ArcSight System Monitoring 2.1_1
- Pavan Raja

- Apr 8, 2025
- 17 min read
Summary:
This document is a guide to managing and monitoring devices with ArcSight System Monitoring (ASM), a package that runs on ArcSight Enterprise Security Manager (ESM). The primary focus is on Windows devices, with panels and dashboards that track device status, connectivity problems, and event reporting.
### Key Points Discussed:
1. **Device Connection Issues**: Tools are provided for diagnosing connection problems; right-clicking an affected connector drills down into details about the devices behind it. A total count of devices with connection issues, together with the "Drilldown" detail view, helps identify and resolve connectivity problems promptly.
2. **Device Connection Down - Total Count**: This panel serves as a summary of all devices with connection issues, aiding in overall system health monitoring and troubleshooting.
3. **Devices Late Events**: This feature is crucial for ensuring that events reach Enterprise Security Manager (ESM) on time. It includes configurable time frames and a mechanism to exclude certain vendors or products from being marked as late when they are temporarily down because of planned maintenance, power outages, and so on.
4. **Devices Quiet**: Identifies devices not reporting any activity to ESM for extended periods, which might indicate issues like hardware failures, software glitches, or network problems. Users can add specific products and vendors to an exclusion list to prevent false positives.
5. **Devices Reporting Last 24 Hours**: This panel lists all active devices that have reported events within the last 24 hours, requiring IP addresses for accurate identification. DNS issues are addressed by mapping files or host entries to ensure correct device tracking.
6. **Windows Device Status Dashboard and Panels**: These specific tools are designed for Windows-based devices, providing detailed insights into late events, quiet devices, and total count of reporting devices. They help in maintaining a close watch on the performance and connectivity of these critical systems.
7. **Technical Support Resources**: The document includes a link to technical support resources from HP OpenView, offering assistance for any issues related to ArcSight System Monitoring, including Windows devices. This resource is crucial for users who might encounter difficulties in managing or troubleshooting their monitoring setup.
### Conclusion:
This documentation provides comprehensive guidance on how to monitor and manage device connectivity within an ArcSight-based system specifically tailored for Windows environments. It uses a series of interconnected panels and dashboards that help in real-time tracking, diagnostics, and support for resolving issues related to late events, quiet devices, and overall connectivity concerns. The document is part of the proprietary knowledge base provided by Hewlett-Packard Development Company, reflecting its role as a valuable resource in enterprise security management solutions.
Details:
This document provides technical commentary on ArcSight System Monitoring 2.1 (ASM), which is part of HP Enterprise Security Products. The purpose of this document is to provide recommendations for maximizing the value of ArcSight solutions based on experience with similar customers and environments. It includes information about installing, upgrading, and managing ASM, as well as addressing potential issues like known unknown connectors, bulk batch settings, device decommissioned lists, filters, network models, and more. The content is proprietary and confidential, copyrighted by Hewlett-Packard Development Company, L.P., with a date of 4/2/14. HP Enterprise Security Products Global Services provides education and consulting services to help customers plan security strategies, compliance monitoring, and enhance existing security measures.
HP Enterprise Security Products (ESP) offers customized training, tools, and expertise to help businesses succeed with their enterprise security projects. With experience across various industries and company sizes, HP ESP provides education services such as instructor-led training, computer-based learning, and certification programs; consulting for project strategy, requirements gathering, implementation, and operations; and security operations support for internal monitoring and response capabilities. The service integrates ArcSight ESM infrastructure to enhance operational efficiency and cost savings. HP ESP follows a four-phase project strategy: initiation (Phase I), planning (Phase II), execution (Phase III), and deployment (Phase IV).
The text outlines a methodology for deploying technologies, specifically HP Enterprise Security Products (ESP) deployments. The process is divided into four main phases:
1. **Assess & Design**: In this phase, the methodology aims to deeply understand the customer's environment by defining business drivers, identifying stakeholders, and deriving requirements or use cases. Based on this information, a solution is designed and architected to meet these specified requirements. Resource needs are also communicated, and tasks are prioritized according to the customer's needs.
2. **Implement**: This phase involves the actual implementation and integration of various technologies required to satisfy the previously defined requirements. Specific activities in this phase include installing and configuring ESM (Enterprise Security Manager), Logger, Connector Appliance, and NSP (Network Security Platform).
3. **Mature**: During this phase, efforts are directed towards optimizing and tuning technology, performing health checks, identifying additional use cases to extend solution capabilities, and incorporating these into the existing solution.
4. **Transition**: The final phase involves transferring knowledge in areas such as intrusion analysis, incident response, and escalation procedures. This ensures that customers can effectively utilize the implemented solution for responding to incidents, leveraging defined processes and procedures.
The chart provided visually represents how a typical deployment aligns with this methodology. It details the integration of business requirements with technical refinement and optimization, aiming to align the solution with the customer's environment and enhance production capabilities through end-user training and career path development.
The provided text is a summary of instructions for installing and upgrading to ArcSight System Monitoring (ASM) version 2.1, developed by Hewlett-Packard Development Company, L.P. Here's an overview of the key points mentioned in the document:
### Key Points:
1. **Installation Process:**
**Installing ASM 2.1:**
Follow these steps to install ArcSight System Monitoring 2.1:
1. Install the new ArcSight System Monitoring 2.1 package.
2. Link rules to Real-Time Rules as per instructions in the ArcSight System Monitoring section of this document.
3. Some connectors need to be restarted for complete information display. They will auto-detect and re-add themselves if registered to ESM.
**Upgrading from ASM 2.0 to ASM 2.1:**
1. If custom lists have been altered in `/All Active Lists/ArcSight Solutions/ArcSight System Monitoring/`, export them for later import, because defaults are applied when the new package is installed.
2. Move notification objects from Device Administrators to a new folder before deleting the old package.
3. Delete the old ASM 2.0 package, ensuring all resources are removed without leaving any behind; if locked objects appear during deletion, select "skip" and click OK.
4. Check for straggling objects with names containing "ArcSight System Monitoring" and remove them safely.
5. Install the new ArcSight System Monitoring 2.1 package and import the exported lists from `/All Active Lists/ArcSight Solutions/ArcSight System Monitoring/Configuration/` that were saved in step 1.
### Additional Notes:
**Documentation:** Ensure all configurations, rules, and dashboards are documented properly before making any changes.
**User Feedback:** Collect user feedback to refine improvements in the platform through use cases.
**High Availability:** Implement strategies for high availability as detailed in the framework provided by ArcSight.
**Automate Reporting:** Develop advanced integrations to automate reporting processes using proprietary tools and frameworks that are considered confidential and proprietary to Hewlett-Packard Development Company, L.P.
This document is intended for IT professionals responsible for managing and updating the ArcSight System Monitoring software within an organization's security infrastructure.
The instructions provide a guide for deploying ArcSight System Monitoring Rules following an upgrade or installation of the package. Key steps include:
1. Navigate to the /All Rules/ArcSight Solutions/ArcSight System Monitoring location to find the rules.
2. If the Real-Time Rules folder does not exist, create it under /All Rules/Real-time Rules/ArcSight Solutions.
3. Move the ArcSight System Monitoring rules from the /All Rules/ArcSight Solutions/ArcSight System Monitoring folder to the Real-Time Rules folder.
4. Link the rules to ensure they are activated and function properly within the system.
5. Some connectors may need to be restarted for complete information to appear, which will auto-detect and re-add themselves if registered with ESM.
6. Disable default content in ArcSight System Monitoring where necessary to recover resources for other content, as leaving both packages enabled can cause notification duplication.
7. Go to the resource /All Data Monitors/ArcSight Administration/Connectors/System Health and disable all data monitors except Top Event Sources.
The document outlines settings and configurations related to notifications, connectors, and devices in a monitoring or system management tool. Key points include:
1. **Connector Settings**:
**DestinationAlert**: To prevent duplicate notifications for connector status, adjust the setting from "yes" to "no". This is case-sensitive; recommended settings are as follows: Destinations sending events to the ESM should be set to "yes", while others (sending through a logger) should be set to "yes".
**InMaintenance**: To disable notifications for a connector, set "InMaintenance" to "yes".
**NotificationDelay**: With a setting of 0, notifications are sent on every event. If set higher than 0, it is used in conjunction with NotificationDelayVariance.
**NotificationDelayVariance**: This can be set as Minute, Hour, Day & Batch (all case sensitive). It adjusts the delay between events for notifications. For example: A setting of "Batch" means every 24 hours or upon the first event after a batch period.
2. **Device Settings**:
**InMaintenance**: To disable device notifications, set "InMaintenance" to "yes".
**NotificationDelay**: When set to 0, notifications are sent on each event; if set higher than 0, it is used with NotificationDelayVariance for more controlled timing.
These settings and their implications help in optimizing the notification system's efficiency and effectiveness based on specific operational needs.
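As an added example (not the page's or HP's code), the following Python models the notification timing described above for a single connector or device: an InMaintenance value of "yes" silences it, NotificationDelay 0 notifies on every event, and a positive delay suppresses further notifications until delay multiplied by the variance unit has elapsed. The interval assigned to each variance unit, the reading of "Batch" as a 24-hour window, the exact case-sensitivity behaviour, and the class and function names are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Interval represented by each NotificationDelayVariance value. The page says the
# values are case-sensitive; "Batch" is read here as a 24-hour window, which is an
# assumption based on the page's description rather than product documentation.
VARIANCE_UNITS = {
    "Minute": timedelta(minutes=1),
    "Hour": timedelta(hours=1),
    "Day": timedelta(days=1),
    "Batch": timedelta(hours=24),
}


class NotificationGate:
    """Decides whether an event for one connector or device should raise a
    notification, given its InMaintenance, NotificationDelay and
    NotificationDelayVariance settings (hypothetical model of the page's rules)."""

    def __init__(self, in_maintenance: str = "no", delay: int = 0, variance: str = "Hour"):
        if variance not in VARIANCE_UNITS:
            # A value such as "hour" would be silently ignored by a case-sensitive
            # product; failing loudly here makes the misconfiguration visible.
            raise ValueError(f"NotificationDelayVariance must be one of "
                             f"{sorted(VARIANCE_UNITS)}, got {variance!r}")
        self.in_maintenance = in_maintenance
        self.delay = delay
        self.variance = variance
        self.last_sent: Optional[datetime] = None

    def interval(self) -> timedelta:
        """Minimum gap between two notifications when delay > 0."""
        return self.delay * VARIANCE_UNITS[self.variance]

    def should_notify(self, event_time: datetime) -> bool:
        # Exactly "yes" (case-sensitive) silences the connector or device.
        if self.in_maintenance == "yes":
            return False
        # Delay 0: every event produces a notification.
        if self.delay == 0:
            self.last_sent = event_time
            return True
        # Delay > 0: the first event notifies, later ones only once the interval passed.
        if self.last_sent is None or event_time - self.last_sent >= self.interval():
            self.last_sent = event_time
            return True
        return False


def simulate(delay: int, variance: str, offsets_minutes, in_maintenance: str = "no"):
    """Run a sequence of events at the given minute offsets through one gate and
    return which of them would have produced a notification."""
    gate = NotificationGate(in_maintenance=in_maintenance, delay=delay, variance=variance)
    base = datetime(2025, 4, 8, 9, 0, 0)  # constructed reference time
    return [gate.should_notify(base + timedelta(minutes=m)) for m in offsets_minutes]


if __name__ == "__main__":
    print("delay 0, every event:", simulate(0, "Hour", [0, 1, 2]))
    print("delay 1 Hour:", simulate(1, "Hour", [0, 30, 61]))
    print("delay 1 Batch:", simulate(1, "Batch", [0, 23 * 60, 24 * 60]))
    print("InMaintenance yes:", simulate(0, "Hour", [0, 5], in_maintenance="yes"))
```

The last two calls in the usage section illustrate the case-sensitivity point the page makes: only the exact string "yes" suppresses notifications, so a value such as "Yes" leaves a connector noisy.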
The provided text discusses configuration settings related to notifications, device administration, and batch processing in a system or software environment. Here's a summary of the key points:
1. **NotificationDelay and NotificationDelayVariance**:
These settings control how frequently notifications are sent for events.
Possible values include minutes, hours, days, and batches.
The "NotificationDelay" is set to 0 with a variance that can be "* Hour Batch". This means the first event triggers a notification, followed by one every hour in batch mode.
Asterisk (*) indicates any value, allowing flexibility in setting the interval.
2. **Destinations and Connectors**:
The ArcSight Administrator is used to send email alerts for all events in the package, requiring at least one destination setup under "/All Destinations/ArcSight Administrators/".
A list should be maintained of known connectors that are registered to a logger but not to Enterprise Security Manager (ESM), to avoid triggering unknown connector reports.
3. **Batch Settings**:
The Bulk Batch Settings feature auto-populates device lists with vendor, product, and feed type in batch mode using "NotificationDelayVariance".
This is particularly useful when dealing with numerous devices that need to be set to batch processing mode.
4. **Device Decommissioned List Import**:
This list includes IP addresses of decommissioned devices, ensuring these are excluded from reports and indicating the status of decommissioned equipment.
Overall, these settings and features support efficient management of event notifications, system administration, and data handling within a structured environment.

The text then discusses managing devices in an ArcSight environment, where ArcSight is the software used to monitor and analyse network traffic for security threats and other issues. To start with, objects associated with devices that are not reporting data correctly need to be cleaned out of Active Directory (AD). For this purpose, you can create a master list in which you enter details such as IP address and feed type for every expected device. The feed type differs depending on whether the device sends Windows events or a specific vendor product feed such as syslog, sdkrfilereader, or bluecoat_file. Optionally, a Flex connector from WUC AD Host Import Fex can fetch host names, IP addresses, and OS versions of Windows servers directly from Active Directory, without manual input from administrators.

Next, the Device Late Time Settings section configures how long the system waits before showing a device in the late panel; the setting can be expressed in minutes, hours, or days as required. Some products, such as ePolicy Orchestrator (ePO), report each workstation as a device, and quiet events from shut-down workstations are usually of no analytical value. To keep such devices out of the quiet list, add the vendor name and product name to an exclusion list.

Lastly, notifications can be set up in rule sets according to event priority levels 1 through 4, with corresponding urgency from urgent to less critical. The text then turns to notification settings and their implications, as well as procedures for resolving host name resolution issues on ArcSight appliances.
It explains how to exclude certain products from being treated as "quiet devices" by adding vendor and product names to a specified list. It also stresses that DNS or host files must resolve names correctly on every ArcSight appliance, since blank host names or incorrect IP addresses cause problems; addresses such as 127.0.0.1 or 192.168.36.35 appearing for a device should be corrected in the connector or logger appliance settings. Fully qualified domain names (FQDNs) should be used, and map files created for hostnames or IP addresses that the system cannot resolve.

The text then outlines steps for correcting hostname settings and DNS suffix problems, and discusses filters for event forwarding and network model requirements for connector servers, logger forwarders, and Enterprise Security Manager (ESM) receivers within the larger system. Accurate settings avoid performance and name resolution issues. The suggested filters are `^CEF:0|ArcSight` on the logger forwarder and `deviceVendor != "ArcSight"` on the ESM receiver, so that ArcSight's own events are handled properly rather than duplicated or misrouted. Finally, the network model requirements include assigning networks to customer objects, setting URI values for connectors, and ensuring that all zones are assigned to the network, which is essential for a working configuration.

This section describes the Status History Dashboard in ASM 2.1, which is part of ArcSight System Monitoring (ASM). It has two main panels: Device Status Summary, which shows notifications related to devices, and Connector Status Summary, which shows notifications related to connectors.
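The two filters above are meant to keep ArcSight's own internal events (CEF version 0, device vendor "ArcSight") from being forwarded and then counted again. The Python below is an added example, not code from the page or from ArcSight, that applies both stages to a few constructed CEF lines. It treats the forwarder filter as a literal prefix; a caveat worth knowing is that if the same string were compiled unescaped as a regular expression, the `|` would act as alternation ("starts with CEF:0" or "contains ArcSight") and would match every CEF:0 line, which `naive_regex_matches` demonstrates. The sample lines, function names and the parsed-field reading of the ESM filter are assumptions.

```python
import re

# Constructed sample lines as a logger forwarder might see them; not from the page.
SAMPLE_LINES = [
    "CEF:0|ArcSight|ArcSight|6.0|agent:030|Agent [test] type [syslog] started|1|",
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp connection|5|src=203.0.113.5 dst=10.0.0.7",
    "CEF:0|Microsoft|Microsoft Windows|2012|4625|An account failed to log on|5|suser=alice",
    "CEF:0|Vendor\\|Pipe|Product|1.0|1|Vendor name with an escaped pipe|3|",
    " CEF:0|ArcSight|Logger|6.0|logger:100|Leading space defeats an anchored prefix|1|",
]

# The page's forwarder filter "^CEF:0|ArcSight", applied as a literal prefix.
# re.escape turns the pipe into a literal character instead of alternation.
FORWARDER_EXCLUDE = re.compile(r"^" + re.escape("CEF:0|ArcSight"))


def naive_regex_matches(line: str) -> bool:
    """What the filter string does if compiled unescaped: '^CEF:0' OR 'ArcSight'."""
    return re.search("^CEF:0|ArcSight", line) is not None


def split_cef_header(line: str):
    """Split the seven CEF header fields on unescaped '|' (a backslash escapes a pipe)
    and return (fields, extension). Field 1 is deviceVendor."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    return fields, line[i:]


def forwarder_keeps(line: str) -> bool:
    """Logger forwarder stage: drop ArcSight-internal events so they are not re-sent."""
    return not FORWARDER_EXCLUDE.match(line)


def esm_receiver_accepts(line: str) -> bool:
    """ESM receiver stage: parsed-field equivalent of deviceVendor != "ArcSight"."""
    fields, _ = split_cef_header(line)
    return len(fields) == 7 and fields[1] != "ArcSight"


def apply_filters(lines):
    """Run lines through both stages and report what each stage dropped."""
    result = {"forwarded": [], "accepted_vendors": [],
              "dropped_at_forwarder": 0, "dropped_at_esm": 0}
    for line in lines:
        if not forwarder_keeps(line):
            result["dropped_at_forwarder"] += 1
            continue
        result["forwarded"].append(line)
        if not esm_receiver_accepts(line):
            # Second stage catches what the anchored prefix missed (e.g. leading space).
            result["dropped_at_esm"] += 1
            continue
        result["accepted_vendors"].append(split_cef_header(line)[0][1])
    return result


if __name__ == "__main__":
    summary = apply_filters(SAMPLE_LINES)
    print("accepted vendors:", summary["accepted_vendors"])
    print("dropped at forwarder:", summary["dropped_at_forwarder"],
          "dropped at ESM:", summary["dropped_at_esm"])
```

The fifth sample line shows why the page recommends both filters rather than one: a line the anchored forwarder pattern does not match is still rejected by the receiver once the vendor field has been parsed.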
These notifications are displayed in a sliding view history for the last 7 days. The Analyst View active channel is used by analysts to see actionable events in detail. This channel also sends email notifications to the ArcSight Administration notification group; its configuration can be adjusted to change which events are notified and how they are handled through priority settings. Notifications are disabled by setting a low priority (7 or lower) and enabled by setting a high priority (8 or higher).

The Configuration Dashboard in ASM helps correct overlooked configuration. It reports, for example, when a connector's customer URI is missing: the configuration should always include the customer details, even if the organisation is not acting as a managed security service provider (MSSP). A map file can be used to create a customer URI when collecting events from multiple customers, provided the customer object has been created in Enterprise Security Manager (ESM). Deleted connectors can still send events; these are reported under "Deleted Connector Reporting Events" and should be checked at the specified path. The dashboard also covers Zone Confidence: when events arrive that belong to no zone, a new IP space zone must be created. The Zone Confidence rules are disabled initially and can be enabled once the network model is complete, which helps populate missing zones in the dashboard.

The next part of the document covers device duplication, connector status, and cache management in ArcSight System Monitoring. Here's a summary of the key points:
1. **Devices Duplicated Device Feed**: This panel alerts users when multiple connectors receive events from the same device, typically because of misconfiguration or because a server was moved between connectors without the old feed being decommissioned. To resolve this, right-click the duplicated device in the list and select "Details" to open a dashboard showing all related connectors and their details, then clean up the duplicate entries.
2. **Connector Status Dashboard**: This dashboard gives an overview of connector health, including whether connectors are down, caching events, dropping events, processing files, or experiencing other issues. It helps in monitoring the performance and operational status of each connector.
3. **Current Connector Status**: Shows statistics such as estimated cache size and EPS (events per second) for each connector. The goal is an estimated cache size of 0 on every connector; the EPS rate shows how many events each connector is processing per second.
4. **Connector Down**: This panel identifies a connector that has been intentionally shut down by an administrator or has stopped sending events to ESM because of a failure. A connector that stays inactive for a prolonged period is flagged as "down"; restarting it is often enough to resolve the issue. While a connector is down, no events are received from it and it does not cache any events.
These features together help maintain performance, identify misconfigurations, and keep events flowing within the ArcSight System Monitoring environment.

The document then describes UDP-based connectors, specifically Syslog or SNMP, which carry events between Enterprise Security Manager (ESM) and a logger. Such a connector is "Down" when it is not communicating with ESM because of network or other problems, and "Shutdown" when it was stopped intentionally by an administrator or by a system error that signalled the shutdown event to ESM. Three forms of name can appear in the connector's name column:
1. "" (a blank name) indicates that the connector is hidden behind a logger; the name updates to the actual connector name after a restart. This does not affect functionality and is cosmetic.
2. "syslog_connector" suggests the connector is either registered with the ESM or functioning correctly, with brackets indicating it might need a refresh post-restart.
3. The final representation is the actual connector name, which shows when direct registration to the ESM or after any restart.
The document also discusses the Connector Caching panel under "Connector Caching" and "Connector Dropping Events" panels within the ArcSight System Monitoring suite. These sections are crucial for understanding if events from a connector are being lost due to issues like network connectivity between the connector and the ESM or logger. If events are cached too long, they can cause the connector to start dropping them, which should be addressed immediately to avoid data loss.
The document discusses various aspects of connector operations within ArcSight, focusing on handling events when a connector stops processing files or when it's stopped. It provides information for users who need to address issues such as connectors dropping events or stopping unexpectedly. When a connector stops processing events, these events are not lost; they remain in the system until the issue is resolved and the connector restarts. The connector may take some time to catch up if there are many log entries, particularly if logs are large. Additionally, the document mentions how connector versions can be monitored through the Connector Versions dashboard, which also includes logger forwarder connectors.
This summary provides an overview of several interconnected components within ArcSight System Monitoring, focusing on connectors and devices that are not reporting as expected. It outlines specific features and resources available through various interfaces, such as query viewers and dashboards, all tied into a unified solution for monitoring system performance and connectivity issues across different devices connected via connectors.
1. **Connector Versions Report**: This report provides detailed information about the versions of connectors deployed in the environment. The path to this resource is /All Connectors/Path/ConnectorName under the Connectors section within ArcSight Solutions, specifically within the ArcSight System Monitoring module. Users can access the Connector Versions Report via the /All Reports/ArcSight Solutions/ArcSight System Monitoring/Connectors/Connector Versions route.
2. **Connector Versions Count**: This feature displays a count of all connector destinations registered in the system. It is located at /All Query Viewers/ArcSight Solutions/ArcSight System Monitoring/Connectors/Connector Versions Count. Users can view this information through their query viewer to gain an understanding of how many connectors are actively used across the organization.
3. **Device Remediation Dashboard**: This dashboard, named Device Remediation within the Devices section under ArcSight System Monitoring, flags potential issues related to devices that are not reporting or have incorrect configurations in the connector setup. The key panel here is the Devices Never Reported In, which lists any known devices for whom events are not being received. To resolve this issue, users need to ensure IP addresses corresponding to device hostnames are correctly mapped either through the host file or a map file.
4. **Devices Master List**: This list can be populated manually or partially automatically via scripts and connectors bundled with specific packages. The Device Master List includes details such as IP Address, Host Name, and Server Version for all Windows Servers in the organization's domain. Users can filter this list by organizational unit (OU).
5. **Devices Never Reported In**: This panel specifically identifies devices that haven't reported events within the system. The list is dynamically updated based on devices that have either stopped reporting or were never configured correctly in connectors. To maintain an accurate list, the IP Address must be recorded; if DNS does not provide this information, manual intervention via host file or map file update is necessary.
6. **Exporting Devices List**: The Devices Never Reported In report can be exported as a CSV file for further analysis and potential import into other systems as needed. This functionality allows users to leverage the data collected in reporting tools for broader enterprise-level use cases, ensuring that all devices connected via connectors are accounted for and monitored effectively.
To summarize the provided text, it is important that devices listed in the Devices Master List for the Windows Unified Connector (WUC) have accurate IP addresses that can be resolved automatically or, if necessary, manually. If hosts cannot be resolved because of DNS issues or because they have been decommissioned, the appropriate action is to add them to DNS, a host file, or a map file, or to use the Devices Decommissioned List Import. Entering the wrong Windows version in the WUC can lead to data loss and incorrect event parsing, so such discrepancies should be corrected promptly. In short, correct information in the Devices Master List is what makes collection from these devices reliable.
The document provides information about two panels within ArcSight System Monitoring (ASM) solutions, specifically designed to monitor device connectivity issues and late events in event collection.
1. **Device Connection Down**: This panel alerts users when a connector has lost its connection to a device it is monitoring. For instance, if a Windows Unified Connector (WUC) fails to pull events from a server, an entry appears in the Device Connection Down panel. The cause could be a network problem, a faulty device, or cabling between the connector and the server. If multiple devices on one connector are affected, the problem is likely at the connector level; if only one device is affected, the issue is more likely with that specific device. To view details about the affected devices, right-click the affected connector, select "Drilldown", then click "Device Connection Down Detail".
2. **Device Connection Down - Total Count**: This panel shows the total number of devices experiencing connection issues across all connectors. It helps in tracking overall connectivity problems within the system.
3. **Devices Late Events**: This feature highlights devices whose events are not received into Enterprise Security Manager (ESM) within the designated time frame, which is configurable in minutes, hours, or days according to user settings.
These tools collectively contribute to ASM's ability to diagnose and resolve connectivity issues in real-time across various devices monitored by ArcSight connectors.
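The page's triage rule for the Device Connection Down panel (several devices down behind one connector points at the connector, a single device points at that device) is simple enough to script. The following Python is an added example, not code from the page or from ArcSight; the entries, the configured-device inventory and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed entries as the Device Connection Down panel might list them:
# (connector name, device host name). Not taken from the page.
CONNECTION_DOWN = [
    ("wuc-01", "dc01.example.test"),
    ("wuc-01", "fs02.example.test"),
    ("wuc-01", "app03.example.test"),
    ("wuc-02", "sql05.example.test"),
]

# Devices each connector is configured to collect from (constructed inventory).
CONFIGURED_DEVICES = {
    "wuc-01": {"dc01.example.test", "fs02.example.test", "app03.example.test"},
    "wuc-02": {"sql05.example.test", "sql06.example.test", "sql07.example.test"},
}


def triage(down_entries, configured):
    """Apply the page's heuristic: more than one device down on a connector suggests
    the connector or its network path; exactly one suggests that device."""
    by_connector = defaultdict(set)
    for connector, device in down_entries:
        by_connector[connector].add(device)

    verdicts = {}
    for connector, devices in sorted(by_connector.items()):
        configured_count = len(configured.get(connector, ()))
        verdicts[connector] = {
            "suspect": "connector" if len(devices) > 1 else "device",
            "devices_down": sorted(devices),
            # Share of the connector's configured devices that are down, when known.
            "fraction_of_configured": (len(devices) / configured_count) if configured_count else None,
        }

    # Mirrors the "Device Connection Down - Total Count" panel.
    total_count = sum(len(d) for d in by_connector.values())
    return {"total_count": total_count, "verdicts": verdicts}


if __name__ == "__main__":
    report = triage(CONNECTION_DOWN, CONFIGURED_DEVICES)
    print("total devices with connection down:", report["total_count"])
    for connector, verdict in report["verdicts"].items():
        print(f"{connector}: suspect {verdict['suspect']} ({len(verdict['devices_down'])} down)")
```

The fraction field is the extra check a practitioner wants alongside the raw count: all three of wuc-01's configured devices being down is a much stronger connector signal than three of thirty.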
This document pertains to monitoring and managing devices with ArcSight System Monitoring on Enterprise Security Manager (ESM). The main features discussed are:
1. **Devices Late Events - Total Count**: This panel displays the total number of devices that have been late in reporting events to ESM, defined as not reporting within 24 hours. Users can add vendors and products to a list to exclude them from being marked as quiet when their workstations shut down.
2. **Devices Quiet**: Indicates when a device has stopped reporting events to ESM for more than 24 hours. If the device becomes active again, it will be removed from this list. Specific products like EPO might report each workstation as a device; shutting down these workstations would mark them as quiet. Vendors and products can be added to an exclusion list to avoid this.
3. **Devices Quiet Report**: Provides a detailed report on devices that are marked as quiet, following the same criteria as mentioned above.
4. **Devices Quiet - Total Count**: Shows the cumulative count of all devices currently listed as quiet in the system.
5. **Devices Reporting Last 24 Hours**: This panel lists the devices that have reported events to ESM within the last 24 hours, requiring an IP Address for identification. If DNS does not provide the IP address from the host name, adjustments such as populating a host file or map file are necessary to ensure accurate monitoring.
These features help in maintaining oversight of device activity and ensuring that all devices are actively contributing data to the system, with mechanisms to handle exceptions like workstations being powered down temporarily.
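The Devices Quiet, Devices Reporting Last 24 Hours and (earlier) Devices Duplicated Device Feed panels all derive from the same per-device view: when each device was last seen, through which connectors, and under which vendor/product. The Python below is an added example, not code from the page or from ArcSight, that computes those lists from a handful of constructed event records, applies a vendor/product exclusion list the way the page describes for products that report every workstation, and flags devices that arrived without an IP address and therefore need a host-file or map-file entry. The record layout, the 24-hour threshold as the quiet cut-off, and all names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations of the kind ESM holds per received event: device IP,
# reported host name, vendor/product, delivering connector, and receipt time.
NOW = datetime(2025, 4, 8, 12, 0, 0)
H = timedelta(hours=1)
EVENTS = [
    {"ip": "10.0.0.7",  "host": "dc01.example.test", "vendor": "Microsoft",     "product": "Microsoft Windows", "connector": "wuc-01",    "received": NOW - 2 * H},
    {"ip": "10.0.0.7",  "host": "dc01.example.test", "vendor": "Microsoft",     "product": "Microsoft Windows", "connector": "wuc-02",    "received": NOW - 1 * H},
    {"ip": "10.0.0.9",  "host": "fw01.example.test", "vendor": "Cisco",         "product": "ASA",               "connector": "syslog-01", "received": NOW - 30 * H},
    {"ip": "10.0.1.20", "host": "ws-042",            "vendor": "ExampleVendor", "product": "EPO",               "connector": "epo-01",    "received": NOW - 40 * H},
    {"ip": "",          "host": "app03",             "vendor": "Microsoft",     "product": "Microsoft Windows", "connector": "wuc-01",    "received": NOW - 3 * H},
]

QUIET_AFTER = timedelta(hours=24)               # page: quiet = no events for more than 24 hours
QUIET_EXCLUSIONS = {("ExampleVendor", "EPO")}   # vendor/product pairs never flagged quiet (constructed)


def device_key(ev):
    """The panels key devices by IP address; fall back to host name only so the
    missing address can be reported rather than silently dropping the device."""
    return ev["ip"] or ev["host"]


def analyse(events, now=NOW, quiet_after=QUIET_AFTER, exclusions=QUIET_EXCLUSIONS):
    last_seen, connectors, vendor_product, missing_ip = {}, defaultdict(set), {}, set()
    for ev in events:
        key = device_key(ev)
        if not ev["ip"]:
            missing_ip.add(key)   # needs a host-file or map-file entry before it can be tracked
        last_seen[key] = max(last_seen.get(key, ev["received"]), ev["received"])
        connectors[key].add(ev["connector"])
        vendor_product[key] = (ev["vendor"], ev["product"])

    # Devices Reporting Last 24 Hours: anything seen inside the window.
    reporting = sorted(k for k, t in last_seen.items() if now - t <= quiet_after)
    # Devices Quiet: outside the window, unless the vendor/product pair is excluded.
    quiet = sorted(k for k, t in last_seen.items()
                   if now - t > quiet_after and vendor_product[k] not in exclusions)
    # Devices Duplicated Device Feed: same device arriving through more than one connector.
    duplicated = {k: sorted(c) for k, c in connectors.items() if len(c) > 1}

    return {
        "reporting_last_24h": reporting,
        "reporting_total_count": len(reporting),
        "quiet": quiet,
        "quiet_total_count": len(quiet),
        "duplicated_feed": duplicated,
        "needs_ip_mapping": sorted(missing_ip),
    }


if __name__ == "__main__":
    for name, value in analyse(EVENTS).items():
        print(f"{name}: {value}")
```

A device that reappears is removed from the quiet list on the next run simply because its last-seen time moves inside the window, which matches the page's description of Devices Quiet.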
This document outlines the network model and dashboard structures for monitoring devices in the ArcSight System Monitoring solution, specifically tailored for Windows devices. The system includes several panels designed to track device status and report events from these devices over the last 24 hours or total count of reporting devices. Key components include:
1. **Devices Reporting Last 24 Hours**: This panel displays all devices that have reported within the last 24 hours, providing a snapshot of active connections or activities across the network.
2. **Devices Reporting Last 24 Hours - Total Count**: A summary panel showing the total number of devices detected in this time frame, serving as an essential metric for overall system health and activity monitoring.
3. **Windows Device Status Dashboard**: This dashboard is specifically designed to highlight issues related to Windows devices, providing insights into potential problems or anomalies such as late events, quiet devices, or any other device status indicators relevant to the Windows environment.
4. **Windows/Devices Late Events and Total Count**: These panels focus on specific types of late events involving Windows devices, indicating delays in reporting or operations that could indicate issues requiring immediate attention.
5. **Windows/Devices Quiet and Total Count**: Panels dedicated to identifying "quiet" devices—those not actively reporting—and their total count, which can be indicators of potential device failures or network connectivity issues.
6. **Technical Support Resources**: The document provides a URL for technical support resources, directing users to the HP OpenView support portal where assistance can be sought regarding any issues encountered with the ArcSight System Monitoring solution, including Windows devices and configurations.
The panels are interconnected within the broader system monitoring framework of ArcSight solutions, designed to facilitate centralized management and troubleshooting of network-connected devices. The proprietary nature of this document is underlined by its copyright notice protecting the intellectual property rights of Hewlett-Packard Development Company, L.P., reflecting a commitment to maintaining competitive advantages in enterprise security software offerings.
The text confirms the availability of specific systems through the URL openview.hp.com/, requesting access confirmation. It provides support contact details for North America and EMEA regions, including a phone number and email address for technical assistance or issues related to accessing the mentioned systems. Additionally, it mentions that the information is proprietary and confidential, indicating its sensitivity, with copyright notices from Hewlett-Packard Development Company dated 2011.
