Health Check
Tracy Barella
Chief Services Strategist
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Q&A
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Connectors
  Up/Down Check (Connector or Container)
  Version Check
  Connector Event Rate Check (by EPS)
  Cache Check
  Logs Check
  Configuration Check
Connector appliances
  Version Check
  Network Settings Check
  Configuration Backup Check
ESM Database and storage
ESM Manager
Loggers
  CPU, Memory, and EPS In/Out Check
  Search Performance Check
  Custom Report Performance Check
  Receivers and Forwarders Check
  Storage Group Check
  Index Configuration Check
  Configured Alerts Check
  Scheduled Task Check
  Event Archive and Configuration Backup Check
  Logger System Health and Audit Event Forwarding Check
  Network Configuration Check
  Online Event Storage Check (Only Software-based or SAN Logger)
Connectors
Connector (or Container) Up/Down Check
Connector Version Check
Are there any Connectors running a version older than ~1 year?
A minimum version of 4.8.1 is required to leverage the ESM v5.2 schema.
Connectors (cont.)
Connector Cache Check
If most Connectors are continuously caching = Possible ESM level Event Insertion problem
If one or two Connectors are continuously caching = Possible Connector level problem or network issue
If a Connector caches for a moment and then clears the cache (batched events) = This is normal
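The three cache rules above, applied to polled cache sizes, as an added example that is not part of the original slides. The Connector names, sample readings and both thresholds are assumptions made for illustration.

```python
from typing import Dict, List

# Assumed thresholds (the slides give none): how persistent a cache must be to
# count as "continuously caching", and what share of Connectors counts as "most".
CONTINUOUS_RATIO = 0.8  # cache non-empty in at least 80% of samples
MOST_RATIO = 0.5        # more than half of all Connectors

# Constructed samples: cached-event counts per Connector, one reading per poll.
SAMPLE_ONE_STUCK = {
    "syslog-dc1": [0, 0, 1200, 0, 0, 0],             # batched, then cleared
    "wuc-dc1": [500, 900, 1500, 2200, 3100, 4000],   # never drains
    "checkpoint-fw": [0, 0, 0, 0, 0, 0],
    "bluecoat-proxy": [0, 300, 0, 0, 0, 0],
}
SAMPLE_MOST_STUCK = {
    "syslog-dc1": [800, 1600, 2500, 3300, 4100, 5000],
    "wuc-dc1": [500, 900, 1500, 2200, 3100, 4000],
    "checkpoint-fw": [0, 200, 700, 1300, 1900, 2600],
    "bluecoat-proxy": [0, 300, 0, 0, 0, 0],
}


def is_continuously_caching(samples: List[int]) -> bool:
    """True when the cache is non-empty for most of the window and at its end."""
    if not samples:
        return False
    non_empty = sum(1 for s in samples if s > 0)
    return samples[-1] > 0 and non_empty / len(samples) >= CONTINUOUS_RATIO


def triage(cache_samples: Dict[str, List[int]]) -> Dict[str, object]:
    """Apply the three cache rules from the slide to a set of Connectors."""
    stuck = sorted(n for n, s in cache_samples.items() if is_continuously_caching(s))
    batched = sorted(n for n, s in cache_samples.items()
                     if n not in stuck and any(v > 0 for v in s))
    if cache_samples and len(stuck) / len(cache_samples) > MOST_RATIO:
        verdict = "possible ESM-level event insertion problem"
    elif stuck:
        verdict = "possible Connector-level problem or network issue"
    else:
        verdict = "normal"
    return {"verdict": verdict, "continuously_caching": stuck, "batched": batched}


if __name__ == "__main__":
    for name, data in (("one stuck", SAMPLE_ONE_STUCK), ("most stuck", SAMPLE_MOST_STUCK)):
        print(name, triage(data))
```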
Connectors (cont.)
Connector Logs Check
../current/logs/agent.out.wrapper.log
  Connectivity errors
    End Devices
    ArcSight Destinations
../current/logs/agent.log
  Parsing errors
  DOSProtector
Connectors
Connector Logs Check (cont.)
Use Connector LogFu to graph the event flow and memory utilization
Connectors (cont.)
Connector Configuration Check
Destination Settings
Connectors (cont.)
Connector Configuration Check (cont.)
Only check the following on problematic Connectors discovered in previous checks
../current/user/agent/agent.properties
  Optimal settings are different for each Connector type
  High EPS Connectors (>1200 EPS) such as Syslog, WUC, CheckPoint, and Blue Coat can be tweaked quite a bit here
../current/user/agent/agent.wrapper.conf
  Only increase the Java Heap size if memory issues were found in agent.out.wrapper.log
  Default Java Heap is 256MB
  Maximum configurable Java Heap is 1024MB (1 GB)
Reminder: If you have 50+ Connectors in your environment, try to stay focused on problematic Connectors!
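One way to apply the Java Heap rule above before touching agent.wrapper.conf, as an added example that is not part of the original slides. It assumes the heap is set with the Java Service Wrapper key wrapper.java.maxmemory and that memory issues appear as java.lang.OutOfMemoryError lines; the file contents and the doubling step are constructed for illustration.

```python
import re

DEFAULT_HEAP_MB = 256  # default Java Heap per the slide
MAX_HEAP_MB = 1024     # maximum configurable Java Heap per the slide

# Assumptions, not from the slides: the heap is set with the Java Service
# Wrapper key wrapper.java.maxmemory (in MB), and a memory issue shows up in
# the wrapper log as a java.lang.OutOfMemoryError line.
HEAP_KEY = re.compile(r"^[ \t]*wrapper\.java\.maxmemory[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)
MEMORY_ERROR = re.compile(r"java\.lang\.OutOfMemoryError")

# Constructed contents standing in for agent.wrapper.conf and agent.out.wrapper.log.
SAMPLE_CONF = """\
# Java heap settings
#wrapper.java.maxmemory=128
wrapper.java.initmemory=256
wrapper.java.maxmemory=256
"""
SAMPLE_LOG = """\
INFO   | jvm 1    | 2013/01/15 10:22:30 | Connector started
INFO   | jvm 1    | 2013/01/15 11:03:12 | java.lang.OutOfMemoryError: Java heap space
INFO   | jvm 1    | 2013/01/15 11:03:13 | java.lang.OutOfMemoryError: Java heap space
"""


def configured_heap_mb(wrapper_conf: str) -> int:
    """Return the active maximum heap in MB; commented-out lines are ignored."""
    values = HEAP_KEY.findall(wrapper_conf)
    return int(values[-1]) if values else DEFAULT_HEAP_MB


def heap_advice(wrapper_conf: str, wrapper_log: str) -> str:
    """Recommend a heap change only when the log shows memory errors."""
    heap = configured_heap_mb(wrapper_conf)
    errors = len(MEMORY_ERROR.findall(wrapper_log))
    if heap > MAX_HEAP_MB:
        return f"lower heap: {heap}MB exceeds the {MAX_HEAP_MB}MB maximum"
    if errors == 0:
        return f"leave heap at {heap}MB: no memory errors logged"
    if heap == MAX_HEAP_MB:
        return f"heap already at {MAX_HEAP_MB}MB maximum with {errors} memory errors"
    # Doubling per step is an assumed increment, capped at the documented maximum.
    return f"raise heap from {heap}MB to {min(heap * 2, MAX_HEAP_MB)}MB: {errors} memory errors"


if __name__ == "__main__":
    print(heap_advice(SAMPLE_CONF, SAMPLE_LOG))
```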
Connectors
  Up/Down Check (Connector or Container)
  Version Check
  Connector Event Rate Check (by EPS)
  Cache Check
  Logs Check
  Configuration Check
Connector appliances
  Version Check
  Network Settings Check
  Configuration Backup Check
ESM Database and storage
ESM Manager
  Event Throughput Dashboard Check
Connector appliances
Connector appliance version check
Is the version outdated?
Additional resources
Thank you