How to troubleshoot SmartConnector issues using log files? – ArcSight SIEM

As a SIEM administrator, and specifically if you work with ArcSight SIEM, a very important part of the ArcSight infrastructure is the connectors. The connector is the “agent/client” that acts as a listener [syslog] or reads from specific files, folders, multiple folders, databases, etc.; which of these it does depends on the connector type, its purpose and how it was built.

For this example we will use the following specs:

Connector Type:

Microsoft Windows Event Log – Native // [agents[0].type=winc]

Connector Name:

wrapper.ntservice.name=arc_winc

wrapper.ntservice.displayname= ArcSight Microsoft Windows Event Log – Native

Connector Version:

<ArcSight Connector Version: 7.7.0.8036.0>

Parser Version:

<ArcSight Parser Version: 7.7.0.8036.0>

OS installed:

os.name == Microsoft Windows Server 2008 R2 Enterprise

Connector Memory Heap Size:

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=256

==

This connector [WINC] normally reads events from different log files (custom logs; it also works with the WEC and WEF features of the Windows OS), then processes all the information and sends it to the destination already configured. Other connectors, like syslog connectors, act only as [listeners]: you just install the connector, configure the source devices to send events to that specific port, and that is all; you will start receiving the events. You will also need to check the firewall rules, and other configuration related to permissions and communication, for it to work successfully.

The other connector types, folder and multifolder, can read different files from one specific path or from multiple folders under one specific path. Database connectors read from different database engines, tables, etc., and need to establish a connection between the connector and the database engine to work successfully. So checking the connection between the two is a basic step when you are troubleshooting database connectors, to know whether it is working as expected or not.

Right now I am not sure, but there may be more than 200 different ArcSight connector types.

The previous specs were collected from different log files; these are probably the most important ones.

The log files are:

agent.properties

In agent.properties you can see all the properties, and most of the configuration is there. In that file you can check information about the configured destinations and the “connector type”. You can find the agent.properties file in the following path of your installation folder: /current/user/agent

Remember that all these parameters and configuration will differ for every connector.

agent.wrapper.conf

In agent.wrapper.conf you can see information like the memory configuration, JVM (Java) configuration, service name, display name, etc. Very important specs here are:

– connector memory heap size
– connector name

By default the memory is 256MB and the maximum allowed is 4096MB (that will also depend on the host resources, but remember that the maximum allowed for the connector is 4096MB).

Note: It would be good to check the maximum allowed according to the guide, if possible.

You can find the agent.wrapper.conf file in the following path of your installation folder: /current/user/agent
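As an added example (not ArcSight's own tooling), the script below reads the heap and service keys from an agent.wrapper.conf and flags the two things worth checking against the limits stated above: a maximum heap above 4096MB, and an initial heap larger than the maximum, which the JVM rejects at start-up. The sample configuration is constructed from the lines shown in this post; only the wrapper.java.initmemory, wrapper.java.maxmemory and wrapper.ntservice.* keys are assumed, and every other key is ignored.

```python
"""Check SmartConnector heap settings in agent.wrapper.conf.

Added example, not part of ArcSight. Assumes the file is plain key=value
lines with '#' comments, which is how the post shows it.
"""

# Constructed sample of the relevant agent.wrapper.conf lines.
SAMPLE_CONF = """\
# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=256

wrapper.ntservice.name=arc_winc
wrapper.ntservice.displayname=ArcSight Microsoft Windows Event Log - Native
"""

MAX_HEAP_MB = 4096  # connector limit stated in the post
DEFAULT_HEAP_MB = 256  # default stated in the post


def parse_wrapper_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_heap(props):
    """Return a list of problems with the heap settings (empty when OK)."""
    try:
        init_mb = int(props.get("wrapper.java.initmemory", DEFAULT_HEAP_MB))
        max_mb = int(props.get("wrapper.java.maxmemory", DEFAULT_HEAP_MB))
    except ValueError:
        return ["heap settings are not integers"]
    problems = []
    if max_mb > MAX_HEAP_MB:
        problems.append(
            f"maxmemory {max_mb} MB exceeds the {MAX_HEAP_MB} MB connector limit")
    if init_mb > max_mb:
        # The JVM refuses to start when -Xms is larger than -Xmx.
        problems.append(
            f"initmemory {init_mb} MB is larger than maxmemory {max_mb} MB")
    return problems


def describe(props):
    """One-line summary of the connector identity and heap, for a report."""
    return (f"{props.get('wrapper.ntservice.name', '?')} "
            f"({props.get('wrapper.ntservice.displayname', '?')}): "
            f"heap {props.get('wrapper.java.initmemory', DEFAULT_HEAP_MB)}/"
            f"{props.get('wrapper.java.maxmemory', DEFAULT_HEAP_MB)} MB")


if __name__ == "__main__":
    import sys
    # Usage: python check_wrapper_conf.py [path/to/agent.wrapper.conf]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    props = parse_wrapper_conf(text)
    print(describe(props))
    for problem in check_heap(props) or ["heap settings look fine"]:
        print("-", problem)
```

Run it with the path to /current/user/agent/agent.wrapper.conf as the only argument; with no argument it checks the constructed sample.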

ArcSight_SmartConnector_Install_10_06_2018_16_19_57

In this log file, “ArcSight_SmartConnector_Install_….”, an important fact is the date the connector was installed. You can see that in the filename, but inside you can see the specific time the installation began and ended. There you can also see information about the operating system where you installed the connector, the user you used, the Java version you are using, etc.

Example:

Installed Feature(s) SmartCo of ArcSight SmartConnector

Install Begin: OCTOBER 6, 2018 4:18:53 PM PDT
Install End: OCTOBER 6, 2018 4:31:06 PM PDT

You can find the ArcSight_SmartConnector_Install_10_06_2018_16_19_57 log file in the following path of your installation folder: /current/logs/install

agent.log & agent.out.wrapper.log

agent.log is basically the most important log file when we talk about the behavior of the connector; together with [agent.out.wrapper.log], these two are the most used log files to see what is happening with the connector.

You can find them in the following path: /current/logs/

The most common keywords to search for in these logs are:

– ERROR
– WARN
– FATAL
– {c=
– {eps=

ERROR, WARN and FATAL are basically for finding specific errors of the connector: communication, queuing, caching, performance, etc. If you want to know whether the connector is caching or not, just search for {c=: if the result is c=0, the connector is not caching; otherwise it is. If the connector is caching, you may need to increase the memory and the batch size, and you will probably need to use some specific parameters to release the cache. {eps= shows you the number of events sent per second; {eps=0 means the connector is not processing and sending events, so you will probably need to double-check why you are not receiving or processing events.

If you see RED ZONE or YELLOW ZONE warnings in these logs, you probably have performance issues and may need to increase the memory and split the load across several connectors; that will depend on the number of events the connector is handling.
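The keyword search described above, as an added example that is not part of this post or of ArcSight: the script scans an agent.log for ERROR/WARN/FATAL lines, pulls the {c= and {eps= values out of the status lines, notes any RED ZONE or YELLOW ZONE warning, and turns the result into the checks recommended above. The sample lines are constructed to resemble agent.log status output and are not verbatim ArcSight logs; the exact layout of the status fields is an assumption, which is why the patterns only rely on the `{c=` and `{eps=` prefixes named in the post (matched case-insensitively).

```python
"""Summarise an ArcSight SmartConnector agent.log using the post's keywords.

Added example, not ArcSight tooling. Assumes a log level appears in a
bracketed field ('[ERROR]', '[WARN ]') and that status lines carry
'{C=<n>' and '{Eps=<n>' fragments; the sample below is constructed.
"""
import re
from collections import Counter

# Constructed sample lines (not verbatim ArcSight output).
SAMPLE_LOG = """\
[2018-10-06 16:35:12,001][INFO ][_StatusLoggerAgent][logStatus] {C=0, ET=Up, HT=Up, N=arc_winc, S=0} {Eps=12.5, Evts=750}
[2018-10-06 16:36:12,002][WARN ][_DestinationManager][run] Destination queue is 80% full
[2018-10-06 16:37:12,003][INFO ][_StatusLoggerAgent][logStatus] {C=4096, ET=Up, HT=Up, N=arc_winc, S=0} {Eps=0.0, Evts=750}
[2018-10-06 16:38:12,004][ERROR][_Sender][send] Connection refused: manager.example:8443
[2018-10-06 16:39:12,005][FATAL][_MemoryMonitor][check] Heap usage in RED ZONE
"""

LEVEL_RE = re.compile(r"\]\[(ERROR|WARN|FATAL)\s*\]")
CACHE_RE = re.compile(r"\{c=(\d+)", re.IGNORECASE)
EPS_RE = re.compile(r"\{eps=([\d.]+)", re.IGNORECASE)
ZONE_RE = re.compile(r"\b(RED|YELLOW) ZONE\b")


def scan_agent_log(text):
    """Collect levels, cache sizes, EPS samples and zone warnings per line."""
    levels, zones = Counter(), Counter()
    cache_samples, eps_samples = [], []
    for line in text.splitlines():
        if m := LEVEL_RE.search(line):
            levels[m.group(1)] += 1
        if m := CACHE_RE.search(line):
            cache_samples.append(int(m.group(1)))
        if m := EPS_RE.search(line):
            eps_samples.append(float(m.group(1)))
        if m := ZONE_RE.search(line):
            zones[m.group(1)] += 1
    return {
        "levels": dict(levels),
        "cache_samples": cache_samples,
        "eps_samples": eps_samples,
        "zones": dict(zones),
        # Any c>0 sample means events were cached at the connector.
        "caching": any(c > 0 for c in cache_samples),
        # eps=0 in the latest status means nothing is being sent right now.
        "stalled": bool(eps_samples) and eps_samples[-1] == 0.0,
    }


def diagnose(summary):
    """Map the summary onto the checks the post recommends."""
    findings = []
    if summary["caching"]:
        findings.append("connector is caching: review heap size, batch size and destination health")
    if summary["stalled"]:
        findings.append("eps=0 in latest status: check that events are being received and processed")
    if summary["zones"]:
        findings.append("memory zone warnings present: consider more heap or splitting load across connectors")
    for level in ("FATAL", "ERROR", "WARN"):
        if n := summary["levels"].get(level, 0):
            findings.append(f"{n} {level} line(s) to review")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan_agent_log.py [path/to/agent.log]
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for finding in diagnose(scan_agent_log(text)) or ["nothing to report"]:
        print("-", finding)
```

Point it at /current/logs/agent.log (or agent.out.wrapper.log) to get the same summary for a live connector; a healthy run returns no findings, which is the quickest way to confirm that c=0 and eps is above zero.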

Finally, the connectors are developed in Java, so if you have previously worked with Java you will be familiar with them. Java exceptions are sometimes very specific because the programmer handles the workflow exceptions with common words, so it is easy to understand the errors and what is happening with the connector.

Enjoy.
