events and therefore I don't think the Manager has any idea about the state of the Forward Connector.

Thanks,

Stefan

Volker Michels

Re: Generate Alert for Forward Connector Down

Hello Stefan,

The only idea I have is to forward the audit events back from the Logger to your ESM and monitor them there.

Volker

Jurgen

Re: Generate Alert for Forward Connector Down

Hi Stefan,

You can configure up to 10 alerts in the Logger (not sure how specific you can get there). You can build a trigger around that.

Another option is to add a second destination to the forwarder to the ESM itself and just filter out all events except the connector events themselves and trigger on that. (I'm not sure if you can filter everything out except the agent:050, because the vendor name and product name are both the same for connector events and the forwarded ESM events.)

Configuration guide can be found here:

Kind regards,

Jurgen

stefan.oancea

Re: Generate Alert for Forward Connector Down

Hello All,

Thank you for the ideas; based on them I installed the following scenario and it works perfectly:

-> Add a second destination to the Forward Connector to send the events back to the ArcSight Express itself, but filter everything (be careful about event loops when forwarding them back; it happened to me before I started filtering everything). This step is only useful in order to have the Forward Connector appear on the Express and have the Express monitor the connector's state so that it notifies me when it goes down.

-> Create a simple Rule that filters for events with the Name "Connector Down", Device Product & Device Vendor "ArcSight" and Agent Type "arcsight_security_manager" (the internal generator of Connector Down events).

-> Play with the Velocity Templates, local variables and the "Device Custom String2" field in the original Connector Down event, which holds the name of the failed connector, so that the Alert and the Connector Down Event generated by your rule include the name of the failed connector (otherwise the resulting event does not include this information).

This way you will have alerts for any Failed Connector, not only the Forward Connector.

Thought of sharing this with anybody trying to achieve a similar goal.

All the best,

Stefan

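As an added example that is not from the thread or from ArcSight: a small Python check that combines Jurgen's audit-event idea (agent:103/agent:031 and the Drop/ShuttingDown categories) with Stefan's final ESM rule (Name "Connector Down", Device Vendor/Product "ArcSight", Agent Type "arcsight_security_manager", connector name in Device Custom String2), run over constructed sample events. The field names (deviceEventClassId, deviceCustomString2, agentName and so on) are assumptions following ArcSight's usual CEF-style naming, not taken from the thread.

```python
# Added example (not ArcSight rule syntax): flag a down connector either from the
# ESM-generated "Connector Down" event (Stefan's rule) or from the connector's
# own audit events (Jurgen's agent:103 / agent:031 idea). Field names follow
# ArcSight's CEF-style naming; the exact keys in a given export are an assumption.
CONNECTOR_DOWN_NAME = "Connector Down"
INTERNAL_AGENT_TYPE = "arcsight_security_manager"
AUDIT_DOWN_CLASS_IDS = {"agent:103", "agent:031"}
AUDIT_DOWN_CATEGORIES = {"/Agent/Connection/Drop", "/Agent/ShuttingDown"}

def esm_connector_down(evt):
    """Stefan's rule conditions; deviceCustomString2 holds the failed connector's name."""
    if (evt.get("name") == CONNECTOR_DOWN_NAME
            and evt.get("deviceVendor") == "ArcSight"
            and evt.get("deviceProduct") == "ArcSight"
            and evt.get("agentType") == INTERNAL_AGENT_TYPE):
        return evt.get("deviceCustomString2") or "<unknown connector>"
    return None

def audit_connector_down(evt):
    """Connector audit event for a drop/shutdown; agentName is assumed to name the connector."""
    if (evt.get("deviceEventClassId") in AUDIT_DOWN_CLASS_IDS
            or evt.get("deviceEventCategory") in AUDIT_DOWN_CATEGORIES):
        return evt.get("agentName") or "<unknown connector>"
    return None

def failed_connector_alerts(events):
    """Return (source, connector_name) per down indication; all other events are ignored."""
    alerts = []
    for evt in events:
        name = esm_connector_down(evt)
        if name:
            alerts.append(("esm", name))
            continue
        name = audit_connector_down(evt)
        if name:
            alerts.append(("audit", name))
    return alerts

# Constructed sample events: one ESM Connector Down, one connector audit drop,
# and one ordinary forwarded event that must not alert.
SAMPLE_EVENTS = [
    {"name": "Connector Down", "deviceVendor": "ArcSight", "deviceProduct": "ArcSight",
     "agentType": "arcsight_security_manager", "deviceCustomString2": "Forward Connector 01"},
    {"name": "Agent Connection Dropped", "deviceVendor": "ArcSight", "deviceProduct": "ArcSight",
     "deviceEventClassId": "agent:103", "deviceEventCategory": "/Agent/Connection/Drop",
     "agentName": "Forward Connector 01"},
    {"name": "Failed Login", "deviceVendor": "Microsoft", "deviceProduct": "Windows",
     "deviceEventClassId": "4625"},
]
```

Calling `failed_connector_alerts(SAMPLE_EVENTS)` yields one alert per down indication, so the ordinary forwarded ESM event never triggers and the failed connector's name is carried into the alert, which is the gap Stefan's third step addresses.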