ArcSight Discussions

Connector Post Installation Best Practices

David Bau
Outstanding Contributor.

Best practice regarding connector installations

  • Provide your connector with a clear name which will state the server that it is installed on and its type, such as ConServer01-Syslog-514-UDP
  • Name the folder and service name accordingly to make it easy to find
  • Configure the Customer name from the console (even if there is only one customer)
  • Select the relevant networks for the connector to apply the network model
  • Right click on the connector and select Send Model mappings now
  • Enable event monitoring (agent:043) according to your monitoring needs; my default suggestion is 360,0000 for one hour, then restart the connector
  • Check the log to see whether memory is allocated sufficiently and increase it as needed in the agent.wrapper.conf settings
  • If receiving events in languages besides English, check for encoding issues and set the agent.wrapper.conf settings for encoding properly (add the relevant line)
  • Check the agent.log for any parsing issues and correct the parser as needed
  • Run additional mapping. Be sure to map relevant data to relevant field types, such as strings to fields which are strings. Notice that it's possible to apply any parser operations on the additional data mapping; for example, run __createOptionalTimeStampFromString and map it to a timeStamp field
  • Check the cache under current\user\agent\agentdata and make sure that the folder isn't accumulating large files constantly. If it is, review the logs carefully for parsing issues and other errors. If no indication is found besides a large amount of events, consider increasing threads carefully
  • Consider aggregating and filtering out if needed/possible
  • Check for the new connector's EPS impact to make sure that it won't cause licensing issues
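
The cache check from the list above, as an added example that is not part of the original post or of ArcSight's tooling: it takes two snapshots of the agentdata folder and reports large files that are new or still growing. The function names, the 50 MB threshold and the 5 minute interval are assumptions chosen for illustration.

```python
"""Flag a connector cache folder that keeps accumulating large files (added example)."""
import os
import sys
import time

# Assumptions: threshold and interval are illustrative, not ArcSight defaults.
LARGE_BYTES = 50 * 1024 * 1024
INTERVAL_SECONDS = 300


def snapshot(cache_dir):
    """Return {relative_path: size_in_bytes} for every file under cache_dir."""
    sizes = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                sizes[os.path.relpath(path, cache_dir)] = os.path.getsize(path)
            except OSError:
                # The connector may rotate or delete a cache file mid-scan.
                continue
    return sizes


def accumulation_report(before, after, large_bytes=LARGE_BYTES):
    """Compare two snapshots; list large files that are new or still growing."""
    suspects = sorted(
        path for path, size in after.items()
        if size >= large_bytes and size > before.get(path, -1)
    )
    total_delta = sum(after.values()) - sum(before.values())
    return {
        "total_delta": total_delta,
        "suspects": suspects,
        "accumulating": bool(suspects) and total_delta > 0,
    }


if __name__ == "__main__":
    # Pass the connector's current/user/agent/agentdata folder as the argument.
    first = snapshot(sys.argv[1])
    time.sleep(INTERVAL_SECONDS)
    report = accumulation_report(first, snapshot(sys.argv[1]))
    print(report)
    sys.exit(1 if report["accumulating"] else 0)
```

A non-zero exit code lets a scheduler or monitoring job raise the alert; a positive result is the cue to review agent.log for parsing issues and other errors.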
Acclaimed Contributor.

Re: Connector Post Installation Best Practices

Excellent stuff - keep it coming!


And a quick point for those who don't use the network model - YOU ARE MISSING OUT ON A GREAT FEATURE! It's fantastic if you want to differentiate logical networks, zones and situations. It also makes it simple to do higher level abstraction rules too! Without the zones, you can't do anything other than to hard code it!