The “Replay” agent (also known as Test Alert) in ArcSight ESM is a very powerful tool for developing and debugging rules. You do not need to wait until a real (and probably rare!) event is received by the ESM Manager just to check that the rule produces the correct result.
Of course, a test ArcSight ESM server is required: the replayed events will fire rules (and whatever actions are attached to them) just like live events, which is not something to try out on production.
Steps:
- Export events from the ESM Console:
- Copy the CSV file to the ArcSight connector server, into the folder <path to the connector>/current/replayagent, and make sure the account the connector runs as can read it. The quick way is chmod 666 myevents.csv, but that leaves the file world-writable, so any local user could alter the events you are about to replay; prefer chown <connector user> myevents.csv followed by chmod 640 myevents.csv.
- Convert the CSV file to the .events replay file. This is the trickiest part because of the way the script handles its parameters; run it from the replayagent folder:
../bin/arcsight agent csvconvert -S /usr/local/arcsight/Replay/current/replayagent/myevents.csv -D myevents.events
The command “arcsight agent csvconvert” expects at least two parameters:
-S full path to the source CSV file
-D destination file name; unlike -S this is not a full path (the converter reports where the file ended up, “Recorded in replayagent/myevents.events”, i.e. the replayagent folder under ARCSIGHT_HOME)
Note the difference between the two. If everything is correct, the following output will be produced:
Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre
Using agent Component
Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre
ArcSight csvconvert starting…
[Fri Nov 02 15:05:12 EDT 2012] [INFO ] Initializing Agent Framework
Processing line 2
Processing line 3
Processing line 4
Processing line 5
Recorded in replayagent/myevents.events 5 messages out of 5
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework
Shutting down Agent Modules now...
Shutting down Connector System Health...done.
Shutting down Persistance [genericupgrade_.genericupgrade_]...done.
Shutting down Agent Stats...done.
Shutting down Command File Listener...done.
Shutting down M1 id manager...done.
Agent shutdown completed.
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework
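The copy, permission and conversion steps above wrapped into one shell function, with the checks a practitioner would want before trusting the result. This is an added example, not part of the original page and not ArcSight's own tooling; the ARCSIGHT_HOME override, the CONNECTOR_USER service account name and the exact shape of the “Recorded in …” line (taken from the log above) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page or from ArcSight): stage a CSV in
# replayagent/, hand it to the connector account instead of chmod 666, run
# csvconvert with an absolute -S and a relative -D, and verify the
# "Recorded in ... N messages out of N" line before using the .events file.
# Assumptions (not from the page): ARCSIGHT_HOME may be overridden from the
# environment, and the connector runs as the user named in CONNECTOR_USER.

ARCSIGHT_HOME="${ARCSIGHT_HOME:-/usr/local/arcsight/Replay/current}"
CONNECTOR_USER="${CONNECTOR_USER:-arcsight}"   # assumed service account name

# replay_convert <csv> [name]
# On success prints the absolute path of the generated .events file; on any
# failure prints the reason to stderr and returns 1.
replay_convert() {
    csv="$1"
    name="${2:-$(basename "$csv" .csv)}"
    replay_dir="$ARCSIGHT_HOME/replayagent"

    [ -f "$csv" ] || { echo "no such file: $csv" >&2; return 1; }
    [ -d "$replay_dir" ] || { echo "missing directory: $replay_dir" >&2; return 1; }

    # Stage the CSV under replayagent/ (skip the copy if it is already there).
    src="$replay_dir/$name.csv"
    [ "$csv" -ef "$src" ] || cp "$csv" "$src" || return 1

    # Owner rw, group r, nobody else: the connector account can read it, other
    # local users cannot rewrite the events that are about to be replayed.
    chmod 640 "$src"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$CONNECTOR_USER" "$src" \
            || echo "warning: chown to $CONNECTOR_USER failed" >&2
    else
        echo "warning: not root, skipping chown to $CONNECTOR_USER" >&2
    fi

    # -S needs the full path; -D is a relative name, so run the converter from
    # the replayagent directory exactly as the original recipe does.
    out=$(cd "$replay_dir" && "$ARCSIGHT_HOME/bin/arcsight" agent csvconvert \
              -S "$src" -D "$name.events" 2>&1) || { echo "$out" >&2; return 1; }

    # Expected line: "Recorded in replayagent/myevents.events 5 messages out of 5"
    counts=$(printf '%s\n' "$out" \
        | sed -n 's/^Recorded in .* \([0-9][0-9]*\) messages out of \([0-9][0-9]*\)$/\1 \2/p')
    set -- $counts
    if [ -z "$1" ] || [ "$1" != "$2" ]; then
        echo "conversion incomplete or output not recognised:" >&2
        echo "$out" >&2
        return 1
    fi
    echo "$replay_dir/$name.events"
}
```

Run it on the connector host as root (so the chown succeeds), for example replay_convert /tmp/export.csv myevents, and only start the agent once it has printed the .events path; a partial conversion (fewer messages recorded than read) or an unrecognised log line makes it fail instead of leaving a half-written file for the Replay tab to pick up.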
Now go to the “bin” folder and start the agent (it runs in the foreground and opens a GUI window, so an X11 display is needed):
./arcsight agents
Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre
ArcSight Connectors starting...
...
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] ArcSight Home: /usr/local/arcsight/Replay/current
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM name: Java HotSpot(TM) Server VM
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM path: /usr/local/arcsight/Replay/current/jre
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM vendor: Sun Microsystems Inc.
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM version: 20.1-b02
...
[Fri Nov 02 15:28:47 EDT 2012] [INFO ] Agent [TestAlert] started.
If everything is OK (including X11), you will see the agent window:
Then click the “Replay” tab; it shows the list of available .events files:
Tick the check mark to enable the file:
Select the desired speed and click the “Continue” button to start feeding events to the ESM Manager:
That’s it! Now you can find the Replay connector in the list of connectors and create a live active channel filtered on it to confirm that the ESM Manager receives the replayed events, and then watch whether your rule fires on them.