ArcSight troubleshooting

This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with ArcSight.

If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your Technical Account Manager (TAM) for more information about solutions to problems.

Problem: ArcSight does not display the events from Feed Service or displays them incorrectly

To solve this problem, try the following actions:

• Make sure that the Feed Service computer is turned on and Feed Service is running (for Windows version, see section "Managing Feed Service using the script (Windows)").
• Make sure that the ArcSight computer is accessible from the Feed Service computer.
• Make sure that the port specified in the output connection string is open.
• Make sure that ArcSight Forwarding Connector and ArcSight SmartConnector (for Windows version, see section "Installing ArcSight SmartConnector (Windows)") are running.
• Make sure that Feed Service listens on the port to which Forwarding Connector sends data from ArcSight ESM.
• Make sure that Feed Service sends the events to ArcSight SmartConnector.
• Check that ArcSight SmartConnector is configured properly.

  For this purpose, run the following command:

  • %ARCSIGHT_HOME%/current/bin/runagentsetup.sh (in Linux)
  • %ARCSIGHT_HOME%\current\bin\runagentsetup.bat (in Windows)

  Here %ARCSIGHT_HOME% is the directory where ArcSight SmartConnector is installed.

Problem: An active channel does not display events after a new ARB package is imported

To solve this problem, try the following actions:

Check the filter used in the active channel:

1. Go to Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector.
2. Make sure that the device product field has the value of Kaspersky CyberTrace for ArcSight.

Create a new active channel:

1. Delete the current active channel and create a new one.
2. Configure the new active channel as follows:
   • Set the Start Time and End Time parameters as you wish.
   • Set the Use as Timestamp parameter to Manager Receipt Time.
   • If you want the active channel to be updated automatically, select Continuously evaluate in the Time Parameters section of the active channel's properties.
   • In the Filters section, specify the filter that has the same name as the active channel itself. You can find available filters in the tree view of ArcSight Console, at the Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector location when the Filters item is selected in the drop-down box.
   • In the Fields section, specify the item that has the same name as the active channel itself.

     You can find available fields in the tree view of ArcSight Console, at the Field Sets > Shared > All Field Sets > Public > Kaspersky CyberTrace Connector location when the Field Sets item is selected in the drop-down box.

Problem: Feed Service does not receive events from ArcSight

To solve this problem, try the following actions:

• Make sure that the Feed Service computer is turned on and Feed Service is running (for Windows, see section "Managing Feed Service using the script (Windows)").
• Make sure that the ArcSight computer is turned on and ArcSight is running.
• Make sure that the Feed Service computer is accessible from the ArcSight computer.

  You can use the ping utility for this purpose.

• Make sure that the port that is specified in the input connection string is open on the Feed Service computer.

  You can use the netcat utility for this purpose.

• Check the regular expressions in the Feed Service configuration file or by using the Settings > Events Format tab in Kaspersky CyberTrace Web.
• Make sure that the ArcSight forwarding connector that you installed is running.

  In Linux, you can use the following command for this purpose:

  ps -Af | grep %DIR_NAME%/current/bin

  Here %DIR_NAME% is the directory in which the forwarding connector is installed. If the forwarding connector process is running, the information about it will be displayed in the console.

• If Feed Service stopped receiving events from ArcSight after a new ARB package is imported, register ArcSight Forwarding Connector once more by running the following command and following the instructions of the wizard:

  %ConnectorInstallDir%/current/bin/runagentsetup.sh

  Here %ConnectorInstallDir% is the directory in which ArcSight Forwarding Connector is installed.

Problem: an authentication error occurs in ArcSight Forwarding Connector or the account intended for use by ArcSight Forwarding Connector is absent

To solve this problem, try the following actions:

1. Run ArcSight Console.
2. Select Users > Shared > Custom User Groups.
3. Create the Kaspersky CyberTrace Connector group.
4. Right-click the Kaspersky CyberTrace Connector group, and then select Edit Access Control.
5. Select the Events tab.
6. Click Add.
7. Select the CyberTrace forwarding events filter.
8. Click Save.
9. In the Kaspersky CyberTrace Connector group, specify the following options for the account:
   • Any user name (for example, FwdCyberTrace)
   • In the type field, the Forwarding Connector type
   • Password

These credentials will be used to forward events from ArcSight to Kaspersky CyberTrace.

Page top