
ArcSight ESM - Active Channel Odd Issue/Bug

Hi, everyone. I'm facing an odd issue with active channels in ArcSight ESM 6.9.1. I have a connector named "MISPtoCEF". When I create an active channel directly from the connector, using the "create channel with filter" option,

[screenshot]

I get these logs:

[screenshot]

I have logs from deviceVendor DiSIEM. However, when I try to create an active channel with the exact same condition and time range, I can only get the logs originating from ArcSight.

[screenshot]

You can confirm that the DiSIEM logs are missing. Please help me troubleshoot this odd issue; I have no clue about what may be causing this problem.

  • The first channel appears to be sorted by "Manager Receipt Time" and the second by "End Time". Try editing your channel and change the timestamp and sort order to Manager Receipt Time.

  • Verified Answer

    Hi Ricardomaia,

    It is exactly what the other community member noticed, but if you check your logs more precisely, you will see that the deviceVendor logs (not ArcSight) are past events, as there is a huge difference between ManagerReceiptTime and EndTime.

    Either you have a time config issue, or those events are cached logs you retrieved the first time you started the connector.

    Because, sincerely, I have never seen such an issue with ESM v6.9.1; it was just about which time you used, and the logs you collect are very old and not real-time.

    The best test is to set your Active Channel time parameters to "Continuously evaluate" and choose "last 10 min".

    Thanks
    Regards

    Michael
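To make the timestamp point above concrete, here is an added Python illustration (not code from this thread, from ArcSight, or from the connector). It models a continuously evaluated "last 10 min" channel keyed on either of the two ESM event fields the answer mentions, endTime and managerReceiptTime, and adds a simple lag check. The events and their values are constructed for the example; the "DiSIEM" rows are hypothetical replayed or clock-skewed events whose endTime is days older than the time the manager received them.

```python
from datetime import datetime, timedelta, timezone

# Reference "now" for the constructed sample (all times UTC).
NOW = datetime(2018, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def minutes_ago(minutes, seconds=0):
    """Helper for building constructed timestamps relative to NOW."""
    return NOW - timedelta(minutes=minutes, seconds=seconds)


# Constructed events, not data from the thread. Each carries the two ESM
# timestamps the answer refers to: endTime (when the event happened, as
# reported by the source) and managerReceiptTime (when the ESM manager
# stored it). ArcSight's own events are fresh; the hypothetical "DiSIEM"
# events arrive now but describe activity from days earlier, as replayed
# cache or clock-skewed sources would.
EVENTS = [
    {"name": "agent heartbeat", "deviceVendor": "ArcSight",
     "endTime": minutes_ago(2, 1), "managerReceiptTime": minutes_ago(2)},
    {"name": "connector status", "deviceVendor": "ArcSight",
     "endTime": minutes_ago(5, 2), "managerReceiptTime": minutes_ago(5)},
    {"name": "misp indicator 1", "deviceVendor": "DiSIEM",
     "endTime": minutes_ago(3 * 24 * 60), "managerReceiptTime": minutes_ago(1)},
    {"name": "misp indicator 2", "deviceVendor": "DiSIEM",
     "endTime": minutes_ago(10 * 24 * 60), "managerReceiptTime": minutes_ago(4)},
]


def channel_window(events, time_field, window=timedelta(minutes=10), now=NOW):
    """Names of events whose `time_field` lies in the last `window` before `now`.

    Models an active channel evaluated continuously over "last 10 min":
    the channel keeps an event only if the chosen timestamp field falls
    inside the window, so the same filter selects different rows
    depending on whether it is keyed on endTime or managerReceiptTime.
    """
    start = now - window
    return [e["name"] for e in events if start <= e[time_field] <= now]


def skewed_events(events, max_lag=timedelta(minutes=5)):
    """Return (name, lag) for events whose endTime lags managerReceiptTime by more than max_lag.

    A large positive lag is the symptom the answer describes: either the
    source clock is wrong or the connector is replaying old cached events.
    """
    flagged = []
    for e in events:
        lag = e["managerReceiptTime"] - e["endTime"]
        if lag > max_lag:
            flagged.append((e["name"], lag))
    return flagged


if __name__ == "__main__":
    print("by managerReceiptTime:", channel_window(EVENTS, "managerReceiptTime"))
    print("by endTime:           ", channel_window(EVENTS, "endTime"))
    for name, lag in skewed_events(EVENTS):
        print(f"{name}: endTime lags manager receipt by {lag}")
```

Keyed on managerReceiptTime all four events land in the window; keyed on endTime only the two ArcSight events do, which is exactly the difference between the two channels in the screenshots. The lag check is the quick way to tell which sources need their clock or connector caching looked at before trusting any time-windowed channel or rule on them.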

  • in reply to

    As you mentioned, the difference between manager receipt time and end time was a problem that I had not noticed. However, somehow, to get things working I had to change the connector to log "DiSIEM" also in the fileType ArcSight field, and then I applied a filter on fileType instead of deviceVendor. Everything is working fine; thanks for your help.