ArcSight user sharing best practices: “Clear Backlog of Old Events from Windows Hosts”

In our ArcSight online community you will find “How to” tips, best practices, and general helps to get the most out of ArcSight. This article is a great example of a community member sharing his knowledge.

ISSUE:

If you are monitoring the time difference between Manager Receipt Time and End Time on logs you may notice a large, ever increasing gap, from certain Windows hosts. At first glance it would appear the logs are getting older possibly indicating a degrading time on the log’s host machine. Most likely this is not the case as that would be very rare but doesn’t hurt to check.

The device is probably generating more logs than the windows unified connector (WUC) can grab on its rotation through the host list. This is a symptom of having too many hosts listed on the connector so the host-cycle takes too long. Optimally should take about 2-5 minutes to go through the list and grab events for each host if you have ~50-150 hosts listed.

Long-term solution…make another connector to divide the load. Short term solution…keep reading here.