ESM 6.5c introduces the new ArcSight Command Center user interface, expands storage group configuration, and adds a pre-persistence rule type. It also includes updates to vulnerability and geographic data, supports additional platforms, and addresses issues from previous releases. While most functionality has been migrated from Oracle to the new CORR-Engine storage, some resources like actors cannot yet be synchronized across instances.
Forwarding Connector User;s Guide for 5.1.7.6151 and 6154Protect724
This document provides instructions for installing and configuring the ArcSight Forwarding Connector to forward events from an ArcSight ESM Source Manager to various destinations, including an ArcSight ESM Destination Manager, ArcSight Logger, NSP Device Poll Listener, CSV file, McAfee ePolicy Orchestrator, and HP Operations Manager. It covers standard installation procedures, assigning privileges on the source manager, forwarding correlation events, and increasing the filestore size for the enhanced connector.
Intrusion Monitoring Standard Content GuideProtect724
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 5.2. It describes the various types of intrusion monitoring content included, such as alerts from IDS/IPS, anti-virus activity, attack rates, attackers, and login tracking. It also provides instructions on installing the content package, modeling the network, configuring rules and filters, and scheduling reports. The content is designed to help customers monitor, detect, and investigate potential security threats on their network.
This document provides instructions for administrators on basic tasks for managing an ArcSight deployment including starting and stopping components, license management, configuration changes, and securing communication using SSL certificates. It covers starting the ArcSight Manager, Console, Web, Command Center, and SmartConnectors as well as adjusting memory settings, installing licenses, configuring logging, and establishing SSL authentication. The document is confidential and includes revision history and contact information.
This document provides release notes for version 6.4 of the ArcSight Connector Appliance. New features in this version include enhanced system health events, allowing local user passwords to never expire, support for FTPS and passive mode FTP, and a warning for exceeding managed connectors. Instructions are provided for upgrading the appliance and software versions from 6.3 to 6.4. Information on licensing, supported browsers, upgrade files, and issues is also included.
Release Notes for ArcSight Express v4.0Protect724v2
ArcSight Express 4.0 release notes provide information about new features and enhancements in the latest version, including:
- Improved content organization around key use cases and new content for NetFlow monitoring, Microsoft Windows monitoring, and Cisco monitoring.
- Two pre-configured connectors (Syslog Daemon and Windows Unified Event Log) and the ability to install additional connectors.
- Enhancements to the management console including connector management capabilities and localization support for additional languages.
- Environment updates such as expanded geographical data and vulnerability information.
The Connector Appliance 6.4 Patch 1 release notes summarize the following:
[1] This patch is designed to run on new Connector Appliance hardware platforms C3500 and C5500 based on HP ProLiant G8 servers.
[2] It includes support for these new hardware platforms, an enhanced 2048-bit SSL certificate, expanded 500GB FTP directory size, and a simplified factory restore process for C3500 and C5500 models.
[3] Supported browsers remain IE 8/9 and Firefox 16/17 for the user interface. Supported smartconnectors include all syslog and SNMP connectors, database connectors using JDBC drivers on remote platforms, and file-based connectors
The document provides instructions for configuring ArcSight System and ArcSight Administration standard content after installation. Key configuration tasks include modeling the network, categorizing assets, configuring active lists, enabling rules, ensuring filters capture relevant events, configuring notification destinations, configuring notifications and cases, scheduling reports, and configuring trends. Guidance is provided for which specific resources require configuration within each content area.
The document provides an overview and instructions for installing and configuring the Intrusion Monitoring content for ArcSight ESM. It discusses installing the Intrusion Monitoring package, modeling the network and categorizing assets, configuring active lists, enabling rules, configuring filters and notifications, scheduling reports, and configuring trends. Proper configuration of these elements is required to fully utilize the intrusion monitoring capabilities provided by the content.
Forwarding Connector User;s Guide for 5.1.7.6151 and 6154Protect724
This document provides instructions for installing and configuring the ArcSight Forwarding Connector to forward events from an ArcSight ESM Source Manager to various destinations, including an ArcSight ESM Destination Manager, ArcSight Logger, NSP Device Poll Listener, CSV file, McAfee ePolicy Orchestrator, and HP Operations Manager. It covers standard installation procedures, assigning privileges on the source manager, forwarding correlation events, and increasing the filestore size for the enhanced connector.
Intrusion Monitoring Standard Content GuideProtect724
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 5.2. It describes the various types of intrusion monitoring content included, such as alerts from IDS/IPS, anti-virus activity, attack rates, attackers, and login tracking. It also provides instructions on installing the content package, modeling the network, configuring rules and filters, and scheduling reports. The content is designed to help customers monitor, detect, and investigate potential security threats on their network.
This document provides instructions for administrators on basic tasks for managing an ArcSight deployment including starting and stopping components, license management, configuration changes, and securing communication using SSL certificates. It covers starting the ArcSight Manager, Console, Web, Command Center, and SmartConnectors as well as adjusting memory settings, installing licenses, configuring logging, and establishing SSL authentication. The document is confidential and includes revision history and contact information.
This document provides release notes for version 6.4 of the ArcSight Connector Appliance. New features in this version include enhanced system health events, allowing local user passwords to never expire, support for FTPS and passive mode FTP, and a warning for exceeding managed connectors. Instructions are provided for upgrading the appliance and software versions from 6.3 to 6.4. Information on licensing, supported browsers, upgrade files, and issues is also included.
Release Notes for ArcSight Express v4.0Protect724v2
ArcSight Express 4.0 release notes provide information about new features and enhancements in the latest version, including:
- Improved content organization around key use cases and new content for NetFlow monitoring, Microsoft Windows monitoring, and Cisco monitoring.
- Two pre-configured connectors (Syslog Daemon and Windows Unified Event Log) and the ability to install additional connectors.
- Enhancements to the management console including connector management capabilities and localization support for additional languages.
- Environment updates such as expanded geographical data and vulnerability information.
The Connector Appliance 6.4 Patch 1 release notes summarize the following:
[1] This patch is designed to run on new Connector Appliance hardware platforms C3500 and C5500 based on HP ProLiant G8 servers.
[2] It includes support for these new hardware platforms, an enhanced 2048-bit SSL certificate, expanded 500GB FTP directory size, and a simplified factory restore process for C3500 and C5500 models.
[3] Supported browsers remain IE 8/9 and Firefox 16/17 for the user interface. Supported smartconnectors include all syslog and SNMP connectors, database connectors using JDBC drivers on remote platforms, and file-based connectors
The document provides instructions for configuring ArcSight System and ArcSight Administration standard content after installation. Key configuration tasks include modeling the network, categorizing assets, configuring active lists, enabling rules, ensuring filters capture relevant events, configuring notification destinations, configuring notifications and cases, scheduling reports, and configuring trends. Guidance is provided for which specific resources require configuration within each content area.
The document provides an overview and instructions for installing and configuring the Intrusion Monitoring content for ArcSight ESM. It discusses installing the Intrusion Monitoring package, modeling the network and categorizing assets, configuring active lists, enabling rules, configuring filters and notifications, scheduling reports, and configuring trends. Proper configuration of these elements is required to fully utilize the intrusion monitoring capabilities provided by the content.
Admin and System/Core Standard Content Guide for ArcSight Express v4.0Protect724v2
The document provides installation and configuration instructions for ArcSight System and ArcSight Administration content. It describes modeling the network, categorizing assets, configuring active lists, filters, rules, notification destinations, and notifications. It also covers scheduling reports, configuring trends, and viewing use case resources. Basic configuration of these elements is recommended to tailor the content to the user's environment.
This document provides release notes for Connector Appliance version 6.4 Patch 3. It lists what is new in this version, supported platforms, browsers, and SmartConnectors. It also provides instructions for upgrading to this version and lists known issues, fixes, and limitations.
The document provides instructions for upgrading an HP ArcSight ESM installation from version 6.0c or 6.5c SP1 to version 6.8c. It outlines important prerequisites like backing up data and freeing up disk space. The upgrade process involves untarring the installation file, stopping ArcSight services, running the upgrade script, and completing post-upgrade tasks like upgrading connectors and checking existing content. The document provides detailed steps and cautions at each phase of the upgrade process.
The document is an administrator's guide for ArcSight Connector Appliance version 6.3 from April 2012. It provides information on installing, configuring, and using the Connector Appliance. The Connector Appliance is a platform that runs software connectors to collect security events from different sources and send them to ArcSight managers and loggers for processing. The guide describes the Connector Appliance's architecture, components, deployment scenarios, installation process, user interface, and backup/restore procedures.
Active channels allow monitoring events as they stream through the system. You can open channels from the home page or channels menu. When opened, channels display events in a grid that can be sorted and filtered. You can inspect individual events and their attributes. Common event data fields are described.
This document provides an overview of ArcSight Express 4.0, including:
- Key components like SmartConnectors, the ArcSight Manager, and user interfaces for collecting, processing, and analyzing security events.
- How events are normalized, categorized, looked up in network and actor models, and written to the CORR-Engine storage.
- Priority evaluation and correlation capabilities for identifying related events and security issues.
- Workflow features like annotations, cases, stages, and notifications to manage security incidents.
ESM 6.8c is an update to ArcSight Enterprise Security Management software. New features include active channels in the ArcSight Command Center to view and annotate events, up to 12TB of storage capacity, and automated optimization of rule and data monitor conditions. It also includes fixes and notes on usage, platforms, languages, and open issues.
The document provides installation and configuration instructions for ArcSight ESM 6.0c. It discusses the ESM components, including the ArcSight Manager, ArcSight CORR-Engine, ArcSight SmartConnectors, and ArcSight Console. It outlines the system requirements and steps to install ESM, including preparing the system, running the installation file, and completing the initial configuration. It also provides instructions for uninstalling ESM, migrating resources, and troubleshooting.
This document provides an installation and configuration guide for HP ArcSight ESM version 6.8c. It describes the ESM components, including the ArcSight Manager, CORR-Engine, ArcSight Command Center, ArcSight Console, and SmartConnectors. It covers installing and configuring ESM, installing the ArcSight Console, and includes appendices on troubleshooting, customizing ESM, and using public key cryptography.
The document provides guidance on basic administration tasks for ArcSight Express components. It describes how to start and stop the ArcSight Manager, Console, and SmartConnectors. It also covers license tracking, reducing antivirus impact, and setting a custom login banner.
This document provides an administrator's guide for version 6.4 of the ArcSight Connector Appliance. It includes information on installing, configuring, and managing the Connector Appliance. The guide covers topics such as installing the appliance hardware or software version, understanding the user interface, backup and restore, system administration settings, managing connectors, and monitoring the appliance.
This document provides an overview of the key concepts and components of ArcSight Enterprise Security Management (ESM) software:
ESM enables security analysts to gain situational awareness of their network security through collection, normalization, and correlation of event data from various sources. It includes SmartConnectors that collect data, a Manager that processes events and models the network, and user interfaces like the Console for analysis. Events are written to storage and evaluated against filters and correlations to detect potential threats. Analysts can then investigate further using workflow tools like annotations, cases, and notifications.
The document provides instructions for installing the ArcSight Express 4.0 virtual appliance, which includes downloading the OVA file, deploying it in VMware ESXi, and installing a license file. It is supported on VMware ESXi 5.5 and requires 12 CPU cores, 36GB of RAM, and 1.8TB of available disk space. The operating system is CentOS 6.2 with various security patches applied. Supported browsers for connecting to the appliance are Internet Explorer 9-10 and Firefox 24.
This document provides instructions for installing and configuring the ArcSight Database component. It includes guidelines for sizing and preparing the database platform, installing the Oracle database software, creating a new Oracle instance, and initializing the ArcSight schema, tablespaces and resources. The document also covers restarting or reconfiguring the database, and configuring partition management functionality.
The document provides instructions for installing and configuring the Intrusion Monitoring content package in ArcSight ESM. It describes installing the package, modeling the network and categorizing assets, configuring active lists, enabling rules, and configuring notifications, reports, and trends. Proper configuration of these resources is necessary to activate and customize the intrusion monitoring capabilities provided by the content.
This document is an administrator's guide for the ArcSight Connector Appliance version 6.2 from September 2011. It provides information on installing, configuring, and managing the Connector Appliance, which is a hardware appliance that runs software-based connectors to collect security events from network devices and forward them to ArcSight management and logging solutions. The guide covers topics such as installing the appliance, configuring network and system settings, managing connectors and events, and using diagnostic tools.
