Checking the Status of the Distributed Correlation Cluster

This topic applies to ESM installed in distributed correlation mode.

The Console toolbar contains the Cluster View icon, which shows the health of your distributed correlation cluster. The icon also links to the Cluster View dashboard on the ArcSight Command Center.

Cluster Status Color Indicators

Color

Meaning

Red

Indicates any of these conditions:

  • All aggregators are down.

  • All correlators are down.

  • All connections to MBus are down.

  • All connections to DCache are down.

  • If the message lag properties are set, the message lag on a correlator or aggregator is above the threshold set for a red icon. See the topic Defining Message Lag Thresholds for the procedure.

Yellow

Indicates any of these conditions:

  • An aggregator is down.

  • A correlator is down.

  • Some connections to MBus are down.

  • Some connections to DCache are down.

  • If the message lag properties are set, the message lag on a correlator or aggregator is above the threshold set for a yellow icon. See the topic Defining Message Lag Thresholds for the procedure.

Green

Cluster is operational.

To access the Cluster View dashboard on the Command Center:

  1. Click the Cluster View icon.

    This launches the login popup to the ArcSight Command Center.

  2. Enter your login credentials and click OK.

Defining Message Lag Thresholds

You can define two levels of thresholds each for the aggregator and correlator: thresholds to change the Cluster View icon to yellow, and thresholds to change the icon to red. By default, no message lag thresholds are tracked through the icon colors.

The following table describes property settings to include in the properties file:

| Property | Description |
|---|---|
| aggregator.lag.alert.yellow.threshold | The threshold of message lag at the aggregator. Specify a positive integer value. If message lag is above your specified value, the Cluster View icon turns yellow. |
| aggregator.lag.alert.red.threshold | The threshold of message lag at the aggregator. Specify a positive integer value. If message lag is above your specified value, the Cluster View icon turns red. |
| correlator.lag.alert.yellow.threshold | The threshold of message lag at the correlator. Specify a positive integer value. If message lag is above your specified value, the Cluster View icon turns yellow. |
| correlator.lag.alert.red.threshold | The threshold of message lag at the correlator. Specify a positive integer value. If message lag is above your specified value, the Cluster View icon turns red. |

To set the threshold values for the message lag:

  1. Refer to the instructions in the ESM Administrator's Guide for the proper way to edit the server.properties file. See the topic "Managing and Changing Properties File Settings."

  2. In the server.properties file, add the properties described in the table above and set them to the thresholds you want. If you enter -1, the Cluster View icon is not affected by any message lag in aggregators and correlators.

Note: The color of the Cluster View icon reflects a combination of factors. If you set the thresholds, message lag in aggregators and correlators is considered in addition to other factors, such as MBus and DCache connections.
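
The following added example (not ESM code and not from the product documentation) models the color rules and threshold settings described above, so the same logic can be reproduced in an external health check. The snapshot layout, the function names, the sample threshold values, and the choice to evaluate red before yellow are assumptions. Only key=value lines are parsed.

```python
# Added example: models the documented Cluster View color rules; not ESM code.
LAG_KEYS = [f"{c}.lag.alert.{lvl}.threshold"
            for c in ("aggregator", "correlator") for lvl in ("yellow", "red")]

def parse_thresholds(properties_text):
    """Read the four lag properties; absent or -1 means 'not tracked' (None)."""
    out = dict.fromkeys(LAG_KEYS)
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key not in out:
            continue
        n = int(value)  # raises ValueError on non-integer values
        if n != -1 and n <= 0:
            raise ValueError(f"{key}: expected a positive integer or -1, got {n}")
        out[key] = None if n == -1 else n
    return out

def icon_color(snapshot, thresholds):
    """snapshot: (down, total) per component group, plus observed message lag."""
    def over(component, level):
        limit = thresholds[f"{component}.lag.alert.{level}.threshold"]
        return limit is not None and snapshot["lag"][component] > limit
    groups = [snapshot[g] for g in ("aggregators", "correlators", "mbus", "dcache")]
    # Red is evaluated first (assumption): a single-node group that is down is
    # both "an aggregator is down" and "all aggregators are down".
    if any(total and down == total for down, total in groups) \
            or over("aggregator", "red") or over("correlator", "red"):
        return "red"
    if any(down > 0 for down, _ in groups) \
            or over("aggregator", "yellow") or over("correlator", "yellow"):
        return "yellow"
    return "green"

# Constructed sample input: threshold values and cluster snapshot are illustrative.
SAMPLE_PROPERTIES = """\
aggregator.lag.alert.yellow.threshold=5000
aggregator.lag.alert.red.threshold=20000
correlator.lag.alert.yellow.threshold=-1
"""
SAMPLE = {"aggregators": (0, 2), "correlators": (0, 3), "mbus": (0, 3),
          "dcache": (0, 3), "lag": {"aggregator": 7500, "correlator": 90000}}

if __name__ == "__main__":
    print(icon_color(SAMPLE, parse_thresholds(SAMPLE_PROPERTIES)))  # yellow
```

In the sample, the correlator lag is far higher than the aggregator lag but does not change the icon, because the correlator thresholds are set to -1 or left unset.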