This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Documentation for Test Alert SmartConnector

Is there somewhere a proper documentation for the Test Connector?

I only found one from 2010 [1] which is not working for me. I installed the connector but it is shown as down continously in ESM. The service on the SmartConnector's server is running actively. The logs of it look good and do not display any errors or warnings.
Do I have to start it somehow else?

[1] community.microfocus.com/.../Using-the-ArcSight-Test-Alert-SmartConnector.pdf

  • 0

    Open command prompt as administrator

     

    CD to

     

    C:\Program Files\ArcSightSmartConnectors8.3\current\bin

     

    Run

    arcsight connectors

  • 0  

    If Carl's recommendations do not work, or if you need more information then open a Support ticket and we will be glad to assist you.

  • 0 in reply to 

    Tried that and as expected it says:
    [Tue Aug 16 05:57:56 UTC 2022] [WARN ] It seems that another instance of ArcSight SmartAgents is running.

    which makes sense since the connector itself is running properly just not connecting to our ESM.

    I thought that I missed something in the configuration and hoped for a installer documentation.

  • 0 in reply to 

    What version of the connector are  you trying to install? This way I can send you the correct installation document. Or if you prefer, please open a support ticket so we can further assist  you.

  • 0

    The connector information can be found at All SmartConnectors (microfocus.com) However, there doesn't appear to be current information for the test alert connector.  Does the test alert functionaly work?  I would be curious what the logStatus lines in the connector logs look like.  You should see lines similar to this:

    [2020-11-03 11:13:39,662][INFO ][default.com.arcsight.agent.fp][logStatus] {C=0, ET=Up, HT=Up, N=[your destination name], S=475, T=3.6158229746392507}

    The entries break down like this:

    C = If this value is non-zero, then the SmartConnector is caching. 

    S = Running total of events which have been sent to the Manager since the SmartConnector was last started. 

    T = Shows the average number of events being passed to the Manager per second (Throughput).

    HT = Heartbeat Transport. This gives the status of the connection between SmartConnector and Manager. 

    ET = Event Transport. This indicates whether the Manager is accepting events from the SmartConnector. If this is Down, it means that the Manager has paused the SmartConnector. 

    N = Name of the SmartConnector

  • 0 in reply to 

    There are a bunch of logStatus messages in the log file. E.g.:
    [2022-08-18 06:01:20,324][INFO ][com.arcsight.agent.f9] [logStatus]{Agent Type=testalertng, Agent Version=8.3.0.8616.0, CommandResponses Processed=1949, Current Max Rate=-1, Custom Filtering: Events Filtered Out=0, Custom Filtering: Events Filtering State=Events Filtering Disabled by the user, Event rate LTC=Thu Aug 18 05:50:48 UTC 2022, Events Processed(SLC)=0, Events/Sec(SLC)=0.0, FCP Version=0, FIPS Enabled=false, First CommandResponse Processed=Tue Aug 16 07:44:46 UTC 2022, Host Address=10.76.149.3, Host Name=10.76.149.3, Last CommandResponse Processed=Thu Aug 18 05:50:48 UTC 2022, Max Rate=50, Parser AUP Version=8.3.0.8616.0, Tracking: device count=1, Tracking: event count=70, Tracking: event size=0, Tracking: original timestamp=Tue Aug 16 07:44:45 UTC 2022, Tracking: source count=1, activeThreadCount=120, autoload=false, contcachesize=10000, continuous=true, eventrateunit=Minute, loadall=false, maxrate=50, maxsleeptime=30, overridearcsightcategory=false, overridezoneinfo=false, preserveagenttime=false, preservedetecttime=false, randomizeratetime=0, setagenttimeasnow=true, setdetecttimeasnow=true, startpaused=true, timefactor=0, uienabled=true}
    So the connector itself seems to work but kind of has no proper connection to the ESM since it is shown as Down there.


    I have opened up a ticket at the support. As soon as they have something I will post it here. Nevertheless, thankful for every idea :)

  • Verified Answer

    +1

    So we had a talk with the support and found out where it got stuck. We had to adjust the agent.properties in the following way:

    • agents[0].autoload=true
    • agents[0].loadall=true
    • agents[0].startpaused=false
    • agents[0].uienabled=false

    I do not know which property exactly was the fix of these four but now the connector is working as it was supposed to.

  • 0 in reply to 

    The first two deal with the loading of the event files.  If you're using the UI, you'd have to pick which event files you wanted to load.  These to parameters basically say load all of the event files.  The third sets up the connector to start replaying events when the connector start.   I've typically run the connector with the GUI so I wasn't aware of the uienabled option.  But it sounds like it just disables the interface. So it sounds like you're able to start the connector and send events without the GUI starting up.  

    Thanks for posting that. I'm sure others will  find this useful. 

  • 0 in reply to 

    Hi Carl,

    The Connector is a testalertng 8.3.0.8616.0.

    It is working now connecting properly to ESM but I seem to miss the point how to generate the event file.

    I tried to run

    ./arcsight replayfilegen -i console

    but get the error that replayfilegen is not supported. And indeed, there is no shell script for that in the scripts folder.

    Now, is there a proper documentation how I can send test alerts via the Test Alert SmartConnector?

    Thanks

    Anton

  • 0   in reply to 

    Hi Anton - you can use csvconvert to generate the replay events file.  This thread below has information about the command.  It says to run it on the db server, but you can run this on the connector once you've exported the csv events file from ESM. 

    community.microfocus.com/.../how-do-i-get-a-replay-file-on-my-test-connector