This release note provides information about new features, enhancements, and fixes in ArcSight ESM version 6.0c. This version introduces the Correlation Optimized Retention and Retrieval (CORR) Engine for improved performance over Oracle storage. It also includes a new streamlined Management Console interface. While an in-place upgrade is not supported, the release provides a tool to migrate resources from a legacy ESM installation to the CORR-based version.
This document provides guidance on installing and configuring the Configuration Monitoring content package for ArcSight ESM 6.0c. It discusses installing the Configuration Monitoring package, configuring assets and categories, configuring active lists, ensuring filters capture relevant events, enabling rules, and configuring notifications, reports and trends. Configuring the network model, asset categories, and relevant active lists activates the Configuration Monitoring content for an organization's environment.
The document discusses network monitoring standard content from HP ArcSight. It includes content packages for network monitoring that provide comprehensive correlation, monitoring, reporting, alerting and case management for network traffic analysis. The content supports various network devices and helps calculate bandwidth usage. It also provides installation instructions and an overview of the network monitoring resources and reports included in the standard content.
Configuration Monitoring Standard Content Guide for ESM 6.5c Protect724migration
The document discusses standard content in ArcSight, which includes coordinated resources that address common security and management tasks. Standard content comes pre-installed and in optional packages that can be installed. The Configuration Monitoring content provides resources for monitoring device configurations and changes. It discusses installing the content package, configuring the resources, and the types of resources included for monitoring assets, configuration changes, security applications, and vulnerabilities.
NetFlow Monitoring 1.1 Standard Content Guide Protect724
The document is a standard content guide for NetFlow monitoring content in ArcSight ESM 5.2. It discusses what standard content is, how to install the NetFlow monitoring package, and how to configure the NetFlow monitoring content, including setting up smart connectors, modeling the network, categorizing assets, ensuring filters capture relevant events, scheduling reports, restricting access to vulnerability reports, and configuring trends.
The Configuration Monitoring content package monitors and reports on changes to network configurations. It identifies unauthorized modifications to systems, devices, and applications. Key tasks to configure the content include modeling the network, categorizing assets, configuring active lists, enabling rules, and ensuring filters capture relevant events. Notifications, reports, and trends can also be customized for the monitored network.
The document is a standard content guide for NetFlow monitoring that provides an overview of standard content and the NetFlow monitoring content package. It discusses installing and configuring the NetFlow monitoring package, the components of the NetFlow monitoring content, and upgrading standard content.
The document provides an overview of standard content in ArcSight ESM. Standard content includes packages that are installed automatically to provide system health monitoring and optional packages that address common security and network monitoring tasks. The network monitoring content focuses on bandwidth usage, device activity, hosts and protocols, top security risks, and overall traffic overview. It provides coordinated resources like filters, rules, dashboards and reports to monitor network activity and security out of the box with minimal configuration.
The document discusses NetFlow monitoring content included in the standard content package for ArcSight ESM. The content includes filters, rules, dashboards, and reports to provide comprehensive network monitoring, correlation, and reporting capabilities out of the box. The document provides instructions on installing and configuring the NetFlow monitoring content, including setting up smart connectors, categorizing assets, configuring filters, scheduling reports, and adjusting trends.
Network Monitoring Standard Content Guide Protect724
The document discusses network monitoring standard content in ArcSight, which includes pre-configured filters, rules, reports and trends. It is designed to provide comprehensive network monitoring capabilities out of the box with minimal configuration. The network monitoring content monitors bandwidth usage, device activity, hosts/protocols, and generates reports on top threats. It can be installed and customized further to model specific network environments and capture relevant network data.
Configuration Monitoring Standard Content Guide Protect724
The document discusses the Configuration Monitoring content for ArcSight ESM 5.2. It includes instructions for installing the Configuration Monitoring package, configuring the content by modeling the network, categorizing assets, configuring active lists and filters, and enabling rules, notifications, reports and trends. The content helps identify, analyze and remediate undesired modifications to systems, devices and applications on the network.
The document provides guidance on installing and configuring the Workflow content package in ArcSight ESM. It describes installing the Workflow package, modeling the network and categorizing assets, enabling rules, configuring notifications and cases, scheduling reports, and configuring trends. Proper configuration of these elements ensures the Workflow content functions as intended to support incident response tracking.
The Workflow content package provides resources for tracking security incidents and cases in ESM, including active channels and reports. Key configuration tasks include modeling the network, categorizing assets, enabling relevant rules, ensuring filters capture necessary events, configuring notification destinations, and enabling notifications and cases in rules. Reports can also be scheduled to run automatically and trends configured to gather long-term data for reporting.
The document provides instructions for configuring NetFlow monitoring content in ArcSight ESM, including installing the NetFlow monitoring package, modeling the network, categorizing assets, ensuring filters capture relevant events, scheduling reports, restricting access to vulnerability reports, and configuring trends.
This document provides an overview of standard content in ArcSight ESM, including what standard content is, the different standard content packages, and the workflow content package. Standard content includes coordinated resources that address common security and management tasks. It consists of packages that are automatically installed with ESM or can be optionally installed. The workflow content package contains resources for case tracking, notifications, and reporting related to security incidents.
This document provides an overview of standard content in ArcSight, including:
- Standard content consists of coordinated resources like filters, rules, and reports that address common security tasks.
- It includes packages for core security, administration, systems, and optional foundations that are organized by category.
- The IPv6 content package reports on data from networks using IPv6 addresses and is described in this guide.
Forwarding Connector User's Guide for 5.1.7.6151 and 6154 Protect724
This document provides instructions for installing and configuring the ArcSight Forwarding Connector to forward events from an ArcSight ESM Source Manager to various destinations, including an ArcSight ESM Destination Manager, ArcSight Logger, NSP Device Poll Listener, CSV file, McAfee ePolicy Orchestrator, and HP Operations Manager. It covers standard installation procedures, assigning privileges on the source manager, forwarding correlation events, and increasing the filestore size for the enhanced connector.
This document provides an overview of standard content for NetFlow monitoring in ArcSight ESM. It discusses what standard content is, including that it provides out-of-the-box correlation, monitoring, reporting, alerting and case management. It also describes the different types of standard content packages that are available and how the NetFlow monitoring content fits into the standard content framework.
Intrusion Monitoring Standard Content Guide Protect724
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 5.2. It describes the various types of intrusion monitoring content included, such as alerts from IDS/IPS, anti-virus activity, attack rates, attackers, and login tracking. It also provides instructions on installing the content package, modeling the network, configuring rules and filters, and scheduling reports. The content is designed to help customers monitor, detect, and investigate potential security threats on their network.
Configuration Monitoring Standard Content Guide for ESM 6.8c Protect724migration
The document discusses HP ArcSight ESM standard content, which provides pre-configured monitoring, reporting, and analysis resources. It includes content packages that are automatically installed for system health monitoring and optional packages that can be selected during installation for specific monitoring needs like configuration monitoring. The standard content coordinates filters, rules, dashboards and other resources to address common security tasks with minimal configuration.
SafePeak offers a Plug & Play application acceleration solution for cloud, hosted and business SQL server applications.
SafePeak uses its unique Dynamic Database Caching to resolve information access bottlenecks and latency without any change to existing applications or databases.
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring standard content package for HP ArcSight ESM. The content package includes alerts, reports, and resources for monitoring intrusions, attacks, vulnerabilities, and other security events. It discusses the various resource groups and the types of events and information monitored by each. The document also provides instructions for modeling assets, configuring rules, notifications, and other settings to fully implement intrusion monitoring with the standard content.
This document provides an administrator's guide for version 6.4 of the ArcSight Connector Appliance. It includes information on installing, configuring, and managing the Connector Appliance. The guide covers topics such as installing the appliance hardware or software version, understanding the user interface, backup and restore, system administration settings, managing connectors, and monitoring the appliance.
This document provides instructions for installing and configuring the ArcSight Database component. It includes guidelines for sizing and preparing the database platform, installing the Oracle database software, creating a new Oracle instance, and initializing the ArcSight schema, tablespaces and resources. The document also covers restarting or reconfiguring the database, and configuring partition management functionality.
This document provides an overview and administration guide for Oracle Clusterware and Real Application Clusters (RAC). It describes the Oracle Clusterware and RAC software architectures, components, installation processes, and key features. The document also covers administering Oracle Clusterware components like voting disks and the Oracle Cluster Registry, storage management, database instances, services, and backup/recovery in RAC environments. Administrative tools for RAC like Enterprise Manager, SQL*Plus, and SRVCTL are also discussed.
Poria Hospital in Israel was struggling to provide fast response times for its mission-critical applications like electronic medical records during periods of high usage. This was causing performance issues. The hospital installed SafePeak, an automated dynamic caching solution, to improve response times. With SafePeak, Poria Hospital saw SQL server load reduce by 50% on average and by 62% during peaks. It improved response times for applications, cutting response times for top queries by up to 94% and average response times by 45%. SafePeak helped Poria Hospital meet its service level agreements and improve performance of critical applications during busy times.
This document provides instructions for installing ArcSight ESM version 5.2 Patch 2. It includes steps for updating the ArcSight Database, ArcSight ESM Manager, ArcSight Console, and ArcSight Web Server components. Details are provided for installation on different platforms. The patch addresses critical issues in ESM v5.2 and provides updates to vulnerability mappings. Users should back up each component before installation and refer to release notes for any usage notes or known issues.
Safe peak installation guide version 2.1 Vladi Vexler
This document provides instructions for installing SafePeak, a software that accelerates data access for Microsoft SQL Server. It discusses minimum system requirements, how to install SafePeak, adding a license, configuring SQL database instances, connecting applications, and configuring dynamic objects and SQL patterns. The installation process involves choosing an installation type and location, setting up a virtual IP address, adding the SafePeak license, providing login credentials, and adding SQL database instances. Dynamic objects and non-deterministic SQL queries may require additional configuration for optimal caching.
ArcSight Express Release Notes Version 3.0 featuring ESM + CORR-Engine Protect724
This document provides release notes for ArcSight Express v3.0, including:
- It features ESM with CORR-Engine for increased performance and more compact data storage.
- It includes ESM 5.1.0.1281.3, CORR-Engine BL1093, and Process Management 1.0-1117.
- Installation and configuration instructions are provided for the ESM Console, Forwarding Connector, and First Boot Wizard.
This document provides release notes for ArcSight ESM Version 6.0c Patch 3, including:
- An overview of the purpose and usage notes for the patch.
- Instructions for upgrading to Red Hat Enterprise Linux 6.4.
- Details on fixes for issues in Analytics, the ArcSight Console, CORR-Engine, and installation.
- A list of open issues in the ArcSight Manager, installation, and ArcSight Web.
- Release notes for patches 1 and 2 are also included.
This document provides an overview and instructions for installing the ArcSight Forwarding Connector. The Forwarding Connector allows events from a source ArcSight ESM Manager to be forwarded to a destination ESM Manager, ArcSight Logger, or other non-ESM locations. Standard installation procedures are outlined, including verifying the source ESM is correctly installed, assigning privileges, installing the Forwarding Connector, upgrading, and uninstalling. Configuration instructions are provided for forwarding events to various destinations such as ESM Managers, Logger, CSV files, and HP and McAfee systems.
5. Confidential ESM Release Notes 1
ESM™ 6.0c Release Notes
Welcome to ESM™ 6.0c
ESM delivers ArcSight’s world-class Security Information and Event Management (SIEM)
with ArcSight's proprietary storage solution, the Correlation Optimized Retention and
Retrieval (CORR)-Engine. The CORR-Engine powers ESM’s superior correlation capabilities
with significant performance improvements over the Oracle storage.
What’s New in This Release
This topic describes the new features and enhancements added in this release.
CORR-Engine Storage and Archive Management
ESM 6.0c introduces the Correlation Optimized Retention and Retrieval
Engine (CORR-Engine), a proprietary data storage and retrieval framework
that replaces Oracle. CORR-Engine is optimized to run on systems with a
large number of cores and:
- Provides significant performance improvements over Oracle storage
- Reduces storage size significantly for online and archived data
- Receives and processes events at high rates, and performs high-speed searches
- Provides streamlined archive compression, storage, and management
Refer to the Management Console User’s Guide for details.
Management Console Interface
ESM 6.0c's new Management Console is a streamlined interface for:
- Monitoring and investigating events using dashboards and drill-downs
- Managing users, storage, and event data
- Accessing information on archives
- Updating licenses and setting up storage notifications
The Management Console is based on Web 2.0 technologies and uses an HTML5 charting
engine.
Refer to the Management Console User’s Guide for details.
Resource Migration
ESM 6.0c supports the migration of customer-created resources from Oracle
storage to the CORR-Engine with a simple engagement from HP ArcSight
Professional Services.
Upgrade Support
Instead of an in-place upgrade of Oracle-based ESM, CORRE-based ESM requires a fresh
installation. Your HP representatives have a special tool developed for migrating resources
from Oracle-based ESM to CORRE-based ESM. The tool needs to be run at the time of
installing CORRE-based ESM. Please contact your HP Account Representative for help with
this resource migration.
Migrating Resources
If you would like to migrate your resources from an existing (legacy) ESM installation, you
should do so on a freshly installed ESM on which resources have not been altered or
added. Any resources that are changed or added after the ESM 6.0c installation along with
their associations with any events will be wiped out while migrating the resources.
The resource migration tool migrates only the resources. It does not migrate the data.
Keep your existing ESM instance running to maintain historical data according to your
retention policies.
If you plan to migrate your resources from a legacy ESM installation, contact
your HP Account Representative to discuss your specific requirements and
coordinate migration during the installation of the ESM 6.0c software.
Geographical Information Update
This version of ESM includes an update to the geographical information used in graphic
displays. The version is GeoIP-532_20120201.
Vulnerability Updates
This release includes recent vulnerability mappings (August 2012 Context Update) for
these devices:
- Snort / Sourcefire SEU 680: updated Faultline, Bugtraq, CVE, Nessus
- Enterasys Dragon IDS: updated CVE
- Cisco Secure IDS S661: updated Bugtraq, CVE
- Juniper / Netscreen IDP update 2172: updated Faultline, CVE, MSSB
- TippingPoint UnityOne DV8360: updated Faultline, Bugtraq, CVE, Nessus, MSSB
- Symantec Endpoint Protection: updated Faultline, Bugtraq, CVE
- McAfee HIPS 7.0: updated CVE
- Radware DefensePro: updated CVE
Supported Platforms
ESM 6.0c is supported on Red Hat Enterprise Linux 6.2 64-bit platform. Refer to the
Product Lifecycle document available on the Protect 724 site for further information on
supported platforms and browsers.
ESM Patches
This release includes fixes released with ESM 5.0 SP2 Patch 3. ESM 5.0 SP2 Patch 4 and
any future patch fixes including ESM 5.2 Patch 1 are not included in this release of ESM
6.0c.
Verifying Secure Delivery
To ensure that files have not been either corrupted or tampered with in transit, HP ArcSight
provides an MD5 cryptographic hash for each product component and documentation file.
To verify a software file from the product download site, do the following:
1 On the product file download page, select the file you want to download.
2 In the "Selected media product information" section, find the 32-digit MD5 signature.
3 Verify the MD5 checksum using an independently generated MD5 checksum of the file.
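Step 3 above, as an added example that is not part of the release notes or of any HP ArcSight tooling: a shell function that computes a file's MD5 independently and compares it with the 32-digit value copied from the download page. The function names, exit codes and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded file against the 32-digit MD5 value
# published on the download page. The sample file and hash used in
# demo_constructed_sample are constructed for illustration.

# Print the lowercase hex MD5 digest of the file given as $1.
# The file is read on stdin so odd file names cannot alter the tool's output.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d ' ' -f 1
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 -r < "$1" | cut -d ' ' -f 1
    else
        echo "md5_of: neither md5sum nor openssl is installed" >&2
        return 2
    fi
}

# Normalise a published value: drop whitespace picked up by copy and paste
# and fold hex letters to lowercase.
normalise_md5() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'ABCDEF' 'abcdef'
}

# Succeed only if $1 is exactly 32 lowercase hex digits.
is_md5_hex() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# verify_md5 FILE PUBLISHED_MD5
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed
# (unreadable file, malformed published value, no hashing tool).
verify_md5() {
    file=$1
    expected=$(normalise_md5 "$2")

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "verify_md5: cannot read $file" >&2
        return 2
    fi
    if ! is_md5_hex "$expected"; then
        echo "verify_md5: published value is not 32 hex digits" >&2
        return 2
    fi

    actual=$(md5_of "$file") || return 2
    if ! is_md5_hex "$actual"; then
        echo "verify_md5: hashing tool returned unexpected output" >&2
        return 2
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (computed $actual, published $expected)" >&2
    return 1
}

# Demonstration on a constructed file: the 5 bytes "hello" have the
# well-known MD5 5d41402abc4b2a76b9719d911017c592. The published value is
# given in uppercase with spaces, as it might arrive from copy and paste.
demo_constructed_sample() {
    tmp=$(mktemp) || return 2
    printf 'hello' > "$tmp"
    verify_md5 "$tmp" "5D41402A BC4B2A76 B9719D91 1017C592"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Command-line use: sh verify_md5.sh FILE PUBLISHED_MD5
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
    exit $?
fi
```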
Usage Notes
Forwarding Connector
Make note of the following for the Forwarding Connector for ESM 6.0c:
- The Forwarding Connector for ESM 6.0c is only supported on Red Hat Enterprise Linux
  5.5 64-bit. The uninstallation process and any other commands are only supported on
  Red Hat Enterprise Linux 5.5 for ESM 6.0c.
- ESM 6.0c does not support upgrading to Forwarding Connector 5.2.5.6403.0 from any
  previous Forwarding Connector release. If you are installing ESM 6.0c in a hierarchical
  environment, please install Forwarding Connector 5.2.5.6403.0 directly.
- If you are forwarding events from ESM 5.2, the Forwarding Connector version used
  must be the one released with the latest ESM version, in this case version
  5.2.5.6403.0.
- The correlated Forwarding Connector functionality is not supported for ESM 6.0c.
- The automatic forwarding of base events offered with the Correlated Forwarding
  Connector feature is not supported for ESM 6.0c. On-demand pulling of events is also
  not supported.
Domains
The Domains feature is not supported for this release.
System Content Active List
The /All Active Lists/ArcSight Administration/ESM/System Health/Resources/Query Running Time
active list is a partially cached active list. At high EPS, there is a possibility of some
performance impact.
To work around this issue:
1 Edit /All Active Lists/ArcSight Administration/ESM/System Health/Resources/Query Running Time
to change the "Capacity (x1000)" attribute from 10 to 500.
2 Restart the Manager for this change to take effect.
Browser Support in FIPS with Suite B Mode
If you have installed the product in FIPS with Suite B mode, use the Firefox browser to
connect to the Manager.
You cannot use the Internet Explorer browser to connect to the Manager, since Internet
Explorer does not support FIPS with Suite B.
Starting and Stopping Components
The commands for starting and stopping components in ESM 6.0c are different
than the commands for starting and stopping components that were used in
prior releases of ESM with Oracle backend.
Also, in ESM 6.0c, the commands for starting and stopping components should
be run as user “arcsight”.
Running unsupported scripts may produce unexpected results, including system failure or
data loss.
For help on the supported "arcsight_services" commands, enter the following command while
logged in as user “arcsight”:
/sbin/service arcsight_services -help
If you inadvertently run unsupported scripts, rebooting the system will restore proper
operation in most cases.
Dashboard Warnings
An open dashboard periodically queries the Manager for new data to update itself. If the
dashboard doesn't get a timely response for the request, either because of network latency
or slow response from the Manager, the web browser will display the following warning
dialog:
"Unresponsive Script - A script on this page might be busy or
stopped responding"
Choose Yes to clear the message and stop the dashboard from updating itself. You need to
manually reload the browser as needed. If you choose No, the dashboard will continue
trying to update itself, and the warning dialog will continue to pop up.
ArcSight Web and Management Console
In Safari only: When accessing ArcSight Web from the Management Console for the very
first time, after you accept the Manager’s certificate, ArcSight Web opens up in a new tab
in the browser instead of opening within the Management Console itself.
Dashboards Containing Geographic Event Graph or Event Graph Data Monitors
On Internet Explorer only: In order to load dashboards that contain a Geographic Event
Graph or an Event Graph Data Monitor, the Google Chrome Frame plugin is required.
Workaround: Install the plugin manually from http://www.google.com/chromeframe.
Online Help in Internet Explorer with Chrome Frame Plugin
On Internet Explorer only: When using the Management Console, if you click the Help
link, the online Help does not open.
To work around this issue:
1 Refresh the browser page or click the refresh button. The browser prompts you
whether to accept the Manager’s certificate.
2 Click Yes. The browser will display the Help content.
Performance Considerations When Using Pattern Discovery
Using Pattern Discovery can cause performance degradation when discovery is performed
over a large number of matching events in a high EPS environment. When using an
environment with high EPS, define a filter to limit the events sent for Pattern Discovery
processing to be less than 1000 EPS.
Deploying a New License
If you need to swap your expired license for a new valid license, do so by running the
managersetup utility. Refer to the ESM Administrator’s Guide for details on running the
managersetup utility.
Frequently Asked Questions about ESM with CORR-Engine
The following section answers some frequently asked questions about ESM with
CORR-Engine.
How many machines do I need for installing ESM 6.0c? What platforms are ESM
6.0c supported on?
The ESM Manager and CORR-Engine components come integrated in a suite that is
installed on a single machine. Single machine install provides better scalability with
localized processing and storage tiers. ESM 6.0c should be installed on a single Red Hat
Enterprise Linux 6.2 64-bit machine. The Manager and CORR-Engine cannot be installed on
separate machines.
See the “Supported Platforms” section for information on supported platforms.
How do I plan my hardware requirements in order to get the maximum
performance from CORR-Engine?
The ESM 6.0c CORR-Engine solution scales better with additional cores. The more CPUs
used, the better the performance. When compared to Oracle, the CORR-Engine is less
dependent on I/O. Call HP ArcSight Professional Services for help with the sizing
requirements.
What are the hardware requirements for ESM 6.0c?
Refer to the “System Requirements” section in the “Installing ESM” chapter of the ESM
Installation and Configuration Guide.
Can ESM 6.0c be part of a mixed hierarchical architecture with ESM 5.x using a
Forwarding Connector?
Yes. You can forward events from ESM 5.0 SP2 with latest patch or 5.2 with latest patch to
ESM 6.0c. However, we recommend that you do not send events to ESM 5.x, and instead
send them directly to ESM 6.0c.
11. ESM 6.0c
Confidential ESM Release Notes 7
Will existing licenses work?
If you have a valid existing ESM license, you can use it with ESM 6.0c.
Can I continue to use my existing Loggers with ESM 6.0c?
Yes. You can forward events from Logger 5.3 to ESM 6.0c and vice versa.
Can I upgrade my existing ESM installation to ESM 6.0c?
Upgrade of an existing ESM installation is not supported for ESM 6.0c. However, you can
migrate your resources from your existing Oracle-backend ESM installation to your ESM
6.0c installation. See “Migrating Resources” on page 2 for further details on this.
How do I get to manage.jsp?
manage.jsp and other advanced troubleshooting tools, such as license.jsp and
resource.jsp, are available from the new Management Console by adding the following
string to the end of the Management Console home page URL: ?advancedadmin=true.
For example,
https://servername:8443/www/management-ui/com.arcsight.product.management.ui.WorkbenchLauncher/?advancedadmin=true
manage.jsp and the other advanced troubleshooting tools are not supported for general
customer use without guidance from HP ArcSight Customer Support.
Does the CORR-Engine use event side tables?
The CORR-Engine does not use event side tables. You see a significant improvement in the
CORR-Engine’s performance over Oracle because the need to join with side tables is
eliminated in the CORR-Engine.
Can I archive my events with CORR-Engine?
Yes, the event archiving functionality in CORR-Engine works much as it did in
ESM 5.x with Oracle. There are significant improvements in this feature, such as:
- better compression
- faster reactivation/deactivation
- easy to use
- no DBA needed
- has a web interface
- easier to scale
See the ESM Administrator’s Guide and the Management Console User’s Guide for further
details.
How do I back up and restore my data in ESM 6.0c?
Refer to the ESM Administrator’s Guide and the Management Console User’s Guide for
details on how to back up and restore your data.
How/When do I migrate my resources from my legacy ESM installation?
Once you have installed the ESM 6.0c software, you can migrate your resources from a
legacy ESM 5.x installation with the assistance of your HP ArcSight Account Representative.
The resource migration tool migrates only the resources. It does not migrate event data or
events attached to cases. Keep your existing ESM instance running to capture historical
data according to your retention policies.
If you would like to migrate your resources from an existing (legacy) ESM installation, you
should do so on a freshly installed ESM 6.0c on which resources have not been altered or
added. Any resources that are changed or added after installation, along with their
associations with any events, will be wiped out while migrating the resources.
What fields are indexed in CORR-Engine?
The CORR-Engine indexes every field, including customer-created fields, with the
exception of LOB-based fields, which it does not index. Oracle, by contrast, indexed only
a subset of fields. You do not need to add any custom indexes. This speeds up the searches
significantly.
Can the storage size of the CORR-Engine be changed after installing the
product?
Yes. Please contact HP ArcSight Professional Services through your HP Account
Representative for information and assistance on this.
How do I view my archive/storage info?
You can view your archive and storage information using the Management Console.
How does CORR-Engine do compression on archives?
The CORR-Engine’s archive file size is smaller than that of Oracle. You do not need to use
GZIP on data files since data is compressed inside the data files.
Are there any Oracle-based ESM features that are not supported in
CORR-Engine-based ESM?
The Domain feature is not supported in CORR-Engine-based ESM.
For forwarding of events, refer to the section “Forwarding Connector” on page 4; in
particular, note that auto-forwarding of base events is not supported.
Daily partitioning on trend and session list data is replaced by weekly partitioning.
Fixed Issues in ESM 6.0c
The following issues that were reported in the previous ESM release have been fixed in this
release of ESM 6.0c.
Analytics
Issue Description
NGS-448 In some cases, a query would run for more than 10 hours (but less than 20 hours)
before being canceled. The system now detects these situations and causes the
query to time out.
ArcSight Console
Issue Description
NGS-2167
TTP#66337
The server.log file showed an exception when a custom view dashboard was
launched on a system running in FIPS mode. This has now been fixed; Custom
View dashboards on a FIPS mode system are launched in an external browser.
NGS-1795 On non-Windows platforms, when you viewed dashboards with Custom layout
option in the Console, you got an error, "Failed to create embedded browser,
launching external browser". This issue has now been fixed.
ArcSight Manager
Issue Description
NGS-1847 InActiveList condition on a multimapped active list did not work when all fields
(both key and non-key fields) were not mapped.
This did not affect non-multimapped active lists. The workaround was to map all
the key and value fields. This was a partial workaround, because all the mapped
fields need to match the values stored in the MultiMapAL. This has now been
fixed.
Management Console
Issue Description
NGS-2259
TTP#68477
This release supports using bar charts in a dashboard.
NGS-2258 The issue with a dashboard rendering slowly in the browser has been fixed in this
release.
NGS-2256 This release supports using stacked bar chart in a dashboard.
NGS-2245 In the Custom Layout of a dashboard, if you tried to change the display format of
a data monitor, say from "Bar Chart" to "Table" and you saved the dashboard, the
next time that you reloaded the dashboard, the data monitor would still display in
the "Table" format. The display format could not be changed in the Custom
Layout.
This bug has been fixed.
NGS-2184 The issue with a dashboard occasionally not loading predefined background
color/image has been fixed in this release.
NGS-1523 User group creation was failing when the user group name field contained '&'. The
system now detects '&' as an invalid character and does not create the resource
until valid characters are used.
NGS-1435 The Pie Chart view of a Data Monitor or Query Viewer used to have a legend area
that, if too long, would shrink the pie chart considerably. The pie chart no longer
has a legend area.
NGS-1425 The Custom Layout view of a Dashboard, Data Monitor, or Query Viewer displayed
in chart view such as bar chart, pie chart or line chart was failing due to an issue
with the Adobe Flash Player. The Adobe Flash Player is no longer used.
NGS-1149 When using the Internet Explorer browser to access the Management Console, in
the "Dashboards" section of the Management Console, the Close Dashboard menu
command appeared enabled even though it was not an applicable command. This
issue has now been fixed.
NGS-1072 Displaying EventGraph data monitors from within the ArcSight Console custom
layout internal browser is no longer supported. You must launch an external
browser from ArcSight Console custom layout or use the Management Console
dashboard module in order to view any dashboard with EventGraph data
monitors.
Open Issues in ESM 6.0c
These open technical issues merit your review to avoid difficulties.
Analytics
Issue Description
ESM-49187 The text (Column Names/Field Names/Aliases) in the Table Header does not display
CJK characters even if the table has been set to use Arial Unicode MS font.
ESM-48858 System audit events, such as those resulting from a rule being disabled by the
system, are given a low TTL (time-to-live) value to prevent excessive rule
triggering. A single rule can correlate such audit events, but any subsequent
chaining rules will be suppressed.
ESM-48307 The DeviceEventclassId for Windows 2008 has the same value as Windows 2003.
ESM-47918 Occasionally, TRM does not return an appropriate response when an update to
Quarantine Node by IP command is sent.
ESM-40449
TTP#66622
When exporting events from the Case Details channel, archived events do not get
exported.
ESM-39405
TTP#64400
If you create a report whose name contains Chinese characters, then send the
report as a PDF attachment, the received email does not display the attachment's
name correctly. (The content of the report is correct; only the email attachment
field is affected.)
ESM-38079
TTP#62044
If you rename a resource that has dependent resources, do not re-use the deleted
resource's name when creating another resource of the same type because the
dependent resources may refer to the new resource with the old name.
ESM-37810
TTP#61524
For scheduled reports, when the "Run as" user's read and write privileges are
taken away, the scheduled report is generated by the user who created the
schedule (and not by the "Run as" user). If the "Run as" user has read privilege
only, then the report is not generated.
ESM-35070
TTP#54507
Verify Rules with Events (replay with rules) does not work for the following types
of active lists:
- An event-based active list with values
- A field-based active list with values, where all fields are mapped to event fields
Verify Rules with Events does work for other types of active lists. Also, valid active
lists work properly with real-time rules when they are deployed, including the two
types of active lists described above.
ESM-34531
TTP#53435
When you set the Schedule Frequency for a report, the Next Run Time field is
displayed incorrectly in the Editor. Even though the time is displayed incorrectly,
the report runs at the time specified in the editor.
ESM-29633
TTP#40230
Occasionally, after changing a trend's description, another trend that depends on
this trend may become invalid.
Workaround: You can usually re-enable a trend that was incorrectly disabled by
making any minor change on the trend (For example, you could toggle the trend's
enabled state off and then back on) and then save it. This will force the
re-validation of the trend and re-enable the trend.
ESM-29348
TTP#39407
The Scheduled Time column in the Scheduled Runs view covers both time ranges
for runs that have already occurred and for runs that are pending. As a result, you
will see some discrepancy in the time ranges shown in the column. For example,
against the runs that have already occurred, you will see the lower end of the
time range. (For trends set to run hourly, if the time range is between 1:00 pm -
2:00 pm you will see 1:00 pm). The pending runs show the upper range (if the
time range is between 1:00 pm - 2:00 pm you will see 2:00 pm). Trends that
have already occurred will have a time difference that reflects the trend query
schedule (for example, one hour for hourly queries), while the pending runs will
have a time difference that reflects the overall task schedule (for example, 24
hours if run once a day).
NGS-3955 The /All Active Lists/ArcSight Administration/ESM/System
Health/Resources/Query Running Time active list, is a partially cached active list.
At high EPS, it is possible that there could be some performance impact.
Workaround: Edit /All Active Lists/ArcSight Administration/ESM/System
Health/Resources/Query Running Time and change the "Capacity (x1000)"
attribute from 10 to 500.
NGS-3686
TTP#61694
When you try to delete a Trend being used in a Query and in turn used in a Query
Viewer, you will get an error and the Trend will not be deleted. This is a
dependency chain. Remove the use of this trend in other resources first before
using it.
NGS-3294 Base events cannot be retrieved from the source Manager by the destination
Manager.
NGS-3139 While trying to query on a Case, please specify the ID of the user instead of the
name of the user.
For instance,
owner=admin --- won't work
owner=1UOtZMTkBABCA0qd7zsU1lQ== --- will work
NGS-2917 When a lightweight rule is scheduled, the rule actions that update data lists may
not work correctly if the fields mapped to the list columns are not used in any rule
conditions.
Workaround: Add a simple condition on the mapped fields. For example, if field
DeviceCustomNumber1 is used in the mapping for an AddToList action, add a rule
condition such as "DeviceCustomNumber1 IS NOT NULL". Then, the field value
for that event will be queried from the database when the scheduled rule task is
executed.
ArcSight Console
Issue Description
ESM-47213 Case-related events are copied to a special table so they can remain available
after being archived. The channel is unable to find and display such events
correctly after the partition is archived.
Workaround: Use the case event editor or Reports, which can correctly find and
display these events.
ESM-41641
TTP#69565
On Macintosh only: If you open a channel, select some rows, right-click on them
and select Print Selected Rows from the resulting menu, it causes the Console to
crash.
Workaround: Before you start the Console, make sure to set up a default printer
to which to print. This problem occurs when you do not have a printer set up.
ESM-41019
TTP#67856
When you have client-side authentication set up, if the Manager is configured with
the "Password Based and SSL Client Based Authentication", you will get an error
when accessing the ESM documentation using both the embedded browser in the
Console as well as the external browser.
Workaround: Generate a key pair for the browsers and import the browser's
certificate into the Manager's truststore. Alternatively, copy the Console's key into
the browser's keystore. See the ESM Administrator's Guide for details on how to
do this.
ESM-40587
TTP#66906
Correlation events may occur before the base event that triggered the correlation
event in channels sorted by time. This happens if the event end time for the
correlation event is the same as that for the base event.
Workaround: Add a sort column in the channel to sort events, first by end time,
and second by type of event. Base event type is 0 and correlation event type is 1.
ESM-39980
TTP#65708
The Console can become unresponsive if you access other resources while
building category models with a large number of actors.
ESM-39963
TTP#65671
If an Active Channel uses a filter that applies conditions to a List data type field,
then multiple rows will be seen in the Active Channel for the same event or
resource.
Ignore the duplicate rows.
ESM-39856
TTP#65477
If you use the embedded browser in Windows to view a report, the report may not
appear until you resize the panel.
Workaround: Resize the panel before running a report. You may want to try
several resizings to get the desired results.
ESM-39829
TTP#65421
Deleting actors will require category models, if any, to be re-built. Each rebuild
may take seconds. So, when thousands of actors are deleted, the whole deletion
period may last for hours since actor deletion launches a category model rebuild.
ESM-39331
TTP#64251
Actor channels can only display fields that are part of a pre-defined field set. If
you want to view any additional fields in an Actor channel, first add the fields to
the field set the Actor channel uses instead of adding them directly to the channel.
ESM-38961
TTP#63568
In the Image View mode, when a background file is uploaded, the Console does
not provide an option for a location. The file automatically gets uploaded into your
personal folder.
Workaround: After the upload, move the file to a preferred folder.
ESM-37344
TTP#60500
On the Manager, when a large number of cases reside in a single group, you can't
pick a case for "Add to Existing Case" rule action in the Rule editor. This is because
the resource selector only shows leaf nodes when there are fewer than 1000 cases
in a group. This happens for all resources.
Workaround: Make the resource hierarchy less flat so that there are no more than
1000 resources in a single group.
ESM-36055
TTP#57050
In the Query Editor, if you have read permission to a query but not to the global
variables that are being used in the query, the resulting display will be incomplete.
None of the global variable-related fields will be displayed. Also, you will not get
an error saying that you are not able to view some resources in the query due to
lack of sufficient permissions.
ESM-35998
TTP#56865
On Linux only: If you right-click on the port field in a channel and select
Integration Commands > Portinfo (Linux), you will get an error.
ESM-33453
TTP#51094
On Unix systems: The drag-and-drop feature does not work on the Console.
Workaround: Use the cut-and-paste feature instead.
ESM-33440
TTP#51072
If you right-click on a block in a Hierarchy Map Data Monitor and select Show
Events, no events are returned if variables are present in the Source Node
Identifier.
ESM-33360
TTP#50968
If you delete an escalation-level notification resource, you will receive the error,
"Group does not exist" in the console.log file. This error is incorrect and can be
ignored.
ESM-32705
TTP#49608
In a Hierarchy Map Data Monitor, once a color range is specified, you cannot
change the color mappings on the range.
Workaround: Delete the existing color mapping and create a new one with the
color mapping of your choice.
ESM-28890
TTP#38270
While installing a package, if you cancel the installation before it is completed, the
Import button is disabled.
Workaround: Refresh the Console or log in to the Console again to enable this
button.
ESM-27970
TTP#36148
To search for Resource IDs that begin with non-alphanumeric characters (such as
the Resource IDs for Trends and Queries), enclose the ID in double quotes. For
example, to search for
^VVsOXg4BABCAIEuBhILMyg==
Enter
"^VVsOXg4BABCAIEuBhILMyg=="
in the query text field.
ESM-26488
TTP#33835
If you import the content of an older package into an existing newer package, the
contents from the two packages get merged. The resulting package will consist of
contents from both packages. The relationships will be merged, but the attributes
will be picked up from the old package.
Workaround: Export the new package to a bundle file so that you can recover it if
need be. Then delete the new package before you import the old one.
NGS-3930 Adding a stacked bar chart to a dashboard where this chart is based on a Query
Viewer on an Active List can cause the Console to hang.
NGS-3850 If you have trouble with the internal browser on a Win64 system, please use the
external browser.
NGS-2499 The time field in the Image Dashboard will be displayed as a number instead of
displaying as formatted date and time.
Workaround: Use regular dashboard instead of Image Dashboard.
NGS-2241 When you first create or view a new custom view dashboard with one or more
data monitors or query viewers, the dashboard elements might overlap. To fix
this, you must define the arrangement and save it. This can be done in one of
these ways:
1) Using auto-arrange: Go to Edit->Auto Arrange and then click 'Save' to preserve
the changes.
2) Manual arranging: Go to Edit->Arrange and move/resize all dashboard
elements to the desired position. When finished, click 'Done Arranging' and then
'Save'.
NGS-1262 If a dashboard contains a Query Viewer that has a large row limit, the Console
may hang while loading this dashboard in Custom Layout view. It is a good
practice to keep the row limit of Query Viewers to less than 100 before viewing
the dashboard in custom layout format.
NGS-1088 If a regular or inline filter with a condition involving Event Annotation Flag is
applied to an Active Channel, the Active Channel will not load any events.
Workaround: Avoid using Event Annotation Flag in filter conditions.
NGS-146 Occasionally, event-based Active Channels that include InCase filtering condition
will not display events that belong to a case but have been removed from the
main event table (arc_event) due to the retention period limit.
This issue will rarely be seen because the CORR-Engine provides powerful event
compression and it can support very long retention periods given sufficient disk
space. This reduces the chance of events expiring while bound to an open case.
ArcSight Manager
Issue Description
ESM-41331
TTP#68451
After the resource validation process is run, assets that are actually invalid appear
to be valid.
Workaround: To produce a correct report, run the resource validation script
manually using '-persist false' as a parameter:
arcsight resvalidate -persist false
In general, if you need to run the resource validation script, you have to run it
twice: the first time with '-persist true' (default) to validate and fix invalid
resources, and the second time with '-persist false' to generate a correct report:
arcsight resvalidate
arcsight resvalidate -persist false
ESM-40889
TTP#67567
The "group:101" audit event may fail to be sent in some cases where there are
many role memberships being added or changed for an actor. There will be an
error in the server log related to this, which includes the IDs of the affected
objects.
ESM-37488
TTP#60808
When you export a large Active List with 10 million entries or more, or export
rules that use such Active Lists, you will see an exception in the server.std.log file.
Additionally, the Manager runs out of memory and therefore automatically
restarts itself.
Workaround: Use the export format instead of the default format while exporting
the rule or Active List definition using an archive or a package. This will not export
the Active List data.
ESM-33462
TTP#51112
Stages resources are editable from the ESM Console, although these should not
be moved or customized. (See ESM Console Navigator > Stages resource tree.)
Keep stages provided as standard content in the given folders and do not move
them into another folder. Standard content stages are Closed, Final, Flagged as
Similar, Follow-up, Initial, Monitoring, Queued, and Rule Created. (For more
information, see the "Standard Content" topic in the Console Help.)
ESM-31433
TTP#46276
You may see the following exception in the Manager's log file:
ERROR: java.lang.NullPointerException at org.apache.lucene.index.IndexReader.open
Workaround: This error automatically gets resolved within one week of the
Manager startup during which time the Manager rebuilds the resource search
index (done weekly). Optionally, you can manually do a rebuild at any time by
running this command from the Manager's bin directory:
arcsight searchindex -a create -m <manager-hostname> -u <admin-user-name> -p <password>
ESM-30670
TTP#43678
If the search index file becomes corrupted, the search index will be out-of-date
and the following message appears in the Manager's log file:
[ERROR][default.com.arcsight.server.search.index.IndexResources][_init] java.io.IOException: read past EOF
Workaround: Re-generate the index by issuing the following command from the
Manager's bin directory:
arcsight searchindex -a create
ESM-30314
TTP#42730
You cannot move an asset using Auto Zone if the asset is locked.
NGS-3909 If you have a high-end system (refer to specifications given in the System
Requirements section of the ESM Installation and Configuration Guide) that's
running content that requires a high level of system resources, and/or high EPS,
contact HP ArcSight Customer Support for instructions on how to increase the
heap size beyond 16 GB if needed.
NGS-3856 When you try to display an Active List with a large number of entries (for example
10 million entries), you will see an error in the server.log file.
Workaround: Increase the memory size for ESM to ensure that the Active List size
is within limit. Also, if possible avoid displaying Active Lists with large number of
records.
NGS-3825 If the field size of an event exceeds 32 KB, that event does not get persisted.
NGS-3803 The command "arcsight manager-reload-config" fails to dynamically reload the
configuration. Restart the Manager if you make any configuration changes such as
the ones that go in the config/server.properties file.
NGS-1937
TTP#56123
The Archive tool can occasionally fail to import entries into an active list due to
transient errors. In such situations, you may not see any errors, but the list does
not get populated.
Workaround: Re-import the same package.
NGS-1718 If an event-based active list contains both a resource reference (for example,
Agent Zone) and a related field (for example, Agent Zone Name), then when
adding a new active list entry in the Console editor (for example, using the "+"
button in the Show Entries display), care should be taken that the related field
value matches the value implicit in the resource itself. In the example given, the
Zone Name should match the Name of the Zone resource. This can cause some
cases of active list lookup (for example, trying to "Edit Entry" in the Show Entries
pane), not to match. In this case, it will result in an unpopulated edit pane.
NGS-1449 When you shut down services using the arcsight_services command, you may see
exceptions in the log file. These exceptions are due to timing issues of different
components and can be ignored.
NGS-264 When integration with iDefense is enabled and you create a Case in ESM, the Case
notes may have some special characters garbled. The text can alternately be
viewed in iDefense or in the Event Inspector panel.
NGS-172 Base events do not get annotated automatically after rules trigger.
Workaround: Annotate the events manually.
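The two search-index entries in the ArcSight Manager table above (ESM-31433 and ESM-30670) are recognized by their log signatures. The following script is an added example, not part of the release notes or of ESM: it counts those two signatures in a Manager log file and prints the workaround command the notes give for each. The function names and the sample log lines (timestamps, the com.example frames) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a Manager log for the search-index signatures
# described in ESM-31433 and ESM-30670.

# classify_index_errors LOGFILE
# Prints "<issue-id> <count>" for each signature found in LOGFILE.
classify_index_errors() {
    awk '
        # ESM-30670: corrupted index file, reported as "read past EOF".
        /java\.io\.IOException: read past EOF/ { eof++ }

        # ESM-31433: a NullPointerException whose stack passes through
        # IndexReader.open. The frame may sit on the same line as the
        # exception or on one of the next few lines, so open a short window.
        /java\.lang\.NullPointerException/ { npe_window = 5 }
        npe_window > 0 {
            if ($0 ~ /org\.apache\.lucene\.index\.IndexReader\.open/) {
                npe++
                npe_window = 0
            } else {
                npe_window--
            }
        }

        END {
            if (npe) print "ESM-31433", npe
            if (eof) print "ESM-30670", eof
        }
    ' "$1"
}

# workaround_for ISSUE-ID
# Prints the rebuild command quoted in the release notes for that issue.
# Placeholders in angle brackets are left exactly as the notes give them.
workaround_for() {
    case "$1" in
        ESM-31433) echo 'arcsight searchindex -a create -m <manager-hostname> -u <admin-user-name> -p <password>' ;;
        ESM-30670) echo 'arcsight searchindex -a create' ;;
        *) return 1 ;;
    esac
}

# report LOGFILE
# One line per matched issue, with the documented workaround.
report() {
    classify_index_errors "$1" | while read -r id count; do
        printf '%s: %s occurrence(s). Workaround (from the Manager bin directory): %s\n' \
            "$id" "$count" "$(workaround_for "$id")"
    done
}

# sample_log
# Writes a constructed log excerpt to a temp file and prints its path.
# The second NullPointerException is unrelated and must not be counted.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'LOG'
[2013-01-07 02:00:11][ERROR][default.com.arcsight.server.search.index.IndexResources][_init] java.io.IOException: read past EOF
ERROR: java.lang.NullPointerException
    at org.apache.lucene.index.IndexReader.open(IndexReader.java)
[2013-01-07 02:05:40][INFO ][default.com.example.Heartbeat][tick] ok
ERROR: java.lang.NullPointerException
    at com.example.Demo.run(Demo.java)
[2013-01-07 03:00:11][ERROR][default.com.arcsight.server.search.index.IndexResources][_init] java.io.IOException: read past EOF
LOG
    printf '%s\n' "$f"
}

# Demo run against the constructed sample.
log=$(sample_log)
report "$log"
rm -f "$log"
```

The script only prints the commands. If you run the ESM-31433 form yourself, note that a password passed with -p on the command line can end up in shell history and is visible in the process list while the command runs.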
ArcSight Web
Issue Description
ESM-41321
TTP#68431
If the report name contains the hash character "#", there may be a problem
displaying the report correctly. In such a case, remove the "#" character from the
report name.
ESM-35801
TTP#56258
If you create a Case and set the Estimated Resource Time in ArcSight Web, it does
not get set.
Workaround: Define this setting on the Console. See the Console online Help for
steps to do this.
ESM-33922
TTP#52336
On ArcSight Web, there is no row limit imposed on Query Viewer chart displays
(unlike on the ESM Console). Query Viewer charts with more than 100 rows do
not display properly and are virtually unreadable.
On the ArcSight Console, the chart renders only the first 100 rows and displays an
error message indicating that only 100 rows can be properly displayed. No such
restriction is available for Query Viewer charts on ArcSight Web dashboards, so
rows beyond the 100th row will not display properly on the Web.
Workaround: In the Console, set row limits on Query Viewers. This will control
chart displays in the Console and ArcSight Web. Determine which Query Viewers
you want to display as charts. In the ArcSight Console, edit those Query Viewers
to set the Row Limit to 100 (or less). To do this:
1. Log in to the ArcSight Console.
2. Select Query Viewers in the Navigator.
3. Right-click the Query Viewer you want to edit.
4. In the Query Viewer Editor, if Use Default is enabled, click to deselect it.
5. Enter a row limit of 100 or less.
6. Click Apply or OK to save the changes.
ESM-30675
TTP#43702
Due to a limitation in Adobe Flash Player, to view dashboards within ArcSight Web
on a 64-bit operating system, you must use a 32-bit browser with a 32-bit version
of Flash player installed. Refer to the Adobe web site that discusses this issue:
http://www.adobe.com/go/6b3af6c9
NGS-3605 The Management Console does not support a user-configurable banner which is
commonly used to display custom login messages.
NGS-2017 The "arcsight webserversetup" wizard does not detect the certificate name of the
webserver. It defaults to displaying the hostname or IP address depending upon
the OS configuration. If you run this wizard, make sure to change the webserver
name to the name as it appears on the certificate of the Manager or the
webserver.
CORR-Engine
Issue Description
NGS-3948 When restoring archives from an old ESM 6.0c system to another ESM 6.0c
system, if the archives contain forwarded events, the restore of that archive will
fail due to a highly restrictive eventID check.
NGS-3689 If MySQL needs to be restarted, we recommend using the following steps:
1. Stop the Manager by running: /sbin/service arcsight_services stop manager
This is because the Manager communicates with MySQL. If the Manager is
running, MySQL takes longer to close the TCP communication, causing more error
messages to be logged in the log files.
2. Stop MySQL by running: /sbin/service arcsight_services stop mysqld
3. Start MySQL by running: /sbin/service arcsight_services start mysqld
4. Start the Manager by running: /sbin/service arcsight_services start manager
NGS-1429 You can only restore archives from a single CORR-Engine. Do not combine
archives residing in multiple CORR-Engines.
Connectors
Issue Description
NGS-3806 Auto-import of the Manager's certificate does not work if your connector is
installed in FIPS with Suite B mode.
Workaround: Import the Manager's certificate manually. Refer to the ESM
Installation and Configuration Guide for instructions on manually importing the
Manager's certificate into the connector.
NGS-3498 The certificate auto-import feature in connectors will only import certificates from
the initial configuration.
Workaround: Any changes or additions to the destinations require you to
manually import the certificate for those destinations.
NGS-2052 When using Asset Model Import Connector to import assets, the connector does
not uniquely identify assets by Zone and a unique IP address or a unique host
name.
For updating existing assets, please make use of one of the following attributes to
identify them:
- An External ID, or
- a resource ID, or
- a URI
NGS-1423 On Windows machines, while a connector is being upgraded from the ArcSight
Console, if any process is using the connector's 'current' folder, the upgrade fails.
Workaround:
1. Make sure that you don't have any files in the connector's 'current' folder open.
2. Do not start the connectors using the 'arcsight agents' command. Instead, start
the connector from <Start> -> <Programs> -> <Connector Programs>
Installation and Upgrade
Issue Description
NGS-3971 When running the installer in console mode, make sure that X11 (X Window) is
NOT configured for the console. An X11 setup will cause the installation to abort
with the following exception in the database.configuration.log file:
"java.lang.NoClassDefFoundError: Could not initialize class
sun.awt.X11GraphicsEnvironment".
Should this happen, follow the clean-up instructions in the ESM Installation and
Configuration Guide and re-launch the installer from a console that does not use
X11 (X Window).
NGS-3962 In GUI installation mode, the installation process automatically invokes the Suite
Installer and the Configuration Wizard in sequence. If the Configuration Wizard
fails with an error message, the Suite Installer will still indicate that the Suite has
been successfully installed.
Workaround: Either manually re-launch the Configuration Wizard from a
command line after fixing the issue or uninstall the Suite installation and start
over again. Refer to the ESM Installation and Configuration Guide for the
command to use and the clean-up steps.
NGS-3926 When uninstalling ESM 6.0c with migrated resources (after running the Resource
Migration tool), to ensure that all files get removed under the /opt/arcsight/
directory, uninstall the Resource Migration tool first. Uninstalling the Resource
Migration tool before uninstalling ESM 6.0c will allow for clean uninstallation of
ESM 6.0c.
NGS-3880 If /opt/arcsight/ has been created as a separate file system, directories other than
those installed by ESM 6.0c may exist. These directories should not be deleted.
The following directories under /opt/arcsight/, when removed, will uninstall ESM
6.0c:
logger
manager
services
suite
web
NGS-3871 Under certain circumstances, the Uninstaller may not be able to remove all ESM
6.0c files under the /opt/arcsight/ directory. Refer to the Troubleshooting
appendix in the ESM Installation and Configuration Guide on how to do the
cleanup manually.
NGS-3839 Occasionally, the First Boot Wizard may fail to proceed due to some errors. If this
happens, you will need to terminate the process. After checking the logs and
correcting the errors, follow the clean-up instructions in the ESM Installation and
Configuration Guide and re-launch the installer.
NGS-3814 If you reboot your system immediately after the First Boot Wizard completes, but
before you run the setup_services.sh command as the "root" user, the machine
may come back in an unstable state. Running the setup_services.sh command
at that point may not bring up all ArcSight services.
Workaround:
1. Do not reboot without running the setup_services.sh command while logged in
as the "root" user.
2. If you reboot without running the setup_services.sh command, uninstall, then
re-install the product.
NGS-3808 After you hit "Next" on the "About to Configure ESM v6.0c" panel, if there is any
failure, you will need to uninstall the product before you can reinstall it. Please
follow the "Uninstalling ESM" section in the ESM Installation and Configuration Guide.
NGS-3445 In some situations, the Installer panel may indicate the installation is successful
while the Web Server fails to start. Refer to the ESM Administrator's Guide on how to
manually configure and start the Web Server.
NGS-3344 This release supports ESM installation while logged in as user "arcsight" only.
NGS-3322 Due to the timing of some components' start-up, there may be some harmless
error messages in the log files such as:
[FATAL][default.com.arcsight.logger.distributed.DirectConnection$ReadChannel][run]
java.io.IOException: end of communication channel
[FATAL][default.com.arcsight.logger.distributed.ClientDirectConnection][run]
java.nio.channels.ClosedChannelException
NGS-3067 When configuring the product using the First Boot Wizard, if you use a wrong IP
address or an unresolved IP address in the Manager Hostname panel, the First
Boot Wizard will continue installing but fail during ArcSight Web configuration.
Make sure the Manager's hostname or IP address is correct and can be resolved;
otherwise the Manager will not start.
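A log-triage sketch for the NGS-3322 entry above, added here as an example and not taken from the release notes or from ArcSight tooling: it suppresses only the two FATAL signatures the note quotes and surfaces every other FATAL entry for review. The timestamp prefix and the sample lines are constructed assumptions about the log layout.

```python
import re

# The two signatures quoted under NGS-3322: (logger class, exception text).
KNOWN_STARTUP_NOISE = {
    ("com.arcsight.logger.distributed.DirectConnection$ReadChannel",
     "java.io.IOException: end of communication channel"),
    ("com.arcsight.logger.distributed.ClientDirectConnection",
     "java.nio.channels.ClosedChannelException"),
}

# [FATAL][default.<class>][<method>], exception on the same or the next line.
FATAL_RE = re.compile(r"\[FATAL\]\[default\.([^\]]+)\]\[[^\]]*\]\s*(.*)")

def triage(lines):
    """Return (known_noise, needs_review) lists of (class, exception) pairs."""
    lines = [line.rstrip("\r\n") for line in lines]
    noise, review = [], []
    for i, line in enumerate(lines):
        match = FATAL_RE.search(line)
        if not match:
            continue
        cls, detail = match.group(1), match.group(2).strip()
        # The release note shows the exception on the line after the header.
        if not detail and i + 1 < len(lines) and not lines[i + 1].startswith("["):
            detail = lines[i + 1].strip()
        entry = (cls, detail)
        # Exact pair match only: a listed class with a different exception is
        # not covered by the note and goes to review.
        (noise if entry in KNOWN_STARTUP_NOISE else review).append(entry)
    return noise, review

# Constructed sample; the timestamp prefix and the INFO line are assumptions.
SAMPLE_LOG = """\
[2013-01-15 10:02:11,345][FATAL][default.com.arcsight.logger.distributed.DirectConnection$ReadChannel][run]
java.io.IOException: end of communication channel
[2013-01-15 10:02:11,350][FATAL][default.com.arcsight.logger.distributed.ClientDirectConnection][run]
java.nio.channels.ClosedChannelException
[2013-01-15 10:02:12,001][INFO ][default.com.example.Startup][init] ready
[2013-01-15 10:07:45,120][FATAL][default.com.arcsight.logger.distributed.ClientDirectConnection][run]
java.lang.OutOfMemoryError: Java heap space
""".splitlines()

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print(f"{len(noise)} known start-up entries suppressed")
    for cls, detail in review:
        print(f"REVIEW {cls}: {detail}")
```

The note attributes these messages to component start-up timing, so matching entries that appear well after start-up still deserve a look.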
Localization
Issue Description
NGS-3824 Some pages and labels have not been translated into the localized language, so
they will appear in English.
NGS-2435 For non-English locale environments, only English characters are supported for
user name and password. Using non-English characters for user name and
password might result in authentication issues.
Management Console
Issue Description
NGS-3892 In the Management Console, Dashboards that contain a Data Monitor of type
'System Monitor' or 'System Monitor Attribute' will display only the first 100 rows.
NGS-3862 In the Management Console, under Administration->Configuration
Management->Server Management the Save button does not get enabled right
away after changing the value of a field, but only after the field that is being
changed loses the focus.
Workaround: If you make a valid change, click the Save button even if it is grayed
out.
NGS-3858 The minimum and default heap size for the Manager is 8GB, the maximum heap
size is 16GB. You can change this size based on total available memory on your
system. The error message related to this heap size in the Management Console
does not reflect this accurately. If you need to configure the heap size beyond 16
GB, please contact HP ArcSight Customer Support before doing so.
NGS-3084 Global variable fields do not get displayed in an Image Dashboard.
NGS-3001 On some Macintosh platforms, when running Firefox 3.6.x, you will not be able to
open the right-click menu for Image Dashboards of graph/chart type.
Workaround: You can use the Safari browser and use the right-click menu for
image dashboards of graph/chart type.
NGS-2849 If the refresh rate is set to a low interval so that the refresh happens too
frequently, under slow network connections or when having network problems,
this might impact browser performance and dashboard behavior. To avoid this
problem, set the refresh rate to a higher value. You can manually refresh the
dashboard if needed.
NGS-2301 The Management Console does not support 3D bar charts.
NGS-1582 In the Advanced Permissions dialog, if you choose to set permissions on the Field
resource, you may see a hidden folder called customCells under your personal
folder. This will only happen if you have created some customCells using the ESM
Console. If you see such a folder, do not change the ACL settings on it. Doing so
will affect the working of custom cells in ESM Console.
NGS-1451 If a custom view dashboard contains a query viewer with a large row limit, the
browser may hang while loading this dashboard. It is a good practice to keep the
row limit of Query Viewers below 100 before viewing the dashboard in custom
layout format.
NGS-1283 You must have administrator privileges to access the user/connector management
feature.
NGS-1275 The Notification Groups attribute is missing from the connector management
page.
Workaround: Use the ESM Console to view the Notification Groups through the
Configure Connector option.
NGS-1256 In the Management Console, after clicking the tab to navigate into a module, you
may encounter a blank screen.
Workaround: Refresh the screen by reloading the browser page.
NGS-1254 When using some versions of the Firefox browser, occasionally your login fails and
you see the following exception in the server.log file:
"java.lang.SecurityException: Blocked request without GWT permutation header
(XSRF attack?)"
This happens because of an issue in Firefox which occasionally drops GWT
headers beginning with x.
Workaround: Add the following property to the server.properties file:
cross.domain.enabled=true
and restart the Manager in order for it to take effect.
NGS-277 You cannot select the docked items (icons such as admin, dashboards etc.) using
the keyboard shortcuts. The only way to select them is by using the mouse.
Pattern Discovery
Issue Description
ESM-35048
TTP#54452
A java.lang.InterruptedException might be logged in the ESM Manager
server.std.out.logs file when a scheduled Pattern Discovery job is run. The
exception is caused by an incorrect database pooling time-out mechanism in the
Manager. This does not have any adverse effect on database connections or the
functionality of the Pattern Discovery job, and the exception can be safely
ignored.
NGS-3527 Pattern Discovery jobs can be resource intensive. Under high EPS, Pattern
Discovery jobs can cause a degradation in performance, and may fail to return a
matching result set. We recommend that you reduce the number of events over
which the Pattern Discovery search runs and/or the frequency of Pattern Discovery
jobs when running a system with high EPS.