ArcSight SmartConnector Device Availability Monitoring Use Case

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 12 min read

Summary:

The document describes two ArcSight rules that determine the caching status of infrastructure connectors. These rules, Rule 7 (Infrastructure Connectors Cache - Red - Rule 7) and Rule 8 (Infrastructure Connectors Cache - Green - Rule 8), drive a RED or GREEN icon on a dashboard that represents the cache status of the infrastructure connectors, based on specific conditions.

### Rule 7: Infrastructure Connectors Cache - Red - Rule 7

  • **Trigger**: The rule fires when the cache status criteria ("Red" or "Green") are met together with a flexString2 value of "Daily RED".

  • **Purpose**: It sets deviceCustomString2 to "Connector Cache Status" for monitoring the infrastructure connector cache status.

  • **Priority**: Assigns a priority of 10, indicating that connectors have been caching data for at least 2 hours.

  • **Dashboard Icon**: Maps the Rule Fire Name to the last state data monitor settings to display the icon as RED on the dashboard.

### Rule 8: Infrastructure Connectors Cache - Green - Rule 8

  • **Trigger**: The same criteria are met, but with a flexString2 value of "Daily GREEN".

  • **Purpose**: It also sets deviceCustomString2 to "Connector Cache Status" for monitoring purposes.

  • **Priority**: Operates under the same conditions and priority settings as Rule 7, except that it indicates functioning connectors that have recently cached data (within the configurable TTL period).

  • **Dashboard Icon**: The rule displays the icon as GREEN when its conditions are satisfied.

### Last State Data Monitor for Infrastructure Connectors

  • **Declaration**: A "Last State Data Monitor" named "Infrastructure Connector Cache Status" allows only one icon (the last state) to be displayed on the dashboard for connectors with caching enabled.

  • **Mapping**: The rule fire name is used in the data monitor's mapping, where "Name" maps to "Status" to set the value of the all-inclusive connector cache icon to green.

  • **Query Viewer**: Runs its query every minute to list the names of the connectors currently caching.

  • **Dashboard**: All of these details are part of a larger dashboard named "All Inclusive Infrastructure Connectors State Status."

### Confidentiality Notice

The content of this document is marked confidential and intended for internal use only within ArcSight, emphasizing its sensitivity and possible non-disclosure agreements.

Details:

The document titled "ArcSight Connector Monitoring" by Rashaad Steward, dated Q3 FY11, is a guide for understanding and managing connectors within the ArcSight platform. It aims to provide a clear visual representation of connector caching states through a single icon, making it easier to identify which connectors are using cache and which are not in large infrastructures with numerous connectors. Key aspects include:

  • **Objective**: The primary goal is to offer an all-inclusive solution for monitoring connectors, specifically distinguishing between those that use caching (enabled) and those that do not (disabled). This will be achieved by leveraging internal ArcSight events to generate advanced content.

  • **Overview**:

  • The tool provides a status view of both connected and disconnected connectors regarding their cache usage.

  • It is planned for future inclusion in the ArcSight Administration Package, suggesting it will be part of the standard platform functionality or available as an add-on.

  • The document details specific content such as rules, including:

  • **Infrastructure Connectors Cache - Connector Caching - Rule 1**: This rule detects when connectors are using cache.

  • **Infrastructure Connectors Cache - Failed - Rule 2**: Identifies failed connector instances that might need attention.

  • **Infrastructure Connectors Cache - Failed Increment Counter - Rule 3**: Increments a counter for connectors with failures, helping in tracking and troubleshooting issues.

  • **Configuration**: Instructions are provided on how to configure the cache settings (TTL - Time To Live) for connectors based on user preferences like every 30 minutes or every 2 hours. The initial list of caching connectors includes both active and inactive entries.

  • **Content**: Detailed rules that may include dependent variables, crucial for understanding the operational status and performance of connector caches within the system.

The document is intended for use by those managing large-scale systems using ArcSight, ensuring efficient monitoring and troubleshooting through automated rule-based detection and reporting mechanisms.

The article discusses the "All Inclusive Connector/No Connector Caching State" within the context of the infrastructure connector caching mechanism, as implemented by ArcSight for monitoring and managing connector performance. Key components include:

1. **Cache Structure**:

  • Connectors Cache is structured around a decrement counter rule (Rule 4) which tracks if critical connectors are caching for extended periods, potentially indicating issues.

  • The number of active connectors in the cache, their status (red or green), and whether they have been emptied are monitored by Rules 5-8 under the Infrastructure Connectors Cache category.

2. **Active Lists**:

  • **Infrastructure Connectors Currently Caching**: This list contains all connectors currently engaged in caching activities. Entries expire after 2 hours of continuous caching unless manually reset.

  • **Infrastructure Connectors Caching**: Records all connectors that have been caching consistently for at least 2 hours, with entries remaining indefinitely until the cache is cleared or a rule action triggers deletion.

  • **Infrastructure Number of Connectors Caching**: Tracks the total count of connectors that are caching continuously for over 2 hours, updated in real-time and not subject to expiration unless explicitly reset.

3. **Filters**:

  • **Connector Cache Counter Check Filter** and **Infrastructure Connectors Cache Status** filters provide visibility into the cache status and connector activities.

4. **Notifications and Dashboard Visualization**:

  • A critical notification is triggered if any essential connector remains in caching mode for more than a predefined threshold (time unspecified, possibly configurable).

  • The dashboard displays an icon indicating whether all inclusive connectors are actively caching or not; if the icon is red, it signifies issues and lists connectors that are currently or previously in the cache.

5. **Data Sources**:

  • Information is sourced from the Connector Caching Framework and internal events managed by the ESM (Enterprise Security Manager) within ArcSight.

6. **Expiry and Deletion**:

  • Entries in active lists do not expire unless manually reset or when a connector cache is emptied, which also triggers rule actions.

7. **Documentation Conventions**:

  • The document follows the pattern of providing content descriptions for each section under "Content Description" headings, with references to specific sections and pages (e.g., www.arcsight.com © 2010 ArcSight Confidential).

This comprehensive structure is designed to provide real-time visibility into connector caching activities, manage performance bottlenecks, and alert on critical issues within the infrastructure for effective management and troubleshooting.

This summary outlines several rules related to connector caching in the ArcSight system, focusing on the entries in active lists that track and manage connectors. The rules monitor and manage the caching state of connectors, ensuring accurate tracking of which connectors are currently caching data and handling the cases where a cache is cleared or connectivity issues occur.

The first rule (Rule 1) triggers when a connector starts caching but is not already listed in the "Infrastructure Connectors Currently Caching" active list. It includes specific conditions on internal event monitor:113 so that it fires only under these defined circumstances, and it captures details such as the connector's name and URI during its cache operation.

Rule 1a is similar but activates when a connector's cache is cleared or "emptied"; it also checks whether the connector was previously listed in either the "Infrastructure Connectors Currently Caching" or the "Infrastructure Connectors Caching" list. Upon activation, it removes the entries from these active lists to reflect the updated state of the connector.

Rule 2 is specific to failed cache operations: it activates when a connector's caching operation encounters an issue. The summary gives no further details beyond its triggering event and the general context of infrastructure connectors. Each rule concludes with a reference to ArcSight Confidential documentation, indicating that this information is proprietary and should be handled accordingly.

The document then outlines the rule-based mechanism ArcSight uses to monitor and manage connectors that fail to cache data for extended periods. The rule, named "Infrastructure Connectors Cache - Failed - Rule 2," triggers on the internal event raised when a connector remains in the caching state for more than two hours and therefore falls off the active list (the "Infrastructure Connectors Currently Caching" list, whose entries expire after 2 hours). That expiry produces an event with code 104 whose pipe-delimited values identify the expired entries. The rule uses six variables (IndexOf, Substring, LengthOf, Add, LengthOf, and Substring) to extract details such as the connector's name and resource URI from the custom string field deviceCustomString4, identifying connectors that are caching data improperly. The extracted information populates fields for aggregation, which can later be used in actions or notifications.

To enhance monitoring and notification, this rule also sets specific variables that map to ESM schema fields, so that the connector can be added to the "Infrastructure Connectors Caching" active list. It allows users to configure a notification action if a critical connector remains in the caching state for an extended period, potentially using custom email templates for more personalized notifications. Additionally, a related rule, "Infrastructure Connectors Cache - Failed Increment Counter - Rule 3," fires when the initial failed-cache detection occurs and increments a counter to track repeated failures. This dual mechanism ensures that persistent caching issues are both detected and managed.

The next excerpt discusses the rule named "Infrastructure Connectors Cache - Failed Increment Counter" within the context of connector caching state management. Key points:

1. **Rule Overview**: This rule manages the cache state of infrastructure connectors by incrementing a counter when a failure occurs in the caching process. It uses two main variables: `getALCounterValue` to retrieve data from the active list and `incrementALCounter` to add to that data.

2. **Variable Details**:

  • **getALCounterValue**: This variable is used to fetch the current value of the counter related to infrastructure connectors caching from the active list named "Infrastructure Number of Connectors Caching".

  • **incrementALCounter**: This variable serves to add 1 to the retrieved count, effectively incrementing the total number of connectors that have failed in their cache operation over a period.

3. **Field Aggregation and Usage**: The rule sets specific fields as per the ESM schema for tracking purposes. These include setting `flexNumber1` to the value of `incrementALCounter`, which adjusts the count of connectors with caching issues, specifically those that have failed in their cache operation for longer than the time threshold (more than 2 hours).

4. **Applicability and Documentation**: The rule is part of a broader system for monitoring connector states within ArcSight's All Inclusive Connector/No Connector Caching State feature, with detailed documentation available at the provided website link under copyright by ArcSight.

5. **Related Rule**: There is no direct mention of a "Rule 4" in this excerpt; it might be a placeholder or an error in the document. If such a rule exists, it would likely cover the case where connector caching succeeds and the counter must be decremented.

This summary gives a concise picture of how ArcSight uses rules and variables to manage and monitor the state of infrastructure connectors in relation to their caching operations.

The next excerpt outlines the rule that manages caching connectors by removing them from the active lists. Key points:

1. **Rule Purpose**: The primary purpose of this rule is to remove caching connectors from the active lists when they are no longer needed or have been inactive for an extended period (more than 2 hours). This reduces memory usage and improves system performance.

2. **Action Taken**: When the rule triggers, it removes a previously noted caching connector entry from two specific active lists: "Infrastructure Connectors Currently Caching" and "Infrastructure Connectors Caching".

3. **Conditions for Triggering**: The action is conditioned on an internal event about the active list (AL), which sets the criteria that ensure the rule fires appropriately.

4. **Rule Components**:

  • **Dependent Variables**: The rule uses two main variables:

  • `getALCounterValue` which retrieves values from the "Infrastructure Connectors Caching" entry in the "Infrastructure Number of Connectors Caching" active list.

  • `decrementALCounter`, which subtracts 1 from the counter field value retrieved by `getALCounterValue`.

  • **Aggregate Fields**: The fields set to aggregate on can be used later in the Actions tab for more detailed actions or reports. It is important that any variables created and used in this context are added to an identical Aggregate field.

5. **Field Mapping**:

  • The rule sets `flexNumber1` to the variable `decrementALCounter`, which serves as a decrement value to be subtracted from the total count of connectors caching for more than 2 hours.

6. **Documentation Source**: All information is attributed to ArcSight, indicating that this documentation might be part of internal training material or a user guide provided by the vendor.

This rule manages and optimizes resource usage by removing unnecessary cached entries from the active lists, ensuring that only actively used connectors remain in memory.

The next excerpt discusses the rule "Infrastructure Connectors Cache - Number of Connectors Cache Active List Checker - Rule 5." Its purpose is to monitor and respond when the number of cached connectors changes. The rule triggers whenever either Infrastructure Connectors Cache - Failed Increment Counter - Rule 3 or Infrastructure Connectors Cache - Success Decrement Counter - Rule 4 increments or decrements the counter field value held in the "Infrastructure Number of Connectors Caching" active list. The trigger condition is tied to internal event activelist:103, which indicates that an entry in this list has been modified. The rule uses seven variables to extract data from the pipe-delimited deviceCustomString4 field of entries in the "Infrastructure Number of Connectors Caching" active list: IndexOf, Substring, LengthOf, Add, LengthOf, Substring, and Convert_String_To_Long. The last of these is crucial because it converts the second value in deviceCustomString4 from a string to a long for further evaluation. The rule's fields are set to aggregate, which means they can be used later on the Actions tab; variables created or used on that tab must be added to an identical Aggregate field within the same schema. This setup provides detailed information about the connector caching status and supports better decision-making for infrastructure management.

Finally, the rule also has a dependent rule, "Infrastructure Connectors Cache - Red or Green Determinant - Rule 6," which sets fileName to the substring of the first string related to the infrastructure connectors cache state. The aim is a clear visual indicator (red or green) of the caching status for better operational visibility and management.

The next excerpt covers "Infrastructure Connectors Cache - Red or Green Determinant - Rule 6". Key points:

1. **Rule Overview**: This rule determines whether there is an issue with connector caching, specifically whether the number of connectors in the cache exceeds zero. It activates when two conditions are met: a specific file name and the firing of Infrastructure Connectors Cache - Number of Connectors Cache Active List Checker - Rule 5.

2. **Variable Usage**: The rule uses a dependent variable to evaluate whether the number of connectors in the cache is greater than zero. This is a single variable, Filter_Based_Condition_Function, which evaluates whether flexNumber (the count of connectors) is greater than 0. If it is, the status is set to "RED", indicating an issue; otherwise it is set to "GREEN".

3. **Filter Evaluation**: The filter named Infrastructure Connector Cache Counter Check Filter is used to assess whether the conditions of Rule 5 have been met and then to evaluate flexNumber1 (which holds the numeric value extracted from deviceCustomString4 by the variable chain). This conditional evaluation determines whether the system should display "Daily RED" or "Daily GREEN".

4. **Field Aggregation**: The fields set by this rule are designed to be aggregated, so they can be used in further analyses or actions within the ArcSight platform. Any variables created for use in the Actions tab must also have an identical Aggregate field defined.

5. **Documentation Reference**: Each section concludes with a page number from the document (e.g., 27, 28), indicating where in the overall document the details are located, which helps to track and correlate information across its parts.

6. **Confidentiality Notice**: Throughout the sections there is a reminder that this content is confidential and proprietary to ArcSight, indicating its sensitivity and potential use in internal systems or environments where non-disclosure agreements may apply.

This summary captures the main functionality and technical details of the rule that determines the infrastructure connector caching status within the ArcSight system.

The final excerpt outlines the configuration and functionality of two rules for infrastructure connector cache management: "Infrastructure Connectors Cache - Red - Rule 7" and "Infrastructure Connectors Cache - Green - Rule 8". Both rules are triggered under the conditions determined by Rule 6, which sets the desired variables according to the ESM schema fields.

**Rule 7: Infrastructure Connectors Cache - Red - Rule 7**

  • Triggered when certain criteria related to cache status (either "Red" or "Green") are met along with a flexString2 value of "Daily RED".

  • Sets deviceCustomString2 to "Connector Cache Status" for use in monitoring the infrastructure connector cache status.

  • Assigns a priority of 10, indicating that connectors have been caching data for at least 2 hours.

  • Maps Rule Fire Name to last state data monitor settings to display an icon as RED on the dashboard.

**Rule 8: Infrastructure Connectors Cache - Green - Rule 8**

  • Triggered when similar criteria are met but with a flexString2 value of "Daily GREEN".

  • Also sets deviceCustomString2 to "Connector Cache Status" for monitoring purposes.

  • Operates under the same conditions and priority settings as Rule 7, except it indicates functioning connectors that have recently cached data (within the configurable TTL period).

Both rules serve to visually represent the cache status of the infrastructure connectors on a dashboard through the appropriate icon (RED or GREEN) when their respective conditions are satisfied.

The last excerpt discusses the "Last State Data Monitor" for infrastructure connectors in ArcSight, focusing on connector caching status. Key points include:

  • A declaration in the last state data monitor named "Infrastructure Connector Cache Status" allows only one icon (last state) to be displayed on the dashboard for connectors with caching enabled.

  • The rule fire name is used in mapping within the data monitor, where "Name" maps to "Status" to set the value of all inclusive connector cache icons as green.

  • A query viewer filters queries every minute to list the names of connectors currently in the process of caching.

  • All these details are part of a larger dashboard named "All Inclusive Infrastructure Connectors State Status."

The document is intended for internal use within ArcSight and its content is marked as confidential.
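As an added illustration (not ArcSight's own content or configuration), the following Python simulation models the rule chain described above: Rule 1's entry into the TTL-bounded "Currently Caching" list, the expiry that Rules 2 and 3 turn into a counted long-running cacher, Rule 4's decrement when a counted connector empties its cache, the pipe-delimited deviceCustomString4 parsing with the Convert_String_To_Long step of Rule 5, and Rule 6's counter-greater-than-zero determinant. The "name|uri" and "key|count" layouts of deviceCustomString4, the use of epoch seconds for time, and the connector names in the walk-through are assumptions.

```python
TTL_SECONDS = 2 * 3600  # page: 'Currently Caching' entries expire after 2 hours


def parse_pipe_pair(dcs4):
    """Mirror of the IndexOf / Substring / LengthOf / Add variable chain the page
    describes for a pipe-delimited deviceCustomString4. Assumed layout: 'first|rest'."""
    sep = dcs4.index("|")            # IndexOf("|")
    first = dcs4[:sep]               # Substring(0, IndexOf)
    rest = dcs4[sep + 1:]            # Substring(Add(IndexOf, 1), LengthOf)
    return first, rest


def parse_counter_entry(dcs4):
    """Rule 5 step: the second value is converted with Convert_String_To_Long."""
    key, value = parse_pipe_pair(dcs4)
    return key, int(value)


class ConnectorCacheState:
    """Simulation (not ArcSight code) of the three active lists named on the page."""
    COUNTER_KEY = "Infrastructure Connectors Caching"  # entry key in the counter list

    def __init__(self):
        self.currently_caching = {}  # name -> (uri, first_seen): 'Currently Caching' (TTL 2h)
        self.caching = {}            # name -> uri: 'Connectors Caching' (no expiry)
        self.counter = {self.COUNTER_KEY: 0}  # 'Number of Connectors Caching'

    def on_caching_started(self, dcs4, now):
        """Rule 1: monitor:113 event; add only if not already in the TTL list."""
        name, uri = parse_pipe_pair(dcs4)
        if name not in self.currently_caching:
            self.currently_caching[name] = (uri, now)

    def expire(self, now):
        """TTL expiry: the page says the fall-off raises an event (code 104) whose
        pipe-delimited values Rule 2 parses; Rule 3 then increments the counter."""
        expired = [n for n, (_, t0) in self.currently_caching.items()
                   if now - t0 >= TTL_SECONDS]
        for name in expired:
            uri, _ = self.currently_caching.pop(name)
            self.caching[name] = uri               # Rule 2: add to 'Connectors Caching'
            self.counter[self.COUNTER_KEY] += 1    # Rule 3: incrementALCounter
        return expired

    def on_cache_emptied(self, dcs4):
        """Rule 1a / Rule 4: cache emptied -> drop from both lists; if the connector
        had been counted as a long-running cacher, decrement the counter."""
        name, _ = parse_pipe_pair(dcs4)
        self.currently_caching.pop(name, None)
        if self.caching.pop(name, None) is not None:
            self.counter[self.COUNTER_KEY] -= 1    # Rule 4: decrementALCounter

    def status(self):
        """Rule 6 determinant: count > 0 -> 'Daily RED' (Rule 7), else 'Daily GREEN' (Rule 8)."""
        entry = "%s|%d" % (self.COUNTER_KEY, self.counter[self.COUNTER_KEY])
        _, count = parse_counter_entry(entry)      # Rule 5: Convert_String_To_Long
        return "Daily RED" if count > 0 else "Daily GREEN"


def demo():
    """Constructed walk-through: two connectors start caching, one runs past the TTL."""
    s = ConnectorCacheState()
    s.on_caching_started("conn-a|arcsight:///connectors/a", now=0)    # constructed values
    s.on_caching_started("conn-b|arcsight:///connectors/b", now=600)
    s.on_cache_emptied("conn-b|arcsight:///connectors/b")             # b recovers quickly
    expired = s.expire(now=TTL_SECONDS)                               # a has cached for 2h
    red = s.status()
    s.on_cache_emptied("conn-a|arcsight:///connectors/a")             # a recovers
    return expired, red, s.status()  # (['conn-a'], 'Daily RED', 'Daily GREEN')
```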

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
