ArcSight Smart Connectors have a very useful feature: you can set up a filter that matches unwanted events so that they are not sent to a destination (ESM ArcSight, Logger, etc.). It works very well from the ESM ArcSight: you just need to open the connector's properties, select the "Filter" tab and create a filter that matches the unwanted events. A Smart Connector re-reads its configuration on a regular basis and will apply a new filter within the next 5 minutes.
Things are completely different when you have a Connector Appliance, or when Smart Connectors are managed via a Connector Appliance. HP/ArcSight defines a special syntax for writing filter expressions. For example:
deviceVendor EQ "Unix" and deviceEventId EQ "1001"
But there is a problem: it does not work. The Smart Connector updates its configuration and … nothing happens. Events still arrive at the destination as if no filter were defined. What happens? It appears that the ESM ArcSight updates the connector's configuration properly, but the Connector Appliance does the same thing incorrectly.
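One way to confirm the symptom described above is to scan what the destination actually receives for events the filter should have dropped. The script below is an added example, not part of the original post or of any ArcSight tooling; it assumes the destination output is available as CEF text, that deviceEventId corresponds to the CEF header's Device Event Class ID, and that EQ is an exact string match. The sample lines are constructed.

```python
# Added example: find events at a destination that a filter-out rule should have dropped.
# Conditions taken from the page's filter: deviceVendor EQ "Unix" and deviceEventId EQ "1001".
# Assumptions: destination output is CEF text; deviceEventId maps to the CEF header's
# Device Event Class ID; EQ is treated as an exact, case-sensitive string match.
FILTER_OUT = {"deviceVendor": "Unix", "deviceEventId": "1001"}
HEADER = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
          "deviceEventId", "name", "severity")

def parse_cef_header(line):
    """Return the seven CEF header fields as a dict, or None if the line is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    text, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(text) and len(fields) < len(HEADER):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])   # escaped pipe or backslash inside a value
            i += 2
            continue
        if ch == "|":                 # unescaped pipe ends the current field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == len(HEADER) - 1:  # header with no trailing extension part
        fields.append("".join(cur))
    return dict(zip(HEADER, fields)) if len(fields) == len(HEADER) else None

def leaked_events(lines, rule=FILTER_OUT):
    """Return the lines whose header matches every condition of the filter-out rule."""
    leaked = []
    for line in lines:
        hdr = parse_cef_header(line)
        if hdr and all(hdr.get(k) == v for k, v in rule.items()):
            leaked.append(line)
    return leaked

# Constructed sample of destination output (not real events).
SAMPLE = [
    "Jan 10 10:00:01 host CEF:0|Unix|Unix|1.0|1001|Accepted password|3|src=10.0.0.5",
    "Jan 10 10:00:02 host CEF:0|Unix|Unix|1.0|2002|Session opened|2|src=10.0.0.5",
    "Jan 10 10:00:03 host CEF:0|Other\\|Vendor|App|2.1|1001|Login|3|",
    "not a CEF line",
]

if __name__ == "__main__":
    for event in leaked_events(SAMPLE):
        print("filter not applied, event still delivered:", event)
```

Run it over events received after the 5-minute configuration refresh window; any match means the filter is not in effect on that connector.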