Out of Sync devices

Document created by tliu on Aug 8, 2009. Last modified by GCA on Aug 9, 2009.

This document was generated from the following thread: Out of Sync devices by GCA

 

 

I developed this rule to detect incorrectly synchronized devices. The rule is based on a timediff between end time and manager receipt time.

 

A few notes:

 

  • The acceptable time needed to get an event in the manager from a device can vary depending on the network location or connector type. So it could be useful to create several rules with different timediffs.

 

  • Results can sometimes not be perfectly accurate. For instance, if your connector is emptying its cache, the timediff for older events will be higher than your threshold and the device will be considered as being out of sync, which is not necessarily the case. To circumvent this issue, you can exclude from the rule events coming from a connector emptying its cache (see http://forum.arcsight.com/showthread.php?t=1453 for more info).

 

Even if not always 100% accurate, I found this indicator to be very useful when used in conjunction with a report to pinpoint time synchronization problems.

 

Enjoy Gaetan
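
The logic described in the post, sketched outside ArcSight as an added example (not the author's rule and not ArcSight rule syntax). The dictionary keys, the `connector_flushing_cache` flag, the thresholds and the sample events are all assumptions constructed for illustration; the example also takes the absolute difference so that a device whose clock runs ahead is caught too.

```python
from datetime import datetime, timedelta

# Assumed per-connector-type thresholds (constructed values). The post suggests
# separate rules with different timediffs per network location or connector type.
THRESHOLDS = {"syslog": timedelta(minutes=5), "database": timedelta(minutes=30)}
DEFAULT_THRESHOLD = timedelta(minutes=10)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def out_of_sync_devices(events):
    """Return {device: largest timediff} for devices exceeding their threshold."""
    flagged = {}
    for ev in events:
        # Hypothetical flag: skip events replayed while a connector empties its
        # cache, since their age reflects the backlog and not the device clock.
        if ev.get("connector_flushing_cache"):
            continue
        # abs() so a clock running ahead is caught as well as one running behind.
        diff = abs(parse(ev["manager_receipt_time"]) - parse(ev["end_time"]))
        limit = THRESHOLDS.get(ev["connector_type"], DEFAULT_THRESHOLD)
        if diff > limit and diff > flagged.get(ev["device"], timedelta(0)):
            flagged[ev["device"]] = diff
    return flagged


# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    {"device": "fw01", "connector_type": "syslog",    # 20 s lag: in sync
     "end_time": "2009-08-08 12:00:00", "manager_receipt_time": "2009-08-08 12:00:20"},
    {"device": "srv02", "connector_type": "syslog",   # about 1 h behind: flagged
     "end_time": "2009-08-08 11:00:00", "manager_receipt_time": "2009-08-08 12:00:10"},
    {"device": "db03", "connector_type": "database",  # 15 min, within 30 min limit
     "end_time": "2009-08-08 11:45:00", "manager_receipt_time": "2009-08-08 12:00:00"},
    {"device": "ids04", "connector_type": "syslog",   # old event from cache: excluded
     "end_time": "2009-08-08 09:00:00", "manager_receipt_time": "2009-08-08 12:00:00",
     "connector_flushing_cache": True},
    {"device": "rtr05", "connector_type": "syslog",   # clock ahead by ~20 min: flagged
     "end_time": "2009-08-08 12:20:00", "manager_receipt_time": "2009-08-08 12:00:05"},
]

if __name__ == "__main__":
    for device, diff in sorted(out_of_sync_devices(SAMPLE_EVENTS).items()):
        print(device, diff)
```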
