Some types of events are not visible in ESM Console

  • KM03793331
  • 02-Apr-2021
  • 06-May-2021

Summary

Some types of events are not visible in the Active Channel of the ESM Console, but they are searchable in Command Center.

Question

Some events are not visible in the Active Channel of the ESM Console, but they are physically stored in the database and can be found with the event search in Command Center. Those categories of events can be visible in Logger as well. This can happen when receiving events from a FlexConnector.
 

Answer

The Session Id field causes this problem. The Active Channel of the ESM Console can't display events that have this field set. This happens because Active Channels use the Session Id field internally to work out where events should be shown for the time period they are bucketed into.
The Session Id is NOT an ArcSight CEF field according to the guide "Micro Focus Security ArcSight Common Event Format v 2.5":
https://community.microfocus.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Implementation-Standard/ta-p/1645557
 
The solution is to remove the "Session Id" field from the outgoing events of the FlexConnector (in the parser properties file).
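
One way to find the mappings to remove is to scan the parser properties file before redeploying it. The script below is an added example, not Micro Focus code. It assumes the field is written `event.sessionId` in the parser, either as a property name or inside a comma-separated field list; the sample file is constructed.

```python
# Added example: locate Session Id mappings in a FlexConnector parser file.
# Assumption: the field is written "event.sessionId" in the parser; change
# SESSION_ID_KEY if your connector uses a different spelling.
SESSION_ID_KEY = "event.sessionid"  # compared case-insensitively

def logical_lines(text):
    """Yield (first_line_no, line): comments dropped, '\\' continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        piece = raw.strip()
        if not buf:
            if not piece or piece[0] in "#!":
                continue  # blank line or commented-out property
            start = no
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield start, buf + piece
        buf = ""
    if buf:
        yield start, buf

def find_session_id_mappings(text, key=SESSION_ID_KEY):
    """Return [(line_no, property_name, value)] for properties that set the field."""
    hits = []
    for no, line in logical_lines(text):
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        lowered = name.lower()
        # Field used as the property name, bare or behind a prefix.
        as_name = lowered == key or lowered.endswith("." + key)
        # Field listed in a comma-separated value (assumed field-list style).
        as_value = key in (v.strip().lower() for v in value.split(","))
        if as_name or as_value:
            hits.append((no, name, value))
    return hits

# Constructed sample parser file, not taken from a real connector.
SAMPLE = r"""# constructed sample
token.count=2
token[0].name=Sess
token[1].name=Msg
#event.sessionId=Old
event.sessionId=Sess
event.name=Msg
submessage[0].pattern[0].fields=event.message,\
    event.sessionId
"""

if __name__ == "__main__":
    for no, name, value in find_session_id_mappings(SAMPLE):
        print(f"line {no}: {name}={value}")
```

An empty result means no active property in the file sets the field; commented-out lines are ignored.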