Thursday, December 29, 2016

ArcSight Health monitoring

ArcSight monitoring tools

Since an ArcSight environment has many elements, ensuring continuous operation of all of them may require:
·         Ensuring that source devices keep sending events.
·         Ensuring that connectors operate properly.
·         Ensuring that the ArcSight systems (Logger, ESM, Express) operate properly.
·         Ensuring that the infrastructure used by those elements, including the operating system and network, operates properly.

Some of the solutions you might want to check to monitor an ArcSight environment are:

ArcSight Management Center


ArcSight Management Center (ArcMC) is an ArcSight product for managing and monitoring ArcSight systems. It currently manages and monitors Loggers, Connectors, Connector Appliances and other ArcMC systems.

ESM health monitoring


ESM has system resources that are useful for monitoring:

Resource: Database performance statistics
URI: /All Dashboards/ArcSight Administration/ESM/System Health/Storage/CORR Engine/Database Performance Statistics
What you can find there: free space available for tables such as Arc_Event_Data and Arc_System_Data

Resource: ESM system information
URI: /All Dashboards/ArcSight Administration/ESM/System Health/ESM System Information
What you can find there: memory use

Resource: Event throughput
URI: /Dashboards/System Health/Events/Event Throughput
What you can find there: peak and average EPS

Resource: Connector status
Where: right-click "Connectors --> All Connectors" and select "Grid View" to quickly see whether any connector is down.

Other tools available are:
·         You can also try the ESM Health Monitoring package developed at HP CDC. It is a combination of scripts and ESM content for monitoring the ESM manager itself: I/O, heap usage, garbage collection, CPU, EPS and connector caching. The package is robust, but complex and not fully documented.
·         Monitor ESM/CORR with JMX, ELK and TICK - uses the Java JMX monitoring API to monitor the operating environment of the manager and the connectors (community contribution).

Logger content packs

·         Logger Operations Health Dashboards is a presentation which contains queries for creating Logger dashboards for monitoring event ingress rate and quality.

Other options

·         We! Analyze (open source: discussion, download) - a stand-alone tool for monitoring connectors and devices to ensure they keep sending events. The tool analyzes connector log files rather than events, and therefore has pros and cons compared to the ESM Health Monitoring package above.
·         ArcSight Connector watchdog FlexConnector - a FlexConnector that analyzes agent.log and provides the results as events to ESM/Logger. As a FlexConnector, it is a good starting point for others to add their own parsing code.
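The log-based tools above (We! Analyze and the watchdog FlexConnector) and the first two items of the opening list (devices keep sending, connectors operate properly) boil down to one piece of detection logic: read the connector's own counter lines and separate "the source went quiet" from "the connector itself is down" from "the connector is caching because the destination is unreachable". The script below is an added example written for this post; it is not code from We! Analyze, from the watchdog FlexConnector, or from any ArcSight product. The log lines and their `connector=... sent=... cached=...` format are constructed for the example (real SmartConnector agent.log counter lines look different and would need their own regex), and the thresholds are assumptions to tune per environment.

```python
"""Connector/device watchdog over connector counter log lines.

Added example for this post; not code from We! Analyze, the watchdog
FlexConnector, or any ArcSight product. The log format is a constructed,
simplified stand-in for per-connector event counters.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: each connector writes one counter line per 5-minute interval.
# sent   = events forwarded to the destination during the interval
# cached = events currently held in the connector's on-disk cache
SAMPLE_LOG = """\
2016-12-29 10:00:00 connector=fw-syslog sent=1200 cached=0
2016-12-29 10:00:00 connector=win-dc01 sent=340 cached=0
2016-12-29 10:00:00 connector=proxy-bluecoat sent=90 cached=0
2016-12-29 10:00:00 connector=vpn-asa sent=50 cached=0
2016-12-29 10:05:00 connector=fw-syslog sent=1180 cached=0
2016-12-29 10:05:00 connector=win-dc01 sent=0 cached=0
2016-12-29 10:05:00 connector=proxy-bluecoat sent=95 cached=4200
2016-12-29 10:10:00 connector=fw-syslog sent=1210 cached=0
2016-12-29 10:10:00 connector=win-dc01 sent=0 cached=0
2016-12-29 10:10:00 connector=proxy-bluecoat sent=88 cached=9800
"""

# Assumed (constructed) line format; adapt this regex to the real agent.log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"connector=(?P<name>\S+) sent=(?P<sent>\d+) cached=(?P<cached>\d+)$"
)


def parse_counters(log_text):
    """Return a list of (timestamp, connector, sent, cached); non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # startup messages, stack traces etc. are not counter lines
        records.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                        m.group("name"), int(m.group("sent")), int(m.group("cached"))))
    return records


def check_connectors(records, now=None, report_interval=timedelta(minutes=5),
                     silent_after=timedelta(minutes=10), cache_limit=5000):
    """Classify each connector from its counter history. Returns {connector: [issues]}.

    connector not reporting : no counter line for >= 2 intervals -> connector/host down
    device silent           : connector reports, but forwarded 0 events for silent_after
                              -> the source stopped sending, or the feed to it broke
    caching / cache growing : events pile up in the cache -> destination unreachable/slow
    'now' defaults to the newest timestamp in the log so a file can be analyzed offline.
    """
    if not records:
        return {}
    if now is None:
        now = max(ts for ts, _, _, _ in records)

    last_report, last_active, cache_hist = {}, {}, {}
    for ts, name, sent, cached in sorted(records, key=lambda r: r[0]):
        last_report[name] = ts
        if sent > 0:
            last_active[name] = ts
        cache_hist.setdefault(name, []).append(cached)

    problems = {}
    for name, reported in last_report.items():
        issues = []
        if now - reported >= 2 * report_interval:
            issues.append("connector not reporting")  # silence is explained by this
        else:
            if name not in last_active or now - last_active[name] >= silent_after:
                issues.append("device silent")
            hist = cache_hist[name]
            if hist[-1] > cache_limit:
                issues.append("caching")
            if len(hist) >= 2 and hist[-1] > hist[-2]:
                issues.append("cache growing")
        if issues:
            problems[name] = issues
    return problems


def run_sample():
    """Analyze the constructed sample log; returns the per-connector issue map."""
    return check_connectors(parse_counters(SAMPLE_LOG))


if __name__ == "__main__":
    for name, issues in sorted(run_sample().items()):
        print(f"{name}: {', '.join(issues)}")
```

On the sample, fw-syslog is healthy, win-dc01 is reported but has forwarded nothing for two intervals (device silent), proxy-bluecoat is forwarding but its cache has grown past the limit (destination problem, not source problem), and vpn-asa has stopped writing counter lines altogether (connector down). Keeping these three conditions apart matters because each one is handled by a different team: the device owner, the ESM/Logger administrator, and whoever runs the connector host.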
