Title : error retrieving stats from audit event
Product - Version : ArcSight Enterprise Security Manager
Updated : Tue Apr 12 10:48:37 GMT 2016
Summary : Troubleshooting error


The Throughputmeter error can be seen in server.log in two cases.

The first case (Rule) occurs when an audit event with Device Event Class ID agent:050 has no value in the Device Custom String 4 (DCS 4) field. agent:050 audit events must not have a null value in Device Custom String 4.
The second case (Connector's aggregation) can happen when the SmartConnector's aggregation interval is set to 5 minutes or more.

Rule and Connector's aggregation scenarios:

Rule settings which create an agent:050 event with a Null value in DCS 4:
 1. The Aggregation tab lists Device Event Class ID (DEC ID) but not the Device Custom String 4 field.
 2. Any other setting which creates an event with DEC ID = agent:050 (Actions > Set event field, etc.).

Connector's aggregation settings which create an agent:050 event with a Null value in DCS 4:
1. An aggregation interval of 5 minutes or more.
    Even if the field-based aggregation has the Preserve common fields feature enabled, the Device Custom String 4 field can end up with a null value.
    The Preserve common fields feature preserves only those fields whose values are identical across all aggregated events. If a field has different values, the values are not preserved and the field will be left
    In this scenario Device Event Class ID always has the value agent:050 and is therefore preserved, whereas the Device Custom String 4 field can have different values across the aggregated events and will not
    be preserved.
2. A connector that is caching may release two agent:050 events at the same time. In that case two agent:050 events can be aggregated even when the aggregation interval is set to less than 5 minutes.


To identify which event is causing this error message:

1. Create any resource (Active Channel, report, query, etc.) with the following filter/condition:
    Device Event Class ID = agent:050
    Device Custom String 4 Is NULL

2. Inspect the event and look for its generator.
    If the event was created by a rule, its Type is Correlation and the rule can be identified from the Generator URI field.
    If the event is not a Correlation event but a Base event, the generator (the connector) can be found in the Agent Name field.
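The following Python model is an added example, not ArcSight code, illustrating two things described above: how field-based connector aggregation with Preserve common fields leaves Device Custom String 4 null when the aggregated agent:050 events carry different values (while Device Event Class ID, identical in every member, is preserved), and how the triage filter (Device Event Class ID = agent:050 AND Device Custom String 4 Is NULL) plus the Generator URI / Agent Name lookup points at the rule or connector responsible. All events, timestamps, connector and rule names and the generator URI are constructed; the aggregation logic is a simplified approximation of connector behaviour, not the SmartConnector implementation.

```python
"""Added example (not ArcSight code): model of connector aggregation with
'Preserve common fields', followed by the Active Channel triage filter."""
from typing import Dict, List, Optional

Event = Dict[str, Optional[object]]

# Constructed: two agent:050 connector statistics events 4 minutes apart,
# plus one unrelated audit event (ID constructed), all from one connector.
CONNECTOR_EVENTS: List[Event] = [
    {"time": 0, "type": "Base", "deviceEventClassId": "agent:050",
     "deviceCustomString4": "stats-batch-1", "agentName": "syslog_conn_01"},
    {"time": 10, "type": "Base", "deviceEventClassId": "agent:030",
     "deviceCustomString4": None, "agentName": "syslog_conn_01"},
    {"time": 240, "type": "Base", "deviceEventClassId": "agent:050",
     "deviceCustomString4": "stats-batch-2", "agentName": "syslog_conn_01"},
]

# Constructed: a correlation event from a rule whose Aggregation tab lists
# only Device Event Class ID, so DCS 4 is not carried into the new event.
RULE_EVENT: Event = {
    "time": 300, "type": "Correlation", "deviceEventClassId": "agent:050",
    "deviceCustomString4": None, "agentName": "Manager Internal Agent",
    "generatorURI": "/All Rules/Real-time Rules/Example/Stats Spike",
}


def aggregate(events: List[Event], aggregation_fields: List[str],
              window_seconds: int) -> List[Event]:
    """Simplified model of field-based aggregation. Events whose
    aggregation_fields match and whose 'time' falls in the same window are
    collapsed into one event. Every other field is kept only when all
    members agree on it ('Preserve common fields'); if the members differ,
    the field becomes None (null), which is what triggers the error for
    Device Custom String 4 on agent:050 events."""
    buckets: Dict[tuple, List[Event]] = {}
    for ev in events:
        key = (ev["time"] // window_seconds,
               tuple(ev.get(f) for f in aggregation_fields))
        buckets.setdefault(key, []).append(ev)

    merged_events: List[Event] = []
    for members in buckets.values():
        merged: Event = {
            "startTime": min(m["time"] for m in members),
            "endTime": max(m["time"] for m in members),
            "baseEventCount": len(members),
        }
        field_names = {f for m in members for f in m if f != "time"}
        for f in field_names:
            values = {m.get(f) for m in members}
            merged[f] = values.pop() if len(values) == 1 else None
        merged_events.append(merged)
    return merged_events


def offending_events(events: List[Event]) -> List[Event]:
    """The article's filter: Device Event Class ID = agent:050
    AND Device Custom String 4 Is NULL."""
    return [ev for ev in events
            if ev.get("deviceEventClassId") == "agent:050"
            and ev.get("deviceCustomString4") is None]


def generator_of(ev: Event) -> str:
    """Step 2 of the triage: a Correlation event names the rule in
    Generator URI; a Base event names the connector in Agent Name."""
    if ev.get("type") == "Correlation":
        return "rule:" + str(ev.get("generatorURI"))
    return "connector:" + str(ev.get("agentName"))


def triage(window_seconds: int) -> List[str]:
    """Push the connector events through aggregation at the given interval,
    add the rule's correlation event, and report who generated every
    event that matches the filter."""
    stream = aggregate(CONNECTOR_EVENTS, ["deviceEventClassId"], window_seconds)
    stream.append(RULE_EVENT)
    return [generator_of(ev) for ev in offending_events(stream)]


if __name__ == "__main__":
    print("5-minute aggregation:", triage(300))
    print("1-minute aggregation:", triage(60))
```

With a 5-minute window both statistics events land in one bucket and come out with a null DCS 4, so the connector shows up as a generator next to the rule; with a 1-minute window each agent:050 event keeps its own DCS 4 and only the rule remains, which mirrors the "decrease the interval to less than 5 minutes" fix.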

To fix the Rule scenario:
 1. Remove Device Event Class ID from the rule's Aggregation tab.
 2. Add to the rule's filter a condition that excludes agent:050 audit events from being evaluated by this rule:

(Device Event Class ID != agent:050)

To fix the Connector's aggregation scenario:
1. Decrease the aggregation time interval to less than 5 minutes.
2. Disable aggregation of internal events:
  a) On the SmartConnector, add this line:
  b) Restart the SmartConnector.