ArcSight Questions

How alert if connector is down or EPS is too low


Hi all.

I would like to know how I can establish a "rule" that notifies me with an alert when a connector receives fewer events than a certain number or if the connector is down.

Thanks

marijo
Micro Focus Expert

Hello,

1) In your ESM Console, go to the top where it says "Help" and then "Browse Documentation". It will open a new window in the browser; there, search for "agent:050".

2) So for a specific SmartConnector you could make a rule that matches:
Device Event Class ID = "agent:050" And Agent ID = "sample_connector" And Device Custom Number3 > 50

So this rule should trigger when Event statistics is above 50 Events. So you would find out your baseline (what is the usual number that you see there) and then set the rule to trigger, for example, when this number is 20% less than expected.

3) "agent:050" statistics come every 5 minutes, and in an Active Channel they have "Connector Raw Event Statistics" in the "Name" column.

4) Explanation of device Custom Number 3:
deviceCustomNumber3Label: "Event count (SLC)"
deviceCustomNumber3: The number of non-internal events seen by this component since the last internal event

5) Test the conditions in an ESM Active Channel to see if you have any matches; if you do, you can proceed with making the rule.

6) For further ideas, check "Audit Events" in the same help documentation; there you have categories like "Connector Exceptions", "Connector Registration and Configuration"..... and there you can see the "Device Event Class ID" values for your future rules.

Regards,

Marijo
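The baseline and threshold logic described in the answer, prototyped offline as an added example (not code from the post or from ArcSight). The tuple layout, the median baseline, and treating two missed 5-minute statistics intervals as a silent connector are assumptions made for the illustration; the sample events are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

STAT_INTERVAL = timedelta(minutes=5)  # agent:050 statistics arrive every 5 minutes
DROP_RATIO = 0.8                      # alert when the count is 20% below baseline
MISSED_INTERVALS = 2                  # assumption: 2 missed intervals = silent

# Constructed sample events:
# (end time, Device Event Class ID, Agent ID, Device Custom Number3)
SAMPLE = [
    ("2024-01-01T10:00", "agent:050", "sample_connector", 100),
    ("2024-01-01T10:05", "agent:050", "sample_connector", 110),
    ("2024-01-01T10:10", "agent:050", "sample_connector", 90),
    ("2024-01-01T10:15", "agent:050", "sample_connector", 105),
    ("2024-01-01T10:20", "agent:050", "sample_connector", 60),
    ("2024-01-01T10:20", "other:000", "sample_connector", 0),  # ignored class ID
    ("2024-01-01T10:00", "agent:050", "other_connector", 40),
    ("2024-01-01T10:05", "agent:050", "other_connector", 42),
]

def check_connector(rows, agent_id, now_iso, baseline_window=4):
    """Return alert names for one connector, judged at time now_iso."""
    now = datetime.fromisoformat(now_iso)
    # Keep only the statistics events for this connector, oldest first.
    stats = sorted(
        (datetime.fromisoformat(t), count)
        for t, class_id, agent, count in rows
        if class_id == "agent:050" and agent == agent_id
    )
    if not stats:
        return ["no_statistics"]
    alerts = []
    last_time, last_count = stats[-1]
    # No recent statistics event: connector may be down or unreachable.
    if now - last_time > MISSED_INTERVALS * STAT_INTERVAL:
        alerts.append("silent")
    # Baseline = median of the previous intervals, excluding the latest one.
    history = [count for _, count in stats[:-1]][-baseline_window:]
    if history and last_count < DROP_RATIO * median(history):
        alerts.append("low_event_count")
    return alerts

if __name__ == "__main__":
    for agent in ("sample_connector", "other_connector"):
        print(agent, check_connector(SAMPLE, agent, "2024-01-01T10:22"))
```

Once the baseline and ratio look right on exported data, the same numbers can be used as the threshold on Device Custom Number3 in the ESM rule.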