From:
Date: 6/2/2014
Re:
Here are the steps I followed to create / export / and import a Logger report for counting
the byte count of raw events feeding into ArcSight Logger.
Note 1: The GB/day byte counts are based on connector raw event statistics
(deviceEventClassId = agent:050, deviceCustomString4Label of Raw event
length (SLC)). For the report to return data, events from external connectors
(not just internal demo data feeds) must be collected by Logger.
Note 2: For the import step of this guide, I took the export created in Logger 5.5
Patch 1 and successfully imported it into the following other
systems/versions:
Note 3: By default, reports cannot be imported into a report category (folder) that
already contains content.
For this guide, a new category folder is created to avoid any folder
conflicts on imports to other ArcSight Loggers.
Based on an iRock post (https://irock.arcsight.com/docs/DOC1930), the CAB can be set to not overwrite. This modification is not
covered in this guide and has not been tested here.
Creating a new report category (folder) for the new ByteCount query and report
Creating the underlying ByteCount query to access the ArcSight Logger CORRe
data store and sum raw byte information
Running the ByteCount report
Using iPackager in Logger to export the report category (folder), report, and
underlying query (exports a .cab file, and a .config file)
Using Deploy Report Bundle in Logger to import the report folder, report, and
underlying query (imports the .cab file)
2.
Click the Add New Category button located on top of the box that displays all
existing categories.
3.
Pick the new name for the category, as well as the access criteria on who can see
the category (page 151 of Logger 5.5 Admin Guide includes full details)
4.
Click Save to add the Category to the main list of available categories
Page 2 of 17
2.
3.
Click in the Name field and set the name for the query
-
4.
5.
In the Select section, modify the select string to match the following
format:
DATE(events.arc_deviceReceiptTime) as "Day",
sum(events.arc_deviceCustomString4) as "Total (Bytes)",
sum(events.arc_deviceCustomString4)/1024 as "Total (Kilobytes)",
sum(events.arc_deviceCustomString4)/1024/1024 as "Total (Megabytes)",
sum(events.arc_deviceCustomString4)/1024/1024/1024 as "Total (Gigabytes)"
Clicking on the Result tab at the top of the window will display the
column naming:
Operand1: events.arc_deviceVendor
2.
Operator: =
3.
4.
Relation: AND
Operand1: events.arc_deviceEventClassId
2.
Operator: =
3.
The Save Query Object window closes, and a status of the save displays
in the Query Object Editor window
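As an added example (not code from the guide or from ArcSight), the ByteCount query above assembled into a complete statement and run offline against constructed sample rows in SQLite: only the select list is the guide's own; the FROM/WHERE/GROUP BY clauses, the column types, the sample data and the placeholder for the arc_deviceVendor value (not reproduced on this page) are assumptions.

```python
import sqlite3

# Placeholder for the arc_deviceVendor operand value; the guide's screenshot giving
# it is not reproduced on this page. Constructed sample rows use the same string.
VENDOR = "<deviceVendor value from the guide>"
RAW_STATS_CLASS_ID = "agent:050"  # connector raw event statistics, per Note 1

# Select list exactly as the guide gives it; FROM/WHERE/GROUP BY are assumed here.
BYTECOUNT_SQL = """
SELECT DATE(events.arc_deviceReceiptTime) as "Day",
       sum(events.arc_deviceCustomString4) as "Total (Bytes)",
       sum(events.arc_deviceCustomString4)/1024 as "Total (Kilobytes)",
       sum(events.arc_deviceCustomString4)/1024/1024 as "Total (Megabytes)",
       sum(events.arc_deviceCustomString4)/1024/1024/1024 as "Total (Gigabytes)"
FROM events
WHERE events.arc_deviceVendor = ?
  AND events.arc_deviceEventClassId = ?
  AND events.arc_deviceReceiptTime >= ?
GROUP BY DATE(events.arc_deviceReceiptTime)
ORDER BY "Day"
"""

GiB = 1024 ** 3
# Constructed sample rows: receipt time, vendor, event class id, raw event length (bytes).
SAMPLE_EVENTS = [
    ("2014-05-26 01:00:00", VENDOR, RAW_STATS_CLASS_ID, 3 * GiB),
    ("2014-05-26 13:00:00", VENDOR, RAW_STATS_CLASS_ID, 1 * GiB),
    ("2014-05-27 02:00:00", VENDOR, RAW_STATS_CLASS_ID, GiB + GiB // 2),  # 1.5 GiB
    ("2014-05-27 03:00:00", VENDOR, "constructed:other", 5 * GiB),  # not a raw stat: excluded
    ("2014-05-27 04:00:00", "OtherVendor", RAW_STATS_CLASS_ID, 5 * GiB),  # other vendor: excluded
    ("2014-05-18 04:00:00", VENDOR, RAW_STATS_CLASS_ID, 2 * GiB),  # before the report window
]


def build_events_table(conn):
    # Minimal stand-in for the CORR-E events table; column types are assumed.
    conn.execute("CREATE TABLE events (arc_deviceReceiptTime TEXT, arc_deviceVendor TEXT,"
                 " arc_deviceEventClassId TEXT, arc_deviceCustomString4 INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)


def bytecount_per_day(conn, start_time):
    """Run the report query for events received at or after start_time (the report's Start time)."""
    cur = conn.execute(BYTECOUNT_SQL, (VENDOR, RAW_STATS_CLASS_ID, start_time))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def run_report(start_time="2014-05-26 00:00:00"):  # stands in for the guide's $Now 1w window
    conn = sqlite3.connect(":memory:")
    build_events_table(conn)
    return bytecount_per_day(conn, start_time)
```

The integer division in the select list truncates, so a day totalling 1.5 GiB reports 1 in the Gigabytes column; use the Bytes column when exact figures matter.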
Building the Logger ByteCount report (using the new ByteCount query)
1.
2.
Click the Create Chart section (bottom of Adhoc Report Designer page,
small arrow next to text to expand it)
2.
3.
2.
3.
3.
4.
5.
Click Save
Running the Logger ByteCount report (using the new ByteCount query)
1.
2.
3.
Click the top report running icon (Quick Run with default options)
4.
In the report parameters window, change the Start time to match your
requirement. For example:
-
5.
6.
$Now 1w
Example report
Exporting the Report and related Queries (for sharing with other ArcSight Logger users)
1.
Log on to the source Logger (from which the report / underlying query will be
exported)
2.
3.
If Java security warnings are listed, follow these steps; if the iPackager build window
displays, skip to Step 4.
Note:
From a Windows system, Start > All Programs > Java > Configure Java
Click Security tab
At the
When all prompts are accepted, the iPackager CAB builder window
is displayed
4.
5.
6.
7.
Click Next
8.
Expand the repository list displayed (click on the + symbol), and check the
content to be exported.
-
9.
Click Next
-
11. From the main Build Properties window, fill in the details about the package that
was just built. Include Author, Company, Version, and a Comment.
-
At the bottom of the window, a summary of the actions taken for the
import is listed.
13. Name the .conf file, and browse to the destination directory
-
The .conf file contains the definition of the content included in the CAB
file (the content being deployed on Logger), and is needed if you want to
modify the contents of the CAB file in the future.
18. Details about the file saves are also displayed in the Messages tab.
19. From the destination directory for the .conf and .cab files, you can browse to the target
directory to access the files.
-
For sharing newly-created content, the CAB file is the one that needs to
be shared.
For updating the contents of the CAB file (for example, adding new
reports and queries), the CONF file is used.
Importing the Report and related Queries (for sharing with other ArcSight Logger users)
1.
Log on to the target Logger (to which the report / underlying query will be
imported)
2.
3.
Click Browse, click on the CAB file to be imported, and click Open
4.
Click Upload
-
5.
6.
7.
Access Reports > Report Explorer to verify the report category and report were
imported
8.