Destination Runtime Parameters
The following table describes configurable destination parameters. Not all parameters are available for every destination; the user interface automatically displays only the parameters valid for a destination. For step-by-step instructions on updating the runtime parameters of a destination, see Editing Connector Parameters.
Parameter |
Description |
---|---|
Batching |
Connectors can batch events to increase performance and optimize network bandwidth. When activated, connectors create blocks of events and send them when they either (1) reach a certain size or (2) the time window expires, whichever occurs first. You can also prioritize batches by severity, forcing the connector to send the highest-severity event batches first and the lowest-severity event batches later. |
Enable Batching (per event) |
Create batches of events of this specified size (5, 10, 20, 50, 100, 200, 300 events). |
Enable Batching (in seconds) |
The connector sends the events if this time window expires (1, 5, 10, 15, 30, 60). |
Batch By |
Time Based (the default) sends batches in the order in which they are created; Severity Based sends batches according to severity, with batches of Highest Severity events sent first. |
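The batching behaviour described above, as an added Python example (this is illustrative code, not ArcSight connector code). It models a batch closing on size or on window expiry, whichever comes first, and the Time Based versus Severity Based send order. Assumptions not taken from the page: events are dicts carrying a 'severity' string, the numeric ranking of the severity levels, and that a batch's severity is that of its highest-severity member.

```python
"""Added example (not ArcSight code): a connector-style event batcher.

Models the three Batching parameters on this page: a batch closes when it
reaches "Enable Batching (per event)" events or when "Enable Batching (in
seconds)" elapses, whichever comes first, and "Batch By" decides the send
order. Assumptions not taken from the page: events are dicts carrying a
'severity' string, and a batch's severity is that of its highest-severity
member.
"""
from typing import Dict, List, Optional

# Severity ranking assumed for the example (the page names the levels, not
# their numeric order).
SEVERITY_RANK = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1, "Unknown": 0}


def batch_severity(batch: List[Dict]) -> int:
    return max(SEVERITY_RANK.get(e.get("severity", "Unknown"), 0) for e in batch)


class Batcher:
    def __init__(self, size: int, window_s: float, batch_by: str = "Time Based"):
        if batch_by not in ("Time Based", "Severity Based"):
            raise ValueError("Batch By must be 'Time Based' or 'Severity Based'")
        self.size = size
        self.window_s = window_s
        self.batch_by = batch_by
        self._pending: List[Dict] = []        # the batch currently being filled
        self._opened_at: Optional[float] = None
        self._closed: List[List[Dict]] = []   # full batches waiting to be sent

    def tick(self, now: float) -> None:
        """Close the open batch if its time window has expired."""
        if self._pending and now - self._opened_at >= self.window_s:
            self._close()

    def offer(self, event: Dict, now: float) -> None:
        """Add an event; close the batch on size or window expiry, whichever is first."""
        self.tick(now)
        if not self._pending:
            self._opened_at = now
        self._pending.append(event)
        if len(self._pending) >= self.size:
            self._close()

    def _close(self) -> None:
        self._closed.append(self._pending)
        self._pending = []
        self._opened_at = None

    def drain(self) -> List[List[Dict]]:
        """Return closed batches in send order. Severity Based sorts the
        highest-severity batches first; the sort is stable, so batches of equal
        severity keep their creation order."""
        batches, self._closed = self._closed, []
        if self.batch_by == "Severity Based":
            batches.sort(key=batch_severity, reverse=True)
        return batches


def run_demo(batch_by: str) -> List[List[str]]:
    """Constructed input: (receive time, severity) pairs; size 3, 5 s window."""
    arrivals = [(0.0, "Low"), (1.0, "Low"), (2.0, "Very High"),
                (3.0, "Low"), (9.0, "High"), (9.5, "Medium")]
    b = Batcher(size=3, window_s=5.0, batch_by=batch_by)
    for t, sev in arrivals:
        b.offer({"severity": sev, "t": t}, now=t)
    b.tick(now=20.0)  # clock advances with no new events; the window closes the last batch
    return [[e["severity"] for e in batch] for batch in b.drain()]


if __name__ == "__main__":
    print(run_demo("Time Based"))
    print(run_demo("Severity Based"))
```

With a batch size of 3 and a 5 second window, the first batch closes on size, the single Low event at t=3 closes on window expiry when the next event arrives at t=9, and the last batch closes when the clock is advanced. Severity Based moves the two-event High/Medium batch ahead of the older Low batch; Time Based keeps creation order.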
Time Correction |
The values you set for these fields establish forward and backward time limits that, if exceeded, cause the connector to automatically correct the time reported by the device. |
Use Connector Time as Device Time |
Override the time the device reports and instead use the time at which the connector received the event. This option assumes that the connector will be more likely to report the correct time. (No | Yes) |
Enable Device Time Correction (in seconds) |
The connector can adjust the time reported by the device |
Enable Connector Time Correction (in seconds) |
The connector can also adjust the time reported by the connector itself, using this setting. This is for informational purposes only and allows you to modify the local time on the connector. This should be a temporary setting. The recommended way to synchronize clocks between Manager and connectors is the NTP protocol. The default is 0. |
Set Device Time Zone To |
Ordinarily, the original device is presumed to report its time zone along with its time; if it does not, the connector is presumed to do so. If neither is true, or the device is not reporting correctly, you can switch this option from Disabled to GMT or to a particular world time zone, and that zone is then applied to the time reported. Default: Disabled. |
Device Time Auto-correction |
|
Future Threshold |
The connector sends the internal alert if the detect time is greater than the connector time by |
Past Threshold |
The connector sends the internal alert if the detect time is earlier than the connector time by |
Device List |
A comma-separated list of the devices to which the thresholds apply. The default, |
Time Checking |
These are the time span and frequency factors for doing device-time auto-correction. |
Future Threshold |
The number of seconds by which to extend the connector's forward threshold for time checking. The default is 5 minutes (300 seconds). |
Past Threshold |
The number of seconds by which to extend the connector's backward threshold for time checking. Default is 1 hour (3,600 seconds). |
Frequency |
The connector checks its future and past thresholds at intervals specified by this number of seconds. Default is 1 minute (60 seconds). |
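The Time Correction parameters above, applied to individual events in an added Python example (illustrative code, not ArcSight connector code). It covers "Use Connector Time as Device Time", the Future and Past Thresholds with their page defaults of 300 and 3,600 seconds, and the Device List scope. Assumptions not taken from the page: times are Unix seconds, the device detect time is the 'deviceReceiptTime' field, correcting an event means substituting the connector's receipt time, and the original device value is kept in 'flexDate1' (the "Store Original Time in: Flex Date 1" option listed further down this page) so that the raw device timestamp remains available for forensic review.

```python
"""Added example (not ArcSight code): applying the time-correction parameters.

Assumptions not taken from the page: times are Unix seconds, the device's
detect time is the 'deviceReceiptTime' field, correcting an event means
replacing that field with the connector's receipt time, and the original value
is kept in 'flexDate1' so the raw device timestamp survives for forensics.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TimePolicy:
    use_connector_time: bool = False              # "Use Connector Time as Device Time"
    future_threshold_s: int = 300                 # page default: 5 minutes
    past_threshold_s: int = 3600                  # page default: 1 hour
    device_list: Optional[FrozenSet[str]] = None  # None = all devices (assumption)


def normalize_event_time(event: Dict, connector_time: int,
                         policy: TimePolicy) -> Tuple[Dict, Optional[str]]:
    """Return a copy of the event with its time corrected where the policy
    demands, plus the internal alert text (None when no alert is raised)."""
    ev = dict(event)
    device_time = ev["deviceReceiptTime"]

    if policy.use_connector_time:
        # Unconditional override: the connector clock is trusted over the device.
        ev["flexDate1"] = device_time
        ev["deviceReceiptTime"] = connector_time
        return ev, None

    if policy.device_list is not None and ev["deviceAddress"] not in policy.device_list:
        return ev, None  # thresholds apply only to the listed devices

    drift = device_time - connector_time
    if drift > policy.future_threshold_s:
        reason = f"{drift}s in the future (limit {policy.future_threshold_s}s)"
    elif -drift > policy.past_threshold_s:
        reason = f"{-drift}s in the past (limit {policy.past_threshold_s}s)"
    else:
        return ev, None  # within both thresholds: device time is kept

    ev["flexDate1"] = device_time
    ev["deviceReceiptTime"] = connector_time
    alert = (f"device time correction: {ev['deviceAddress']} reported a detect "
             f"time {reason}; connector time substituted")
    return ev, alert


def run_demo() -> Dict[str, Tuple[int, bool]]:
    """Constructed events against a connector clock of 1_700_000_000.
    Returns {label: (deviceReceiptTime after the check, alert raised?)}."""
    now = 1_700_000_000
    policy = TimePolicy(device_list=frozenset({"10.1.1.10"}))
    samples = {
        "ahead_301s":   {"deviceAddress": "10.1.1.10", "deviceReceiptTime": now + 301},
        "behind_3500s": {"deviceAddress": "10.1.1.10", "deviceReceiptTime": now - 3500},
        "unlisted":     {"deviceAddress": "10.1.1.99", "deviceReceiptTime": now + 86400},
    }
    results = {}
    for label, ev in samples.items():
        fixed, alert = normalize_event_time(ev, now, policy)
        results[label] = (fixed["deviceReceiptTime"], alert is not None)
    return results


if __name__ == "__main__":
    for label, (t, alerted) in run_demo().items():
        print(f"{label:13} -> {t} alert={alerted}")
```

Note the asymmetry the page defaults encode: a device clock 301 seconds fast is corrected and alerted, while one 3,500 seconds slow is left alone because delayed delivery is normal and only the one-hour Past Threshold triggers correction. A device that is not in the Device List is never touched, however far off its clock is.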
Cache |
Changing these settings does not affect events already in the cache; it affects only new events sent to the cache. |
Cache Size |
Connectors use a compressed disk cache to hold large volumes of events when the ArcSight Manager is down or when the connector receives bursts of events. This parameter specifies the disk space to use. The default is 1 GB which, depending on the connector, can hold about 15 million events, but it also can go down to 5 MB. When this disk space is full, the connector drops the oldest events to free up disk cache space. (5 MB, 50 MB, 100 MB, 150 MB, 200 MB, 250 MB, 500 MB, 1 GB, 2.5 GB, 5 GB, 10 GB, 50 GB.) |
Notification Threshold |
The size of the cache's contents at which to trigger a notification. Default is 10,000. |
Notification Frequency |
How often to send notifications after the Notification Threshold is reached. (1 minute, 5 minutes, 10 minutes, 30 minutes, 60 minutes.) |
Network |
|
Heartbeat Frequency |
This setting controls how often the connector sends a heartbeat message to the destination. The default is 10 seconds, but it can go from 5 seconds to 10 minutes. Note that the heartbeat is also used to communicate with the connector; therefore, if its frequency is set to 10 minutes, then it could take as much as 10 minutes to send any configuration information or commands back to the connector. |
Enable Name Resolution |
The connector tries to resolve IP addresses to hostnames, and hostnames to IP addresses, if required and if the event rate allows. This setting controls this functionality. The Source, Target and Device IP addresses and hostnames might also be affected by this setting. By default, name resolution is enabled (Yes). |
Name Resolution Host Name Only |
Default: Yes. |
Name Resolution Domain From E-mail |
Default: Yes. |
Clear Host Names Same as IP Addresses |
Default: Yes. |
Limit Bandwidth To |
A list of bandwidth options you can use to constrain the connector's output over the network. (Disabled, 1 kbit/sec to 100 Mbits/sec.) |
Transport Mode |
You can configure the connector to cache to disk all the processed events it receives. This is equivalent to pausing the connector. However, you can use this setting to delay event-sending during particular time periods. For example, you could use this setting to cache events during the day and send them at night. You can also set the connector to cache all events, except for those marked with a very-high severity, during business hours, and send the rest at night. (Normal | Cache | Cache (but send Very High severity events)). |
Address-based Zone Population Defaults Enabled |
This field applies to v3.0 ArcSight Managers. This field is not relevant in ESM v3.5 because the system has integral zone mapping. Default: Yes. |
Address-based Zone Population |
This field applies to v3.0 ArcSight Managers. This field is not relevant in ESM v3.5 because the system has integral zone mapping. |
Customer URI |
Applies the given customer URI to events emanating from the connector. Provided the customer resource exists, all customer fields are populated on the ArcSight Manager. If this particular connector is reporting data that might apply to more than one customer, you can use Velocity templates in this field to conditionally identify those customers. |
Source Zone URI |
Shows the URI of the zone associated with the connector's source address. Required for ESM v3.0 compatibility. |
Source Translated Zone URI |
Shows the URI of the zone associated with the connector's translated source address. The translation is presumed to be NAT. Required for ESM v3.0 compatibility. |
Destination Zone URI |
Shows the URI of the zone associated with the connector's destination address. Required for ESM v3.0 compatibility. |
Destination Translated Zone URI |
Shows the URI of the zone associated with the connector's translated destination address. The translation is presumed to be NAT. Required for ESM v3.0 compatibility. |
Connector Zone URI |
Shows the URI of the zone associated with the connector's address. Required for ESM v3.0 compatibility. |
Connector Translated Zone URI |
Shows the URI of the zone associated with the connector's translated address. The translation is presumed to be NAT. Required for ESM v3.0 compatibility. |
Device Zone URI |
Shows the URI of the zone associated with the device's address. Required for ESM v3.0 compatibility. |
Device Translated Zone URI |
Shows the URI of the zone associated with the device's translated address. The translation is presumed to be NAT. Required for ESM v3.0 compatibility. |
Field Based Aggregation |
This feature is an extension of basic connector aggregation. Basic aggregation aggregates two events if, and only if, all the fields of the two events are the same (the only difference being the detect time). Field-based aggregation implements a less strict mechanism: two events are aggregated if the selected fields alone are the same for both. Note that field-based aggregation creates a new aggregated event that contains only the fields that were specified; the rest of the fields are dropped. Connector aggregation significantly reduces the amount of data received and should be applied only when you use less than the total information the event offers. For example, you could enable field-based aggregation to aggregate “accepts” and “rejects” in a firewall, but you should do so only if you are interested in the count of these events rather than all the information the firewall provides. |
Time Interval |
Select a time interval, if applicable, to use as a basis for aggregating the events the connector collects. It is exclusive of Event Threshold (disabled, 1 sec, 5 sec, and so on, up to 1 hour). |
Event Threshold |
Select a number of events, if applicable, to use as a basis for aggregating the events the connector collects. This is the maximum count of events that can be aggregated; for example, if 150 events were found to be the same within the time interval selected (that is, contained the same selected fields) and you select an event threshold of 100, you then receive two events, one of count 100 and another of count 50. This option is exclusive of Time Interval (disabled, 10 events, 50 events, and so on, up to 10,000 events). |
Field Names |
Specify one or more fields, if applicable, to use as the basis for aggregating the events the connector collects, as a comma-separated list of field names. For example, "eventName,deviceHostName" aggregates events that have the same event name and device hostname. Names can contain no spaces and the first letter must not be capitalized. |
Fields to Sum |
Specify one or more fields, if applicable, to use as the basis for aggregating the events the connector collects. |
Preserve Common Fields |
Choosing Yes adds fields to the aggregated event if they have the same values for each event. Choosing No, the default, ignores non-aggregated fields in aggregated events. |
Filter Aggregation |
Filter Aggregation is a way of capturing aggregated event data from events that would otherwise be discarded by a connector filter. Only events that would be filtered out are considered for filter aggregation (unlike Field-based aggregation, which looks at all events). Connector aggregation significantly reduces the amount of data received, and should be applied only when you use less than the total amount of information the event offers. |
Time Interval |
Select a time interval, if applicable, to use as a basis for aggregating the events the connector collects. It is exclusive of Event Threshold (disabled, 1 sec, 5 sec, and so on, up to 1 hour). |
Event Threshold |
Select a number of events, if applicable, to use as a basis for aggregating the events the connector collects. This is the maximum count of events that can be aggregated; for example, if 150 events were found to be the same within the time interval selected (that is, contained the same selected fields) and you select an event threshold of 100, you then receive two events, one of count 100 and another of count 50. This option is exclusive of Time Interval (disabled, 10 events, 50 events, and so on, up to 10,000 events). |
Fields to Sum |
(Optional) Select one or more fields, if applicable, to use as the basis for aggregating the events the connector collects. |
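Field Based Aggregation and Filter Aggregation share one mechanism, so both are shown in a single added Python example (illustrative code, not ArcSight connector code). It implements Field Names, Fields to Sum, Time Interval, Event Threshold and Preserve Common Fields, reproduces the page's 150 events against a threshold of 100 giving counts of 100 and 50, and then runs the same logic only over the events a connector filter would drop. Assumptions not taken from the page: events are dicts, the detect time is the 'endTime' field in Unix seconds, the aggregated count is reported in a 'baseEventCount' field, and Preserve Common Fields compares values by equality.

```python
"""Added example (not ArcSight code): field-based and filter aggregation.

Assumptions not taken from the page: events are dicts, the detect time is the
'endTime' field (Unix seconds), the aggregated count is reported in
'baseEventCount', and Preserve Common Fields compares hashable values.
"""
from collections import OrderedDict
from typing import Callable, Dict, Iterable, List, Optional, Sequence


def aggregate(events: Iterable[Dict], field_names: Sequence[str],
              fields_to_sum: Sequence[str] = (), time_interval: Optional[int] = None,
              event_threshold: Optional[int] = None,
              preserve_common: bool = False) -> List[Dict]:
    """Collapse events that agree on field_names into aggregated events.
    A group closes when it reaches event_threshold members or when a new member
    arrives time_interval seconds or more after the group's first event."""
    open_groups: "OrderedDict[tuple, List[Dict]]" = OrderedDict()
    out: List[Dict] = []

    def close(key: tuple) -> None:
        members = open_groups.pop(key)
        agg = {f: members[0].get(f) for f in field_names}   # only the selected fields
        agg["baseEventCount"] = len(members)
        agg["startTime"] = members[0]["endTime"]
        agg["endTime"] = members[-1]["endTime"]
        for f in fields_to_sum:                               # Fields to Sum
            agg[f] = sum(m.get(f, 0) for m in members)
        if preserve_common:                                   # Preserve Common Fields = Yes
            for f in members[0]:
                if f not in agg and len({m.get(f) for m in members}) == 1:
                    agg[f] = members[0][f]
        out.append(agg)

    for ev in events:
        key = tuple(ev.get(f) for f in field_names)
        if (key in open_groups and time_interval is not None
                and ev["endTime"] - open_groups[key][0]["endTime"] >= time_interval):
            close(key)                                        # Time Interval expired
        open_groups.setdefault(key, []).append(ev)
        if event_threshold is not None and len(open_groups[key]) >= event_threshold:
            close(key)                                        # Event Threshold reached
    for key in list(open_groups):                             # flush what is still open
        close(key)
    return out


def filter_aggregate(events: Iterable[Dict], drop_filter: Callable[[Dict], bool],
                     **agg_kwargs) -> List[Dict]:
    """Filter Aggregation: events the filter would discard are aggregated
    instead of lost; everything else passes through untouched."""
    events = list(events)
    kept = [e for e in events if not drop_filter(e)]
    dropped = [e for e in events if drop_filter(e)]
    return kept + aggregate(dropped, **agg_kwargs)


def firewall_events() -> List[Dict]:
    """Constructed sample: 150 accepts from five hosts, then 7 rejects."""
    base = 1_700_000_000
    evs = [{"endTime": base + i, "eventName": "accept", "deviceHostName": "fw1",
            "deviceVendor": "ExampleFW", "sourceAddress": f"10.0.0.{i % 5}", "bytesIn": 10}
           for i in range(150)]
    evs += [{"endTime": base + i, "eventName": "reject", "deviceHostName": "fw1",
             "deviceVendor": "ExampleFW", "sourceAddress": "203.0.113.9", "bytesIn": 0}
            for i in range(7)]
    return evs


def run_field_aggregation() -> List[Dict]:
    # The page's own case: 150 matching events, threshold 100 -> counts 100 and 50.
    return aggregate(firewall_events(), ("eventName", "deviceHostName"),
                     fields_to_sum=("bytesIn",), event_threshold=100, preserve_common=True)


def run_time_interval_aggregation() -> List[int]:
    # One event per second for 150 s, 60 s interval -> groups of 60, 60, 30.
    accepts = [e for e in firewall_events() if e["eventName"] == "accept"]
    return [a["baseEventCount"] for a in
            aggregate(accepts, ("eventName", "deviceHostName"), time_interval=60)]


def run_filter_aggregation() -> List[Dict]:
    # Filter Out would drop accepts; keep a count of them instead of nothing.
    return filter_aggregate(firewall_events(), lambda e: e["eventName"] == "accept",
                            field_names=("eventName", "deviceHostName"),
                            fields_to_sum=("bytesIn",), event_threshold=100)


if __name__ == "__main__":
    for a in run_field_aggregation():
        print(a)
    print(run_time_interval_aggregation())
    print(len(run_filter_aggregation()), "events after filter aggregation")
```

With Preserve Common Fields on, deviceVendor survives into the accept aggregates because every member carries the same value, while sourceAddress does not because the accepts come from five hosts; the reject aggregate keeps its single sourceAddress. That is the caveat the page makes: once aggregated, the per-event source addresses are gone, so aggregate only fields you are content to lose.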
Processing |
|
Preserve Raw Event |
For some devices, a raw event can be captured as part of the generated alert. If that is not the case, most connectors can also produce a serialized version of the data stream that was parsed/processed to generate the ArcSight event. This feature allows the connector to preserve this serialized "raw event" as a field. This feature is disabled by default since using raw data increases the event size and therefore requires more database storage space. You can enable this by changing the Preserve Raw Event setting. The default is No. If you choose Yes, the serialized representation of the "Raw Event" is sent to the destination and preserved in the Raw Event field. |
Turbo Mode |
You can accelerate the transfer of a sensor's event information through connectors by choosing one of two “turbo” (narrower data bandwidth) modes. The default transfer mode is called Complete, which passes all the data arriving from the device, including any additional data (custom, or vendor-specific). Complete mode does indeed use all the database performance advances of ArcSight ESM v3.x. The first level of Turbo acceleration is called Faster and drops just additional data, while retaining all other information. The Fastest mode eliminates all but a core set of event attributes, in order to achieve the best throughput. The specific event attributes that apply to these modes in your enterprise are defined in the self-documented
Note: Connector Turbo Modes are superseded by the Turbo Mode in use by the ArcSight Managers processing their events. For example, a Manager set to Faster will not pass all the data possible for a connector that is set for the default of Complete. |
Enable Aggregation (in seconds) |
When enabled, aggregates two or more events on the basis of the selected time value (disabled, 1, 2, 3, 4, 5, 10, 30, 60). The aggregation is performed on one or more matches for a fixed subset of fields:
The aggregated event shows the event count (how many events were aggregated into the displayed event) and event type. The rest of the fields in the aggregated event take the values of the first event in the set of aggregated events. |
Limit Event Processing Rate |
You can moderate the connector's burden on the CPU by reducing its processing rate. This can also be a means of dealing with the effects of event bursts. The choices range from Disabled (no limitation on CPU demand) to 1 eps (pass just one event per second, making the smallest demand on the CPU). Note: The effect of this option varies with the category of connector in use, as described in the connector Processing Categories table below.
|
Fields to Obfuscate |
|
Store Original Time in |
Disabled or Flex Date 1. |
Enable Port-Service Mapping |
Default: No. |
Enable User Name Splitting |
Default: No. |
Split File Name into Path and Name |
Default: No. |
Generate Unparsed Events |
Default: No. |
Preserve System Health Events |
Yes, No, or Disabled. |
Enable Device Status Monitoring (in minutes) |
Disabled or 1, 2, 3, 4, 5, 10, 30, 60, or 120 minutes. |
Filters |
|
Filter Out |
NA |
“Very High Severity” Event Definition |
NA |
“High Severity” Event Definition |
NA |
“Medium Severity” Event Definition |
NA |
“Low Severity” Event Definition |
NA |
“Unknown Severity” Event Definition |
NA |
Payload Sampling |
When available. |
Max. Length |
Discard, 128 bytes, 256 bytes, 512 bytes, 1 kbyte |
Mask Non-Printable Characters |
Default: False. |
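The Payload Sampling parameters above, Max. Length and Mask Non-Printable Characters, in an added Python example (illustrative code, not ArcSight connector code). Raw payload bytes carried into an event can include terminal escape sequences, NULs and line breaks that interfere with consoles and downstream parsers, which is why the masking option matters to an analyst. Assumptions not taken from the page: the sample is taken from the start of the payload, "Discard" keeps no sample at all, and "printable" means ASCII 0x20 to 0x7E with every other byte replaced by a '.'.

```python
"""Added example (not ArcSight code): payload sampling with Max. Length and
Mask Non-Printable Characters.

Assumptions not taken from the page: the sample is the start of the payload,
"Discard" keeps nothing, and printable means ASCII 0x20..0x7E; other bytes
become '.' so escape sequences and NULs cannot reach a console unmodified.
"""
from typing import Optional, Tuple

# The Max. Length choices listed on the page, as byte limits (0 = Discard).
MAX_LENGTH_OPTIONS = {"Discard": 0, "128 bytes": 128, "256 bytes": 256,
                      "512 bytes": 512, "1 kbyte": 1024}


def sample_payload(payload: bytes, max_length: str = "256 bytes",
                   mask_non_printable: bool = False) -> Tuple[Optional[bytes], bool]:
    """Return (sample, truncated). sample is None when Max. Length is Discard."""
    limit = MAX_LENGTH_OPTIONS[max_length]
    if limit == 0:
        return None, False
    sample = payload[:limit]
    if mask_non_printable:
        sample = bytes(b if 0x20 <= b <= 0x7E else 0x2E for b in sample)  # 0x2E = '.'
    return sample, len(payload) > limit


def run_demo() -> Tuple[Optional[bytes], bool]:
    # Constructed payload: an HTTP request line followed by an ANSI clear-screen
    # escape, NUL padding and a long run of filler, 334 bytes in total.
    payload = b"GET /index.html HTTP/1.1\r\n" + b"\x1b[2J" + b"\x00" * 4 + b"A" * 300
    return sample_payload(payload, "128 bytes", mask_non_printable=True)


if __name__ == "__main__":
    sample, truncated = run_demo()
    print(sample, truncated)
```

With "128 bytes" and masking on, the request line survives readably, the CR/LF, the ESC byte and the NULs all become '.', and the sample reports that the payload was truncated. With masking off (the page default of False) the ESC byte passes through into the event field unchanged.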