# ArcSight System Monitoring with MSP Customer Support
- Pavan Raja

- Apr 8, 2025
- 11 min read
Summary:
This update to the ESM (Enterprise Security Manager) content introduces several key changes aimed at enhancing the monitoring and alerting capabilities for connectors, as well as improving overall system efficiency. The new version includes updates to dashboards and data monitors that provide more detailed information on connector status, and it is only compatible with versions after 5.0 because it relies on global variables and rules specific to those versions.
### Key Features of the Update:
1. **Comprehensive Monitoring and Alerting:**
   - Dashboards and data monitors are updated to reflect accurate information without blank fields, allowing better visibility into connector status.
   - Connectors on the maintenance lists do not raise alerts while they are being actively serviced.
   - Connectors with an ongoing issue are re-notified every 4 hours, ensuring timely attention to persistent problems.
   - The content accounts for cached events that can trigger rules when a connector has been down for more than 24 hours, particularly when the cached events are older than 1 day (configurable).
2. **Compatibility and System Requirements:**
   - The new version is not backward compatible with previous versions (pre-5.0) because of changes in global variables and rules; customers are advised to upgrade their systems to take advantage of the enhanced features.
   - DNS must support forward and reverse lookups across all ArcSight appliances, regardless of hardware type, to ensure proper network configuration.
   - Correct IP addressing is crucial; if loopback or specific internal IPs (such as 127.0.0.1 or 192.168.36.35) are encountered, refer to article KM1271768 for resolution steps.
   - A working network model is essential for the proper functioning of the system.
### Implementation and Functionality:
1. **Filtering for Multiple Destinations:** When forwarding events from a connector to multiple destinations (such as Logger and ESM), apply filters at both the Logger forwarder and the ESM on the Logger connector to avoid duplication or triplication of events, using criteria like `deviceVendor != "ArcSight"` when forwarding to ESM.
2. **Device Monitoring:** The system detects changes in device status such as new devices, devices that have stopped sending data, and those that remain quiet or return from silence. Alerts are designed to minimize unnecessary notifications during maintenance mode for connectors and devices.
3. **Dashboard and Statistics:** A new dashboard displays the status of devices, caching status in connectors, and latency of event delivery to ESM. Customization is available via global or rule-specific variables; the default setting for late events is 20 minutes and can be adjusted to specific needs.
4. **Reporting:** Down connectors and quiet devices are highlighted in reports, providing a clear overview of system health and potential issues.
5. **Bug Fixes and Testing:** A bug that caused the ARB package to leave out parts during export has been fixed, with thorough testing in a new environment to ensure smooth import and export.
6. **Late Event Settings:** Configuration for late events is set up according to the recommended settings to ensure a timely response to potential issues within the system.
### Conclusion:
This update to the ESM content introduces an enhanced monitoring solution focused on maintaining overall system efficiency and responsiveness through improved device and connector monitoring, updated dashboards, and detailed reporting. It emphasizes the importance of upgrading systems to take advantage of these new features and highlights the compatibility requirements for proper functionality.
Details:
The document titled "ArcSight System Monitoring 2.1.2 Content + arb (With MSSP Customer Support)" is a version-controlled, regularly updated document focused on enhancing system monitoring capabilities within the ArcSight platform. It includes improvements such as correcting bugs related to device detection and addressing broken links that were initially resolved but resurfaced in subsequent tests. The content has undergone multiple revisions, including corrections of errors in the DSQuery Import rule and documentation updates to improve usability and functionality, while ensuring compatibility with different environments and feed types. Notably, updates have also been made to support notification controls across devices and connectors within the system.
The documentation has undergone several updates and enhancements since its initial creation on September 4, 2013. Key changes include adding functionality for controlling notification frequency through a flex connector, which is optional but not essential for basic package operation. On November 14, 2013, the document was updated to introduce a new feature where the system automatically populates a Devices Master List Import list, which is used on the Devices dashboard to identify non-reporting servers. This list can be fine-tuned using Organizational Units (OUs) and later utilized to populate Wireless User Catalogs (WUCs). Servers' details such as name, IP address, and version are included in this list.
Additionally, updates were made on November 21, 2013, addressing issues like the correction of zone confidence rules that could trigger notifications unintentionally and correcting numerous spelling errors. On October 31, 2013, support for whitelisting specific vendors or products from the Devices Quiet List was added to prevent certain products (like EPO) from being reported as devices.
A significant update on October 17, 2013, involved simplifying configuration options by allowing only one destination per connector and recommending the use of filter outs instead of style filters for better performance in handling multiple vendor/product types, such as syslog. It is crucial to set the connector destination settings list according to the manual instructions to ensure proper functionality.
Finally, on September 4, 2013, the capability to name connectors behind the logger was added, although this naming function may occasionally yield incorrect results due to potential duplicate names across different connectors.
Between August 12, 2013, and August 28, 2013, I observed several issues and improvements in connector functionality and notifications. The main issue involved new connectors incorrectly representing their host name as an IPv6 address, a cosmetic bug specific to version 6.0.4 (it worked fine in previous versions). To resolve this, the correct hostname should be displayed within brackets [] when the name is guessed from the destination registered to the manager.
Additionally, there was an issue with upgrading packages where parts of the package might not upgrade during installation of a newer version if the package was already installed. This problem could be resolved by simply removing and reinstalling the package. During this process, I also converted more variables to global variables and optimized several filters in rules to decrease unnecessary fires.
Another improvement involved correcting an issue where connectors were falsely reported as "down" even when they were operational. To address this, a new connector status green/red light panel was added for quicker display of connector status compared to the query viewer.
Notably, reports for event counts based on devices, connector types, and device vendors were introduced starting from August 14, 2013. Lastly, an enhancement was made to notifications by allowing users to disable specific destination-based notifications, preventing double notifications when connectors are stopped or started. This feature was detailed in the documentation for implementation instructions.
The document outlines various updates and corrections made to ArcSight System Monitoring (ESM) software versions from July 2013 to August 2013. Key changes include updating documentation, improving caching panel functionality, adding a Dashboard Status History feature, fixing issues with connector ID detection, enhancing device event log rotation, correcting bugs in the configuration dashboard, and adjusting notifications for customers. Notably, ArcSight System Monitoring 2.0 was introduced as a replacement for previous versions, featuring improved performance and optimization of content without user interaction. Connectors are now automatically detected if registered to ESM, eliminating the need for restarts or additional steps from users.
The new version of ArcSight System Monitoring (ArcSight_System_Monitoring_6.0cFULL.arb) is a complete rewrite and now goes by the name ArcSight System Monitoring 2.0. This update consolidates the functions required from versions prior to 5.2, integrates previous add-on features into the base package, reduces the size of the package, and minimizes overhead on the Enterprise Security Manager (ESM). The upgrade eliminates the need for patches when used with ESM versions 5.2, 3.0 Express, and up.
The documentation has been completely rewritten to include detailed information about new features such as MSSP support, and how to install, upgrade, and configure the configurable components. In terms of MSSP support, if a customer is a Managed Security Service Provider (MSSP), the connector attaches the customer directly to the event, tagging it appropriately. In some cases, however, a map file may be necessary to attach customers. The updated system automatically detects how customers are attached and displays them correctly in dashboards.
One of the significant improvements is the MSSP support which allows an MSSP to attach a customer to the connector, facilitating event collection from multiple customers using a single connector. This feature now detects how customers are attached and displays the correct customer details in the dashboard. The documentation has been re-written to provide comprehensive guidance on installing, upgrading, configuring, and utilizing these new features effectively.
This document outlines several updates and fixes applied to an ArcSight System Monitoring (ESM) tool, focusing on enhancing connector management and performance improvements for better user experience. Key highlights include:
1. **Enhancements in Connector Management**:
   - Updated the Connector URI data to display the logger's hostname even when connectors are behind it. This helps in tracking event sources more effectively.
   - The Configuration Problems dashboard was improved to specifically show only those connectors that are registered but sending events through loggers, thus clarifying the status of these connectors.
2. **Performance Improvements**:
   - A fix for the Device Quiet panel has been applied (though not in version 5.0 SP1) to address issues with null fields being populated as "null". This issue is resolved in version 5.2, and users are advised to apply this version or its corresponding fix.
   - Improved clean-up processes in the Connector File Processing panels for better system performance.
3. **Bug Fixes**:
   - A bug related to filtering on quiet devices was fixed where a list had been renamed without updating the filter settings, causing some devices to stop functioning as expected.
   - Additional drill-downs and tuning were implemented to reduce unnecessary rule firings in version 5.2.
4. **Update Instructions**:
   - For users who have already applied fixes or updates, specific instructions are provided on how to remove the fix before updating the ArcSight System Monitoring content, then reapply the fix after the update.
5. **Release Notes**:
   - Release dates for these changes (e.g., March 8, 2013) and future releases or updates that might address related issues are noted.
This document serves as a guide to ensure smooth operation of the ArcSight System Monitoring tool by addressing known issues and enhancing its functionality through regular updates and fixes.
Between August 24, 2012, and February 11, 2013, various updates were made to the ArcSight package with a focus on enhancing functionality for MSSP implementations. Key changes include fixing bugs in filters and Configuration dashboard issues (January 16, 2013), removing customer names from reports (December 12, 2012), adding additional customer information for Managed Security Service Providers (MSSPs) (December 1, 2012), and introducing new dashboards showing all connectors and their versions. Enhancements to the network model confidence panel, device duplicated feed, WUC discrepancy, and device connection down panel were also implemented in November 2012, with corrections for detection issues of older-version events (November 2, 2012). The package was updated to include connector URI details on a dashboard.
A notable mention is that all notifications within the package are initially disabled by default due to most environments being noisy until issues are resolved; they can be enabled by adjusting notification settings in the rule or through the ArcSight Administrators group (December 10, 2012). The updated content supports ESM 5.0 SP1, Express 3.0, and ESM 5.2 but does not support older versions like ESM 5.0 GA. A newer version includes many new features and dashboards, reflecting suggestions from users.
The document describes an update to the package concerning DNS resolution for connectors, which must still resolve in DNS regardless of the software version, whether Express 3.0 or upcoming versions such as 5.0. This update is compatible with Express 3.0 and likely Express 5.0, since version-specific properties were removed for better compatibility.
Key new features include a Network Model Confidence dashboard that lists connectors whose network model might not be functioning correctly, requiring a configured customer URI for accurate identification. The package also introduces enhanced monitoring of connector status changes including installation, deletion, caching, return from caching, and connectivity issues like being down or back up. It includes maintenance lists to prevent alerts during active work on connectors and adjusts the notification frequency for ongoing issues based on cached events.
The update does not aim to make the software backwards compatible by converting global variables into local ones but recommends customers upgrade to newer versions due to differences in global variables and rules that are specific to versions pre-5.0. The package includes improvements such as updating dashboards and data monitors, which now provide more detailed information on connector statuses.
The document outlines the update to a new version of the ESM (Enterprise Security Manager) content that includes comprehensive monitoring and alerting features for connectors, ensuring proper information flow even with intervening loggers. It emphasizes compatibility with versions after 5.0, highlighting new global variables and rule structures not present in previous versions. The content is designed to detect the various states of a connector such as installation, deletion, caching, return from cache, down, and up.
Key features include:
1. Monitoring connectors in maintenance lists to avoid alerts during active servicing.
2. Re-notification every 4 hours if the connector continues to experience issues.
3. Consideration for cached events that can trigger rules when a connector is down more than 24 hours, especially if cached events are older than 1 day (configurable).
4. Updates to dashboards and data monitors to reflect accurate information, with no blank fields.
To ensure functionality:
- DNS must support forward and reverse lookups across all ArcSight appliances, regardless of hardware type.
- Correct IP addressing must be used; if receiving loopback or specific internal IPs (127.0.0.1 or 192.168.36.35), refer to article KM1271768 for resolution.
- A working network model is mandatory.
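A quick way to verify the first two requirements before installing the content is to check that every appliance name resolves, that the address it resolves to is not one of the problem addresses the page names, and that the reverse record points back at the same name. This is an added example, not part of the ArcSight package; the hostnames and the DNS answers in the demo are constructed, and the resolver functions are injectable so the check runs offline.

```python
"""Forward/reverse DNS consistency check for ArcSight appliances.
Added example; hostnames and answers in demo() are constructed."""
import ipaddress
import socket

# The two addresses the page calls out as symptoms (see article KM1271768).
BAD_ADDRESSES = {"127.0.0.1", "192.168.36.35"}


def _norm(name):
    return name.lower().rstrip(".")


def check_appliance(hostname, resolve_forward, resolve_reverse):
    """Return a list of problems for one appliance (empty list means OK)."""
    problems = []
    try:
        addr = resolve_forward(hostname)
    except OSError:
        return [f"{hostname}: forward lookup failed"]
    if addr in BAD_ADDRESSES or ipaddress.ip_address(addr).is_loopback:
        problems.append(f"{hostname}: resolves to {addr}; see KM1271768")
    try:
        rname = resolve_reverse(addr)
    except OSError:
        problems.append(f"{hostname}: no reverse record for {addr}")
        return problems
    if _norm(rname) != _norm(hostname):
        problems.append(f"{hostname}: reverse of {addr} is {rname}, not {hostname}")
    return problems


def check_all(hostnames,
              resolve_forward=socket.gethostbyname,
              resolve_reverse=lambda a: socket.gethostbyaddr(a)[0]):
    """Check every appliance; defaults use the system resolver."""
    return {h: check_appliance(h, resolve_forward, resolve_reverse) for h in hostnames}


def demo():
    """Constructed DNS data standing in for a real resolver."""
    forward = {
        "esm01.example.com": "10.1.2.10",      # correct
        "logger01.example.com": "10.1.2.20",   # reverse points at an old name
        "conn01.example.com": "127.0.0.1",     # loopback: the KM1271768 symptom
        "conn02.example.com": "10.1.2.30",     # no PTR record at all
    }
    reverse = {
        "10.1.2.10": "esm01.example.com",
        "10.1.2.20": "logger-old.example.com",
        "127.0.0.1": "localhost",
    }

    def fwd(host):
        if host in forward:
            return forward[host]
        raise socket.gaierror("constructed NXDOMAIN")

    def rev(addr):
        if addr in reverse:
            return reverse[addr]
        raise socket.herror("constructed missing PTR")

    return check_all(forward, fwd, rev)


if __name__ == "__main__":
    for host, problems in demo().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Against live DNS, call `check_all(["esm01.example.com", ...])` with the defaults; any non-empty list is a configuration to fix before expecting the connector dashboards to identify appliances correctly.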
The document advises that the new version does not support backward compatibility and recommends upgrading customers' systems to benefit from these enhanced features.
The document outlines steps to ensure proper functionality of both device and connector monitoring within a system, specifically focusing on ArcSight's capabilities.
1. **Filtering for Multiple Destinations**: When sending events to more than one destination from a connector (e.g., Logger and ESM), it is crucial to apply filters at the Logger forwarder and the ESM on the Logger connector to prevent duplication or triplication of events. The filter should be tailored to exclude events intended for the other destination, specifically using `deviceVendor != "ArcSight"` as a criterion when forwarding to the ESM.
2. **Device Monitoring**: This involves detecting changes in device status such as new devices, devices that have gone quiet (stopped sending data), and those that continue to be quiet or return from silence. Alerts are designed to avoid unnecessary notifications during maintenance mode for connectors and devices. An alert is triggered if a connector stops receiving traffic, indicating potential issues with the logger interface.
3. **Dashboard and Statistics**: A new dashboard was added to display device status and latency of event delivery to the ESM, which can be customized via global or rule-specific variables. The default setting for late events is set at 20 minutes; this time variance can be adjusted according to specific needs.
4. **Reporting**: Down connectors and quiet devices are highlighted in reports, providing a clear overview of system health and potential issues.
5. **ARB Package Issues**: A bug was fixed where the ARB package might leave out parts during export. The package has been thoroughly tested in a new environment to ensure smooth import and export capabilities.
6. **Late Event Settings**: Configuration for late events is set up according to recommended settings, ensuring timely response to potential issues within the system.
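The device-side logic described in items 1 to 3 and 6 above (new device, device quiet for 24 hours, device returned from quiet, late events beyond the 20-minute default, the vendor/product whitelist for the quiet list mentioned in the change history, and the `deviceVendor != "ArcSight"` exclusion) can be put together as follows. This is an added example for this page, not code from the ArcSight content; the device addresses, vendors, timestamps and the whitelisted ePO product pair are constructed.

```python
"""Device monitoring modelled on the page: new device, quiet 24 hours,
returned from quiet, late events, quiet-list whitelist and the
deviceVendor != "ArcSight" filter. Added example; data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

QUIET_AFTER = timedelta(hours=24)        # page: "Device Quiet - 24 Hours"
LATE_THRESHOLD = timedelta(minutes=20)   # page: default late-event setting
QUIET_WHITELIST = {("McAfee", "ePO")}    # assumption: pairs excluded from the quiet list


@dataclass
class Event:
    end_time: datetime        # when the device says it happened
    receipt_time: datetime    # when ESM received it
    device_address: str
    device_vendor: str
    device_product: str


@dataclass
class DeviceMonitor:
    last_seen: dict = field(default_factory=dict)   # address -> last receipt time
    product: dict = field(default_factory=dict)     # address -> (vendor, product)
    quiet: set = field(default_factory=set)
    maintenance: set = field(default_factory=set)
    alerts: list = field(default_factory=list)      # (when, address, message)
    late_events: int = 0

    def ingest(self, ev):
        """Feed one event; returns False if it was filtered out."""
        if ev.device_vendor == "ArcSight":
            return False   # the page's forwarding filter: ArcSight's own events
        if ev.receipt_time - ev.end_time > LATE_THRESHOLD:
            self.late_events += 1     # delivery latency over the configured limit
        addr = ev.device_address
        if addr not in self.last_seen:
            self._alert(ev.receipt_time, addr, "New Device")
        elif addr in self.quiet:
            self.quiet.discard(addr)
            self._alert(ev.receipt_time, addr, "Device Returned from Quiet")
        self.last_seen[addr] = ev.receipt_time
        self.product[addr] = (ev.device_vendor, ev.device_product)
        return True

    def check_quiet(self, now):
        """Periodic sweep for devices that stopped sending."""
        for addr, last in self.last_seen.items():
            if addr in self.quiet or addr in self.maintenance:
                continue
            if self.product[addr] in QUIET_WHITELIST:
                continue   # e.g. a product that legitimately sends rarely
            if now - last >= QUIET_AFTER:
                self.quiet.add(addr)
                self._alert(now, addr, "Device Quiet - 24 Hours")

    def _alert(self, ts, addr, msg):
        if addr in self.maintenance:
            return   # device under maintenance: no notification
        self.alerts.append((ts, addr, msg))


def demo():
    """Constructed day-and-a-bit of traffic from a firewall, an ePO server
    and one ArcSight internal event. Returns the monitor for inspection."""
    t0 = datetime(2013, 8, 14, 8, 0)
    d = timedelta
    mon = DeviceMonitor()
    for ev in [
        Event(t0, t0 + d(minutes=1), "10.0.0.1", "Cisco", "ASA"),
        Event(t0, t0 + d(minutes=1), "10.0.0.2", "McAfee", "ePO"),
        Event(t0, t0 + d(minutes=1), "esm-manager", "ArcSight", "ArcSight"),
        # arrives 30 minutes after it happened: counted as late
        Event(t0 + d(hours=1), t0 + d(hours=1, minutes=30), "10.0.0.1", "Cisco", "ASA"),
    ]:
        mon.ingest(ev)
    mon.check_quiet(t0 + d(hours=26))   # firewall silent 24.5 h; ePO whitelisted
    mon.ingest(Event(t0 + d(hours=27), t0 + d(hours=27), "10.0.0.1", "Cisco", "ASA"))
    return mon


if __name__ == "__main__":
    m = demo()
    for when, addr, msg in m.alerts:
        print(when, addr, msg)
    print("late events:", m.late_events)
```

The sweep fires "Device Quiet - 24 Hours" for the firewall but not for the whitelisted ePO server, the firewall's next event produces "Device Returned from Quiet", the ArcSight internal event never enters the device model, and exactly one event is counted as late.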
The document concludes by highlighting that all these changes are part of an integrated device and connector monitoring solution aimed at maintaining overall system efficiency and responsiveness.
This document outlines various statuses and features in a system called ArcSight System Monitoring (ESM), which is used to monitor connectors, devices, dashboards, and reports. The connector monitoring includes the following states: "Connector Up," "Connector Down," "Connector Caching," "Connector Cache Empty," "Connector Dropping Events," "Logger Interface Dormant," and "New Connector Found." Device monitoring features include events such as "Device Quiet - 24 Hours" and "Device Returned from Quiet." Dashboards display information like the status of connectors, caching status, and devices. Reports cover topics such as devices quiet, down connectors, and WUC devices not reporting events to connectors. The document also mentions that this version of ESM is not compatible with previous versions (pre-5.0) due to global variables specific to later versions. Lastly, the document provides information on attachments including late event time settings, a zip file containing system monitoring details, another zip file in different versions, and an image file related to connector status.