Tuesday, March 27, 2012

How can I back up the complete data from the container so that the restore is successful?

Using the default "Backup Files" repository to back up my container captures only the agent.properties file and the agent.wrapper.conf file. As a result, SmartConnectors that need certs, parser overrides, map files, etc., are not restored successfully.



By default, the "Backup Files" Repository has the following regular expressions:

Download

Exclude regular expression : (agentdata/ |cwsapi_fileset_).*$

Upload

Delete exclude regular expression: (agentdata/ | agent.wrapper.conf | cwsapi_fileset_).*$

These regular expressions cause the necessary SmartConnector files (certs, parsers, etc) to not be copied over to the container backup.

Workaround:

Create a new Repository and do not include the "exclude regular expression" for either the Download or the Upload section, as follows:

1. From the Connector Appliance UI, go to Setup > Repositories

2. Select New Repository

3. Enter the Name, Display Name, Item display name and Filename Prefix

4. Save the created Repository.

What is ArcSight Connector Appliance?

Connector Appliance in a nutshell is a self-contained, hardened appliance with:

1. Connector Software
SmartConnectors are pre-installed and are constantly running in their own 'Container'. Even without any configured connectors, they continue to run in their own Java memory space.

2. Connector Management functionality (web process)
A GUI that allows SmartConnectors to be locally and remotely managed, including configuration and monitoring of the processes.

Capabilities:

• Centralized management and full control of local, remote and software connectors
• Wizard based interface designed to automate common management tasks

There are three main types of appliance models: C1x00, C3x00, and C5x00.

For more information, refer to the Connector Appliance Release Notes (for platform changes and updates) and the Connector Appliance Administrator Guide.

I need to restore a Connector Appliance from an Appliance Backup. What are the requirements and how do I perform the restore?


Sometimes you need to completely reconfigure a Connector Appliance using an Appliance Backup. This can occur if you had to RMA your Connector Appliance and want to restore the entire configuration from your backup to this new Connector Appliance.

Important Notes:

For a successful restore, the following conditions must be met:

1. The backup file must be taken from a Connector Appliance which has the same number of onboard containers as the Connector Appliance to which you are restoring.

Examples:

A C1000 has only 1 container, while a C5200 has 8 containers, thus a backup from a C1000 to a C5200 will fail.

However, a C5000 appliance and a C5200 both have 8 containers, thus the backup will succeed.

2. The Connector Appliance versions must be the same on both source and destination Connector Appliances.

3. The hostname must be the same on both source and destination Connector Appliances.

Resolution:

1. Create an Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Backup

c. Enter the parameters and click Save.

d. The backup file created is named configs.tar.gz.

2. Ensure that the hostname on the Connector Appliance you are restoring to is the same as the hostname from the Connector Appliance where the backup was created.

Note: If you still have access to the Connector Appliance where the backup was created, check the file /etc/sysconfig/network and compare the value for hostname (see example below) to that found in the same file on the Connector Appliance you are restoring to.

Example:

HOSTNAME=

3. Restore the Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Restore

c. Click Browse and navigate to the location where you have stored the configs.tar.gz file.

d. Click Upload.

4. If after restoring from the backup, the Web GUI is not available, modify /etc/sysconfig/network to reflect the correct HOSTNAME value.

We are getting slow response from UI on the Connector Appliance; all of the pages take long time to load or refresh.

This issue can often be caused by a mismatch between the hostname recorded in the 'hosts' file on the appliance and the actual hostname set via the UI.

A mismatch can cause local hostname lookup errors, which in turn cause severe delays when accessing certain features of the UI. It can also cause issues such as failure to generate and upload the Container SSL certificate to the UI after restoring a Container, making the Container unreachable or un-configurable.

Resolution:

1. View the Setup > System Admin > Network tab. Note the System Hostname string configured.

2. View the Setup > System Admin > Network > Hosts tab. Confirm that the hostname listed in System Hostname, as you observed in Step 1, is listed.

3. If the System Hostname is not listed in the Hosts tab, add an entry for it and click Update File.
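The hostname checks from the restore procedure (step 2) and from the Hosts tab steps above can also be scripted against copies of the files. This is an added example, not part of the original article or of ArcSight's tooling; it assumes the appliance's hosts file is /etc/hosts in standard hosts format, and the function names and sample hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example (not ArcSight code). File paths are arguments so the checks
# can run against copies of the files pulled from each appliance.

# Print the HOSTNAME value from a sysconfig/network-style file.
# Strips optional quotes; if the key appears more than once, the last wins.
get_sysconfig_hostname() {
    sed -n 's/^[[:space:]]*HOSTNAME=//p' "$1" | tail -n 1 \
        | tr -d "\"'" | tr -d '[:space:]'
}

# Succeed if NAME appears as a whole field (canonical name or alias) on a
# non-comment line of a hosts-format FILE. Comparison is case-insensitive.
hosts_file_lists() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = 0 }
        { sub(/#.*/, "") }                 # drop comments, whole-line or trailing
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# check_restore_hostname SRC_NETWORK DST_NETWORK DST_HOSTS
# Prints one line per finding and returns the number of findings:
#   MISSING  - a network file has no HOSTNAME value
#   MISMATCH - source and destination hostnames differ (restore precondition)
#   HOSTS    - destination hostname has no entry in its hosts file (slow UI)
check_restore_hostname() {
    src_net=$1
    dst_net=$2
    dst_hosts=$3
    findings=0
    src=$(get_sysconfig_hostname "$src_net")
    dst=$(get_sysconfig_hostname "$dst_net")
    if [ -z "$src" ] || [ -z "$dst" ]; then
        echo "MISSING: HOSTNAME not set in one of the network files"
        findings=$((findings + 1))
    elif [ "$src" != "$dst" ]; then
        echo "MISMATCH: backup was taken on '$src', destination is '$dst'"
        findings=$((findings + 1))
    fi
    if [ -n "$dst" ] && ! hosts_file_lists "$dst" "$dst_hosts"; then
        echo "HOSTS: '$dst' has no entry in $dst_hosts"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed files (hostnames and addresses are made up).
demo_dir=$(mktemp -d)
printf 'NETWORKING=yes\nHOSTNAME=connapp01.example.com\n' > "$demo_dir/source.network"
printf 'NETWORKING=yes\nHOSTNAME="connapp01.example.com"\n' > "$demo_dir/dest.network"
printf '127.0.0.1 localhost.localdomain localhost\n' > "$demo_dir/dest.hosts"
check_restore_hostname "$demo_dir/source.network" "$demo_dir/dest.network" \
    "$demo_dir/dest.hosts" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a live appliance the arguments would be /etc/sysconfig/network from each system and the destination's hosts file.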

What commands are available under the ArcSight appliance Console?

From the console or DRAC, you see this prompt:

ArcSight Platform Console
Login:

Use the same login credentials as you use to access the web GUI (e.g., log in as admin).

Type 'help' to get a list of possible commands:

System Command Description
help Prints this help
halt Halts and powers off the Appliance
reboot Reboots the Appliance
exit Exits (restarts) the CLI
show admin Shows Default Administrator Name
show config Shows Appliance Configuration
show date Shows current date
set date Sets current date
show defaultgw Shows Default Gateway for the interface
set defaultgw Sets Default Gateway for the interface
show dns Shows DNS Configuration
set dns Sets DNS Configuration
show hostname Shows Host Name
set hostname Sets Host Name
show ip Shows Ip Addresses of Network Interfaces
set ip Sets IP Address of Network Interface
set password Sets the password for this account
show sslcert Shows SSL Server Certificate
reset sslcert Installs/restarts https with temporary certificate
restart sslcert Restarts https server
diag sslcert Displays the SSL connection
show status Shows System Configuration

Use shift+pageup and shift+page down to page up/down in the list.

How many of the suffixes listed will be used by the SmartConnector for DNS resolution?

When entering suffixes on the Setup > Network > DNS > Search Domains page on Connector Appliance running v6.1, only the first 6 search domains listed are used by the SmartConnectors for DNS resolution.

Any additional search domains added beyond the first 6 are not used for resolution by the DNS server.

Workarounds:

Depending on how many entries you have, there are a few options to work around this limitation:

1. Place the short names into /etc/hosts on the appliance.

2. Use fully-qualified names.

3. Create a 'virtual' domain to hold all the short names and re-configure DNS servers for that virtual domain to forward accordingly.

Note: For more information on virtual domains and forwarding, refer to the following site:

http://www.linuxquestions.org/questions/linux-general-1/resolv-conf-search-limited-to-six-725254/

What is the proper order in which to shut down all of these Appliances if we are preparing for a power outage?

1. Connector or Logger Appliance:

The Connector Appliance and Logger Web Interfaces have a reboot option. (System Admin > Reboot > Start Reboot Now)

However, if the Appliance needs to be shut down for an extended time for maintenance or other reasons, you will need to access the Appliance command line interface and issue the halt command.

Described below are 2 methods to access the Appliance's command line interface to shut down the appliance gracefully:

1. Physical access to Appliance console:

a. Attach a Keyboard and Monitor to the appliance.

b. From the monitor you will see the ArcSight logo and login prompt.

c. Enter the credentials to access the appliance - this will be the same credentials you enter in the appliance's web interface login prompt.

d. At the command line, enter the command: halt

2. Appliance Access via DRAC:

Note: the steps below assume that you have already configured the appliance for DRAC access. If you have not yet configured DRAC, refer to Document ID KM1271064.

a. Open the browser and specify the DRAC IP address in the browser's URL bar

b. Confirm the SSL security warning.

c. At the login prompt, enter the user name and password that was assigned.

d. Select the Console tab and select Connect. The Console session to the appliance appears.

e. Enter the credentials you use to access the appliance Web UI

f. Enter the command: halt

Note: Once the "halt" command has been issued (using either method) you will need to have physical access to the hardware in order to restart the appliance.


2. Express Appliance: KM1272277


To properly shut down the ArcSight Express Appliance (or other ArcSight Appliances), connect to the appliance using SSH to access the command line interface.

To enable SSH login, refer to the steps in Document ID KM1271655.

To shut down the appliance, issue the following command:

shutdown -h

To shut down and restart the appliance, issue one of the following commands:

shutdown -r

OR

reboot


However, the order in which to shut down and turn off multiple Appliances in a complicated environment depends on the configuration.

Scenario 1: Connector Appliance -> Logger -> Express

a. Shutting Down: When ESM is not available, Connectors can hold events in their cache files. Therefore, the order should be as follows:

Express > Logger > Connector Appliances

b. Starting Up: Start up the appliances in the reverse of the order in which you shut them down (i.e., Connector Appliances, Logger, then Express).

Scenario 2: Connector Appliance -> Express (Forwarding Connector) -> Logger

If there is ESM Forwarding Connector involved, the order is different than above:

a. Shutting Down: Forwarding Connector -> Express -> Logger and Connector Appliances

b. Starting Up: Logger and Connector Appliances-> Express -> Forwarding Connector

How can I disable the use of IPv6 by our Connector Appliances?

To disable IPv6 on the Connector Appliance, perform the following steps on the Connector Appliance command line:

1. Login to the Connector Appliance command line using SSH, after enabling the Support Login. Refer to Document ID KM1271655 for further details.

2. Check if the parameter NETWORKING_IPV6=yes exists in the file: /etc/sysconfig/network-scripts/ifcfg-eth0 by executing the following command:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

If the line exists, edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and change it to the following:

NETWORKING_IPV6=no

3. Check if the parameter NETWORKING_IPV6=yes exists in the file: /etc/sysconfig/network-scripts/ifcfg-eth1 by executing the following command:

cat /etc/sysconfig/network-scripts/ifcfg-eth1

If the line exists, edit the /etc/sysconfig/network-scripts/ifcfg-eth1 file and change it to the following:

NETWORKING_IPV6=no

4. Add the following parameters to the file /etc/modprobe.conf:

alias ipv6 off

alias net-pf-10 off

5. Add the following to the file /etc/sysconfig/network:

NETWORKING_IPV6=no

6. After completing the above changes, restart networking on the Connector Appliance by typing the following command:

service network restart

7. If you encounter any problems with executing the above command, reboot the Connector Appliance.
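To confirm the result after the restart or reboot, the files edited in steps 2 through 5 can be audited with a short script. This is an added example, not part of the original article or of ArcSight's tooling; it assumes both alias lines belong in /etc/modprobe.conf, and the function names and the sample file tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ArcSight code): audit the files touched by the IPv6 steps.

# has_line FILE LINE
# Succeed if FILE contains LINE, ignoring leading/trailing blanks and
# collapsing runs of blanks, so "alias  ipv6   off" still matches.
# Commented-out lines do not match because the "#" is part of the line.
has_line() {
    [ -f "$1" ] && awk -v want="$2" '
        { gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
        $0 == want { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# audit_ipv6_disabled ROOT
# ROOT is a directory prefix: "/" for the live appliance, or a directory
# holding copies of the files. Prints one FAIL line per finding and returns
# the number of findings (0 means every step checks out).
audit_ipv6_disabled() {
    root=${1%/}
    findings=0

    # Steps 2 and 3: the interface files must not still say "yes".
    for nic in eth0 eth1; do
        f="$root/etc/sysconfig/network-scripts/ifcfg-$nic"
        if has_line "$f" "NETWORKING_IPV6=yes"; then
            echo "FAIL $f: NETWORKING_IPV6=yes is still set"
            findings=$((findings + 1))
        fi
    done

    # Step 4: both module aliases must be present in modprobe.conf.
    f="$root/etc/modprobe.conf"
    for want in "alias ipv6 off" "alias net-pf-10 off"; do
        if ! has_line "$f" "$want"; then
            echo "FAIL $f: missing '$want'"
            findings=$((findings + 1))
        fi
    done

    # Step 5: the global network file must carry the "no" setting.
    f="$root/etc/sysconfig/network"
    if ! has_line "$f" "NETWORKING_IPV6=no"; then
        echo "FAIL $f: missing NETWORKING_IPV6=no"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Demo on a constructed file tree in which steps 4 and 5 were only half done.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig/network-scripts"
printf 'DEVICE=eth0\nNETWORKING_IPV6=no\n' > "$demo/etc/sysconfig/network-scripts/ifcfg-eth0"
printf 'DEVICE=eth1\nNETWORKING_IPV6=yes\n' > "$demo/etc/sysconfig/network-scripts/ifcfg-eth1"
printf 'alias ipv6 off\n' > "$demo/etc/modprobe.conf"
printf 'NETWORKING=yes\n' > "$demo/etc/sysconfig/network"
audit_ipv6_disabled "$demo" || echo "findings: $?"
rm -rf "$demo"
```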

How can I check which version(s) of Connector Appliance software the appliance has run previously?

There are two methods to check for previous software versions on the Connector Appliance:

1. Connect to the Appliance using an SSH client and then check the contents of the directory /opt/updates

OR

2. Retrieve the snapshot logs from the appliance and check the contents of /opt/updates, which is included in the logs.

Example Contents:

[root@connector-C5400 /]# cd /opt/updates

[root@connector-C5400 updates]# ls -l

total 356

drwxr-xr-x 3 root root 4096 Sep 7 13:21 appliance-6244

-rw-r--r-- 1 root root 5307 Sep 16 14:31 appliance-6244.history

-rw-r--r-- 1 root root 3 Sep 16 14:33 appliance-6244.id

-rw-r--r-- 1 root root 14613 Sep 16 14:33 appliance-6244.log

-rw-r--r-- 1 root root 1602 Sep 16 14:33 appliance-6244.res

Regardless of the method chosen to view the /opt/updates contents:

Check the names of the files in this directory. The file names contain the four-digit build number(s) from versions that have been applied.
In the example above, build number 6244 is included in some of the file names, which is version 6.2.

What are the new features in ArcSight Connector Appliance v6.2?

ArcSight introduces the following new features and enhancements for Connector Appliance v6.2 GA:

Appliance Health and Performance Monitoring – The SNMPv2 MIB supports any SNMP-enabled network application to monitor Connector Appliance health and performance.

LDAP/Active Directory User Authentication – A Connector Appliance user can now be authenticated through LDAP/Active Directory.

Read-Only User Group – New read-only user groups are available for administrators to control access to and operation of the Connector Appliance. Users in the read-only user group can view appliance and connector configuration settings, but cannot make modifications to them.

SSL Server Certificate Expiration Notification – The Connector Appliance can generate an expiration alert for an SSL server certificate before it expires.

Automatic Password Reset – Once their email notification setting is properly configured, any Connector Appliance user can reset their forgotten password.

Bulk Certificate Import – ArcSight users can now conduct bulk downloads of destination certificates from ESM and bulk import them into any SmartConnector.

Login Banner Customization – The Connector Appliance user interface has been enhanced to allow and support user customization of the login banner.

FTP Enabled for BlueCoat SmartConnector – Connector Appliance allows for FTP enabled events file processing in support of the BlueCoat Proxy SG Multi-File SmartConnector.

Windows CIFS Operation Improvement – The Connector Appliance can now provide better operation support under Microsoft Windows network environment.

Microsoft NTLMv2 Support – The Connector Appliance supports the Microsoft NTLMv2 authentication.

UNC Path Naming – The Connector Appliance supports CIFS mounts using Microsoft Windows Uniform Naming Convention (UNC) or naming notation.

New SmartConnector Support – The Connector Appliance can now support versions of both Microsoft Forefront Threat Management Gateway File and Microsoft Network Policy Server File SmartConnectors via the latest SmartConnector release.

Latest SmartConnector Release Bundle – This release provides bundled versions of the most up-to-date, new and updated ArcSight SmartConnectors.

Important Information about Connector Appliance

Important information about Connector Appliance is highlighted below.

Remote Management AUP Importing

When importing a remote management AUP for remotely managed hosts onto an appliance, you may see an error message that states “Wrong appliance model in remote management AUP file”. If this occurs, upgrade the appliance to version 6.2.

Port Change for HTTP Requests

Connector Appliance now redirects HTTP requests for port 80 to port 443 so that you can access the Connector Appliance login page by typing just the appliance hostname or IP address into the browser address field. If you are using port 80 on your SmartConnectors, reconfigure the connectors to use a different port before you upgrade Connector Appliance.

Upgrading to the Latest SmartConnector Version

To upgrade the connectors you manage on the Connector Appliance to the latest SmartConnector version, you need to apply the latest build to the container that contains those connectors. For information about upgrading a container to a specific connector version, refer to the ArcSight Connector Appliance Administrator’s Guide.

Supported SmartConnectors

The list of SmartConnectors available in the Connector Type pull-down includes all supported SmartConnectors. Some SmartConnectors are not currently supported for use on the Connector Appliance, but can be managed remotely.

For the current list of SmartConnectors supported for installation on Connector Appliance, including those that require additional setup, refer to the article Supported Products for Connector Appliance from the ArcSight Knowledge Base.

Syslog and SNMP SmartConnectors

You can install all syslog and SNMP SmartConnectors on the Connector Appliance.

Note: To prevent performance degradation, ArcSight strongly recommends that you do not have more than one syslog connector in a container. For more information, refer to the article Running Multiple Syslog SmartConnectors in a Single Container in the ArcSight Knowledge Base.

Database Type SmartConnectors

You can run database SmartConnectors that connect to Windows-based databases (such as Microsoft SQL Audit DB) on Linux or other platforms using JDBC drivers. The ArcSight Connector Appliance Administrator’s Guide describes how to obtain and install the required JDBC drivers, and how to use the user-defined JDBC Repository feature to install the drivers on the local Connector Appliance.

Note: Database SmartConnectors that use Microsoft SQL Server 2005 JDBC Driver 1.2 do not run in FIPS mode. For the database connectors to run in FIPS mode, you need to install Microsoft SQL Server 2005 JDBC Driver 1.1.

File Type SmartConnectors
Any event sources, including scanners running in automatic mode and Windows-based sources, can write to files on a Remote File System (also known as NFS and CIFS Storage) that the Connector Appliance can mount and access.

Note: Appliance-based, file-type SmartConnectors require NFS or CIFS storage mounts, as appropriate.

Configure an NFS mount (Setup > System Admin > Storage > Remote File System > NFS) or a CIFS mount (Setup > System Admin > Storage > Remote File System > CIFS) before configuring the SmartConnector. For more information, see the ArcSight Connector Appliance Administrator’s Guide.

API Type SmartConnectors
On the Connector Appliance, you cannot use Microsoft and other API-type SmartConnectors that need to be located on the host they are monitoring. CheckPoint OPSEC SmartConnectors are supported in sslca mode using the pull cert command described in the ArcSight Connector Appliance Administrator’s Guide. The following API-type SmartConnectors work with the Connector Appliance, but with the limitations listed below:

| API SmartConnector | Limitation |
| --- | --- |
| Check Point FW-1/VPN-1 OPSEC | Only clear and sslca modes are supported. sslopsec mode is not supported. |
| Check Point FW-1/VPN-1 OPSEC (Legacy) | Only clear and sslca modes are supported. sslopsec mode is not supported. |
| Sourcefire Defense Center eStreamer | Not supported in FIPS mode. |
| Windows Unified | Not supported in FIPS mode. |

Why does ArcSight Support require logs, and what log files do I need to provide to them?

ArcSight Technical Support requires the logs to perform the problem analysis and to provide the most optimal solution to the customers.

To perform the detailed problem analysis, the logs are needed for the following reasons:

1. To look at the details of the error messages.

2. To find out and to compare the time stamps of the error in various logs

3. To find out how many times the error has occurred and how the system is reacting to it.

4. To replicate the scenario in ArcSight's test systems and to compare test logs with the customer's logs.

Note: Always provide the latest logs to ArcSight Support.

ArcSight Logs overview

ArcSight Console

Log Name: console.log

Location: <ARCSIGHT_HOME>/current/logs

Log Contents:
* Console exceptions
* Login failures
* Server exceptions passed to the Console
* Certificate problems

Oracle Logs

1. Log Name: alert_arcsight.log

Location: /admin/arcsight/bdump:

* Information/errors related to database down or database being hung
* Information/ errors related to redo archive logging
* Information/errors related to db file/ OS corruption

2. Log Name: Listener.log

Location: \network\log


Log Contents
* Information related to startup/shutdown of the Oracle Listener

3. Log Name: Sqlnet.log

Location: \network\log
* Information/errors related to connection failures

ArcSight DB Logs:

1. Log name: On Database Server /logs/agent.log

Log Contents:
* information and errors on archiving and reactivation errors

2. Log name: On Database Server /logs/agent.out.wrapper.log

* Information and related errors on the startup of the PA

ArcSight Web

Location: All of the ArcSight Web logs are located on the server with ArcSight Web at /logs/default

1. Log Name: Server.status.log

Log Contents:
* Information on open sessions
* General health status

2. Log Name: Webserver.log

* Communication with the Manager
* Related errors/warnings

3. Log Name: Webserver.std.log

Log Contents:
* Server start/stop messages
* Information on thread dumps
* Information on startup exceptions
* Information on memory status

ArcSight SmartConnector

Location: All of the SmartConnector logs are located on the connector server at /current/logs

1. Log Name: Agent.log

Log Contents:
* Startup information, i.e. loaded parsers and categorization files
* Connector/Manager communication information
* Device communication information
* Event throughput statistics
* Operational errors and warnings
* Connector files, i.e. queue and cache files

2. Log Name: Agent.out.wrapper.log

Log Contents:
* Startup messages
* JVM details
* Environment details
* Simple event throughput statistics
* Memory information

3. Log Name: agent.properties file

Location: <ARCSIGHT_HOME>\current\user\agent

Contents:
* SmartConnector Configuration

ArcSight Connector Appliance

Log Location: All of the logs can be collected from GUI: Manage > Localhost > Containers tab. Check the Container you need logs for and click Logs Button. Follow the wizard.

1. Container logs are the same as ArcSight SmartConnector logs above. Container logs are for issues with a single container or SmartConnector.

a. Agent.out.wrapper.log pertains to the logs for the Container

Log Contents:

* Startup messages
* JVM details
* Environment details
* Simple event throughput statistics
* Memory information

b. Agent.log file pertains to the SmartConnectors running inside the Container

Log Contents:

* Startup information, i.e. loaded parsers and categorization files
* Connector -> Manager communication information
* Device communication information
* Event throughput statistics
* Operational errors and warnings
* SmartConnector files, i.e. queue and cache files

Log Location: Setup > Backup/Restore > Appliance Snapshot

Snapshots include logs for all Containers, Platform, and System.
Snapshot logs are for issues with the appliance.

ArcSight Manager

Location: On the Manager server, at <ARCSIGHT_HOME>/logs/default

1. Log Name: Server.log

Log Contents:
* Most detailed information about manager’s health, contains errors or exceptions

2. Log Name: Server.std.log

Log Contents:
* Memory information, persistence times, thread dumps

3. Log Name: Server.status.log

Log Contents:
* Detailed information about every component

4. Log Name: Server.report.log

Log Contents:
* Contains information about every report including report ID and query

5. Log Name: Server.sql.log

Log Contents:
* Contains sql explain plans when requested

6. Log Name: Partitionmanager.log

Log Contents:
* Errors related to partition creation failures
* General information about Partition Manager tasks

7. Log Name: Partitionarchiver.log

Log Contents
* Errors related to Partition Archiver problems (also see agent.log on the database)
* General information about Partition Manager tasks


8. Log Name: Partitioncompressor.log

Log Contents:
* Errors related to Partition Compressor failures
* General information about Partition Compressor tasks

9. Log Name: Partitionstatsupdator.log

Log Contents:
* Errors about partition stats jobs
* General information about Partition Stats collection

ArcSight Logger

Log Location: All of the Logger logs can be collected from Logger GUI: GUI Configuration>retrieve logs


ArcSight NSP

1. Log Name: Command Log.

Log Location:
- For the NCM issues get the NCM Job Log from the GUI: NCM > View NCM Job Log > View details of the Config Management (CM) action > View Tasks > Command Log

- For the TRM issues get the TRM Job Log from the GUI: TRM > View Response Log > View Details > View Tasks > Command Log

2. Log Name: System's Error Log

Log Location: From the GUI: Admin > System > Error Log > copy/paste.

3. Log Name: Device Debug log

Location: From the GUI: Network Devices > Debug Log > click on the device IP > copy/paste.

4. Log Name: Support logs (most complete logs from NSP system):

Log Location: From the GUI: Admin > System > Error Log > click Support Logs

ArcSight Express

The log file for each component can be found in the following location:

1. On ArcSight Express Appliance:

1. First Boot Wizard: /opt/arcsight/manager/logs/firstboot.log

2. ArcSight Database: /opt/arcsight/db/logs

3. ArcSight Manager: /opt/arcsight/manager/logs/default

4. ArcSight Web: /opt/arcsight/web/logs/default

5. ArcSight Forwarding Connector: /opt/arcsight/connector/current/logs

2. On ArcSight Express Storage Appliance

ArcSight Logger: /opt/arcsight/logger/logs

3. On the machine where Console is installed:

ArcSight Console: \current\logs

Other Related Articles:

1. Run RDA for slow Database
Installing and running the Oracle Remote Diagnostic Agent on UNIX.


2. Take Manager Thread dumps:
Generate Thread Dumps

3. Enable SQL Explain Plans

What are Connector Appliance Health Events?


System health events were added to the SmartConnectors primarily for the Connector Appliance. These events are normally generated every 10 minutes (which can be changed or completely disabled using the agent.system.health.interval property in agent.properties).

These events are not preserved by default unless the Preserve System Health Events parameter in the Processing section is changed to Yes (in the Console, managed through a Connector Appliance, or in setup). Note that this means that if there are multiple destinations, the system health events can be preserved for some destinations and discarded for others.
All of the results are logged and available through the Get Status command, even if the events are not preserved.

Below are the details of the internal events that are generated for SmartConnector system health. In all cases the event Name field is set to Connector System Health Event.

The value is stored in the Device Custom Number 1 field and the units are indicated in the Device Custom String1 field. The Signature is stored in the Device Event Class ID field.

Here are some sample Connector Appliance Health Events:

| Item | Platforms | Category | Signature | Source |
| --- | --- | --- | --- | --- |
| Global CPU | Linux | /Monitor/CPU/Usage | cpu:100 | /proc/stat |
| Per CPU | Linux | /Monitor/CPUn/Usage | cpu:101 | /proc/stat |
| Per disk read | Linux | /Monitor/Disk/drive/Read | disk:102 | /proc/diskstats |
| Per disk write | Linux | /Monitor/Disk/drive/Write | disk:103 | /proc/diskstats |
| JVM memory | All | /Monitor/Memory/Usage/Jvm | memory:101 | MemoryMXBean |
| JVM heap memory | All | /Monitor/Memory/Usage/Jvm/Heap | memory:105 | MemoryMXBean |
| JVM non-heap memory | All | /Monitor/Memory/Usage/Jvm/NonHeap | memory:106 | MemoryMXBean |
| Per interface network input | Linux | /Monitor/Network/Usage/iface/In | network:100 | /proc/net/dev |
| Per interface network output | Linux | /Monitor/Network/Usage/iface/Out | network:101 | /proc/net/dev |
| Per interface network packet input | Linux | /Monitor/Network/Usage/iface/PacketsIn | network:102 | /proc/net/dev |
| Per interface network packet output | Linux | /Monitor/Network/Usage/iface/PacketsOut | network:103 | /proc/net/dev |
| Platform memory | Linux | /Monitor/Memory/Usage/Platform | memory:100 | /proc/meminfo |
| Platform buffers memory | Linux | /Monitor/Memory/Usage/Platform/Buffers | memory:102 | /proc/meminfo |
| Platform cached memory | Linux | /Monitor/Memory/Usage/Platform/Cached | memory:103 | /proc/meminfo |
| Platform free memory | Linux | /Monitor/Memory/Usage/Platform/Free | memory:104 | /proc/meminfo |

How to retrieve logs from Connectors installed on a Connector Appliance?

The Retrieve Logs command uploads logs from the selected Connectors onto the Connector Appliance. Uploaded logs can be found in the Connector Log Archive.

To request logs from one or more Connectors, follow the steps for your Connector Appliance version:

Versions 4.7 and prior:

1. Click the Bulk Operations tab, then click Connector Logs. Click the Retrieve Connector Logs button.

2. Check the box for each Connector from which you want to retrieve logs, then click Retrieve.

3. To download the retrieved logs, use the Connector Log Repositories.

4. To retrieve a specific log, Click the Bulk Operations tab, then click Connector Logs and click the Connector Log Repositories tab.

5. Find the specific log file in the table, then click the Retrieve icon. Specify a name and location for the log file to be saved locally.

Version 5.0

1. Click the Advanced Operations tab, then click Logs from the left-side panel. Click the Retrieve Connector Logs tab.

2. Check each connector from which to retrieve logs, then click Retrieve.

3. To download the retrieved logs, use the View Retrieved Logs tab.

4. Find the specific log in the table, then click the Retrieve button (Down Arrow). Specify a name and location for the log file to be saved locally.

Version 5.1 and onwards:

1. Go to Manage. On the left pane, choose the host you would like to get the logs from.

2. Check the appropriate Containers and press the Logs button.

3. Press Next to generate the logs, wait for the logs to be generated, then press Done.

4. To download the retrieved logs, go to Setup > Repositories > Logs. Press the down arrow icon to the right of the log name to save the log.

Monday, March 26, 2012

General configuration guidelines for Connector Appliance

1. For high-throughput SmartConnectors (i.e., Syslog, Windows Unified, Blue Coat, etc) install only one SmartConnector per Container.

2. Tune the polling interval to reduce the network traffic. This is especially true for slower links (i.e., remote sites connected via satellite link)

3. Newer Connector Appliance models have more memory and CPU, and thus are more stable.

4. Ensure that each Container's JVM heap is not maxed-out (check agent.out.wrapper.log)

5. Check if on-board connectors are caching or generating queue files.

6. Check the process status (System Admin > Process Status)

7. Confirm that the appliance is configured with correct DNS server and hostname.

8. Check on possibility of multi-threading the connector transport, which facilitates greater event flow & less latency.

9. Lower the thread count if you want to run multiple high-throughput SmartConnectors in a single container.