Basically, we have a feature called “Export to external system” as an action for a rule. This allows you to export the data from ESM to some sort of external system for it to collect and process the data as needed. There are a few things you need to do to make this work, but you can export the correlated event AND the corresponding base events with it.
1. Change the /opt/arcsight/manager/config/archive/xml.external.case.xml file to uncomment the relevant section.
2. I have attached an example of the comment removed
3. Restart the ESM Manager
4. Configure all relevant rules to have the “Export to external system” rule trigger set
5. To do this, go to the rules, click on the action tab and then add the trigger where relevant. For example:
   b. Simply select the active trigger section, click add and then select the Export to external system action
   c. Press Apply to save the rule
6. Making the changes to the rules will take a little time, but there are a limited set of rules within ESM, so this should not take more than 20-30 minutes. It is a simple task and it is NOT excessive.
7. Once finished, all updated rules will then trigger an export of the events to a specific location:
   a. Exports are stored in /opt/arcsight/manager/archive/exports
   b. Exports are date and timestamped in their name, and you can clearly see which is which
      ii. The format is fixed and XML defined and you can easily work out the data that is present
      iii. Please note it is NOT possible to change the XML format and it is not recommended to change any template files in ESM for this.
      iv. It is recommended that any external system should read the XML file as full and discard data that it does not need. XML by definition is formatted and includes the descriptions as standard and therefore it is an easy task to parse and process the relevant data.
      v. A sample exported XML file is attached.
The exported XML file has the correlated event information at the beginning and then the corresponding events that generated it in the lower section. Fields are consistent, match the names of the fields in the schema and it is fine to process them this way. Please note that the exported XML files are not managed and therefore it is the responsibility of the external application to delete the files when they are processed. This must be done as they will continue to increase in number with each rule trigger that has been defined. Additionally, caution should be taken on this as a misconfigured rule could generate a lot of correlated events in error and this could cause issues in the receiving system!
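As an added example (not from the original post and not ArcSight's own code), a small consumer that reads each export in full, keeps only the fields it needs, deletes the file once it has been handed off, and stops when the backlog suggests a misconfigured rule is flooding the directory. The element names in the constructed sample are placeholders; map them to the real exported file, whose layout is fixed by ArcSight's DTD.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample export. The real ArcSight file layout is fixed by its DTD; the
# element names here are placeholders standing in for the correlated event block
# at the top and the base events below it.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<export>
  <correlatedEvent><name>Multiple failed logins</name><deviceSeverity>High</deviceSeverity>
    <endTime>2024-01-01T10:00:00Z</endTime></correlatedEvent>
  <baseEvents>
    <event><name>Failed login</name><sourceAddress>10.0.0.5</sourceAddress></event>
    <event><name>Failed login</name><sourceAddress>10.0.0.6</sourceAddress></event>
  </baseEvents>
</export>
"""

WANTED = ("name", "deviceSeverity", "endTime", "sourceAddress")  # kept; all else discarded

def parse_export(xml_text):
    """Return (correlated_fields, [base_event_fields, ...]) restricted to WANTED."""
    root = ET.fromstring(xml_text)
    pick = lambda elem: {c.tag: c.text for c in elem if c.tag in WANTED}
    correlated = pick(root.find("correlatedEvent"))
    base = [pick(ev) for ev in root.find("baseEvents")]
    return correlated, base

def process_directory(export_dir, handler, max_pending=1000):
    """Hand off every export, deleting each file only after the handler succeeded."""
    files = sorted(Path(export_dir).glob("*.xml"))
    # A large backlog is the symptom of a runaway rule; abort rather than flood downstream.
    if len(files) > max_pending:
        raise RuntimeError(f"{len(files)} exports pending; suspect a misconfigured rule")
    processed = 0
    for f in files:
        handler(*parse_export(f.read_text(encoding="utf-8")))
        f.unlink()  # the external application owns cleanup of processed exports
        processed += 1
    return processed

def demo():
    """Drop the constructed sample into a temporary export directory and process it."""
    received = []
    with tempfile.TemporaryDirectory() as d:
        Path(d, "export_2024-01-01_100000.xml").write_text(SAMPLE_EXPORT, encoding="utf-8")
        count = process_directory(d, lambda corr, base: received.append((corr, base)))
        remaining = len(list(Path(d).glob("*.xml")))
    return count, remaining, received
```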
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE archiveConfiguration SYSTEM "../../schema/xml/archive/arcsight-archive-configuration.dtd">
<!-- Added the DEFAULT because File attachments were not getting exported to external system-->