The document describes the standard content provided with ArcSight ESM, which includes coordinated active channels, dashboards, and reports organized into foundations that address common security and monitoring tasks. The standard content foundations cover areas like configuration monitoring, intrusion monitoring, network monitoring, and ArcSight system administration. The document provides information on how to get started using the standard content for various user roles like executives, operators and analysts.
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 5.5. It contains information on modeling the network, categorizing assets, configuring rules, notifications, reports and trends. The content package includes alerts from IDS/IPS, anti-virus activity, attack rates, attackers, business impact analysis, denial of service attacks, environment state, login tracking, reconnaissance, regulated systems, resource access, revenue generating systems, and SANS top 5 and top 20 reports.
The document provides instructions for upgrading from ESM version 5.5 to 5.6. It outlines the following high-level steps:
1. Preparing existing content and downloading necessary installation files and scripts.
2. Upgrading the ArcSight database components and Oracle database software.
3. Upgrading the ArcSight Manager, Console, and Web applications.
4. Checking the state of existing content and upgrading SmartConnectors after the upgrade is complete.
It also provides guidance for upgrading hierarchical or multi-manager ESM installations.
Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express...Protect724v2
The document provides installation and configuration instructions for the HP Reputation Security Monitor (RepSM) solution on ArcSight ESM or ArcSight Express. Key steps include verifying the environment, increasing ESM's active list capacity, installing the RepSM content package and model import connector, and configuring the RepSM content which includes deploying rules to ensure the use cases produce results. The solution uses reputation data from the HP RepSM service to detect malware infection, zero day attacks, and dangerous browsing on the network.
ESM Service Layer Developers Guide for ESM 6.8cProtect724gopi
The document provides information about developing REST clients for ArcSight ESM services. It discusses finding a list of available services from the core-service and manager-service, using proper namespaces in requests, preparing the URL, request body, and sending HTTP requests. Examples are also provided on using various ESM services through REST calls.
Admin and System/Core Standard Content Guide for ArcSight Express v4.0Protect724v2
The document provides installation and configuration instructions for ArcSight System and ArcSight Administration content. It describes modeling the network, categorizing assets, configuring active lists, filters, rules, notification destinations, and notifications. It also covers scheduling reports, configuring trends, and viewing use case resources. Basic configuration of these elements is recommended to tailor the content to the user's environment.
This document provides release notes for Connector Appliance version 6.4 Patch 3. It lists what is new in this version, supported platforms, browsers, and SmartConnectors. It also provides instructions for upgrading to this version and lists known issues, fixes, and limitations.
The document provides instructions for upgrading an HP ArcSight ESM installation from version 6.0c or 6.5c SP1 to version 6.8c. It outlines important prerequisites like backing up data and freeing up disk space. The upgrade process involves untarring the installation file, stopping ArcSight services, running the upgrade script, and completing post-upgrade tasks like upgrading connectors and checking existing content. The document provides detailed steps and cautions at each phase of the upgrade process.
The document is an administrator's guide for ArcSight Connector Appliance version 6.3 from April 2012. It provides information on installing, configuring, and using the Connector Appliance. The Connector Appliance is a platform that runs software connectors to collect security events from different sources and send them to ArcSight managers and loggers for processing. The guide describes the Connector Appliance's architecture, components, deployment scenarios, installation process, user interface, and backup/restore procedures.
Active channels allow monitoring events as they stream through the system. You can open channels from the home page or channels menu. When opened, channels display events in a grid that can be sorted and filtered. You can inspect individual events and their attributes. Common event data fields are described.
This document provides an overview of ArcSight Express 4.0, including:
- Key components like SmartConnectors, the ArcSight Manager, and user interfaces for collecting, processing, and analyzing security events.
- How events are normalized, categorized, looked up in network and actor models, and written to the CORR-Engine storage.
- Priority evaluation and correlation capabilities for identifying related events and security issues.
- Workflow features like annotations, cases, stages, and notifications to manage security incidents.
ESM 6.8c is an update to ArcSight Enterprise Security Management software. New features include active channels in the ArcSight Command Center to view and annotate events, up to 12TB of storage capacity, and automated optimization of rule and data monitor conditions. It also includes fixes and notes on usage, platforms, languages, and open issues.
The document provides installation and configuration instructions for ArcSight ESM 6.0c. It discusses the ESM components, including the ArcSight Manager, ArcSight CORR-Engine, ArcSight SmartConnectors, and ArcSight Console. It outlines the system requirements and steps to install ESM, including preparing the system, running the installation file, and completing the initial configuration. It also provides instructions for uninstalling ESM, migrating resources, and troubleshooting.
This document provides an installation and configuration guide for HP ArcSight ESM version 6.8c. It describes the ESM components, including the ArcSight Manager, CORR-Engine, ArcSight Command Center, ArcSight Console, and SmartConnectors. It covers installing and configuring ESM, installing the ArcSight Console, and includes appendices on troubleshooting, customizing ESM, and using public key cryptography.
The document provides guidance on basic administration tasks for ArcSight Express components. It describes how to start and stop the ArcSight Manager, Console, and SmartConnectors. It also covers license tracking, reducing antivirus impact, and setting a custom login banner.
This document provides an administrator's guide for version 6.4 of the ArcSight Connector Appliance. It includes information on installing, configuring, and managing the Connector Appliance. The guide covers topics such as installing the appliance hardware or software version, understanding the user interface, backup and restore, system administration settings, managing connectors, and monitoring the appliance.
This document provides an overview of the key concepts and components of ArcSight Enterprise Security Management (ESM) software:
ESM enables security analysts to gain situational awareness of their network security through collection, normalization, and correlation of event data from various sources. It includes SmartConnectors that collect data, a Manager that processes events and models the network, and user interfaces like the Console for analysis. Events are written to storage and evaluated against filters and correlations to detect potential threats. Analysts can then investigate further using workflow tools like annotations, cases, and notifications.
The document provides instructions for installing the ArcSight Express 4.0 virtual appliance, which includes downloading the OVA file, deploying it in VMware ESXi, and installing a license file. It is supported on VMware ESXi 5.5 and requires 12 CPU cores, 36GB of RAM, and 1.8TB of available disk space. The operating system is CentOS 6.2 with various security patches applied. Supported browsers for connecting to the appliance are Internet Explorer 9-10 and Firefox 24.
This document provides instructions for installing and configuring the ArcSight Database component. It includes guidelines for sizing and preparing the database platform, installing the Oracle database software, creating a new Oracle instance, and initializing the ArcSight schema, tablespaces and resources. The document also covers restarting or reconfiguring the database, and configuring partition management functionality.
The document provides instructions for installing and configuring the Intrusion Monitoring content package in ArcSight ESM. It describes installing the package, modeling the network and categorizing assets, configuring active lists, enabling rules, and configuring notifications, reports, and trends. Proper configuration of these resources is necessary to activate and customize the intrusion monitoring capabilities provided by the content.
This document is an administrator's guide for the ArcSight Connector Appliance version 6.2 from September 2011. It provides information on installing, configuring, and managing the Connector Appliance, which is a hardware appliance that runs software-based connectors to collect security events from network devices and forward them to ArcSight management and logging solutions. The guide covers topics such as installing the appliance, configuring network and system settings, managing connectors and events, and using diagnostic tools.
The document describes the standard content provided with ArcSight ESM, which includes coordinated active channels, dashboards, and reports organized into foundations that address common security and monitoring tasks. The standard content foundations cover areas like configuration monitoring, intrusion monitoring, network monitoring, and ArcSight system administration. The document provides information on how to get started using the standard content for various user roles like executives, operators and analysts.
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 5.5. It contains information on modeling the network, categorizing assets, configuring rules, notifications, reports and trends. The content package includes alerts from IDS/IPS, anti-virus activity, attack rates, attackers, business impact analysis, denial of service attacks, environment state, login tracking, reconnaissance, regulated systems, resource access, revenue generating systems, and SANS top 5 and top 20 reports.
The document provides instructions for upgrading from ESM version 5.5 to 5.6. It outlines the following high-level steps:
1. Preparing existing content and downloading necessary installation files and scripts.
2. Upgrading the ArcSight database components and Oracle database software.
3. Upgrading the ArcSight Manager, Console, and Web applications.
4. Checking the state of existing content and upgrading SmartConnectors after the upgrade is complete.
It also provides guidance for upgrading hierarchical or multi-manager ESM installations.
Reputation Security Monitor (RepSM) v1.01 Solution Guide for ArcSight Express...Protect724v2
The document provides installation and configuration instructions for the HP Reputation Security Monitor (RepSM) solution on ArcSight ESM or ArcSight Express. Key steps include verifying the environment, increasing ESM's active list capacity, installing the RepSM content package and model import connector, and configuring the RepSM content which includes deploying rules to ensure the use cases produce results. The solution uses reputation data from the HP RepSM service to detect malware infection, zero day attacks, and dangerous browsing on the network.
ESM Service Layer Developers Guide for ESM 6.8cProtect724gopi
The document provides information about developing REST clients for ArcSight ESM services. It discusses finding a list of available services from the core-service and manager-service, using proper namespaces in requests, preparing the URL, request body, and sending HTTP requests. Examples are also provided on using various ESM services through REST calls.
This document provides instructions for installing the HP ArcSight Database software. It discusses planning considerations such as hardware sizing and supported platforms. It then covers installing the Oracle database software, creating a new Oracle instance, initializing ESM tablespaces and resources, and configuring partition management for event archiving. The instructions are intended to ensure a successful database installation to support the ESM system.
The document is a configuration guide for the ArcSight Forwarding Connector version 7.0.7.7286.0. It provides instructions for installing the Forwarding Connector and configuring it to forward events from an ArcSight source manager to various destination types, including another ArcSight manager, ArcSight Logger, CSV files, and HP operations managers. The document also describes how to forward correlated events on demand or through automatic configuration of the source manager.
Forwarding Connector v5.2.7.6582.0 User's Guide for ArcSight Express v4.0Protect724v2
The document is a configuration guide for the ArcSight Forwarding Connector version 5.2.7.6582.0. It discusses installing and configuring the connector to forward events from an ArcSight source manager to various destination types, including ArcSight managers, Logger, CSV files, and HP OM/OMi. The guide covers installation procedures, configuration for different destinations, and using the connector with FIPS.
The document provides instructions for upgrading ESM from version 6.5c to 6.5c SP1. It discusses supported upgrade paths, important log files to reference in case of issues, planning steps like verifying the current ESM installation and opening a support ticket. The main steps include stopping services, running the upgrade installer, and post-upgrade tasks like upgrading connectors and checking existing content.
- ArcSight Web is the web-based interface for ArcSight ESM that allows for network and security monitoring from outside a firewall.
- The home page displays recent notifications, cases, dashboards, and active channels to provide an overview of security activity.
- Active channels display filtered events in real-time and allow inspection of individual events. Dashboards provide visual summaries of security data through data monitors. Reports allow generation and archiving of formatted security summaries.
Forwarding Connector User's Guide for version 6.0.4.6830.0 Protect724migration
This document provides instructions for installing and configuring the ArcSight Forwarding Connector to send event data from an ArcSight ESM Source Manager to various destinations, including an ArcSight ESM Destination Manager, ArcSight Logger, or non-ESM locations. It covers verifying the ESM installation, assigning privileges, creating filters, installing and upgrading the Forwarding Connector, and configuration for specific destinations.
ESM Asset Model Import Connector Release NotesProtect724gopi
This document provides release notes for version 7.0.7.7287.0 of the Asset Model Import FlexConnector. The connector allows importing asset model data from files to synchronize an asset management system with an HP ArcSight ESM network model. New platforms are supported and known issues are described for CSV file parsing and unused data fields.
This document provides release notes for ArcSight ESM Version 6.0c Patch 3, including:
- An overview of the purpose and usage notes for the patch.
- Instructions for upgrading to Red Hat Enterprise Linux 6.4.
- Details on fixes for issues in Analytics, the ArcSight Console, CORR-Engine, and installation.
- A list of open issues in the ArcSight Manager, installation, and ArcSight Web.
- Release notes for patches 1 and 2 are also included.
The Configuration Monitoring content package monitors and reports on changes to network configurations. It identifies unauthorized modifications to systems, devices, and applications. Key tasks to configure the content include modeling the network, categorizing assets, configuring active lists, enabling rules, and ensuring filters capture relevant events. Notifications, reports, and trends can also be customized for the monitored network.
