eeaanderson1 Absent Member.

How do administrators of ArcSight Logger monitor that expected log data is getting to the Logger?

I know that there is a "best practice" for configuring correlations for alerting from ESM when expected log collection is below certain minimums.

How are folks doing this in Logger?

Micro Focus Expert

Re: How do administrators of ArcSight Logger monitor that expected log data is getting to the Logger?

Some administrators I know look at daily/weekly summary reports of event counts or GB per day as a check.


eeaanderson1 Absent Member.

Re: How do administrators of ArcSight Logger monitor that expected log data is getting to the Logger?

Thanks, Aaron.

That was my thought; some kind of report to identify deviation from expected trend.

We had an ArcSight check-up visit just yesterday where the solutions (sales) engineer said that Logger is too dumb to provide a systems check and that, instead, connector and device unresponsiveness was best monitored through ESM using rules and dashboards.

Dean Farrington Absent Member.

Re: How do administrators of ArcSight Logger monitor that expected log data is getting to the Logger?

That has been our experience. We use event flow monitoring content on ESM based on CRES events from the connectors to monitor throughput.

There are several packages out there in the archives from the Protect conference. Ours is in the 2011 conference archive, as are those of one or two other organizations, and there was another one presented this year.

Please note, if you choose to use CRES events from agents that pass through Logger, there is a default filter in the Logger forwarder that will prevent the CRES events from getting through. You need to modify the forwarder's agent.properties to allow the forwarder to pass those events (agent.rawevent.omit.stats.agents= )

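The report-based check suggested in the replies above (daily event counts compared against the expected trend) could be automated along these lines. This is an added example, not part of the original thread and not ArcSight content; the CSV layout, device names and thresholds are assumptions, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample of a daily per-device event-count report (hypothetical
# column names and device names; not an actual Logger export format).
SAMPLE_REPORT = """date,device,events
2024-03-01,fw-edge-01,98000
2024-03-02,fw-edge-01,101500
2024-03-03,fw-edge-01,99700
2024-03-04,fw-edge-01,100200
2024-03-01,dc-01,41000
2024-03-02,dc-01,39500
2024-03-03,dc-01,40800
2024-03-04,dc-01,9100
2024-03-01,proxy-01,22000
2024-03-02,proxy-01,21400
2024-03-03,proxy-01,22900
"""

def find_flow_gaps(report_text, min_ratio=0.5, min_history=3):
    """Return {device: reason} for devices silent or far below baseline on the latest day."""
    counts = defaultdict(dict)              # device -> {date: events}
    for row in csv.DictReader(io.StringIO(report_text)):
        counts[row["device"]][row["date"]] = int(row["events"])
    # ISO dates (YYYY-MM-DD) sort correctly as plain strings.
    latest = max(day for per_day in counts.values() for day in per_day)
    findings = {}
    for device, per_day in sorted(counts.items()):
        history = [n for day, n in per_day.items() if day < latest]
        if len(history) < min_history:
            continue                        # too little history for a baseline
        baseline = median(history)
        today = per_day.get(latest, 0)      # absent from the report = no events
        if today == 0:
            findings[device] = f"silent on {latest} (baseline {baseline:.0f}/day)"
        elif today < min_ratio * baseline:
            findings[device] = (f"{today} events on {latest}, "
                                f"below {min_ratio:.0%} of baseline {baseline:.0f}")
    return findings

if __name__ == "__main__":
    for device, reason in find_flow_gaps(SAMPLE_REPORT).items():
        print(f"{device}: {reason}")
```

A device that disappears from the report entirely is treated as silent, which is the case a volume-only total (GB per day across all sources) tends to hide.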