All Inclusive Connector/No Connector Caching State: Overview
– Content will be available in future ESM Foundation Content
– Will be part of the ArcSight Administration Package
– Content will be located in:
Configuration
– Clear Infrastructure Connectors Currently Caching and Infrastructure Connectors Caching Active Lists entries upon initialization
– Tweak the Infrastructure Connectors Currently Caching Active List TTL based on your preference on how long a connector can cache before you are alerted (e.g. every 30 minutes, every 2 hours)
– Ensure Infrastructure Number of Connectors Caching Active List entry has File Name = Infrastructure Connectors Caching and Counter = 0 upon initialization
Content
– Rules (several rules have dependent variables):
All Inclusive Connector/No Connector Caching State: Content Description
Active List: Infrastructure Connectors Currently Caching
– Stores the list of all the connectors currently caching
– Active list entries expire after connector has constantly cached for 2 hours or more (by default TTL=2)
Active List: Infrastructure Connectors Caching
– Stores the list of all the connectors that have been constantly caching for 2 hours or more
– Active list entries never expire - cleared when connector cache is emptied and rule fire action occurs
Active List: Infrastructure Number of Connectors Caching
– Stores the total number of all connectors constantly caching for 2 hours or more
– Active list entries never expire - cleared when connector cache is
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 2
Rule: Infrastructure Connectors Cache - Failed - Rule 2
– Fires when a connector constantly caches for more than 2 hours and falls off the “Infrastructure Connectors Currently Caching” active list, producing internal event activelist:104 with the pipe-delimited value of the expired active list entry
– Conditions around internal event activelist:104 set to make rule fire
to retrieve name of connector and connector resource URI for caching connector identified in active list entry expired internal event activelist:104 in deviceCustomString4 pipe-delimited field
(getALCounterValue) used to retrieve values for “Infrastructure Connectors Caching” entry in “Infrastructure Number of Connectors Caching” active list
– (incrementALCounter) used to add (1) to the Counter field value retrieved for “Infrastructure Connectors Caching” entry in “Infrastructure Number of Connectors Caching” active list
Desired field and variable field set to ESM schema fields to be added to active list “Infrastructure Number of Connectors Caching”
– Increments the count of the total number of connectors caching
Set flexNumber1 to the variable incrementALCounter
– Variable is an increment value to be added to the total count of the number of connectors caching for more than 2 hours
1a action removes a previously noted caching connector entry from “Infrastructure Connectors Currently Caching” and “Infrastructure Connectors Caching” active lists
– Conditions around internal event activelist:102 (entry removed from AL) set to make rule fire
(getALCounterValue) used to retrieve values for “Infrastructure Connectors Caching” entry in “Infrastructure Number of Connectors Caching” active list
– (decrementALCounter) used to subtract (1) from the Counter field value retrieved for “Infrastructure Connectors Caching” entry in “Infrastructure Number of Connectors Caching” active list
Desired field and variable field set to ESM schema fields to be added to active list “Infrastructure Number of Connectors Caching”
– Decrements the count of the total number of connectors caching
Set flexNumber1 to the variable decrementALCounter
– Variable is a decrement value to be subtracted from the total count of the number of connectors caching for more than 2 hours
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 5
Rule: Infrastructure Connectors Cache - Number of Connectors Cache Active List Checker - Rule 5
– Fires when Infrastructure Connectors Cache - Failed Increment Counter - Rule 3 or Infrastructure Connectors Cache - Success Decrement Counter - Rule 4 increments/decrements (modifies) Counter field value entry in “Infrastructure Number of Connectors Caching” active list
– Conditions around internal event activelist:103 (entry changed in an AL) set to make rule fire
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 5
Rule: Infrastructure Connectors Cache - Number of Connectors Cache Active List Checker - Rule 5
– Rule uses dependent variables
– 7 variables (IndexOf, Substring, LengthOf, Add, LengthOf, Substring and Convert_String_To_Long) used to retrieve modified (activelist:103) values presented in deviceCustomString4 pipe-delimited field for entries in “Infrastructure Number of Connectors Caching” active list
– *Convert_String_To_Long variable is used to convert the second value in DCS4 from string to long, to be evaluated later as a long value
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 6
Rule: Infrastructure Connectors Cache - Red or Green Determinant - Rule 6
– Rule uses dependent variable
– 1 variable (Filter_Based_Condition_Function) used to evaluate if number of
Set flexString2 to conditionalEval - the string value of “Daily RED” or “Daily GREEN” retrieved from Filter_Based_Condition_Function in Infrastructure Connector Cache Counter Check Filter variable work
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 7
Rule: Infrastructure Connectors Cache - Red - Rule 7
Set deviceCustomString2 to “Connector Cache Status” to be used as key field declaration in last state data monitor “Infrastructure Connector Cache Status” - allows only one icon last state to populate in dashboard for Connectors Caching
Set priority to 10 indicating connector(s) have been caching for 2 hours or more (remember the TTL=2 hours is configurable)
*Rule Fire Name will be used in data monitor Mapping: Name -> Status to set value of last state all inclusive Connector Cache icon to RED
All Inclusive Connector/No Connector Caching State: Content Description Continued - Rule 8
Rule: Infrastructure Connectors Cache - Green - Rule 8
Set deviceCustomString2 to “Connector Cache Status” to be used as key field declaration in last state data monitor “Infrastructure Connector Cache Status” - allows only one icon last state to populate in dashboard for Connectors Caching
*Rule Fire Name will be used in data monitor Mapping: Name -> Status to set value of last state all inclusive Connector Cache icon to GREEN
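
The flow these rules describe (TTL expiry from the "currently caching" list, counter increment and decrement, reading the counter back out of the pipe-delimited field, then the RED/GREEN decision), modelled in Python as an added example; it is not ArcSight content and not part of the original deck. The class and function names, the `File Name|Counter` layout of deviceCustomString4, the retained first-seen timestamp and the "counter above 0 means RED" threshold are assumptions.

```python
from dataclasses import dataclass, field

TTL_SECONDS = 2 * 60 * 60                          # default TTL=2 hours, configurable
COUNTER_KEY = "Infrastructure Connectors Caching"  # File Name of the counter entry

@dataclass
class CacheMonitor:  # hypothetical model of the three active lists
    currently_caching: dict = field(default_factory=dict)  # connector -> first seen caching
    caching: set = field(default_factory=set)              # connectors past the TTL
    counter: dict = field(default_factory=lambda: {COUNTER_KEY: 0})

    def connector_caching(self, name, now):
        # Assumption: first-seen time is kept, so only constant caching reaches the TTL.
        if name not in self.caching:  # model choice: never count a connector twice
            self.currently_caching.setdefault(name, now)

    def connector_cache_empty(self, name):
        # Cache emptied: remove from both lists; decrement only if it had been counted.
        self.currently_caching.pop(name, None)
        if name in self.caching:
            self.caching.remove(name)
            self.counter[COUNTER_KEY] -= 1
            return self._changed_event()
        return None

    def expire(self, now):
        # TTL expiry (activelist:104): move to the long-term list, increment counter.
        events = []
        for name, since in list(self.currently_caching.items()):
            if now - since >= TTL_SECONDS:
                del self.currently_caching[name]
                self.caching.add(name)
                self.counter[COUNTER_KEY] += 1
                events.append(self._changed_event())
        return events

    def _changed_event(self):
        # Assumed deviceCustomString4 layout on activelist:103: "File Name|Counter".
        return f"{COUNTER_KEY}|{self.counter[COUNTER_KEY]}"

def parse_counter(dcs4):
    # Same steps as the IndexOf / Add / LengthOf / Substring / Convert_String_To_Long chain.
    start = dcs4.index("|") + 1
    return int(dcs4[start:len(dcs4)])

def red_or_green(dcs4):
    # Assumed threshold: any connector caching past the TTL turns the icon RED.
    return "Daily RED" if parse_counter(dcs4) > 0 else "Daily GREEN"
```

A connector whose cache empties before the TTL never touches the counter, which is why the dashboard icon stays GREEN for short caching bursts.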