This document provides instructions for installing and configuring ArcSight ESM 5.5. It discusses planning the installation, including sizing the database and identifying hardware requirements. It then covers installing the ArcSight database software, creating a new Oracle database instance, and initializing the ESM schemas and resources. The document also discusses partition management, which is used to archive old event data. Installation of other ESM components like the ArcSight Manager and SmartConnectors is not covered.
This document provides an overview and instructions for integrating Microsoft CRM with Avaya Contact Center Express Desktop. Key points include:
- MS CRM Gui Plug-in allows agents to view and edit Microsoft CRM records within the Contact Center Express Desktop interface.
- MS CRM Svc Plug-in collects Microsoft CRM activities from a public queue and distributes them to agents as work items.
- The MS CRM Phonebook Synchronizer synchronizes contact data between the Microsoft CRM and ASContact databases.
The document covers installing the components, configuring the MS CRM Gui Plug-in, setting up public Microsoft CRM queues, creating programs to route CR
This document provides an overview of the key concepts and components of the ArcSight Enterprise Security Management (ESM) system, including:
- SmartConnectors collect event data from devices and normalize the data before sending to the ArcSight Manager.
- The Manager processes events, applies categorization and priority evaluation, and writes events to the database. It also provides user interfaces for searching events and configuring the system.
- The database stores normalized event data and other system configuration information. It utilizes partitioning to improve performance and scalability.
- Users interact with the system through the ArcSight Console to search for events, configure rules and cases, and receive notifications. Additional tools provide capabilities like pattern discovery and interactive search
Configuration Monitoring Standard Content Guide for ESM 6.5c Protect724migration
The document discusses standard content in ArcSight, which includes coordinated resources that address common security and management tasks. Standard content comes pre-installed and in optional packages that can be installed. The Configuration Monitoring content provides resources for monitoring device configurations and changes. It discusses installing the content package, configuring the resources, and the types of resources included for monitoring assets, configuration changes, security applications, and vulnerabilities.
This document provides instructions for installing and configuring the ArcSight Forwarding Connector to send events from an ArcSight ESM Source Manager to various destinations, including: an ArcSight ESM Destination Manager, ArcSight Logger, NSP Device Poll Listener, CEF Syslog, a CSV file, McAfee ePolicy Orchestrator, HP Operations Manager, and HP Operations Manager i. Standard installation procedures are outlined, as well as upgrading and uninstalling the Forwarding Connector. Configuration instructions are provided for each destination type.
This release notes document summarizes version 6.3 GA of the ArcSight Connector Appliance. Some of the key details provided include:
- What's new in v6.3 GA, including scheduled configuration backups, a software version of Connector Appliance, and other new features.
- Information about upgrading to v6.3 GA, including the required upgrade files and steps for a locally managed or remotely managed appliance.
- General information about supported browsers, licensing, port changes, upgrading SmartConnectors, and other details administrators need to know.
- Lists of closed and open issues in this release.
- Notes about limitations and requirements for specific types of SmartConnectors when
Suse service virtualization_image_set up_guide_140214Darrel Rader
This document provides instructions for using a sample virtual environment for testing IBM Rational Service Testing and Virtualization products. The environment includes:
- SUSE Linux operating system
- IBM WebSphere MQ, WebSphere Application Server, and DB2
- Apache Tomcat
- Rational Integration Tester and Test Control Panel
It describes how to start and stop the included services like Tomcat and WebSphere Application Server. It also explains that the user needs to install libstatgrab and a SQLite JDBC driver for full functionality. The environment models a vacation booking system with flows for flight search, hotel booking, and flight confirmation that involve the various components.
The document provides an overview of standard content in ArcSight ESM. Standard content includes packages that are installed automatically to provide system health monitoring and optional packages that address common security and network monitoring tasks. The network monitoring content focuses on bandwidth usage, device activity, hosts and protocols, top security risks, and overall traffic overview. It provides coordinated resources like filters, rules, dashboards and reports to monitor network activity and security out of the box with minimal configuration.
Intrusion Monitoring Standard Content Guide for ESM 6.5c Protect724migration
The document provides an overview and instructions for installing and configuring the Intrusion Monitoring content package for ArcSight ESM 6.5c. It discusses modeling the network, categorizing assets, configuring active lists, enabling rules, configuring notifications and reports. The content package monitors intrusion activity and specific attacks like worms, viruses and DoS attacks. It also addresses some items on the SANS top 20 list of vulnerabilities.
The document provides installation and configuration instructions for the ArcSight Forwarding Connector. It discusses:
1. Sending events from an ArcSight ESM Source Manager to various destinations including another ESM Manager, ArcSight Logger, NSP, CSV files, and McAfee ePO.
2. Standard installation procedures including installing ESM, assigning privileges on the source Manager, and installing the Forwarding Connector.
3. Configuring the Forwarding Connector to send events to different destinations such as another ESM Manager, Logger, NSP, CSV files, McAfee ePO, and HP Operations Manager. It also discusses upgrading, uninstalling, and rolling back the connector
ArcSight Logger Forwarding Connector for HP Operations Manager Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP Operations Manager (OM). It allows events logged in ArcSight Logger to be forwarded to HP OM for analysis and monitoring. Key steps include installing the connector, creating a Logger forwarder to send events via UDP or TCP, and configuring an SNMP interceptor policy in HP OM to receive the forwarded events. Troubleshooting tips are also provided to address potential issues like duplicate or dropped events.
ArcSight Logger Forwarding Connector for HP Operations Manager i Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP OMi to send event logs from ArcSight Logger to the HP Operations Manager i (HP OMi). It describes creating a Logger forwarder to send events, creating an SNMP interceptor policy in HP BSM Integration Adapter to allow events to be accepted, and adjusting the event processing rate if needed.
ArcSight Logger Forwarding Connector for HP Network Node Manager i Protect724manoj
This document provides instructions for installing and configuring the ArcSight Logger Forwarding Connector for HP Network Node Manager i (NNMi) to send event logs from Logger to NNMi. It discusses setting up a Logger forwarder to specify the events to forward, installing the connector software, and applying a patch to NNMi to allow it to receive ArcSight events.
Here are the steps to configure the Forwarding Connector to automatically forward correlated events:
1. Locate the entityID by opening the $AGENT_HOME/user/agent/agent.properties file and copying the text string starting with "agents[0].entityid="
2. Locate the userid by opening the ArcSight Console and navigating to Navigator > Users to find the user account created for the Forwarding Connector.
3. Combine the entityID and userid strings to form the container ID, such as "3w+05uiYBABCCLKvzx0stdQ\\==myuserid".
4. Open the $ARCSIGHT_HOME/config/server.properties
ArcSight Logger Forwarding Connector for HP NNMi Configuration Guide 5.1.7.6081 Protect724manoj
This document provides instructions for installing and configuring the ArcSight Logger Forwarding Connector for HP Network Node Manager i (NNMi) to send event logs from ArcSight Logger to NNMi. It describes installing the connector, creating a forwarder in Logger to forward events to NNMi, and installing a patch in NNMi to allow it to accept events from Logger.
ArcSight Logger Forwarding Connector for HP OM Configuration Guide 5.1.7.6079 Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP Operations Manager (OM). It describes how to send event logs from ArcSight Logger to HP OM by creating a Logger forwarder to send events via SNMP, and generating an SNMP interceptor policy in HP OM to receive the events. The document also provides tips for troubleshooting issues with duplicate or dropped events, and adjusting the event processing rate.
ArcSight Logger Forwarding Connector for HP OMi Configuration Guide 5.1.7.6080 Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP Operations Manager i (OMi). It describes how to send event logs from ArcSight Logger to OMi by creating a Logger forwarder, installing the connector, and creating an SNMP interceptor policy in OMi. Troubleshooting tips are also provided for issues like duplicate or dropped events.
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...Protect724manoj
The document provides installation and configuration instructions for the ArcSight Logger Forwarding Connector for HP Network Node Manager i (NNMi). It describes how to send event logs from Logger to NNMi using the connector. Key steps include installing the connector, creating a Logger forwarder to select events to forward, and configuring the forwarder destination settings to match the connector. The appendix lists specific Cisco router sub-message mappings supported by the connector.
ArcSight Logger Forwarding Connector for HP NNMi 5.2.3.6287.0 Configuration G...Protect724manoj
This document provides a configuration guide for installing and using the HP ArcSight Logger Forwarding Connector for HP Network Node Manager i (NNMi). It describes how Logger sends event logs to the connector using CEF syslog, which then forwards the events to NNMi. It also provides instructions for installing the connector, creating a Logger forwarder to send events to the connector, and lists the specific Cisco router, HP H3C, and HP ProCurve device messages that are supported.
Logger Forwarding Connector for HPE NNMi Release Notes 7.1.7.7609.0 Protect724manoj
This document provides release notes for version 7.1.7.7609.0 of the HPE Security ArcSight Logger Forwarding Connector for HP NNMi. The connector can receive events from a source logger and send them to HP Network Node Manager i. Key updates in this release include support for HP NNMi version 10.0, Windows 2012 R2, Red Hat Enterprise Linux 7.1, and both 32-bit and 64-bit installations. The document describes supported versions, new features, how to verify and apply the upgrade files, and includes a table of enhancements.
Logger Forwarding Connector for HPE NNMi Configuration Guide 7.1.7.7609.0 Protect724manoj
This document provides instructions for installing and configuring the HPE ArcSight Logger Forwarding Connector for HP NNMi to send event logs from Logger to HP Network Node Manager (HP NNMi). Key steps include installing the connector, configuring it with Logger and NNMi settings, creating a Logger forwarder to send events to the connector, and viewing supported events in the NNMi console. The connector allows network teams to view syslog messages from Logger for improved network monitoring and fault detection.
Logger Forwarding Connector for HPE OM Release Notes 7.1.7.7611.0 Protect724manoj
This document provides release notes for version 7.1.7.7611.0 of the HPE ArcSight Logger Forwarding Connector for HP Operations Manager. The connector can receive events from a source logger and forward them to supported versions of HP OM. This release contains important security updates. Installation files are provided for Linux, Linux 64-bit, Windows, and Windows 64-bit platforms.
Logger Forwarding Connector for HPE OM Configuration Guide 7.1.7.7611.0 Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP OM to send event logs from ArcSight Logger to HP Operations Manager (HP OM). It describes supported versions of HP OM, how to install the connector, create a Logger forwarder to send events, define an SNMP interceptor policy in HP OM, and troubleshoot issues with duplicate or dropped events.
Logger Forwarding Connector for HPE OMi Release Notes 7.1.7.7610 Protect724manoj
This document provides release notes for version 7.1.7.7610.0 of the HPE ArcSight Logger Forwarding Connector for HP Operations Manager i. It supports HP OMi versions 9.01, 9.10, and 9.20. The current release contains important security updates and users are encouraged to apply the latest OMi patch. Installation files are provided for Linux and Windows platforms.
Logger Forwarding Connector for HPE OMi Configuration Guide 7.1.7.7610.0 Protect724manoj
This document provides instructions for installing and configuring the Logger Forwarding Connector for HP Operations Manager i (HP OMi) to send log events from ArcSight Logger to HP OMi. It describes installing the connector, creating a Logger forwarder to send events, and generating an SNMP interceptor policy in HP OMi to allow the forwarded events. Troubleshooting tips are also provided.
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Release Notes Protect724manoj
The document provides information on installing and configuring the ArcSight Logger Forwarding Connector for HPE NNMi. It allows events logged in Logger to be sent to HPE Network Node Manager (NNMi) for network monitoring and fault detection. The document covers installing the connector, configuring it to communicate with Logger and NNMi, and creating a Logger forwarder to select which events are forwarded. It also lists the specific sub-message types supported for parsing events from Cisco, H3C, and ProCurve devices.
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide Protect724manoj
The document provides instructions for installing and configuring the HPE ArcSight Logger Forwarding Connector for HPE NNMi to send syslog events from HPE ArcSight Logger to HPE Network Node Manager (NNMi). Key steps include installing the connector, configuring it with Logger and NNMi settings, creating a Logger forwarder to send events to the connector, and viewing supported syslog messages in the NNMi console.
Logger Forwarding Connector for OM 7.3.0.7838.0 Release Notes Protect724manoj
This document provides release notes for version 7.1.7.7611.0 of the HPE ArcSight Logger Forwarding Connector for HP Operations Manager. It includes information on supported versions of HP OM, new features, and how to apply the connector release. The connector can receive events from a source logger and send them to HP Operations Manager.
