Personal blog of Alex Muratov

ESM ArcSight – how to convert events for Replay (Test Alert) agent

Posted on November 2, 2012 | in SIEM | by

The “Replay” (also known as Test Alert) agent at the ESM ArcSight – is a very powerful tool for developing and debugging rules. You don’t need to wait until a real (and probably rare!) event will be received by the ESM Manager only to check that the rule produced incorrect result.
Of course a test ESM ArcSight server is required.

Steps:

    1. Export events from the ESM Console:
      1. select events at an Active Channel, right click and press “Export”;
      2. choose a destination folder and click on the radio button “Selected rows only” because the option “All in channel” take forever!
    2. Copy the CSV file to the ESM ArcSight connector server, to the folder:
      <path to the connector>/current/replayagent
    3. make it writable: chmod 666 myevents.csv
    4. Convert the CSV file to the EVENTS replay file – this is the most tricky part because of the way how the script handles parameters

 

../bin/arcsight agent csvconvert -S /usr/local/arcsight/Replay/current/replayagent/myevents.csv -D myevents.events

The command “arcsight agent csvconvert” expects at least two parameters:

-S full_path_to_source_file
-D local_path_to_destination_file

now you see the difference. If everything is correct, the following output will be produced:

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

Using agent Component

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight csvconvert starting…

[Fri Nov 02 15:05:12 EDT 2012] [INFO ] Initializing Agent Framework
Processing line 2
Processing line 3
Processing line 4
Processing line 5

Recorded in replayagent/myevents.events 5 messages out of 5
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Shutting down Agent Modules now...
Shutting down Connector System Health...done.
Shutting down Persistance [genericupgrade_.genericupgrade_]...done.
Shutting down Agent Stats...done.
Shutting down Command File Listener...done.
Shutting down M1 id manager...done.
Agent shutdown completed.
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Now go to the folder “bin” and start the agent:

./arcsight agents

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight Connectors starting...
...
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] ArcSight Home: /usr/local/arcsight/Replay/current
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM name: Java HotSpot(TM) Server VM
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM path: /usr/local/arcsight/Replay/current/jre
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM vendor: Sun Microsystems Inc.
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM version: 20.1-b02
...
[Fri Nov 02 15:28:47 EDT 2012] [INFO ] Agent [TestAlert] started.

If everything OK (including the X-11), you will see the agent window:

Then click the tab “Replay”, it will show the list of available “events” files:

Click on the check mark and enable it:

Select desired speed and click on the button “Continue” to start feeding the ESM Manager:

That’s it! Now you can locate the Replay connector at the list of connectors and create a live active channel to see that the ESM Manager receives replayed events.

TAGS: , , ,

Leave a Reply

BOINC

BOINC

Ads

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Calendar

November 2012
M T W T F S S
« Oct   Dec »
 1234
567891011
12131415161718
19202122232425
2627282930  
%d bloggers like this: