• ArcSight Threat Intelligence Feed/Galaxy SmartConnector

    ArcSight Threat intelligence Feed or GTAP suddenly stops sending logs to the ESM server, even though the connector status shows as running. When I check the logs, only the connector statistics are displayed. I attempted to reinstall it, but I couldn't…
  • Healthy ESM Thread Count

    Dears, How to know what is the healthy thread count for the ESM and the Agents? We have the next values in server.properties: - agent.threads.max=437 - serverletcontainer.jetty311.threadpool.maximum=674 However, the active thread count is always…
  • send logs from smart connector to another smart connector

    Hello, thank you for giving me an idea on the instructions to follow to achieve the following diagram: 1- collect logs from the AD server to a server_X located at the same private VlAN. 2- collect AD logs from server_X to another server in public…
  • flex connector properties file not working

    I'm having some troubles with the flexconnector. I did the parser file but everytime I run the flexconn and I send some SSH Logs the parser do not work. My parser file is called Vendor_syslog.subagent.sdkrfilereader.properties. I modified in agent…
  • Detecting Actual Rogue Systems versus Rogue Sensor Source Servers

    Hello experts! Is it possible that the parser is querying the wrong epo Table Name, or could I just need newer parser version? Attempting to 'fire alerts' for McAfee Rogue Systems from "RSD Version 5.0.5" yet it seems that all events captured reflect…
  • Destination caching & 'stalling incoming sender' related messages - some info

    Hello, While reviewing connector health via ArcMC I found several connectors reported as caching (consistently). I started looking in to them and found several things that may be useful to others. Behavior seen - delayed events in Console - agent.log…
  • Smart Connector for Microsoft Right Management Services (RMS)

    Dear All, I got the task recently to collect and analyze events coming from Microsoft RMS. I did not find any out-of-the box collector nor my regular ArcSight contacts were able to help me on that. I am trying to avoid the "reinventing the wheel" case…
  • Smart connector cache only for destination ESM

    Hi everyone. Connector send events (syslog) from any systems to two destination ESM and Logger. Issue with cache events inside connector but only with ESM. Events doesn't have troubles send to Logger. I saw logs in connector but not found something interesting…
  • Connectors down after renewing certificate

    Hi All, Our ESM 6.1 certificate was expired and after renewing it on manager and on all connectors,few of the connectors at a particular geographical location didnt come up.Attached is the agent.log.Anyone please help me identify the root cause.
  • [default.com.arcsight.agent.bq.c][parseTokensNow] error in smart connector WebSphere

    Will not parse the input stream correctly just returns: UserDataField>] did not match the common regular expression [(?:\[(\d /\d /\d \d :\d :\d :\d \S )\]\s (.*?)\s (.*?)\s (.*?)\s (?:\[:\])?\s*(?:.*?\b(?<!\.)([A-Za-z0-9_-]{5,}):?)?\s*(?:\[(.*?)\](?…
  • SmartConnector - Does post-processing cache affect pre-processing cache?

    Dear All, Before my question, here is what i know about Log flow in a smart connector (E.g. Syslog connector). Please correct me if i am wrong about any details Cache Details: Pre-processing cache File extension for Pre-processing cache files: .queue…
  • Which SmartConnectors cannot run on ConApp/ArcMC?

    Hi all, I'd like to ask if anyone has a list of all SmartConnectors *not installable* on ConApp / ArcMC platforms. For example, requires .NET4.5 and can only be installed on Win2008 and 2012 Microsoft Exchange Powershell SmartConnector requires Powershell…
  • Load Balancing on ArcSight Logger 6.0

    Good morning Protect724 Community! I apologize in advance if this is something that has been previously discussed, but I did spend some time searching and could not find information that would apply to my situation. We have just purchased two HP ArcSight…
  • Issue while adding Logger Destination

    Hi All, I encountered an issue while installing smart connector with windows unified format, whenever I want to add Logger destination, we get error: =========================================================================================== Following…
  • Anyone else having problems parsing Barnyard logs sent via syslog?

    So we have multiple snort instances running and we were originally sending the alerts into a smartconnector on the connapp via syslog as snort alerts. This worked just fine. However to increase performance and make better use of resources in our environment…
  • Connector upgrade

    Dear all, Has anybody experience with upgrade of a connector ? Is it a complete re-installation or is there a possibility to keep the current settings (e.g. agent.properties). Thanks, Miloš
  • Some Important Connector Settings

    Below are some smartconnector settings that you may find useful in your environment, especially in a high EPS setup. 1. init and max java heap memory of smartconnectors Default setting on smartconnectors is 256 MB. On high EPS setups, 256 MB of heap memory…
  • SmartConnector HP OpenVMS File -- File processing ended: Failure

    Hi, We run the SmartConnector HP OpenVMS File. Till now, it worked properly. During the last days, the processing of one file starts and stops immediately after that. No event from that system makes it to the Logger. Two other files work fine All we have…
  • Error message received in email (Cisco Ironport)_Pull logs from Cisco ESA/WSA

    Hello expert, Sorry if my question is not related to ArcSight. I just want to confirm whether it's ArcSight SmartConnector or Cisco Ironport issue. Products: Cisco Ironport, Cisco ESA, Cisco WSA ArcSight SmartConnector Appliance with latest SmartConnector…
  • Stopping ".processed" on Exchange connector?

    Is it possible to make the "Microsoft Exchange Message Tracking Log Multi Config" connector stop appending ".processed" to the logs with out just removing write access to the account running the connector service? The team that runs my Exchange service…
  • smart connector on windows 2012 core

    Is smart connector supported if installed on windows 2012 core? From which version?
  • HPUX Audit fil getting rotated and not processed, events received but with no information

    Hi, I have created a HPUX Audit file smart connector and provided the mount path where the HPUX file were transferred through NFS. These files get picked from the mount but I see that the logs are rotated and are meaningless. There is one more connector…
  • Syslog Connector UDP

    Hi Guys, Currently we have more than 9000EPS for syslog, and it will come more and more. In order to solve this issue, I have 2 sln, one is to setup few syslog connectors within same host(Windows Base), the other is using the F5 to load balance to different…
  • SmartConnector - Sizing

    Dear all, Our env is SC->Logger->ESM Express, I need to resize all the SC which host in windows server 2003. Is there any doc for SC sizing for FW, Proxy, WUC and SQL DB? Our env contains Juniper Firewall, Cisco Routers, Cisco Core SW&SW, Bluecoat Proxy…
  • Cisco IronPort S370 web security appliance Smart Connector

    I have my IronPorts FTP the access files in the squid format to a Windows server with SmartConnector software installed, I have the IronPort connector pick up and parse the logs and forward them to a logger. Does anyone know how I can set the SmartConnector…