Logger Forwarding Connector for OM 7.3.0.7838.0 Configuration Guide Protect724manoj
The document provides instructions for installing and configuring the ArcSight Logger Forwarding Connector for HPE Operations Manager (HPE OM) to send event logs from ArcSight Logger to HPE OM. It describes installing the connector, creating a Logger forwarder, and an SNMP interceptor policy in HPE OM. Troubleshooting tips are also provided for issues like duplicate or dropped events.
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
UI5con 2024 - Bring Your Own Design SystemPeter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...kalichargn70th171
In today's business landscape, digital integration is ubiquitous, demanding swift innovation as a necessity rather than a luxury. In a fiercely competitive market with heightened customer expectations, the timely launch of flawless digital products is crucial for both acquisition and retention—any delay risks ceding market share to competitors.
E-commerce Development Services- Hornet DynamicsHornet Dynamics
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Project Management: The Role of Project Dashboards.pdfKarya Keeper
Project management is a crucial aspect of any organization, ensuring that projects are completed efficiently and effectively. One of the key tools used in project management is the project dashboard, which provides a comprehensive view of project progress and performance. In this article, we will explore the role of project dashboards in project management, highlighting their key features and benefits.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Drona Infotech is a premier mobile app development company in Noida, providing cutting-edge solutions for businesses.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
5. Confidential ESM Release Notes 5
ArcSight ESM 6.5c
These release notes discuss the following topics.
Welcome to ESM 6.5c
ESM delivers ArcSight’s world-class Security Information and Event Management (SIEM)
with ArcSight's proprietary storage solution, the Correlation Optimized Retention and
Retrieval (CORR)-Engine. The CORR-Engine powers ESM’s superior correlation capabilities
with significant performance improvements over the Oracle storage.
What’s New in This Release
This section describes the new features and enhancements added in this release.
ArcSight Command Center
The ArcSight Command Center is a web-based user interface for ESM. It enables you to
perform many of the functions found in the ArcSight Console and ArcSight Web, also
provided with ESM. It provides you the ability to:
View dashboards, do several kinds of searches, run reports, do case management,
notifications, and administrative functions for managing content, users, connectors,
storage, archives, search filters, saved searches, and peer configuration.
Synchronize your ESM content across multiple instances from a primary ESM source,
where all configurations are done, to multiple ESM destinations using the Content
Management feature. Synchronization is supported for all packages except those
including any of these resources: Actors, Assets or Asset Ranges, Cases, Connectors,
Packages, Partitions, Active or Session Lists, or Database Table Schemas.
Establish peer relationships with other ESM instances and perform searches across
peers.
“Welcome to ESM 6.5c” on page 5
“What’s New in This Release” on page 5
“Upgrade Support” on page 8
“Geographical Information Update” on page 9
“Vulnerability Updates” on page 9
“Supported Platforms” on page 9
“Verifying Secure Delivery” on page 9
“Usage Notes” on page 10
“Frequently Asked Questions about ESM with CORR-Engine” on page 11
“Fixed Issues in ESM 6.5c” on page 14
“Open Issues in ESM 6.5c” on page 17
6. ArcSight ESM 6.5c
6 ESM Release Notes Confidential
Saved Searches and Search Filters appear on the ArcSight Console resource tree to
leverage the resource grouping and packaging features.
Add and configure up to four storage groups in addition to two the come out-of-box.
Each storage group can have its own retention policy and archive settings. Send
events from a specific connector to a specific storage group using storage mappings.
Display context-sensitive online help.
Refer to the ArcSight Command Center User’s Guide for details.
Rules
Pre-persistence rule type
A pre-persistence rule type is now available. This event-enriching rule calls the Set
Event Field action to modify base events before they are persisted in storage, unlike
other rule types that set fields on rule correlation events. Event fields are modified
every time an incoming event matches the condition specified for the rule. The rule
does not have to wait to go through the process flow before executing the action.
Event fields set by a pre-persistence rule are available to normal, real-time rules that
run during post-persistence flow.
Rule actions to create and update a case
The rule actions, Create a New Case and Add to Case, now provide the ability to set
case attributes, such as ticket type, stage, frequency, and so on.
Refer to the topic “Rules Authoring” in the ArcSight Console User’s Guide for more
information about rules.
Lists
You can now specify active and session lists to be case-sensitive or case-insensitive.
You can further refine the case insensitivity setting for key fields only, value fields only,
or both.
Active and session lists can now support up to 5 million entries. Details for the required
setups are in the topic “List Authoring” in the ArcSight Console User’s Guide.
The IPv6 address format is now supported. This address is available as a subtype for
the Address data type in active and session lists.
Refer to the topic “List Authoring” in the ArcSight Console User’s Guide for more
information about lists.
Reports
If you are sending a PDF, XLS, RTF, or CSV-formatted report as an email attachment, you
can choose to compress (zip) that report before sending it.
Refer to the topic “Building Reports” in the ArcSight Console User’s Guide for information
about reports.
Cases
A case can now include correlated base events when you manually create a case or when a
rule action creates or updates a case.
Refer to the topic “Rules Authoring” in the ArcSight Console User’s Guide, for more
information about rules. Refer to the topic “Case Management and Queries” in the ArcSight
Console User’s Guide for information about cases.
7. ArcSight ESM 6.5c
Confidential ESM Release Notes 7
Actors
ESM now supports up to 500K actors. The Actor Model Import Connector has been
enhanced to support the new limit.
Refer to the topic “Actors” in the ArcSight Console User’s Guide for more information about
actors.
Saved Searches and Search Filters
The ArcSight Console now includes two new resources on the resource navigator panel:
Saved Searches and Search Filters. Configuration for these resources are done on the
ArcSight Command Center. On the ArcSight Console, you can leverage the resource
grouping and packaging features for these resources.
For details about creating searches and filters, refer to the following topics in the ArcSight
Command Center User’s Guide:
Searching for Events > Saved Queries (Search Filters and Saved Searches)
Administration > Search Filters
Administration > Saved Searches
Refer to the topics “Editing Resource Groups” and “Managing Resources” in the ArcSight
Console User’s Guide for details about resource groups and packages, respectively.
Variable Functions
This release provides the following new and enhanced variable functions to support list
authoring.
GetListElement is a new function that returns the element at a specified index in a
list of elements.
ConvertStringToIPAddress is a new type conversion function that converts an IP
address stored in string format into an IP address type.
ConvertStringToList is an enhanced type conversion function that now provides an
optional second parameter for you to set a separator string, such as a pipe (|), in
addition to the default comma separator.
AliasField is an enhanced Alias function that was previously available only to event
schemas. Now, you can use this function in all schemas such as Actors, Cases, and so
on.
Value List is a new function category containing GetListElement (a new function) and
GetSizeOfList (moved from Type Conversion).
Refer to the topic “Variable Functions” in the ArcSight Console User’s Guide for information
about variables and functions.
Event Priority Rating
You can now view an event’s priority rating, or score, through the Debug Event Priority
option. When you right-click an event on a channel, a popup displays the priority score
calculated for the selected event.
Refer to the topic “Priority Calculations and Ratings” in the ArcSight Console User’s Guide,
for more information about the Threat Level Formula that calculates priority scores.
8. ArcSight ESM 6.5c
8 ESM Release Notes Confidential
Migration of ESM Resources from Oracle to CORR-Engine
A utility is now available to help customers migrate their ESM resource data from Oracle to
CORR-Engine without engaging HP ArcSight Professional Services.
Refer to the document, “Migrating ESM Resources from Oracle to CORR-Engine,” for
instructions.
ArcSight Risk Insight
ArcSight Risk Insight is an add-on product that enables users to understand the business
impact of real-time threats on assets. In ESM, users define asset business layers (including
workstations, servers, laptops), use rules to calculate risks factors on these assets, and
import the data into Risk Insight. Risk Insight aggregates the scores following the business
model, and users assess the impact of a specific threat that could present a risk factor on
the business. Users build their own key performance indicators to monitor their
organization’s business risks continuously. Once installed, Risk Insight is accessed through
the ArcSight Command Center.
Refer to the Risk Insight User’s Guide for details.
Upgrade Support
Direct upgrade to ESM 6.5c is supported only from ESM 6.0c.
Upgrade From ESM 6.0c
Refer to the ESM 6.5 Upgrade Guide for instructions on how to upgrade your ESM 6.0c
installation to ESM 6.5c.
Migrating from ESM 5.x to ESM 6.5c
This release of ESM does not support a direct upgrade path from your ESM 5.x installations
to ESM 6.5c. However, if you would like to migrate from a version prior to ESM 6.0c (5.x),
you must do the following in the order listed below:
1 Install ESM 6.0c on a machine other than your existing ESM 5.x installation machine.
Refer to the ESM 6.0c Installation and Configuration Guide for detailed steps to do so.
2 Migrate the resources from your existing ESM (effectively from the underlying Oracle
database) to the newly installed ESM 6.0c.
ESM 6.0c uses CORR-Engine as its backend. The CORR-Engine-based ESM requires a
fresh installation. If you would like to migrate your resources from an existing (legacy)
ESM installation, you should do so on a freshly installed ESM on which resources
have not been altered or added. Any resources that are changed or added after the
ESM 6.0c installation along with their associations with any events will be wiped out
while migrating the resources. Use the Resource Migration tool to migrate your
resources from Oracle to the CORR-Engine.
The resource migration tool migrates only the resources. It does not migrate the data.
Keep your existing ESM instance running to maintain historical data according to your
retention policies.
Contact your HP Account Representative, if you plan to migrate your resources from
your legacy ESM installation, to discuss your specific requirements and coordinate
migration during the installation of the ESM 6.0c software.
9. ArcSight ESM 6.5c
Confidential ESM Release Notes 9
The Resource Migration tool is available for download from the HP Software Depot at
http://support.openview.hp.com/downloads.jsp. Refer to the Migrating ESM Resources
From Oracle to CORR-Engine document which can be downloaded from the HP SSO
website, for detailed steps to do so.
3 Upgrade to ESM 6.5c. Refer to the ESM 6.5c Upgrade Guide for detailed instructions.
Geographical Information Update
This version of ESM includes an update to the geographical information used in graphic
displays. The version is GeoIP-532_2013901.
Vulnerability Updates
This release includes recent vulnerability mappings (September 2013 Context Update) for
these devices:
Snort / Sourcefire SEU-957 updated Faultline, Bugtraq, CVE, Nessus
Enterasys Dragon IDS updated CVE
Cisco Secure IDS S741 updated Bugtraq, CVE
Juniper / Netscreen IDP update 2298 updated Faultline, CVE, Nessus, MSSB
TippingPoint UnityOne DV8469 updated Bugtraq, CVE
ISS SiteProtector updated Faultline, Bugtraq, CVE, X-Force, Nessus, CERT
Symantec Endpoint Protection updated Bugtraq, CVE
McAfee HIPS 7.0 updated CVE
Radware DefensePro updated CVE
Supported Platforms
ESM 6.5c is supported on Red Hat Enterprise Linux 6.4 64-bit platform for fresh installation
and Red Hat Enterprise Linux 6.2 64-bit for upgrades. Refer to the Product Lifecycle
document available on the Protect 724 site for further information on supported platforms
and browsers.
ESM Patches
This release includes fixes released with ESM 6.0C Patch1 but fixes in ESM 6.0c Patch2 are
not included in this release of ESM 6.5c.
Verifying Secure Delivery
To ensure that files have not been either corrupted or tampered with in transit, HP provides
an MD5 cryptographic hash for each product component and documentation file.
To verify a software file from the product download site, do the following:
1 On the product file download page, select the file you want to download.
2 In the "Selected media product information" section, find the 32-digit MD5 signature.
3 Verify the MD5 checksum using an independently generated MD5 checksum of the file.
10. ArcSight ESM 6.5c
10 ESM Release Notes Confidential
Usage Notes
Forwarding Connector
Make note of the following for the Forwarding Connector for ESM 6.5c:
The Forwarding Connector for ESM 6.5c is only supported on Red Hat Enterprise Linux
6.4 64-bit.
ESM 6.5c supports upgrading to Forwarding Connector 6.0.4.6830.0 from the
previous Forwarding Connector release 5.2.5.6403.0. If you are installing ESM 6.5c in
a hierarchical environment, please install Forwarding Connector 6.0.4.6830.0 directly.
