ArcSight SmartConnector commands and features

If you have downloaded the free ArcSight Logger L750MB version, followed the installation guideline for CentOS, and installed Windows Snare with the ArcSight Syslog SmartConnector, you now have an operational lab or production environment. In this post we describe some SmartConnector commands and features that are not documented in the ArcSight Logger L750MB documentation provided with the product.

Starting the SmartConnector

If you did not specify, during setup, that the SmartConnector should run as a service, you will need to start it manually. To start the SmartConnector, go to the “$ARCSIGHT_HOME/current/bin” directory and execute the “arcsight” script on Linux, or the “arcsight.bat” script on Windows, with the following argument.

[Figure: Starting ArcSight SmartConnector]

Once started, check for the following output to confirm that the SmartConnector is working properly.

[Figure: ArcSight SmartConnector starting outputs]

“Eps” gives you the current EPS throughput, and “Evts” the total number of events that have been processed by the SmartConnector. “ET” and “HT” should both show the value “Up” to confirm that the SmartConnector connection with the Logger is working properly. If there are any communication troubles between the SmartConnector and the Logger, you will see this kind of output.

[Figure: ArcSight SmartConnector and Logger communication troubles]
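As an added illustration (not part of the original post, and not ArcSight's own tooling), the following Python snippet applies the health rules just described to status lines: both ET and HT must read “Up”, and the event counter should keep advancing. The line layout used here is constructed to carry only the fields the post names (ET, HT, Eps, Evts) in key=value form; the real connector's console output may be laid out differently, so adjust the regex to what you actually see.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not captured from a real connector). They carry
# only the fields named in the post, in a simple key=value layout.
HEALTHY = [
    "[INFO ] {C=0, ET=Up, HT=Up, N=Syslog} {Eps=12.5, Evts=3400}",
    "[INFO ] {C=0, ET=Up, HT=Up, N=Syslog} {Eps=11.0, Evts=3730}",
]
BROKEN = [
    "[INFO ] {C=0, ET=Up, HT=Up, N=Syslog} {Eps=12.5, Evts=3400}",
    "[INFO ] {C=0, ET=Down, HT=Down, N=Syslog} {Eps=0.0, Evts=3400}",
    "[INFO ] {C=0, ET=Down, HT=Down, N=Syslog} {Eps=0.0, Evts=3400}",
]

# One key=value token; values stop at a comma, a closing brace or whitespace.
KV = re.compile(r"(\w+)=([^,}\s]+)")


@dataclass
class Sample:
    et: str      # destination link state reported under "ET"
    ht: str      # destination link state reported under "HT"
    eps: float   # current events-per-second throughput
    evts: int    # total events processed since start


def parse_status(line: str) -> Optional[Sample]:
    """Extract ET, HT, Eps and Evts from one status line; None if any is missing."""
    fields = dict(KV.findall(line))
    try:
        return Sample(fields["ET"], fields["HT"],
                      float(fields["Eps"]), int(fields["Evts"]))
    except (KeyError, ValueError):
        return None


def assess(lines: List[str]) -> List[str]:
    """Return the problems found in a run of status lines; an empty list is healthy."""
    samples = [s for s in map(parse_status, lines) if s is not None]
    if not samples:
        return ["no parsable status lines"]
    problems = []
    last = samples[-1]
    if last.et != "Up":
        problems.append(f"ET={last.et}: link to the Logger is not Up")
    if last.ht != "Up":
        problems.append(f"HT={last.ht}: link to the Logger is not Up")
    # A flat event counter with zero EPS means nothing is being forwarded,
    # even when the process itself is still running.
    if len(samples) >= 2 and last.evts == samples[-2].evts and last.eps == 0.0:
        problems.append("event count has not advanced since the previous sample")
    return problems


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, "->", assess(log) or "OK")
```

Run the connector's console output through `assess()` from a cron job or a monitoring check and alert on a non-empty result; this catches the case the post warns about later, where the process is up but the link to the Logger is not.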

Checking SmartConnector availability

To validate that the SmartConnector is up and running, use the following command.

[Figure: ArcSight SmartConnector agent up]

If the SmartConnector is down, you will get this result.

[Figure: ArcSight SmartConnector down]

Note that this command does not validate that communication between the SmartConnector and the Logger is working.

Restarting the SmartConnector

To restart the SmartConnector, use the following command.

[Figure: ArcSight SmartConnector restart]

Stopping the SmartConnector

If you started the SmartConnector in standalone mode, a simple CTRL+C will terminate it. You can also stop it with the following command:

[Figure: Stopping ArcSight SmartConnector]

Checking SmartConnector status

To check the complete SmartConnector status, use the following command.

[Figure: ArcSight SmartConnector status]

The output provides useful information about the SmartConnector activity (memory usage, agent type, agent version, processed events, EPS, date of the last event processed, etc.).

Checking SmartConnector DNS resolution

To verify that the SmartConnector is able to perform DNS resolution, execute the following command.

[Figure: ArcSight SmartConnector DNS test]

ArcSight Agent FlexAgent Regex Tester

ArcSight provides, with the SmartConnector, a tool that lets you create and test regular expressions for your logs. SmartConnectors delivered with ArcSight Logger L750MB do not allow you to add FlexConnectors (custom agents), but you can still use this regex GUI for your own purposes. To start the regex GUI, execute the following command.

[Figure: ArcSight Agent FlexAgent regex tester]

For example, I have tested the regex tool with the following postfix log entry.

May 12 04:14:13 logger sendmail[3457]: p4C2EDU2003456: to=<[email protected]>, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31483, dsn=2.0.0, stat=Sent

The regex tester will propose a regular expression for parsing this log entry.

[Figure: ArcSight regex tester example]
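As an added example (my own regex, not the one the ArcSight tester generates and not code from the post), here is how a mail-log entry of the shape shown above can be parsed in Python and rendered as a CEF line, including one static extension field set by the caller. The mailbox addresses, the CEF vendor/product/signature values and the field-to-CEF mapping are constructed placeholders for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample line (the post's own entry has redacted addresses):
# same layout as the entry above, with placeholder mailbox names.
SAMPLE = ("May 12 04:14:13 logger sendmail[3457]: p4C2EDU2003456: "
          "to=<alice@example.com>, ctladdr=<bob@example.com> (0/0), "
          "delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31483, "
          "dsn=2.0.0, stat=Sent")

# Fixed prefix: syslog timestamp, host, process[pid], queue id, then the body.
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]:\s"
    r"(?P<queue_id>[A-Za-z0-9]+):\s"
    r"(?P<body>.+)$"
)
# One "key=value" pair in the body; the value runs up to the next ", " so a
# value such as "<bob@example.com> (0/0)" survives intact.
PAIR = re.compile(r"(?P<key>[a-z]+)=(?P<value>.+?)(?=,\s|$)")
ADDR = re.compile(r"<([^>]*)>")


def parse_mail_log(line: str) -> Optional[Dict[str, str]]:
    """Split one mail-log line into named fields; None if the prefix does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for pair in PAIR.finditer(m.group("body")):
        value = pair.group("value")
        addr = ADDR.search(value)          # unwrap "<user@host>" where present
        fields[pair.group("key")] = addr.group(1) if addr else value
    return fields


def _esc_header(value: str) -> str:
    # CEF header fields escape backslash and the pipe separator.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values escape backslash, "=" and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(fields: Dict[str, str], static: Optional[Dict[str, str]] = None) -> str:
    """Render parsed fields as one CEF line; 'static' adds constant extension keys."""
    ext = {"shost": fields["host"], "suser": fields.get("ctladdr", ""),
           "duser": fields.get("to", ""), "externalId": fields["queue_id"],
           "outcome": fields.get("stat", "")}
    ext.update(static or {})               # e.g. a constant fileName value
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    header = "|".join(_esc_header(h) for h in (
        "CEF:0", "ExampleVendor", "MailLog", "1.0",      # placeholder header values
        "mail:delivery", "Mail delivery event", "3"))
    return header + "|" + extension


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE)
    print(parsed)
    print(to_cef(parsed, {"fileName": "maillog"}))
```

The header regex is deliberately strict (it returns `None` on anything that does not start with a syslog timestamp, host and `process[pid]`), so unexpected lines are dropped rather than half-parsed; the body is then tokenised generically, which is why `ctladdr`'s trailing `(0/0)` is kept until the address is unwrapped.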

2 thoughts on “ArcSight SmartConnector commands and features”

  1. Could someone help me find the “ArcSight-5.2.4.6326.0-Connector-Win.exe” Smart Connector?
    Thanks in advance.

  2. Is there any possibility to add a field to CEF with a static value, like fileName?
