HPE Software is now Micro Focus

Did you know device & connector monitoring with ArcMC

pbrettle Acclaimed Contributor.

Over the last few releases of ArcMC, a considerable amount of additional functionality has been added to allow a much better view of device and connector monitoring. ESM has always been the location for this, with dedicated packages available for it. But, and let me be clear here - the future of device (that's log source) and connector (that's SmartConnector) monitoring WILL BE IN ARCMC going forward. While ESM functionality will not be removed, it's not going to be the focus.

Why? It's costly. It's costly in complexity. It's costly in overhead. It's costly in management. ArcMC can do it faster, simpler, more effectively and without the need to run rules. To put it in a simple way, why should you pay to have a correlation engine and have a certain percentage of it running monitoring tools for it? That is where ArcMC steps in and provides a much more effective, simple and straightforward way to solve this.

Did you know that ArcMC provides device (log source) and SmartConnector monitoring? No? Let me show you some examples of this. The screenshot below shows some of the defined monitoring rules that are built into ArcMC 2.5 already, and you can customize them and add your own. It's all detailed in the manual on page 178.

Check out some of the monitoring rules available:

Capture 1.PNG

You can of course add your own rules, and customize the ones you have. It's all designed to be simple, easy and straightforward to use:

Capture 2.PNG

When you use them, you can see the rules as reported by Connector and see what the overall status is. In this example, it's only a test with a couple of connectors in place, but you can see what is going on here:

Capture 3.PNG

It's not just a case of monitoring the connectors though, you can also see the device status too (log source monitoring). In this case we provide a direct view of the log source, the host name (if available), matching device / vendor information and how much data is being sent from it. While it's customizable, you can see if a device is active or not:

Capture 4.PNG

And more importantly though, you can view this on what is called the topology view. This gives you a single view of all of the log sources (devices), their status and then which connector they are being processed through. So you can see a status quickly and easily of what is happening. It's a great and simple way of displaying the overall status of what is happening and which devices are sending logs:

Capture 5.PNG

And just hovering over a device that is showing a problem will give you a view of what is happening. In this case we can see one device is not reporting and what the source details are. Note that you also get to see the EPS rates per log source too!

Capture 6.PNG

So why mention this? If you are looking to do device status and connector monitoring - while you can do it in ESM, I recommend using ArcMC for this. If you have Connector Appliance, get it upgraded to ArcMC. If you have ArcMC, get it upgraded to 2.5 and see the advantages of doing this in the simple and straightforward way.

Oh, and if you don't have either - take a look at this and see how easy it is - and get it purchased. Oh, and ArcMC 2.6 is due soon and it will have even more functionality in this area.

Comments
Absent Member.

Nice information Paul Brettle, please tell me how to add end devices. I am unable to see end devices in topology view. We need to see which end devices are not reporting, exactly the way you have shown in the last pic in the above article. Does it require the latest connector version?

Honored Contributor.

Thanks @Paul Brettle, with the EPS in rule, how do you know what device stopped sending events? I only see an audit log for the connector. I have many devices reporting to a connector.

Best,

Acclaimed Contributor.

Sorry, this slipped by and I didn't see it!

You do not add end devices to the ArcMC view. They are identified at the SmartConnector layer and added to what is a device list per connector. This information is reported back to the ArcMC as internal reporting data with relevant data such as event rates and number of events in the last period of time.

So if you don't see devices reporting, they aren't sending! You don't add them manually, but must make sure they are sending data in the first place and then being processed by the SmartConnectors. Once they do this, they should appear in the view and you should see the event rates accordingly.

As for latest connector versions - I would always encourage you to move forward, but check the releases and make sure that any problems are fixed before you implement them.

New Member.

Thanks @Paul Brettle