If you are forwarding events from ESM 5.5 or ESM6.0c, the Forwarding Connector
version used must be the one released with the latest ESM version, in this case version
6.0.4.6830.0.
The automatic forwarding of base events offered with the Correlated Forwarding
Connector feature is not supported for ESM 6.5c. On-demand pulling of events is
supported.
Domains
The Domains feature is not supported for this release.
Browser Support in FIPS with Suite B Mode
If you have installed the product in FIPS with Suite B mode, use the Firefox browser to
connect to the Manager.
You cannot use the Internet Explorer browser to connect to the Manager, since Internet
Explorer does not support FIPS with Suite B.
Running Concurrent Searches
The number of concurrent searches is limited by the capacity of the event reader. By
default, the maximum capacity for the event reader is 4. So the system will perform well
with 4-6 concurrent searches. If you want to run more concurrent searches, increase the
event reader capacity and the java heap size for the Logger server.
Starting and Stopping Components
Running unsupported scripts may produce unexpected results, including system failure or
data loss.
For help on the supported "arcsight_services" enter the following command while logged in
as user “arcsight”:
/sbin/service arcsight_services -help
If you inadvertently run unsupported scripts, rebooting the system will restore proper
operation in most cases.
The commands for starting and stopping components in ESM 6.5c are different
than the commands for starting and stopping components that were used in
prior releases of ESM with Oracle backend.
Also, in ESM 6.5c, the commands for starting and stopping components should
be run as user “arcsight”.
11. ArcSight ESM 6.5c
Confidential ESM Release Notes 11
Issue When Subscriber is Added As a Peer
An error message is shown for manual pushes that are attempted if there are no enabled
subscribers. However, no similar error message is displayed for automatically scheduled
pushes if there are no enabled subscribers.
Discover Fields List - Top Values and Values by Time
The Field Summary > Discover Fields option in the Command Center Search feature is
not supported in ESM 6.5. If you search a version 5.3 SP1 peer Logger using the ArcSight
Command Center search feature, check both the Field Summary and Discover Fields
options, run a search, the "Values by time" link in the pop-up for any field in the
"Discovered Fields" list will not work.
Workaround: To use the Discover Fields option, run the search from the 5.3 SP1 Logger.
Frequently Asked Questions about ESM with CORR-
Engine
The following section answers some frequently asked questions about ESM with CORR-
Engine.
How many machines do I need for installing ESM 6.5c? What platform is ESM
6.5c supported on?
The ESM Manager and CORR-Engine components come integrated in a suite that is
installed on a single machine. Single machine install provides better scalability with
localized processing and storage tiers. ESM 6.5c should be installed on a single Red Hat
Enterprise Linux 6.4 64-bit machine. The Manager and CORR-Engine cannot be installed on
separate machines.
See the section, “Supported Platforms” on page 9, for more information on supported
platforms.
How do I plan my hardware requirements in order to get the maximum
performance from CORR-Engine?
The ESM 6.5c CORR-Engine solution scales better with additional cores. The more the CPUs
used, the better the performance. When compared to Oracle, the CORR-Engine is less
dependent on I/O. Call the HP Professional Services for help with the sizing requirements.
What are the hardware requirements for ESM 6.5c?
Refer to the “System Requirements” section in the “Installing ESM” chapter of the ESM
Installation and Configuration Guide.
Can ESM 6.5c be part of a mixed hierarchical architecture with ESM 5.x using a
Forwarding Connector?
Yes. You can forward events from ESM 5.0 SP2 with latest patch or 5.2 with latest patch to
ESM 6.5c. However, we recommend that you do not send events to ESM 5.x, and instead
send them directly to ESM 6.5c.
Will existing licenses work?
If you have a valid existing ESM license, you can use it with ESM 6.5c.
12. ArcSight ESM 6.5c
12 ESM Release Notes Confidential
Can I continue to use my existing Loggers with ESM 6.5c?
Yes. You can forward events from Logger 5.3 to ESM 6.5c and vice versa.
Can I upgrade my existing ESM installation to ESM 6.5c?
Direct upgrade is supported only from ESM 6.0c to ESM 6.5c.
Direct upgrade of an ESM 5.x installation to ESM 6.5c is not supported. Refer to the
section, “Migrating from ESM 5.x to ESM 6.5c” on page 8 for more details.
How do I get to manage.jsp?
manage.jsp and other advanced troubleshooting tools, such as license.jsp and
resource.jsp, are available from the new ArcSight Command Center Console using this
URL:
https://servername:8443/arcsight/web/manage.jsp
manage.jsp and the other advanced troubleshooting tools are not supported for general
customer use without guidance from HP Customer Support.
Does the CORR-Engine use event side tables?
The CORR-Engine does not use event side tables. You see a significant improvement in the
CORR-Engine’s performance over Oracle because the need to join with side tables is
eliminated in the CORR-Engine.
Can I archive my events with CORR-Engine?
Yes, the event archiving functionality in CORR-Engine works in a similar way as it did in
ESM 5.x with Oracle. There is significant improvement in this feature, such as:
better compression
faster reactivation/deactivation
easy to use
no DBA needed
has a web interface
easier to scale
See the ESM Administrator’s Guide and the ArcSight Command Center User’s Guide for
further details.
How do I backup and restore my data in ESM 6.5c?
Refer to the ESM Administrator’s Guide and the ArcSight Command Center User’s Guide for
details on how to backup and restore your data.
How/When do I migrate my resources from my legacy ESM installation?
You will need to install ESM 6.0c first. Once you have installed the ESM 6.0c software, you
can migrate your resources from a legacy ESM 5.x installation. See “Upgrade Support” on
page 8 for more details.
The resource migration tool migrates only the resources. It does not migrate event data or
events attached to cases. Keep your existing ESM instance running to capture historical
data according to your retention policies.
13. ArcSight ESM 6.5c
Confidential ESM Release Notes 13
If you would like to migrate your resources from an existing (legacy) ESM installation, you
should do so on a freshly installed ESM 6.0c on which resources have not been altered or
added. Any resources that are changed or added after installation along with their
associations with any events will be wiped out while migrating the resources.
What fields are indexed in CORR-Engine?
The CORR-Engine indexes every field, including customer-created fields. The CORR-Engine
does not index LOB-based fields, whereas Oracle only had a subset of fields that were
indexed. You do not need to add any custom indexes. This speeds up the searches
significantly.
Can the storage size of the CORR-Engine be changed after installing the
product?
Yes. Please contact HP Professional Services through your HP Account Representative for
information and assistance on this.
How do I view my archive/storage info?
You can view your archive and storage information using the ArcSight Command Center.
How does CORR-Engine do compression on archives?
The CORR-Engine’s archive file size is smaller than that of Oracle. You do not need to use
GZIP on data files since data is compressed inside the data files.
Are there any Oracle-based ESM features that are not supported in CORR-
Engine-based ESM?
The Domain feature is not supported in CORR-Engine-based ESM.
Auto-forwarding of base events is not supported.
Daily partitioning on trend and session list data is replaced by weekly partition.
14. ArcSight ESM 6.5c
14 ESM Release Notes Confidential
Fixed Issues in ESM 6.5c
Analytics
ArcSight Console
Issue Description
NGS-6359 A trend would fail to run if the trend query contained a custom conditional
evaluation.
This issue is fixed. The trend query can now contain a custom conditional
evaluation.
NGS-5266 A query that is used in a report, query viewer, or channel that uses event
annotation could affect the system performance if it has a large event annotation
data. This is still an issue, but can be fixed by optimizing the query dynamically.
To do so, set the event.annotation.optimization.enabled flag in the
/opt/arcsight/manager/config/server.properties file to true.
NGS-3686 Users can now delete a Trend used in a Query that in turn is used in a Query
Viewer.
Issue Description
ESM-50538 The Add, Remove, and Replace column selector has been reverted back to the
same look as previous ESM versions, such that it moves the root level columns
back into a "root" group.
ESM-47163 The previous releases were missing a variable function to convert a string to an IP
address. A new variable function, ConvertStringToIPAddress, has been added in
this release to convert a string to an IP address.
ESM-46773 In this release, there is an added option in the email format to compress a
scheduled report before emailing. The option is, 'Attach Compressed Report,'
under Report Parameters.
The new feature is documented in the What's New for ESM 6.5c, and in the
ArcSight Console User's Guide, in the "Building Reports" topic under the subtopic
"Report Parameters: Default and Custom."
ESM-33943 If you moved a resource, the search result would output the wrong URI even if
you ran a Resource Search Index Updater. At the same time, the URI shown in
Resource properties was correct and matched the updated location. This has now
been fixed and the search result outputs the correct URI if you run a Resource
Search Index Updater.
ESM-33489 When a connector was updated or the Manager restarted, occasionally it showed
an incorrect user name in the editor. Now, when it is changed by a user, it shows
the correct username. If the Manager is restarted, then it shows a blank
username.
NGS-5582 There were performance issues in the ArcSight Console when navigating through
the groups. The ArcSight Console was slow when Dashboards were open in a low-
bandwidth/high-latency network.
This issue is now fixed and the ArcSight Console's performance is as expected.
NGS-4387 Previously the HTML text in a payload viewer used non-HTML line breaks.
These are now replaced with HTML line breaks: <br />.
15. ArcSight ESM 6.5c
Confidential ESM Release Notes 15
NGS-3129 When you selected the geographic view from events in an active channel, both
Longitude and Latitude information were shown as 0.
This bug is fixed and now the geographic view shows the correct Longitude and
Latitude information for the events.
NGS-1072 Displaying EventGraph data monitors from within the ArcSight Console custom
layout internal browser is no longer supported. You must launch an external
browser from the ArcSight Console custom layout or use the ArcSight Command
Center dashboard module in order to view any dashboard with EventGraph data
monitors.
Issue Description
16. ArcSight ESM 6.5c
16 ESM Release Notes Confidential
ArcSight Manager
ArcSight Web
Issue Description
ESM-50704 An export would fail to complete using the package command.
This is now fixed. Now you can export large packages using the CLI command in
standalone mode.
NGS-5483 Excessive temporary file space gets used when Group By (or sorting) is performed
on the Event table. This issue now has a workaround.
Workaround: Use the ArcSight substring function on varchar/string event fields to
minimize the data manipulation during grouping. You can use existing local or
global variables to achieve this behavior and replace the existing field in the query
with the variable.
If the file space usage is still not satisfactory, you can convert the character set
automatically to Latin which uses less space. To do so, set the
event.query.charset.conversion property to 1 in the
/opt/arcsight/manager/config/server.properties file to convert the existing charset
to latin1. Alternatively, set the property to 2 for conversion to binary and then to
Latin (to minimize conversion error for non-English character set). The default
value of this property is zero.
Note: Use this property carefully to avoid character conversion error of multi-byte
character to one byte (latin1) truncation.
NGS-4335 A memory leak in the CORR-Engine which caused the Manager to become
unresponsive has been fixed in this release.
NGS-4202 Even though an initial query for event data timed out, the Active Channel would
show the status as "Loading...". An issue that caused the Active Channel to stay in
"Loading..." forever has now been fixed.
Issue Description
ESM-50148 An issue where session cookies for ArcSight Web were set on the client web
browser without the HTTPOnly directive enabled has now been fixed.
ESM-49935 Previously, the exception stack would display in the page source. This is now fixed
by the addition of a new property. To NOT display the exception stack in page
source, add the following property in webserver.properties:
web.display.exception.stack=false
Then clear the browser cache.
This is now documented in the "Preferences" section of the ArcSight Web User's
Guide.
NGS-4219 A report would fail to run if a web user logged in to ArcSight Web and selected a
user's email address using the 'Email to' button. The problem occurred when the
web user was configured with an Active Directory external id.
This issue is now fixed. You can now use the 'Email to' button to select a user's
email address successfully.
NGS-4056 The payload value in ArcSight Web was HTML encoded and an XSS vulnerability
was encountered. This issue is now fixed and you will no longer encounter an
error.
17. ArcSight ESM 6.5c
Confidential ESM Release Notes 17
CORR-Engine
Open Issues in ESM 6.5c
Analytics
Issue Description
NGS-4229 Archive stopped working after the Daylight Saving Time ended in Brazil at
midnight on 10/22 when the clock was turned back one hour. The following error
appeared in the Logger log file: "An archive with duplicate date already exists in
the database". This issue is now fixed and this error no longer appears in the log
file.
