
ArcSight System Monitoring 3.0 Content

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 12 min read

Summary:

This post summarizes the updates and enhancements made to the ArcSight System Monitoring package, which focuses on improving its connector monitoring and device monitoring features. The content covers:

1. **Connector Monitoring**: The package now detects when connectors are down or are not receiving traffic properly, and alerts when events stop arriving at the logger interface. This keeps the connector status visible.

2. **Device Monitoring**: A new dashboard and new reports monitor device quiet times and late event arrivals. Devices that remain silent for more than 24 hours are considered quiet and trigger an alert, with additional notifications sent if they stay silent. A new device statistics dashboard shows the status of each device and whether its events are arriving on time; by default, events may be up to 20 minutes late before they are counted as late.

3. **Reports**: Reports cover quiet devices, down connectors, and WUC (Wireless Universal Command) devices that are not reporting events to a connector.

4. **Fixes and Improvements**: A bug in the ARB package was fixed where parts were left out during export and import across systems. The late event settings were configured according to the suggested configuration for better performance monitoring.

5. **Features Overview**:

  • Connector Monitoring covers the status of connectors: whether they are up or down, whether events are being cached properly, whether the cache is empty, whether events are dropping, and when a logger interface becomes dormant or a new connector is found.

  • Device Monitoring alerts on devices that have been quiet for more than 24 hours without activity, notifies of late-arriving events, and reports device status changes such as returning from quiet mode or the discovery of new devices.

  • Dashboards give visual representations of connectivity issues with connectors and of device performance.

  • Reports summarize system health, including devices not reporting events to connectors, down connectors, and WUC devices not sending event reports.

6. **Compatibility**: The package is not compatible with versions prior to 5.0 because of differences in global variable handling. Customers on older versions are advised to upgrade for full functionality of these features.

7. **Method of Delivery and Impact**: This content is a discussion thread on SharePoint, likely related to work or project updates around ArcSight (an IT monitoring tool). The thread includes comments from various team members discussing the usefulness of certain templates, checklists, or documentation. Feedback about a particular template used by Lisa Fiddler Moynihan was shared at the end of the discussion, and there are also comments on specific details in a document suggesting corrections or asking for clarifications.

This content is intended to help users configure, troubleshoot, and maintain ArcSight appliances and connectors for optimal performance in event management and data forwarding.

Details:

ArcSight System Monitoring 3.0 is software that helps users monitor and manage various content types such as blog posts, documents, discussions, questions, polls, ideas, events, videos, status updates, external activity, Exchange distribution lists, JIRA issue tracking, Jive Community, Bugzilla Product, Google Group, Evernote Notebook, Dropbox Folder, Salesforce Chatter, Yammer Group, Twitter Handle/List, RSS Feed, Facebook Fan Page, and more. This software can be used with Activate and is designed to work with MSSPs (Managed Security Service Providers). Some examples of content shared on this platform include:

  • ArcSight Default Content - Ideas & Input Needed Urgently by Emrah Alpa

  • Scissorhands or making our life easier with ESM logs by Daniel Bulai

  • ArcSight pricing, licensing and quoting Information by Ofer Shezaf

  • Syslog flexconnector for Huawei by Jesus Prieto

The platform is divided into sections such as Use Cases, FlexConnectors, ESM support team, and ArcSight. Users can bookmark content they find useful or interesting to access later, and can mark content with actions such as Reserved, Resolved, Outdated, for Action, Success, Helpful, Offic, etc.

This document was created by John Dickinson on February 29, 2012, and last modified by him on November 11, 2014. The content has been moved to Protect 724, where the latest version will be available. There have been several updates since its creation, including changes in the logger and connectors that affected some functionality, and improvements such as complete control of suppression for connectors, appliance monitoring (still under development), and identification of JVM restarts due to connector issues. Version 3.0 is almost ready for release with numerous improvements but will not require the base package of Activate when released on Protect 724, which requires at least the Activate base package starting from that version. The document also mentions some testing in a production environment and notes potential issues to be resolved before the final release.

This document is a changelog for an unspecified software or system, likely related to network management or device monitoring. The entries provide details about updates and corrections made over time, including bug fixes, improved functionality, and documentation updates. Here's a summary of the key points mentioned in the changelog:

  • **July 22, 2014:** Corrected a packaging problem.

  • **July 17, 2014:** Fixed an issue where devices were not being detected; version number changed to 2.1.2.

  • **March 21, 2014:** Attempted but failed to correct broken links in the content; corrected them later and tested import into a fresh system without issues.

  • **March 14, 2014:** Fixed some broken links within the content.

  • **April 2, 2014:** Corrected an error in the DSQuery Import Update rule which was causing NULL OS versions to be entered; tested in a live environment.

  • **March 31, 2014:** Updated documentation and corrected some errors in the content; tested in a live environment.

  • **Repackaged content** to fit the lightning folder structure.

  • **Updated flex** to support different feed types.

  • **Added support for notification control**, allowing individual devices and connectors to be controlled on how often they notify.

  • **November 21, 2013:** Updated documentation to include features added on November 14, 2013.

  • **November 14, 2013:** Clarified that the flex portion is optional and not required for functionality of the package; created a flex connector and script to populate the Devices Master List Import list.

  • **October 31, 2013:** Corrected zone confidence rules to avoid firing on themselves.

  • **October 17, 2013:** Corrected numerous spelling errors in the documentation.

These entries highlight improvements and corrections made to enhance the performance, usability, and accuracy of the system, along with updates to its documentation and optional features. I made changes to simplify the content for better user understanding and added more details about specific issues encountered during upgrades, connector naming, and notifications.

The text provided is a log documenting changes and fixes made to software or systems related to connectivity, notifications, and reporting features over several dates from July 2013 until August 2013. Key improvements include fixing connectors being displayed as "down" even when they were operational, updating the documentation for clearer guidance on using certain features, adding new reports such as event counts by device, by connector type, and by device/vendor, enhancing notification settings to prevent double notifications about connector status changes or events, improving the panel display of connector statuses and overall system health, and correcting bugs related to caching, device feed handling, zone confidence filters, and agent delivery attempts. The log also includes updates such as a Dashboard Status History feature for better oversight of recent events, integration of reports with query viewers, and enhancements to the Device Event Log Rotation functionality.

This document outlines changes and improvements for ArcSight System Monitoring (ESM) versions 5.0SP1, 5.2, Express 3.0, and 6.0c, emphasizing a shift to ArcSight System Monitoring 2.0 with enhanced features such as improved connector detection and MSSP support enhancements. Key changes include:

1. **Simplified Lists**: The user interface has been streamlined with reduced lists for easier navigation, focusing on critical information that requires direct action from users.

2. **Automatic Connector Detection**: Connectors are automatically detected if registered to the ESM; no manual restarts are required. Behind-the-logger connectors require a restart to fully register their details but still appear in the dashboard as "registered connector". If they need further details, they are marked as "restart connector".

3. **Improved MSSP Support**: Enhanced support for Managed Security Service Providers (MSSPs) allows attaching customers directly to connectors and using map files for multiple customer event collection. The package now detects how customers are attached and displays them accordingly in the dashboard.

4. **Functionality Enhancements**: There are several enhancements across the functionality of the content, particularly focusing on improving MSSP support and overall system performance through optimized rules and reduced unnecessary user interaction.

The document describes the process of updating the ArcSight System Monitoring package, renaming it "ArcSight System Monitoring 2.0," and improving its documentation with detailed instructions on installation, upgrade, and configuration. Key changes include simplifying functions, reducing package size, and enhancing documentation to cover new features and troubleshooting steps. The update also includes corrections to notification destinations and updates to the connector versions dashboard.

The document titled "Device_Quiet_Fix_5.2_and_up.arb" outlines a fix to be applied after installing ArcSight System Monitoring version 5.2 or later. This update focuses on improving clean-up in the Connector File Processing panels and addresses several bugs that affected the Device Quiet panel and other features:

1. **Bug Fixes:**

  • Fixed an issue where Device Quiet stopped working because of a misnamed list in its filter; corrected in version 5.2.

  • Resolved a bug with partial rule matches by updating the content.

  • Adjusted the filter for the Configuration Problems dashboard to fix bugs related to configuration issues.

  • Removed customer names from reports to reduce clutter and streamline information displayed on dashboards.

  • Simplified rule fires to minimize unnecessary data, improving dashboard readability.

  • Added more customer-specific details when used in MSSP setups to enhance identification within multi-tenant environments.

  • All notifications are disabled by default in the package due to initial environmental noise and must be manually enabled if desired.

  • Included customer data for better use in Managed Security Service Provider (MSSP) implementations, which aids in managing multiple clients efficiently.

  • Introduced a new dashboard that displays all connectors along with their versions, aiding in overall system monitoring and troubleshooting.

  • A rule to automatically clean up active lists, including deleted connectors, was added to maintain efficiency.

These changes aim to enhance the performance and usability of the ArcSight System Monitoring tool by addressing specific issues while improving the presentation and management of data within the platform.

The document outlines updates made to various components in ESM (Event Management System) for devices, such as connectors and network models. Key improvements include:

1. **Connector URI Details in Dashboard**: This feature provides the path within the ESM where the connector is registered, enhancing visibility and management of connected devices.

2. **Updated Network Model Confidence Panel**: The confidence level of the network model has been improved by fixing issues related to outdated versions being detected as current ones.

3. **Device Duplication Feed**: This feature now offers a drill-down option to view all connectors associated with a device, improving troubleshooting efficiency.

4. **WUC Discrepancy Fix**: A bug that incorrectly flagged some events as older version issues has been resolved, ensuring accurate event detection and management.

5. **Device Connection Down Panel**: This panel now only displays connectors experiencing down connections, with added drill-down functionality to show all affected hosts.

**Compatibility**: The updates apply from ESM 5.0 SP1 onwards and do not support earlier versions. Notably, the package works well with Express 3.0 but may require further testing for compatibility with version 5.0 or later (without guaranteed functionality).

**Version History**: Versions before August 24, 2012 are not compatible with the new features introduced in the package update of November 2, 2012. The latest version now supports direct connection without DNS resolution issues and is designed to be used with Express 3.0 and potentially higher (though untested for compatibility with ESM 5.0).

**New Features**: Among numerous other enhancements, the Network Model Confidence dashboard stands out by listing connectors where the network model is not functioning correctly, suggesting that configuration using a customer URI is crucial for optimal performance and accurate identification of network models. This update underscores ongoing efforts to improve system functionality and usability while maintaining compatibility within specific versions of ESM and related systems like Express 3.0 and higher.

This document outlines enhancements made to a software management system (ESM) that helps monitor connectors, including new features like detecting installed or deleted connectors, handling caching and returning from caching, and alerting for downed connectors. The content introduces maintenance ("maint") lists to prevent alerts during maintenance, notifies analysts every 4 hours if issues persist, and accounts for cached events without triggering unnecessary alerts. It also allows configuration of the age threshold (up to 1 day) for cached events that affect the up/down/caching rules. Additionally, dashboards and data monitors were updated to display accurate information even with a logger between the connector and the ESM. The package is not backwards compatible with versions prior to 5.0 because it uses global variables and simple rules that do not exist in older versions. The author does not plan to convert these elements into local variables for compatibility reasons; therefore, customers are advised to upgrade their systems if they wish to use this updated content.

The article outlines specific guidelines for ensuring reliable operation of a system involving ArcSight appliances and connectors. Key points include:

1. **Down/Caching Rules**: These rules are configured to account for cached events, preventing unnecessary firing unless the cache is older than one day; an administrator can adjust this threshold. This helps prevent a flood of alerts following the resolution of an issue.

2. **Device IP Addresses and DNS Configuration**: Ensure DNS is configured properly on all ArcSight appliances so that forward and reverse lookups work. Incorrect configuration may result in blank host names, which indicates a problem that must be resolved before the system operates reliably.

3. **Logger Issues Resolution**: If systems show IP addresses like 127.0.0.1 or 192.168.36.35, it signals a problem. These must be addressed for full functionality.

4. **Multiple Destination Events**: When sending events to more than one destination (e.g., a logger, a second logger, and the ESM), apply specific filters:

  • At the logger forwarder: apply the filter `^CEF:0\|ArcSight`.

  • At the ESM on the logger connector: Ensure deviceVendor ≠ "ArcSight" to prevent duplicate or triplicate events.
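The two-stage filter from the item above, as an added example written for this page rather than code from the ArcSight package (which applies these filters inside Logger and ESM, not in Python): stage 1 applies the `^CEF:0\|ArcSight` regex the way the Logger forwarder filter would, and stage 2 applies the deviceVendor check the way the ESM filter on the Logger connector would. The CEF header parser and the sample feed are constructed here.

```python
import re
from typing import Optional

# Filter the page recommends at the Logger forwarder: drop events ArcSight
# components generate about themselves, so they are not forwarded to the
# ESM a second time.
ARCSIGHT_SELF_EVENT = re.compile(r"^CEF:0\|ArcSight")

CEF_HEADER_KEYS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                   "signatureId", "name", "severity", "extension"]


def parse_cef_header(line: str) -> Optional[dict]:
    """Split a CEF line into its 7 header fields plus the extension.
    Pipes escaped as \\| inside a header field are honoured. Returns None
    for anything that is not a complete CEF header."""
    if not line.startswith("CEF:"):
        return None
    fields = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(fields) != 8:
        return None
    return {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_KEYS, fields)}


def logger_forwarder_filter(line: str) -> bool:
    """Stage 1, Logger forwarder: True = forward the raw line, False = drop."""
    return ARCSIGHT_SELF_EVENT.search(line) is None


def esm_logger_connector_filter(event: dict) -> bool:
    """Stage 2, ESM on the Logger connector: keep only events whose
    deviceVendor is not ArcSight (the page's deviceVendor != "ArcSight")."""
    return event.get("deviceVendor") != "ArcSight"


def forward_pipeline(raw_lines):
    """Run raw lines through both stages; return the events the ESM ingests."""
    delivered = []
    for line in raw_lines:
        if not logger_forwarder_filter(line):
            continue                       # dropped at the forwarder
        event = parse_cef_header(line)
        if event is None:
            continue                       # not CEF, nothing to route
        if esm_logger_connector_filter(event):
            delivered.append(event)
    return delivered


# Constructed sample feed (not from the page): a Cisco event, an ArcSight
# connector-status event that would otherwise loop back into the ESM, a
# vendor name containing an escaped pipe, and a non-CEF syslog line.
SAMPLE_FEED = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|src=10.0.0.5 dst=10.0.0.9",
    "CEF:0|ArcSight|ArcSight|6.0|agent:030|Agent [syslog] started|1|",
    "CEF:0|Acme\\|Corp|Gateway|1.0|42|Login ok|3|suser=alice",
    "<134>Apr  8 12:00:00 host sshd[1]: not a CEF line",
]

if __name__ == "__main__":
    for ev in forward_pipeline(SAMPLE_FEED):
        print(ev["deviceVendor"], "->", ev["name"])
```

Stage 2 is the backstop: an ArcSight event that reaches the ESM by a path the forwarder regex does not cover is still dropped by the deviceVendor check.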

5. **Updating Dashboards and Data Monitors**: These should be updated to reflect accurate information, with no blank fields.

6. **System Monitoring Content Updates**: All related device and connector monitoring updates are integrated into the ArcSight System Monitoring package for comprehensive device detection, status tracking, and maintenance management.

In summary, this content provides detailed steps to configure, troubleshoot, and maintain a system involving ArcSight appliances and connectors for optimal performance in event management and data forwarding.

The text discusses enhancements and features implemented in a software system, specifically for monitoring devices and connectors and keeping them from triggering alerts when they are in maintenance mode. Key points include:

1. **Connector Monitoring**: The system now detects if a connector is down or not receiving traffic properly, providing an alert when events stop coming into the logger interface. This helps maintain visibility of the connector status.

2. **Device Monitoring**: Introduced a new dashboard and reports to monitor device quiet times and late event arrivals. Devices are considered quiet after 24 hours of silence, which triggers an alert; if they remain quiet beyond this, additional notifications are sent.

3. **Dashboards**: A new dashboard for device statistics shows the status of devices and whether events are arriving on time. The default setting allows up to 20 minutes of delay before an event is considered late.

4. **Reports**: Generates reports on quiet devices, down connectors, and WUC (Wireless Universal Command) devices not reporting events to a connector.

5. **Fixes and Improvements**: A bug in the ARB package was fixed where parts were left out during export and import across systems. The late event settings were configured based on the suggested settings for better performance monitoring.

6. **Features Overview**:

  • **Connector Monitoring**: Includes status of connectors, whether they are up or down, if events are being cached properly, if the cache is empty, if events are dropping, and when a logger interface becomes dormant or a new connector is found.

  • **Device Monitoring**: Alerts for devices that have been quiet for 24 hours (or more) without activity, notifications of late-arriving events, and updates on device status changes like returning from quiet mode or finding new devices.

  • **Dashboards**: Visual representations of connectivity issues with connectors and device performance.

  • **Reports**: Detailed summaries of system health including devices that are not reporting events to connectors, down connectors, and WUC devices not sending event reports.
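The quiet-device and late-event thresholds from the Device Monitoring bullet above (24 hours of silence, 20 minutes of lag), combined with the maintenance-list suppression and 4-hourly re-notification the document describes for persistent connector problems, as an added Python example written for this page; it is not content from the ArcSight package, whose rules run inside ESM. It generalizes the 4-hour re-notification from connectors to devices, and the device names and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

QUIET_AFTER = timedelta(hours=24)     # page default: device is quiet after 24 h
LATE_AFTER = timedelta(minutes=20)    # page default: event is late after 20 min
RENOTIFY_EVERY = timedelta(hours=4)   # page: re-notify every 4 h while it persists


@dataclass
class DeviceMonitor:
    """Tracks per-device last receipt time and raises (kind, device, ...) alerts."""
    maint_list: set = field(default_factory=set)    # devices under maintenance
    last_seen: dict = field(default_factory=dict)   # device -> last receipt time
    quiet: set = field(default_factory=set)         # devices currently quiet
    last_notified: dict = field(default_factory=dict)

    def on_event(self, device: str, device_time: datetime, receipt_time: datetime):
        """Process one event; returns the alerts it raises."""
        alerts = []
        if device not in self.last_seen:
            alerts.append(("new", device))
        if device in self.quiet:                      # back after a quiet period
            self.quiet.discard(device)
            self.last_notified.pop(device, None)      # next quiet period alerts at once
            alerts.append(("returned", device))
        self.last_seen[device] = receipt_time
        lag = receipt_time - device_time
        if lag > LATE_AFTER and device not in self.maint_list:
            alerts.append(("late", device, int(lag.total_seconds() // 60)))
        return alerts

    def check_quiet(self, now: datetime):
        """Periodic sweep: alert on devices silent longer than QUIET_AFTER,
        skip maintenance devices, and repeat only every RENOTIFY_EVERY."""
        alerts = []
        for device, seen in self.last_seen.items():
            if device in self.maint_list or now - seen <= QUIET_AFTER:
                continue
            self.quiet.add(device)
            prev = self.last_notified.get(device)
            if prev is None or now - prev >= RENOTIFY_EVERY:
                self.last_notified[device] = now
                alerts.append(("quiet", device))
        return alerts


def run_scenario():
    """Constructed scenario (not from the page): three devices, one in maintenance."""
    t0 = datetime(2025, 4, 8, tzinfo=timezone.utc)
    mon = DeviceMonitor(maint_list={"fw-maint"})
    out = []
    out += mon.on_event("fw-edge", t0, t0 + timedelta(minutes=5))
    out += mon.on_event("ids-core", t0, t0 + timedelta(minutes=45))  # 45 min late
    out += mon.on_event("fw-maint", t0, t0 + timedelta(minutes=60))  # late, but in maintenance
    for hours in (12, 25, 27, 29):           # sweeps: nothing, quiet, throttled, re-notify
        out += mon.check_quiet(t0 + timedelta(hours=hours))
    t30 = t0 + timedelta(hours=30)
    out += mon.on_event("fw-edge", t30, t30 + timedelta(minutes=1))   # fw-edge returns
    out += mon.check_quiet(t0 + timedelta(hours=33))                  # ids-core still quiet
    return out


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```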

7. **Compatibility**: The software version discussed is not compatible with versions prior to 5.0 due to differences in global variable handling. Customers with older versions are advised to upgrade for full functionality of these features.

The text concludes by noting the method of delivery and the number of views this content has received, and by tagging it under categories such as "arcsight" and "network."

This content is a discussion thread on a SharePoint platform, likely related to work or project updates around "ArcSight," which appears to be an IT monitoring tool used in professional services at HP Enterprise Security Products (ESP). The thread includes comments from various team members and professionals discussing the usefulness of certain templates, checklists, or documentation labeled with terms like "system asset_modeling" and "monitoring." The discussion is marked as final, which means no further input is expected. Comments include positive feedback about a particular template used by Lisa Fiddler Moynihan, who shares her contact information at the end of the thread. Other comments focus on specific details in a document, suggesting corrections or asking for clarifications, while some express appreciation for the effort put into maintaining and updating content related to system monitoring tools like ArcSight.

The document "ArcSight System Monitoring Content + arb (With MSSP Customer Support)," modified by John Dickinson, has been shared at https://irock.jiveon.com/docs/DOC-6142. It provides information about monitoring and managing an ArcSight environment, including configuration problems that users should be aware of. John Dickinson, who is part of Professional Services - Enterprise Business Software - Security at HP, has shared this document with the community and encourages anyone to report bugs or errors for correction. Donald Chapell noticed a small spelling error and informed John Dickinson, who fixed it promptly. The document also contains links to related content such as "ArcSight System Monitoring 4.0" and "UBS-Health-Monitoring-Implementation-Report-V1.3.docx".

The page header comes from the ArcSight product site and suggests that it works in conjunction with another service called "Activate." The main purpose of this tool appears to be mapping use cases to their solution offerings. The page carries Jive Software's branding and version information at the bottom, along with navigation links such as Home, Top of page, and Help.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
