ArcSight Ideas - TEMPORARILY CLOSED
Feature Request - Smartconnector, send command to clear/dump cached events

There are 2 scenarios I've encountered in which it might be nice to send a command to the Smartconnector to drop cached events.

Scenario 1: Every so often the connector gets into a state in which some cached events are sort of orphaned and the connector will not process them.

Scenario 2: When a destination goes down, of course the connector will cache until the destination returns to normal. I've had situations where the connector cache from multiple days is no longer relevant and I would like to clear/dump the cache and resume normal state.

The current workaround is to manually stop the connector at the command line and clear/dump the cache file manually.

I do understand this will drop the data and the events will not be available in ESM or Logger.

4 Comments
Absent Member.

Uploaded the videos separately since it looks like we can't see them in the recording.

Thanks,

Ken

Ken Mermoud

Manager, Product Management

ArcSight Content & Solutions

HP Enterprise Products

Office: +1 (408) 865-7794

Mobile: +1 (650) 215-0485

Email: ken.mermoud@hp.com

www.hpenterprisesecurity.com

Respected Contributor.

I agree Mark, this would be a great add-on; we are currently having to dump cache the old-fashioned way.

Contributor.

If you have ArcMC you might be able to delete the cache by creating a repository in ArcMC that deletes the agentdata directory and then uploads a new one without any cache.

Create a folder called agentdata with a single file in it (it doesn't matter what the file is called), then zip it up and upload the zip file into the new repository.

Settings on the new repository:

name, displayname, and itemdisplayname can be whatever you want

Recursive is checked

Sort Priority -1

restart connector process is checked

Download section is all blank

Upload:

delete before upload -- checked

delete groups -- checked

relative path -- <empty>

delete relative path -- agentdata

Delete include regular expression -- .*

delete exclude regular expression -- <empty>

I tested this on my lab box and it would only delete files that were not "0" bytes -- not sure why it wouldn't delete zero-byte files.

When I actually tested this again, it deleted all files except for the .cache.dflt.0 files (the cache). It looks like Java holds on to them and won't allow you to delete them while the connector is running. I only tried this on a Windows box. I also tried to delete them manually from the agentdata directory when the connector was running and got an error about being in use by Java.

Dev would have to come up with a way for the connector to release Java holding on to those files, then you could delete them remotely.