Issue Description
ESM-49283 For a hostname to be properly interpreted from the Request URL, the host name
needs to be enclosed either within // (double slash) and / (single slash); or within
// (double slash) and : (colon). For example:
https://<hostname>:8443
Such an event is retrieved correctly with the filter 'Request Url Host Is Not Null'
(do not use filter 'Request Url Host != Null' as this is an invalid filter).
ESM-48858 System audit events, such as those resulting from a rule being disabled by the
system, are given a low TTL (time-to-live) value to prevent excessive rule
triggering. A single rule can correlate such audit events, but any subsequent
chaining rules are suppressed.
ESM-48307 If you have the Compliance Insight Package for IT Governance, note that the
DeviceEventclassId for Windows 2008 has the same value as Windows 2003.
ESM-40449 When exporting events from the Case Details channel, archived events are not
exported.
ESM-39405 If you create a report whose name contains Chinese characters, then send the
report as a PDF attachment, the received email does not display the attachment's
name correctly. The content of the report is correct; only the email attachment
field is affected.
ESM-37810 For scheduled reports, when the user's "Run as" read and write privileges are
taken away, the scheduled report is generated by the user who created the
schedule (and not by the "Run as" user). If the "Run as" user has read privilege
only, then the report is not generated.
ESM-35070 Verify Rules with Events (replay with rules) does not work for the following types
of active lists if one of the rules adds to the active list and the second rule uses
that data in a condition:
- An event-based active list with values
- A field-based active list with values, where all fields are mapped to event fields
Verify Rules with Events does work for other types of active lists and when only
one rule is used. Also, valid active lists work properly with real-time rules when
they are deployed, including the two types of active lists described above.
ESM-34531 When you set the Schedule Frequency for a report, the Next Run Time field is
displayed incorrectly in the Editor. Even though the time is displayed incorrectly,
the report runs at the time specified in the editor.
18. ArcSight ESM 6.5c
18 ESM Release Notes Confidential
ESM-29633 Occasionally, after changing a trend's description, another trend that depends on
this trend may become invalid.
Workaround: You can usually re-enable a trend that was incorrectly disabled by
making any minor change on the trend (for example, you could toggle the trend's
enabled state off and then back on) and then save it. This will force the re-
validation of the trend and re-enable the trend.
ESM-29348 For trends, the Scheduled Time column in the Scheduled Runs view covers both
time ranges for runs that have already occurred and for runs that are pending. As
a result, you will see some discrepancy in the time ranges shown in the column.
For example, against the runs that have already occurred, you will see the lower
end of the time range. (For trends set to run hourly, if the time range is between
1:00 pm - 2:00 pm you will see 1:00 pm). The pending runs show the upper
range (if the time range is between 1:00 pm - 2:00 pm you will see 2:00 pm).
Trends that have already occurred will have a time difference that reflects the
trend query schedule (for example, one hour for hourly queries), while the
pending runs will have a time difference that reflects the overall task schedule (for
example, 24 hours if run once a day).
NGS-7906 In a Query, the GetHour variable returns the hour translated from local time to
GMT. For example, if your local time is 20:31:47, the GetHour variable might
return 3, instead of 20, as expected.
NGS-7896 Some rules under /All Rules/ArcSight Core Security can get triggered twice,
because they are linked to other packages (for example, when the Intrusion
Monitoring Foundation is installed). Workaround: Remove one of the links from
the Real-Time Rules group.
NGS-7876 If the ConvertStringToList variable function was used in any resources prior to
upgrading to 6.5c, those resources will be broken after upgrade, and the variables
(local or global) will display as empty definitions in the editor.
Workaround: open the affected variable and reenter the function and parameters.
NGS-7865 A rule will be marked invalid if it contains a condition using the ContainsValue
operator.
Workaround: move the condition to a Filter, and use a MatchesFilter condition in
the rule.
NGS-7181 Queries are very slow when they have a combination of aggregation, groupby,
orderby, and a condition on a large active list or session list.
NGS-6521 The Day function does not convert time-stamp data correctly. For the event count
history, this issue causes the Event Count Last 7 Days query viewer to show the
wrong data.
NGS-6509 If you have the IdentityView 2.5 solution and have 500 K actors, the actor
channels are not being loaded. This happens intermittently.
NGS-5756 From within a Query Viewer drill down for Active Channel, you cannot drill down to
Field Set having IP address as part of Global Variable.
NGS-4187 Trend tables that exceed 1 GB may cause a signal 11 error in the CORR-Engine.
Workaround: Keep trend tables small (< 1G). Trends running on ESM with Oracle
were often created to provide improved report performance on a subset of
columns. This is no longer needed with CORR-Engine.
The best way to reduce an overgrown trend table is to edit the trend and reduce
the "retention" period. For the change to take effect, rerun the trend. If the trend
data is no longer needed, you can delete the trend and the space that was used
by the trend gets freed up.
Issue Description
19. ArcSight ESM 6.5c
Confidential ESM Release Notes 19
NGS-3139 While trying to query on a case, specify the ID of the user instead of the name of
the user.
For instance:
if owner=admin, this will not work
if owner=1UOtZMTkBABCA0qd7zsU1lQ==, this will work
Issue Description
20. ArcSight ESM 6.5c
20 ESM Release Notes Confidential
ArcSight Console
Issue Description
ESM-51217 ContainsValue is an operator on the Common Conditions Editor which is not
currently documented. ContainsValue is used where the left-hand-side operand is
a list of some data type, and the right-hand side operand is a single value (field or
literal) of the same data type.
For example, a variable "IPList" is a list of IP Addresses obtained from a multi-
mapped active list, with values {192.0.2.0, 192.0.2.1, 192.0.2.2}. The
ContainsValue operator can be used in following conditions:
IPList ContainsValue TargetAddress (This returns true or false depending on
whether TargetAddress value is contained in IPList.)
IPList ContainsValue 192.0.2.0 (This returns true because the right-hand side
value is contained in IPList.)
IPList ContainsValue 192.0.2.24 (This returns false because the right-hand side
value is not contained in IPList.)
ContainsValue can be used in both query and in-memory resources.
ESM-51149 The geographical location mapping for some IP addresses may be wrong. For
example, the values in the source and target "Country Code", "Region Code",
"Country Flag URL" and" Country Name" fields may be wrong.
Workaround: None at this time.
ESM-50470 The filter (Source FQDN Is NOT "") does not work on Active Channels.
ESM-49990 To display the correct icon for forwarded correlation events, add the Locality Field
column to the field set of the channel.
ESM-47213 Case-related events are copied to a special table so they can remain available
after being archived. The channel is unable to find and display such events
correctly after the partition is archived.
Workaround: Use the case event editor or Reports, which can correctly find and
display these events.
ESM-41641 On Mac OS X only: If you open a channel, select some rows, right-click on them
and select Print Selected Rows from the resulting menu without a default printer
set up, the Console will abruptly terminate.
Workaround: Before you start the Console, make sure to set up a default printer
to which to print.
ESM-41019 When you have client-side authentication set up, and if the Manager is configured
with the Password Based and SSL Client Based Authentication, an error will be
returned when accessing the product documentation using a Web browser.
Workaround: Generate a key pair for the browsers and import the browser's
certificate into the Manager's trust store. Alternatively, copy the Console's key
into the browser's keystore. See the Administrator's Guide for details on how to
do this.
ESM-40587 Correlation events may occur before the base event that triggered the correlation
event in channels sorted by time. This happens if the event end time for the
correlation event is the same as that for the base event.
Workaround: Add a sort column in the channel to sort events, first by end time,
and second by type of event. Base event type is 0 and correlation event type is 1.
ESM-39980 The Console can become unresponsive if you access other resources while
building category models with a large number of actors.
21. ArcSight ESM 6.5c
Confidential ESM Release Notes 21
ESM-39829 Deleting actors will require category models, if any, to be re-built. Each rebuild
should only take a few seconds. However, when thousands of actors are deleted,
the cumulative deletion period may last for hours.
ESM-39331 Actor channels can only display fields that are part of a pre-defined field set. If
you want to view any additional fields in an Actor channel, first add the fields to
the field set that the Actor channel uses instead of adding them directly to the
channel.
Workaround: To view additional fields in an Actor channel, add the fields to an
Actor field set and use it in the actor channel.
ESM-37344 On the ArcSight Console, when a large number of cases reside in a single group,
you can't pick a case for "Add to Existing Case" rule action in the Rule editor. This
is because the resource selector only shows leaf nodes when there are less than
1000 cases in a group. This happens for all resources.
Workaround: Arrange the resource hierarchy so there are no more than 1000
resources in a single group. Alternatively, use a dynamic case name (a case name
that includes a variable).
ESM-36055 In the Query Editor, if you have read permission to a query but not to the global
variables that are being used in the query, the resulting display will be incomplete.
None of the global variable-related fields will be displayed. Also, no error will be
displayed indicating that you are not able to view some resources in the query due
to lack of sufficient permissions.
ESM-33462 Stages resources are erroneously not locked as system content and are editable
from the ArcSight Console, on the resource Navigator > Stages resource tree. Do
not customize or move these stages resources, as doing so might cause the
Manager to become unusable. The system content stages are Closed, Final,
Flagged as Similar, Follow-up, Initial, Monitoring, Queued, and Rule Created.
ESM-33440 If you right-click on a block in a Hierarchy Map Data Monitor and select Show
Events, no events are returned if variables are present in the Source Node
Identifier.
ESM-26488 If you import the content of an older package into an existing newer package, the
contents from the two packages are merged. The resulting package will consist of
contents from both packages. The relationships will be merged, but the attributes
will be picked up from the old package.
Workaround: Export the new package to a bundle file so that you can recover it if
need be. Then delete the new package before you import the old one.
NGS-7884 Four other packages are dependent on the ArcSight Core Security package, it is
strongly recommended not to uninstall this package. However, notification actions
should not be enabled in any rules under /All Rules/ArcSight Core Security if you
really need to uninstall this package.
NGS-7735 An overlapping session list contains duplicate entries for the same key field. The
session list is part of variable definition and used in filter. If the filter is used in
active channel and the session list entry is deleted, the deleted entry may
continue to be displayed on the active channel.
NGS-7526 Non-admin users need to have read permission manually added to /All
Trends/ArcSight Core Security for Default User group.
NGS-7233 When using the ContainsValue operator in the Common Conditions Editor, the user
is allowed to enter a value in the editor. However, this value is invalidated and an
error message instructs the user to use the popup editor instead to input values.
This happens for correct as well as incorrect values entered.
The workaround is to use the popup editor instead of entering the values in the
editor directly.
Issue Description
22. ArcSight ESM 6.5c
22 ESM Release Notes Confidential
NGS-7173 The Console may become temporarily unresponsive for a few seconds when
working with large active and session lists.
NGS-5975 If you are accessing query viewers with actor content, and you have a large
number of actors, there may be a pause in the user interface while it waits for
data from the Manager. This could result in a delay of several seconds.
NGS-4091 If the arc_notification_history and arc_notification_registry are too big, the
ArcSight Console will hang.
NGS-4060 On ArcSight Console only: When viewing a dashboard such as "/All
Dashboards/ArcSight Foundation/Intrusion Monitoring/Executive
Summaries/Executive View" in Custom Layout mode, the titles may appear to be
cut off. This happens because the window is too small to show its entire contents.
Increasing the size of the window should solve this issue. If the issue still persists,
open the dashboard in an external browser.
NGS-3084 Global variable fields of the type "GetActiveList" are not displayed on custom
layouts and Image Dashboards. This behavior is seen on custom layouts when
using the ArcSight Console, and image dashboards when using ArcSight Web and
ArcSight Command Center. To view these fields correctly, use the standard layout
on ArcSight Console.
NGS-2499 The time field in the Image Dashboard will be displayed as a number instead of
displaying as formatted date and time.
Workaround: Use regular dashboard instead of Image Dashboard.
NGS-2241 When you first create or view a new custom view dashboard with one or more
data monitors or query viewers, the dashboard elements might overlap.
Workaround: Define the arrangement and save it. This can be done in one of
these ways:
1) Using auto-arrange: Go to Edit->Auto Arrange and then click 'Save' to preserve
the changes.
2) Manual arranging: Go to Edit->Arrange and move/resize all dashboard
elements to the desired position. When finished, click 'Done Arranging' and then
'Save'.
