Absent Member.

Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

I am trying to locate a definitive list of all possible ESM system health events such as those related to CPU, DISK etc. I have located a list of the audit events within the ArcSight Console User Guide but this does not seem to list health events.

If anyone has one to hand or knows of its location, I would very much appreciate the assistance.

Many thanks

6 Replies
Outstanding Contributor.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Jonathan,

You'll find a list of these events in the Logger Admin guide _6.0 at page 366. Same applies for ConnApp_Admin_Guide_64 at page 238.

Regards,

Michel Beaudry

Absent Member.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Hi Michael,

Thanks very much for the response and the information provided. One question though, the guides you refer to obviously cover the Logger and Con App, do these events mirror across for ESM (6.5 for instance)?

The reason I ask is that the page you refer to in the Logger guide states: 'System Health Events for Appliance and Software Loggers'.


So, in short, do the Device Event Class IDs match for ESM-generated health events?

Thanks again for your help.

Outstanding Contributor.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Hi Jonathan,

In order to get these events to ESM you'll have to enable it at the connector level. There is a parameter in the connector configuration that you have to set to "Yes".

[Attachment: Health.png]

It is well described in the ArcSight Console User Guide 6.5 at page 651.

Hope it helps

Regards,

Michel Beaudry

Acclaimed Contributor.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Hi Jonathan,

I think there is a misunderstanding: the audit events you see as CPU, DISK, MEMORY etc. are related to Connector System Health. You may collect the same events of Loggers and Connector Appliances if you use a Connector Forwarder, but they are not related to ESM.

To find them all, you may, like me, filter on Device Event Category starts with /Monitor and Device Event Class ID NOT contains monitor: and you will see this:

If, for example, you would like to access ESM CPU values, you may use a Data Monitor, choosing the System Monitor Attribute type and then choosing HostSystemInfo as Monitor Type and CPUStatisticsPercent as Attribute Name.

There are others for Memory, Error Log, NGServer; you have to try which ones are interesting for you.

You will have the following useful Monitoring Dashboards for CPU and for Memory:

I hope this information will help you.

Thanks

Best Regards

Michael

Frequent Contributor.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Hi,

Can that information be used in a rule? I mean, I have a data monitor for the ActiveThreadCount but I do not know how to retrieve the value of the data monitor so I can use it in a rule that will fire an alert as soon as the value is higher than a parameter.

Thanks

Romain

Acclaimed Contributor.

Re: Is there a definitive list of ESM system health events e.g. cpu:100, disk:101 etc

Dear Romain,

There is an Audit Event for Data Monitors, but only for the Top Value Count type (datamonitor:500).

I have tried a long time like you to retrieve information like ActiveThreadCount from SystemMonitor type but this is not available by default on ArcSight Audit Events.

If this use case is really important, there is one solution which requires some external work.

All the information present in SystemMonitor is available in the ESM logs or with the ESM webservice API.

The information you are looking for (ActiveThreadCount) is saved in the server.status.log thus it can be retrieved with the following command:

$ cat server.status.log* | grep '"ActiveThreadCount"'

It is not difficult to develop a Perl or Python script to retrieve this information (cf. above), and using the CaKe Python script you may forge and send to ESM a CEF event which will be read properly by any SmartConnector type (because CEF is the default format).

Finally you build a correlation rule based on that new event (for example deviceVendor=ArcSight, deviceProduct=NGServer) and your use case is created. It is clear that it will take some time to develop the script, but it should work!

Using the API is a bit more difficult, because you have to know the command to retrieve the Data Monitor value and also how to program the API.

If you need more information about this, do not hesitate to contact me.

I have not implemented this solution yet, thus some tests and fine-tuning should be done, but I am sure it is possible.

Thanks

Best Regards

Michael

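The approach sketched in the answer above (grep ActiveThreadCount out of server.status.log, wrap it in a CEF event a SmartConnector can parse, then let a rule fire on it) can be illustrated end to end. The script below is an added example written for this thread; it is not code from the thread, from the CaKe script, or from ArcSight. The key="value" layout of the sample log lines, the signature ID `custom:threadcount`, and the threshold are all assumptions: the real server.status.log format may differ, so the regex would need adjusting against a real file. Plain CEF over syslog is used in place of the CaKe script, and the severity field is raised when a sample crosses the threshold so the correlation rule only needs to match deviceVendor, deviceProduct and severity.

```python
"""Turn ActiveThreadCount samples from server.status.log into CEF events.

Added example for the thread above; not ArcSight code. The log layout,
signature ID and threshold are assumptions made for the example.
"""
import re
import socket

# Constructed sample of server.status.log in an ASSUMED key="value" layout.
SAMPLE_STATUS_LOG = """\
[2024-01-01 10:00:00] "ActiveThreadCount"="42" "PeakThreadCount"="60"
[2024-01-01 10:01:00] "HeapUsedPercent"="71"
[2024-01-01 10:02:00] "ActiveThreadCount"="128" "PeakThreadCount"="130"
"""

# One "Key"="number" pair; the real file may need a different pattern.
METRIC_RE = re.compile(r'"(?P<key>[A-Za-z]+)"="(?P<value>-?\d+(?:\.\d+)?)"')
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")


def extract_metric(log_text, metric="ActiveThreadCount"):
    """Return (timestamp, value) for every line that carries `metric`.

    This is the programmatic equivalent of the grep in the answer above.
    """
    samples = []
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        for m in METRIC_RE.finditer(line):
            if m.group("key") == metric:
                ts = ts_match.group("ts") if ts_match else ""
                samples.append((ts, float(m.group("value"))))
    return samples


def cef_escape_header(value):
    """CEF header fields escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """CEF extension values escape backslash and the equals sign."""
    return value.replace("\\", "\\\\").replace("=", "\\=")


def build_cef(metric, value, threshold, sampled_at="",
              vendor="ArcSight", product="NGServer", version="6.5"):
    """Wrap one metric sample in a CEF:0 line.

    Severity is 7 when the sample exceeds the threshold and 3 otherwise,
    so a rule can match on deviceVendor/deviceProduct plus severity.
    """
    severity = 7 if value > threshold else 3
    signature_id = "custom:threadcount"  # assumed ID, not an ArcSight audit ID
    name = f"{metric} sample"
    header = "|".join(
        cef_escape_header(field)
        for field in ("CEF:0", vendor, product, version,
                      signature_id, name, str(severity))
    )
    # Custom number/string fields carry the sample and the threshold.
    extension = {
        "cn1": str(int(value)), "cn1Label": metric,
        "cn2": str(int(threshold)), "cn2Label": "Threshold",
        "cs1": sampled_at, "cs1Label": "SampledAt",
    }
    ext_str = " ".join(f"{k}={cef_escape_ext(v)}"
                       for k, v in extension.items() if v)
    return f"{header}|{ext_str}"


def events_from_log(log_text, threshold, metric="ActiveThreadCount"):
    """Produce one CEF line per sample found in the log text."""
    return [build_cef(metric, value, threshold, sampled_at=ts)
            for ts, value in extract_metric(log_text, metric)]


def send_udp(cef_line, host="127.0.0.1", port=514):
    """Ship a CEF line to a syslog SmartConnector over UDP (not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(cef_line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Read the real file with: open("server.status.log").read()
    for line in events_from_log(SAMPLE_STATUS_LOG, threshold=100):
        print(line)
```

Run it against a concatenation of the server.status.log* files instead of the constructed sample, and point `send_udp` at the syslog SmartConnector; the rule on the ESM side then matches deviceVendor=ArcSight, deviceProduct=NGServer and the raised severity.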