ArcSight Best Practices

HOW TO - Device Status Monitoring on Logger


Our honored contributor mr_ergene has created this article in the discussion board - as it is a great "how to" document, it should also show in the best practices board. Again, thank you for having taken the efforts to write this up!

As you all know, there is no built-in feature for monitoring device status on Logger. After trying some methods, I've found a way to monitor device status on Logger by using 2 Smart Connectors, 1 scheduled search and 1 scheduled alert.

Since the lookup function works one way (you can only search events and match them against lookup file entries), lookup files cannot be used to monitor device status.

The following is a step by step guide, with some explanations, for monitoring device status on Logger.

Step 1.

What if there were at least one event for every device in any 15-minute period? We could then run a search that counts the total events per device. For example, the following query returns devices whose total event count is less than 10, which can be taken to mean the device is not sending logs.

deviceVendor!=ArcSight  | chart sum(baseEventCount) by deviceAddress, deviceHostName, deviceVendor, deviceProduct | where sum_baseEventCount<=10


How can we achieve this?
A. Create a CSV file that contains deviceAddress, deviceHostName, deviceVendor and deviceProduct for every device.
B. Install a file reader FlexConnector on Logger and point it at the CSV file as its log file, mapping deviceIP to deviceAddress and so on.
   i. In the agent.properties file, set preservestate=false and startatend=false so the file is read from the beginning on every start.
   ii. Create a simple cron job that restarts the connector every 15 minutes (each restart re-reads the same file and sends the same data to Logger).

Now we have at least one event for every device in any 15min period on Logger and we can use the search query to find devices not sending logs.

Step 2.

So now we can see which devices are not sending logs. Can we simply create a scheduled alert for this query? Unfortunately not: chart and top functions cannot be used in scheduled alerts. What can we do instead?

A. Create a scheduled search using the above query and save the results on Logger.
B. Install a second connector as a multiple folder follower. It reads the scheduled search outputs as log files and sends them to Logger, so Logger now holds an event that lists the devices not sending logs.
C. Create a search alert for the following query (the name field is a custom string set in the parser).

name = "device event count info" | cef deviceAddress deviceHostName deviceVendor deviceProduct deviceCustomString1

Now, we can send the results as a syslog message, as an email etc.

Alternative method for Step 2:

Instead of installing the second connector, after creating the scheduled search you can use a script that reads the scheduled search outputs and sends them as an email.
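One way to write that script, as an added example that is not part of the original article or its attachments. It assumes the scheduled search is exported as a CSV with the columns the chart query produces (deviceAddress, deviceHostName, deviceVendor, deviceProduct, sum_baseEventCount) and uses the same threshold of 10 as the query; the sample export and the mail addresses are constructed.

```python
import csv
import io
import smtplib
from email.message import EmailMessage

THRESHOLD = 10  # matches "where sum_baseEventCount<=10" in the article's query

# Constructed sample of a scheduled search export (assumed CSV layout), not real Logger output.
# fw01 shows count 1: only the file reader heartbeat arrived, so the device itself sent nothing.
SAMPLE_EXPORT = """deviceAddress,deviceHostName,deviceVendor,deviceProduct,sum_baseEventCount
10.0.0.5,fw01,Palo Alto Networks,PAN-OS,1
10.0.0.9,dc01,Microsoft,Microsoft Windows,8
10.0.0.12,web01,Apache,Apache,1500
"""


def quiet_devices(export_text, threshold=THRESHOLD):
    """Return the rows whose summed event count is at or below the threshold."""
    quiet = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            count = int(row["sum_baseEventCount"])
        except (KeyError, ValueError):
            continue  # skip malformed lines instead of alerting on them
        if count <= threshold:
            quiet.append({**row, "sum_baseEventCount": count})
    return quiet


def build_report(quiet, sender="logger@example.invalid", recipient="soc@example.invalid"):
    """Build the notification e-mail; returns an EmailMessage without sending it."""
    msg = EmailMessage()
    msg["Subject"] = f"Logger: {len(quiet)} device(s) not sending logs"
    msg["From"] = sender
    msg["To"] = recipient
    lines = []
    for d in quiet:
        lines.append(f'{d["deviceAddress"]} {d["deviceHostName"]} '
                     f'({d["deviceVendor"]}/{d["deviceProduct"]}): {d["sum_baseEventCount"]} event(s)')
    msg.set_content("\n".join(lines) or "All devices are sending logs.")
    return msg


def send_report(msg, smtp_host="localhost", smtp_port=25):
    """Hand the message to a local relay; not called by default so the script runs offline."""
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    print(build_report(quiet_devices(SAMPLE_EXPORT)))
```

Run it from the cron job after the scheduled search has written its output, replacing SAMPLE_EXPORT with the contents of the export file and calling send_report on the built message.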

I attached the parsers and a sample csv file.
dvcimport.sdkfilereader.properties: parses the csv file which contains device information.
dvcstatus.sdkfilereader.properties: parses the scheduled search outputs.

You can modify the time period, parsers etc. according to your needs.

I hope this helps users having just a Logger.


Comments from other members can be seen here: https://community.softwaregrp.com/t5/ArcSight-User-Discussions/HOW-TO-Device-Status-Monitoring-on-Logger/m-p/1674892