NGS-1745 When viewing a Management Console dashboard in custom layout mode, such as
"/All Dashboards/ArcSight Administration/ESM/System
Health/Resources/Rules/Rules Status", if the DataMonitors or Query Viewers
overlap, click on Edit->Auto-Arrange to correctly display them. You can then save
the arranged dashboard.
NGS-1262 If a dashboard contains a Query Viewer that has a large row limit, the Console
may hang while loading this dashboard in Custom Layout view. It is a good
practice to keep the row limit of Query Viewers to less than 100 before viewing
the dashboard in custom layout format.
NGS-1088 If a regular or inline filter with a condition involving Event Annotation Flag is
applied to an Active Channel, the Active Channel will not load any events.
Workaround: Avoid using Event Annotation Flag in filter conditions.
NGS-146 In some cases, event-based Active Channels that include InCase filtering
condition will not display events that belong to a case but have been removed
from the main event table (arc_event) due to the retention period limit.
Issue Description
23. ArcSight ESM 6.5c
Confidential ESM Release Notes 23
ArcSight Manager
Issue Description
ESM-47625 When exporting a case, the Creation Time is changed to the time of the export.
ESM-41331 After the resource validation process is run, assets that are actually invalid appear
to be valid.
Workaround: To produce a correct report, run the resource validation script
manually as follows:
1. Run the script using "arcsight resvalidate."
2. Run the script again using "arcsight resvalidate -persist false."
In general, the resource validation script should be run twice: the first time with '-
persist true' (the default) to validate and fix invalid resources, and the second
time with '-persist false' to generate a correct report.
ESM-40889 The "group:101" audit event might not be sent when there are many role
memberships being added or changed for an actor. An error about this is written
to the server log, indicating the IDs of the affected objects.
ESM-37488 Exporting a large active list with 10 million entries, or exporting rules that use
such active lists, results in an exception in the server.std.log file. Additionally, the
Manager runs out of memory and automatically restarts itself.
Workaround: Use the export format instead of the default format while exporting
the rule or active list definition using an archive or a package. This will not export
the active list data.
ESM-31433 The following exception might appear in the Manager's log file:
ERROR: java.lang.NullPointerException at
org.apache.lucene.index.IndexReader.open
Workaround: This error is not serious. It is automatically resolved within one
week of the Manager startup during which time the Manager rebuilds the resource
search index (done weekly). You may choose to ignore the error, or manually do a
rebuild at any time by running the following command from the Manager's bin
directory:
arcsight searchindex -a create -m <manager-hostname> -u <admin-user-name>
-p <password>
ESM-30670 If the search index file becomes corrupted, the search index will be out-of-date
and the following message appears in the Manager's log file:
[ERROR][default.com.arcsight.server.search.index.IndexResources][_init]
java.io.IOException: read past EOF
Workaround: Re-generate the index by issuing the following command from the
Manager's bin directory:
arcsight searchindex -a create -m <manager-hostname> -u <admin-user-
name> -p <password>
ESM-30008 Installing an exported package from a bundle file occasionally results in the
following error:
Install Failed: Resource in broker is newer than modified resource.
Workaround: Re-import the package.
NGS-7580 In Content Management, when running multiple package operations at the same
time (both manual and scheduled operations), occasionally, one of the operations
might fail due to a database deadlock.
Workaround: Avoid executing concurrent package operations. Schedule Content
Management package pushes at a time when no one is installing or uninstalling
packages.
24. ArcSight ESM 6.5c
24 ESM Release Notes Confidential
NGS-6236 Long reports might cause an OutOfMemoryError error in ESM processes.
Workaround: If you expect a report to return a large amount of data, run the
report when there is no other activity in ESM.
NGS-4837 With certain long running queries, a deadlock might occur in the JDBC driver. You
might notice decreased throughput. If you suspect this, request a thread dump
through manage.jsp and determine if the end of the dump specifically indicates
"deadlock."
Workaround: If a deadlock does occur and is an issue for you, restart the Manager
to resume normal operations.
NGS-3825 If the field size of an event exceeds 32 KB, that event does not get persisted.
NGS-3803 The command "arcsight manager-reload-config" fails to dynamically reload the
configuration.
Workaround: Restart the Manager after you make any configuration changes,
such as those in the config/server.properties file.
NGS-3294 At very high EPS rates and with too many annotated events, the source Manager
cannot send base events to the destination Manager.
NGS-1937 The Archive tool occasionally fails to import entries into an active list due to
transient errors. In such situations, you might not see any errors, but the list does
not get populated.
Workaround: Re-import the same package.
NGS-1449 Shutting down services by using the arcsight_services command might results in
exceptions in the log file. These exceptions are due to an issue with the order in
which the components are shut down, and can be safely ignored.
NGS-172 Base events are not automatically annotated after rules trigger.
Workaround: Set logger.base-event-annotation.enabled=true in server.properties
and annotate the events manually.
Issue Description
25. ArcSight ESM 6.5c
Confidential ESM Release Notes 25
CORR-Engine
Command Center
Issue Description
NGS-4790 To resolve a "database full" condition, you can free up space by doing the
following:
1. Delete any unused trends. Deleting the trend frees up any data in the table
associated with this trend.
2. Reduce the retention period of specific trends. By default, trends retain 180
days of data. You can set this retention time on a per-trend basis. Any data falling
outside this range will be removed the next time the trend runs.
3. Examine the contents of your session lists. Data is not usually removed from
session lists. Running "bin/arcsight dropSLPartitions -h" will explain how to
remove data older than a specified time. Note that this will apply to ALL session
lists on your system.
Issue Description
LOG-12033 Pipeline searches for IP address fields do not display the results correctly.
Workaround: When running pipeline searches for IP addresses, use field's Display
Name; do not use the CEF name.
If the IP Address is not correctly displayed in the search results, you can click the
+ next to the event in the search results, and view the field in the RAW data.
For the chart operator, do not use functions like avg(), min(), max() etc.
Do not use the operators eval, replace, rex, and regex on IP address fields.
LOG-12032 Command Center search will return the error message "There is a problem: null"
when charting the aggregation results certain fields, if you fail surround the field
name with parenthesis, as in the following example.
... | chart sum bytesIn by deviceEventClassId span=5m
Workaround: If you receive this error message, check your query, and add
parenthesis if needed, as in the following example.
... | chart sum(bytesIn) by deviceEventClassId span=5m
LOG-12018 IPv6 addresses do not display properly in the results of Command Center
Searches using the Chart operator.
Workaround: You can view the values of the IPv6 fields in the list of Events in the
regular search results.
LOG-12017 When you click an IPv6 address field name in Field Summary Selected Fields list,
the Field Value is not properly displayed in the resulting dialog box.
Workaround: You can view the values of the IPv6 fields in the list of Events in the
regular search results.
LOG-12016 Command Center searches using the "where" condition with the field operators
">=", "=", or "<=" to search IPv6 fields do not return the correct results.
Workaround: Rewrite your search to avoid using the "where" condition.
LOG-8484 The stdev function in the chart operator does not work on fields that have more
than 10 digits. The result of such computations is a blank field.
Workaround: None at this time.
26. ArcSight ESM 6.5c
26 ESM Release Notes Confidential
NGS-7912 In peer search, the search result is not refreshed responsively if one peer node
has high hits or it's busy due to high injection rate or multiple searches running.
As a workaround, cancel the search and ensure that the peer node has enough
resources to process the search.
NGS-7907 When user perform peer search using IN operators for IP, MAC or Enum fields, no
results are returned and an error message is displayed.
Workaround: None at this time.
NGS-7891 In Command Center Search, queries using some operators, such as chart, eval,
rename, replace, rex, and regex, may not return the correct results when
searching the following types of fields.
IPv4 fields such as sourceAddress, MAC address fields such as
destinationMacAddress, IPv6 fields such as dvc_custom_ipv6_address1, Geo
Location fields such as: dest_geo_latitude, as well as the agentSeverity and
locality fields.
For example the following queries may not return the correct results:
... | chart max(agentSeverity) by name
... | chart max(dest_geo_longitude) by name
... | replace Low with notToWorry in agentSeverity
... | replace Local with localevents in locality
Workaround: None at this time.
NGS-7888 The fields listed in the Export Options dialog box may vary based on the browser
you are using and the user you log in with. Even though only a partial list of fields
is displayed, all fields are exported when you have the All Fields checkbox
checked.
Workaround: To export only certain fields, uncheck All Fields and enter the fields
you want to include.
NGS-7861 When using Internet Explorer 10, nodes in the Event Graph Data Monitor are not
displayed properly when viewed in ACC-Dashboards.
Workaround: Use Firefox or Chrome to view Event Graph Data Monitor properly.
NGS-7847 If you are a non-admin user, you cannot select yourself from the Resource
selector in the Case Editor or if you select "Run as user" or "Email to" in the
Report parameters dialog.
Workaround: The admin give this User's Group read permission. To do this, edit
the Access Control List (ACL) for the group that the user belongs to, open the
Resources tab, select "User" from the "Set Permissions for" drop-down, and add
the Read permission.
Navigate to an existing user group and click Edit.
The Editing User Group screen displays information about the group.
Click Advanced Permissions.
The Advanced Permissions screed displays the currents permissions for that
group.
Open the Operations tab and click Add.
The Permission Selector displays a list of available permissions.
Select ArcSight System > Search Filter Operations.
The parent permission, Search Filter Operations, makes its children, Search Filter
Read, Search Filter Write, effective.
Workaround: is to give Read access to non-admin user group which user belongs
to.
Issue Description
27. ArcSight ESM 6.5c
Confidential ESM Release Notes 27
NGS-7833 The default field set that is displayed in search results is a limited set. If you use
any search pipeline operators that result in selecting specific fields (apart from the
default set) or creating new ones, then these selected fields won't be displayed
(nor highlighted) in the search results unless you select the "All Fields" field set.
NGS-7796 While using the Command Center and switching between the Dashboards and
Search sections, you may encounter a "Session Timeout" message that prompts
you to log in again. If you log in again, the message and prompt are displayed in
a loop.
Workaround: If you see this problem, clear/delete all the cookies for this web site
in your browser, and log in to the Command Center again. If your browser can be
configured to never cache cookies, you may want to enable this setting.
LOG-7651 On the Internet Explorer browser, data is truncated in the Advanced Search
calendar popup window. This issue affects users' ability to select a date using the
date picker (icon) when setting CCE rules in the Advanced Search feature. When a
user clicks the date picker, the calendar widget that comes up is not wide enough
to display the full calendar content, truncating columns with the latter days of the
week.
Workaround: Use the Tab key to scan along the part of the calendar that is initially
hidden, then use Shift+Tab to scan back in the other direction. Alternatively, use
another browser, such as Firefox.
NGS-7648 The performance of peer search is slow in the current implementation.
Workaround: None at this time. We will address this performance issue in future
release.
NGS-7584 A condition in a Case Query Group with owner = <username> will return an error
while viewing cases of a case query group in any UI. Workaround: Use owner =
<user resource_id> instead of owner = username.
NGS-7570 When running very large report, the Report view becomes very slow and is
unresponsive as report is being downloaded for viewing.
Workaround: Run a very large report from console.
NGS-7518 In a Safari browser on a Mac OS, the search results page my not include a
horizontal scroll bar.
Workaround: Resize the browser to get the horizontal scroll bar.
NGS-7489 The session time out does not occur while the home page is loaded. If leaving a
session unattended for an extended period, make sure you log out.
NGS-7315 If you delete a permission and then re-add the same permission and save it, the
added permission is NOT saved.
Workaround: After deleting a permission, save before re-adding or adding any
permissions.
Issue Description
28. ArcSight ESM 6.5c
28 ESM Release Notes Confidential
LOG-7099 When values for user fields such as sourceUserId, sourceUserName,
destinationUserId, and cs1 contain "n" character, the search results are not
displayed correctly.
Understanding: The current software interprets a value that contains "n" as a
newline character. For example, user name "nancy" in example domain,
"examplenancy", is interpreted as "example[newline]ancy".
Workaround: Disable the multi-line feature by adding the following properties to
/user/logger/logger.properties. The following examples use the default values.
- To on/off the multiline support
search.multiline.fields.supported=true
- To on/off the n and t support
search.double.backslash.newlines.supported=false
- To on/off the DOS/Windows path support for CEF and/or syslog
search.keep.windows.path.cef=true
search.keep.windows.path.syslog=true
NGS-7079 If your environment contains more than 10,000 cases in one single group,
displaying them in ArcSight Command Center might be very slow.
