ArcSight User Discussions

HOW TO - Device Status Monitoring on Logger

As you all know, there is no built-in feature for monitoring device status on Logger. After trying some methods, I've found a way to monitor device status on Logger by using 2 Smart Connectors, 1 scheduled search and 1 scheduled alert.

Since the lookup function works one-way (you can only search events and match with the lookup file entry), it's not possible to monitor device status by lookup files.

The following is a step-by-step guide, with some explanations, for monitoring device status on Logger.

Step 1.

What if there is at least one event for every device in any 15-minute period? We can perform a search and count the total events for every device. For example, the following query gives devices whose total event count is less than 10, which can be thought of as the device not sending logs.

deviceVendor!=ArcSight  | chart sum(baseEventCount) by deviceAddress, deviceHostName, deviceVendor, deviceProduct | where sum_baseEventCount<=10


How can we achieve this?
A. Create a csv file that contains deviceAddress, deviceHostName, deviceVendor, deviceProduct info.
B. Install a file reader FlexConnector on Logger and provide the csv file as a log file. Map deviceIP to deviceAddress, etc.
   i. In the agent.properties file, set preservestate=false and startatend=false.
   ii. Create a simple cron job that restarts the connector every 15 minutes (when the connector restarts, it will read the same file and send the same data to Logger).

Now we have at least one event for every device in any 15-minute period on Logger, and we can use the search query to find devices not sending logs.

Step 2.

So, we can see which devices are not sending logs. Then, we can create a scheduled alert for this query, right? Unfortunately no. Chart and top functions cannot be used in scheduled alerts. What can we do then?

A. Create a scheduled search using the above query and save the results on Logger.
B. Install a second connector as a multiple folder follower. Read the scheduled search outputs as logs and send them to Logger. This way, we have an event in Logger which tells us the devices not sending logs.
C. Create a search alert for the following query (the name field is a custom string in the parser).

name = "device event count info"| cef deviceAddress deviceHostName deviceVendor deviceProduct deviceCustomString1

Now, we can send the results as a syslog message, as an email, etc.

Alternative method for Step 2:

Instead of installing the second connector, after creating the scheduled search you can use a script which reads the scheduled search outputs and sends them as an email.

I attached the parsers and a sample csv file.
dvcimport.sdkfilereader.properties: parses the csv file which contains device information.
dvcstatus.sdkfilereader.properties: parses the scheduled search outputs.

You can modify the time period, parsers etc. according to your needs.

I hope this helps users having just a Logger.
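To make the Step 1 logic concrete, here is an added Python model (not the author's parsers and not Logger's own search engine) of the heartbeat trick: the device inventory csv, the events the restarted file-reader connector replays, and the chart/where query from the post evaluated over a constructed 15-minute window. Every address, host name and count below is constructed for the example.

```python
import csv
import io
from collections import defaultdict

FIELDS = ("deviceAddress", "deviceHostName", "deviceVendor", "deviceProduct")
THRESHOLD = 10  # mirrors "where sum_baseEventCount<=10" in the post's query

# Constructed inventory: the csv the file-reader FlexConnector replays on every restart.
INVENTORY_CSV = """deviceAddress,deviceHostName,deviceVendor,deviceProduct
10.0.0.5,fw01,Cisco,ASA
10.0.0.9,dc01,Microsoft,Windows
10.0.0.12,web01,Apache,httpd
"""

# Constructed 15-minute window: fw01 is chatty, web01 sends a trickle, dc01 is silent,
# and Logger's own internal event must be dropped by the deviceVendor!=ArcSight filter.
REAL_EVENTS = [
    dict(zip(FIELDS, ("10.0.0.5", "fw01", "Cisco", "ASA")), baseEventCount=40),
    dict(zip(FIELDS, ("10.0.0.12", "web01", "Apache", "httpd")), baseEventCount=3),
    dict(zip(FIELDS, ("10.0.0.1", "logger", "ArcSight", "Logger")), baseEventCount=1),
]

def load_inventory(text):
    """One (address, host, vendor, product) tuple per row of the device csv."""
    return [tuple(row[f] for f in FIELDS) for row in csv.DictReader(io.StringIO(text))]

def heartbeat_events(inventory):
    """What the restarted file-reader connector sends: one event per inventoried
    device with baseEventCount=1, so every device appears in the chart even if silent."""
    return [dict(zip(FIELDS, device), baseEventCount=1) for device in inventory]

def chart_sum_by_device(events):
    """deviceVendor!=ArcSight | chart sum(baseEventCount) by the four device fields."""
    totals = defaultdict(int)
    for event in events:
        if event["deviceVendor"] == "ArcSight":
            continue
        totals[tuple(event[f] for f in FIELDS)] += event["baseEventCount"]
    return dict(totals)

def silent_devices(events, threshold=THRESHOLD):
    """where sum_baseEventCount<=threshold: devices considered to have stopped sending."""
    return sorted(dev for dev, total in chart_sum_by_device(events).items() if total <= threshold)

if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print("real events only:", silent_devices(REAL_EVENTS))  # dc01 is missing entirely
    print("with heartbeat:  ", silent_devices(REAL_EVENTS + heartbeat_events(inventory)))
```

Without the heartbeat rows a device that sends nothing has no row to aggregate, so the chart can never list it; the replayed inventory is what turns "absent from the chart" into a visible low count.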

6 REPLIES

Re: HOW TO - Device Status Monitoring on Logger

Thanks for taking the time to write this! I am sure this would be handy for certain users that do not utilize the ESM.

It's also a shame to see that this is the way to go about device monitoring in the Logger, since as you mentioned we cannot use chart or aggregated search as scheduled alerts :(

biancom

Re: HOW TO - Device Status Monitoring on Logger

Good job, but I have one question.

Is there any reason not to use agent:043?

Solution

Re: HOW TO - Device Status Monitoring on Logger

In some situations, agent:043 is not generated. I don't know why, but I've come across situations like that. Besides, one can easily forget to enable device monitoring on the connector. That's why I didn't use it.

@Marius, is there a specific reason for aggregate functions not being supported in scheduled alerts?

kUMters

Re: HOW TO - Device Status Monitoring on Logger

Those missing agent 043 messages were a bug, resolved one year ago :)

Somewhere in this forum there should be a discussion on the very same requirement. We faced that issue the very same way, but based on this agent 043 and with a script which ran a prepared query over the REST API and created email messages about DEVICE DOWN :)

It's nice to see that there is another way how to do it:) = GOOD JOB


Re: HOW TO - Device Status Monitoring on Logger

What was the version of the connector which resolved the bug? I saw the problem on 7.7.

COEST (Community Manager)

Re: HOW TO - Device Status Monitoring on Logger

Thank you for your efforts in writing up this article! I have also added it to our Best Practice Board!

We are always looking for subject matter experts who want to submit "How to" content to this board! Any questions, let me know!