Workaround: Avoid accumulating a large number of cases in one single group of
your system. If your system contains more than 10,000 cases in one single group,
display them in the ArcSight Console rather than Command Center.
LOG-7046 The time displayed on the histogram might not match the event time. This
behavior is observed when the /etc/localtime file is not symbolically linked to the
correct timezone.
Workaround: Make sure that the /etc/localtime file is symbolically linked to the
correct timezone in the /usr/share/zoneinfo file as shown in the following
example. Then, restart the system.
sudo ln -s /usr/share/zoneinfo/<timezone>
/etc/localtime
LOG-6965 When the time change due to Daylight Savings Time (DST) takes place, the
following issues are observed on Logger:
- The 1 a.m. to 2 a.m. time period is represented in DST as well as standard time
on the histogram.
- The histogram displays no events from 1 a.m. to 2 a.m. DST even though the
Logger received events during that time period.
- The events received during 1 a.m. to 2 a.m. DST are displayed under the 1 a.m.
to 2 a.m. standard time bucket, thus doubling the number of events in the
histogram bucket that follows an empty bucket.
- Because the 1 a.m. to 2 a.m. time period is represented in DST as well as
standard time on the histogram, the bucket labels might seem out of order. That
is, 1:59:00 a.m. in DST may be followed by 1:00:00 in standard time on the
histogram.
- If the end time for a search falls between 1 a.m. and 2 a.m., all of the stored
events might not be returned in the search results.
Workaround: To ensure that all events are returned, specify an end time of
2:00:01 or later.
NGS-6933 The home page does not display the correct data monitors.
Workaround: Manually add read permission to the Default User Group for the
following data monitor:
/All Data Monitors/ArcSight Administration/Connectors/System Health/Current
Event Sources/Current Connector Status
Issue Description
29. ArcSight ESM 6.5c
Confidential ESM Release Notes 29
NGS-6896 In the Chrome browser, the Select Resource drop-down sometimes doesn't work
properly.
Workaround: If this occurs, refresh the page to restore the content. Alternatively,
use another browser.
NGS-6886 When a system has several peers and a peer stops responding, some pages in the
ArcSight Command Center user interface might become slow to display. The delay
happens regardless of the reason the peer system stopped responding.
Workaround: Identify the peer that is not responding and remove its peer
relationship on the Administration > Peers page, Peer Configuration tab. You can
re-add the Peer later, when it is back in service.
NGS-6812 The ESM server log and the Logger server log may contain messages that say
"...NotSerializableException: ...PeerLoggerRequestDestination".
These messages do not indicate an active problem. You can ignore them.
NGS-6805 When using the Chrome browser, the drop down to edit the Notification State or
Storage Mapping might remain displayed when you move somewhere else by
clicking outside the drop-down.
Workaround: Click inside the drop-down and then click outside of it again to cause
it to be removed from display.
NGS-6668 When report output is loading and you run another report, the current report is
cancelled and new report output is displayed.
Workaround: Wait until the report output finishes loading before running another
report.
NGS-6634 Storage Group names are limited to contain only ASCII letters, digits and spaces.
NGS-6026 When using the Chrome or Safari browser, scroll bars may appear inside the data
grid on the Storage Mapping tab when the page is loaded for the first time. Adding
another row eliminates the scroll bars. Subsequently, adding or deleting rows
works as expected.
Workaround: Use Internet Explorer or Firefox browsers to avoid this issue.
NGS-5888 The Push History is only shown for subscribers that are online. If a peer is not
online, the Push Status field in the Push History will be blank.
LOG-5181 Search results are not highlighted for values that match the IN operator in a
query.
Workaround: None at this time. Highlighting works if there's only 1 item in the
square brackets. As soon as there's more than 1, no highlighting occurs.
NGS-3892 In the ArcSight Command Center, Dashboards that contain a Data Monitor of type
'System Monitor' or 'System Monitor Attribute' will display only the first 100 rows.
NGS-2849 If the refresh rate is set to a low interval so that the refresh happens too
frequently, under slow network connections or when having network problems,
this might impact browser performance and dashboard behavior.
Workaround: To avoid this problem, set the refresh rate to a higher value. You can
manually refresh the dashboard if needed.
NGS-2301 While the Dashboards you create in the ArcSight Console can have 3D bar charts,
ArcSight Command Center does not support 3D bar charts.
Workaround: To see 3D bar charts correctly, you need view them in the ArcSight
Console.
Issue Description
30. ArcSight ESM 6.5c
30 ESM Release Notes Confidential
NGS-1582 In the Command Center's Advanced Permissions dialog, if you choose to set
permissions on the Field resource, you may see a hidden folder called customCells
under your personal folder. This will only appear if you have created some
customCells using the ArcSight Console.
If you see such a folder, do not change the ACL settings on it. Doing so will affect
the working of custom cells in ArcSight Console.
NGS-1451 If a custom view dashboard contains a query viewer with a large row limit, the
browser may hang while loading this dashboard.
Workaround: Set the row limit of Query Viewers below 100 before viewing the
dashboard in custom layout format.
NGS-1283 Non-admin users cannot access the Users, Connectors, & Configuration page in
ArcSight Command Center, even when provided with the permissions to do so.
Workaround: You must have administrator privileges to access the Users,
Connectors, & Configuration page in ArcSight Command Center.
Issue Description
31. ArcSight ESM 6.5c
Confidential ESM Release Notes 31
Connectors
Installation and Upgrade
Issue Description
NGS-5137 Deleting hosts from the WUC host table results in the hosts below the deleted
hosts being shifted up in the table. However, the eventpollcount setting for the
shifted hosts is not shifted accordingly.
NGS-3806 Auto-import of the Manager's certificate does not work if your connector is
installed in FIPS Suite B mode.
Workaround: Import the Manager's certificate manually. Refer to the
Configuration Guide for instructions on manually importing the Manager's
certificate into the connector.
NGS-3498 The certificate auto-import feature in connectors will only import certificates from
the initial configuration.
Workaround: Any changes or additions to the destinations require you to
manually import the certificate for those destinations.
NGS-2052 When using Asset Model Import Connector to import assets, the connector does
not uniquely identify assets by Zone and a unique IP address or a unique host
name.
For updating existing assets, please make use of one of the following attributes to
identify them:
- An External ID, or
- a resource ID, or
- a URI
NGS-1423 On a Windows machine, upgrading a connector from the ArcSight Console will fail
if any process is using the connector's "current" folder.
Workaround:
1. Make sure there are no files in the connector's "current" folder open.
2. Start the connector by using Start > Programs > Connector Programs. Do not
start the connectors using the "arcsight agents" command.
Issue Description
NGS-7497 Console installation on localized path is working in some Windows 7 machines
when installed in a French name like "C:d'enquête" but not in other
Windows 7 machines.
Workaround: Due to the inconsistent behavior in Windows 7 machines, use
English filenames only in installation paths. French names in path may cause
installation to fail in certain Windows 7 environments.
NGS-7274 In this release, the generation of audit events for the Top Value Counts data
monitor is disabled by default. This was enabled in a previous release (ESM 6.0c).
If you upgraded to this release, you will not see those audit events.
Workaround: If you want to continue seeing audit events for the Top Value Counts
data monitor, log in to the ArcSight Console. Edit the Top Value Counts data
monitor and select the Send Audit Events option.
NGS-7027 There might be some inconsistencies between a fresh install and an upgrade, such
as rules that are disabled or missing.
32. ArcSight ESM 6.5c
32 ESM Release Notes Confidential
NGS-6996 There might be some data monitors disabled after the upgrade, while they are
enabled in a fresh installation and vice versa.
NGS-6983 There might be some unassigned assets removed after the upgrade.
NGS-5255 As part of a resource migration and upgrade, if you perform the step to upgrade
the Content, this error message is displayed:
Error importing appliance post install archive
To recover from this error, refer to the document, MigrateTo_CORRE.pdf, and see
the Troubleshooting section.
NGS-4874 During the resource upgrade or migration from 5.0 SP2 Patch 4 to AE 4.0 some
exceptions related to the references to deprecated resources show up in the logs
even though the resources are all valid.
NGS-3971 When running the installer in console mode, make sure that X11 (X Windows) is
NOT configured for the console. A X11 setup will cause the installation to abort
with the following exception in the database.configuration.log file:
"java.lang.NoClassDefFoundError: Could not initialize class
sun.awt.X11GraphicsEnvironment".
Should this happen, follow the clean-up instructions in the ESM Installation and
Configuration Guide and re-launch the installer from a console that does not use
X11 (X Windows).
NGS-3962 In GUI installation mode, the installation process automatically invokes the Suite
Installer and the Configuration Wizard in sequence. If the Configuration Wizard
fails with an error message, the Suite Installer will still indicate that the Suite has
been successfully installed.
Workaround: Either manually re-launch the Configuration Wizard from a
command line after fixing the issue or uninstall the Suite installation and start
over again. Refer to the ESM Installation and Configuration Guide for the
command to use and the clean-up steps.
NGS-3909 If you have a high-end system, as described in the System Requirements section
of the ESM Installation and Configuration Guide, running content that requires a
high level of system resources and/or high EPS, contact HP ArcSight Customer
Support for instructions on how increase the heap size beyond 16 GB.
NGS-3871 Under certain circumstances, the Uninstaller may not be able to remove all ESM
6.0c files under the /opt/arcsight/ directory. Refer to the Troubleshooting
appendix in the ESM Installation and Configuration Guide on how to do the
cleanup manually.
NGS-3839 Occasionally, the First Boot Wizard may fail to proceed due to some errors. If this
happens, terminate the process. After checking the logs and correcting the errors,
follow the clean up instruction in the ESM Installation and Configuration Guide and
re-launch the installer.
NGS-3814 If you reboot your system immediately after the First Boot Wizard completes, but
before you run the setup_services.sh command as the "root" user, the machine
may come back in an unstable state. Running the setup_services.sh command
now may not be able to bring up all Arcsight services.
Workaround:
1. Do not reboot without running the setup_serivces.sh command while logged in
as the "root" user.
2. If you reboot without running the setup_services.sh command, uninstall and
then re-install the product.
NGS-3808 After you select "Next" on the "About to Configure ESM v6.5c" panel, if there is
any failure, you will need to uninstall the product before you can reinstall it. Refer
to the "Uninstalling ESM" section in ESM Installation and Configuration Guide.
Issue Description
33. ArcSight ESM 6.5c
Confidential ESM Release Notes 33
NGS-3445 In some situations, the Installer panel may indicate that the installation was
successful even though Web Server fails to start. Refer to the Administrator's
Guide on how to manually configure and start the Web Server.
NGS-3344 This release supports ESM installation while logged in as user "arcsight" only.
NGS-3322 Due to the timing of some components' start-up, there may be some harmless
error messages in the log files such as:
[FATAL][default.com.arcsight.logger.distributed.DirectConnection$ReadChannel][r
un]
java.io.IOException: end of communication channel
[FATAL][default.com.arcsight.logger.distributed.ClientDirectConnection][run]
java.nio.channels.ClosedChannelException
Issue Description
34. ArcSight ESM 6.5c
34 ESM Release Notes Confidential
Localization
Pattern Discovery
Issue Description
NGS-4220 In the Traditional Chinese localized environment, the Reports display code.
Workaround:
1. Log in to ArcSight Console and open the report.
2. Create the report with a Chinese name.
3. Select the report template.
4. Edit the template with "Open in Designer."
5. Edit the header and other fields which need to display in Chinese characters.
6. Set the fonts to Arial Unicode for the fields that need to display Chinese
characters.
7. Save the template.
8. Run the report with PDF format.
9. Open the generated report with Acrobat Reader version 9 to check if the
Chinese characters display properly.
NGS-2435 For non-English locale environments, only English characters are supported for
user name and password. Using non-English characters for user name and
password might result in authentication issues.
Issue Description
ESM-35048 A java.lang.InterruptedException might be logged in the Manager's
server.std.out.logs file when a scheduled Pattern Discovery job is run. The
exception is caused by an incorrect database pooling time-out mechanism in the
Manager. This does not have any adverse effect on database connections or the
functionality of the Pattern Discovery job, and the exception can be safely
ignored.
NGS-3527 Pattern Discovery jobs can be resource intensive. Pattern Discovery jobs can
cause a degradation in performance, and may fail to return a matching result set.
HP recommends that you reduce the number of events over which the Pattern
Discovery search runs and/or the frequency of Pattern Discovery jobs.