ArcSight license and enforcement information

Updated to HPE ArcSight new pricing model, December 2015

License terms

The following documents set out the terms under which ArcSight products are licensed.

  • HP Software contract and licenses – base licenses in case no ArcSight specific contract or license exists as well as documents explaining contracts and licensing processes and terms.
  • Additional License Authorization (ALA) - the document defining what each term in our pricing and licensing model actually means, for example what devices, consoles or HA mean. The HP Software overall ALA can be found here and points to the product specific ALAs.
  • HP Standard end user license for terms not covered in any other document.
  • Copyright notices for ArcSight products are available here. This also includes the copyright notices and license terms for included open source products.
  • contains additional terms and conditions.

The following sections are provided for convenience; in any case of doubt, the official documents above are authoritative. Note that older versions of some ArcSight products were sold using different pricing models. If you need details on those, please contact HPE sales or an HPE partner.

License metrics

EPS vs. GB/d

  • ArcSight ESM and Express appliances are licensed based on sustained EPS (events per second)
  • ESM software is sold either by GB/d (Gigabyte per day) or by EPS (new option available starting December 2015).
  • Logger and ArcSight Data Platform (ADP) appliances and software are licensed based on GB/d.
  • Translating EPS to GB/d is customer specific, as it depends on the customer’s log sources. The ratio depends on the average length of an event.

Peak vs. sustained EPS

  • ArcSight products licensed by EPS are licensed on sustained EPS only.
  • For Express appliances, sustained EPS is measured and enforced based on events per day, i.e. a sustained EPS of 1000 is actually 86.4 million events per day (1000*60*60*24). For ESM appliances EPS is not enforced.
  • Any published peak EPS number, usually taken as twice the sustained EPS, is used only as a guideline and is not a license limit. Customers are allowed to exceed the peak EPS as long as sustained EPS is maintained and as long as the hardware supports it.
  • The hardware limit for all Express appliances is defined as 15,000 EPS but may change in practice based on specific use, for example the number of rules applied and the number of concurrent users. The appliances would not block a higher (peak) EPS rate, but if customers encounter issues at rates above that, support may tell them that they need better hardware (which implies moving to an ESM software solution).

Devices

  • Logger, The ArcSight Data Platform (ADP), ESM Express EE-7600 and EPS based ESM software licenses do not have a device limit.
  • For older Express appliances, ESM appliances and GB/d licensed ESM software:
    • For Express appliances the total number of purchased devices (NSS and desktop) cannot be more than 2500.
    • For ESM appliances or software there is no limit to the number of devices that can be purchased.
    • Device licenses are per manager or appliance, so if the customer has several managers, each user needs a console license for each manager.

Consoles

  • Logger, The ArcSight Data Platform (ADP), ESM Express EE-7600 and EPS based ESM software licenses do not have a console limit.
  • For older Express appliances, ESM appliances and GB/d licensed ESM software:
    • ArcSight console and web console are licensed on a "named user" (sometimes called per-seat) basis, so a license is needed for each user defined in the system as having console or web console access. This includes the administrator user. If you want to better understand the difference between named and concurrent user licensing, you may want to read the Wikipedia article on the subject.
    • Console licenses are per manager or appliance, so if the customer has several managers, each user needs a console license for each manager.
    • Access to the ArcSight Command Center (ACC) requires either a full console license or a web console license.

License support

Customers can contact the regional HP Software licensing team in case of license issues:

Additional information on these support teams is available here

License enforcement

  • The official information about license enforcement is included in the product documentation for each ArcSight product. Any information below is provided only for convenience.
  • License enforcement is not the same as license entitlement. ArcSight chooses in most cases to be more flexible in enforcement to avoid any chance of limiting customers below their entitlement level.

Does ArcSight block if license limits are reached?

In any case, ArcSight products never block event collection and may only block user access to certain features or issue a warning.

ESM and ESM Express EE-7600

  • ESM (software or appliances) does not enforce devices, EPS or GB/d.
  • For certain add-on options including consoles and actors, if they are limited by the license, ESM alerts on and audits the violation but does not block use.

ArcSight Express (up to version 4.0)

  • Express appliances enforce EPS. Details can be found in the Express documentation.
  • Express appliances do not enforce devices.
  • In addition, alerting and auditing are performed for options in a similar manner to ESM.

Logger and ArcSight Data Platform (ADP)

  • As of Logger 5.5, Logger is licensed on GB/d only for appliances and for software.
  • Devices and storage are licensed and are limited by technical limitations only.
  • Enforcement
    • Enforcement is performed for Logger SW only.
    • Violations are calculated over a 24-hour period, once per day.
    • Up to 5 violations are allowed in any 30-day sequence (sliding window).
    • If more than 5 violations happen, events are still collected but the console is locked.
    • Size calculation is based on the RAW EVENT SIZE and not CEF event size.
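
The Logger enforcement rules above, together with the EPS to GB/d conversion from the metrics section, can be modelled for capacity planning as follows. This is an added example, not ArcSight code: the function names, the decimal-gigabyte unit, the strict "greater than" comparison and the sample data are assumptions, and the result only reports when the count exceeds the allowance, since the page does not say how a locked console is released.

```python
from collections import deque

GB = 10**9  # assumption: decimal gigabytes; the page does not define the unit

def eps_to_gb_per_day(sustained_eps, avg_raw_event_bytes):
    """GB/d produced by a sustained EPS rate at a given average raw event length."""
    return sustained_eps * 86_400 * avg_raw_event_bytes / GB

def license_status(daily_raw_bytes, licensed_gb_per_day, window_days=30, allowed=5):
    """One (violation, violations_in_window, over_allowance) tuple per day.

    daily_raw_bytes must be raw event sizes, not CEF sizes.
    """
    window = deque(maxlen=window_days)  # oldest day falls out automatically
    report = []
    for raw_bytes in daily_raw_bytes:
        # Assumption: a day counts as a violation only when it exceeds the limit.
        violation = raw_bytes > licensed_gb_per_day * GB
        window.append(violation)
        count = sum(window)
        # "More than 5" violations: the sixth one in the window crosses the line.
        report.append((violation, count, count > allowed))
    return report

# Constructed sample: 40 days at 9 GB/d with six 12 GB days, against 10 GB/d.
SAMPLE_DAYS = [12 * GB if day in (2, 5, 8, 11, 14, 17) else 9 * GB for day in range(40)]

if __name__ == "__main__":
    print(f"1000 EPS at 500 B/event = {eps_to_gb_per_day(1000, 500):.1f} GB/d")
    for day, (violation, count, over) in enumerate(license_status(SAMPLE_DAYS, 10)):
        if violation or over:
            print(f"day {day:2d}: violation={violation} in_window={count} over={over}")
```
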

License files

Note that the values in license files do not always represent the actual entitlement or enforcement.

Specifically:

  • Logger license files include device and EPS limits which do not affect entitlement and enforcement as of Logger 5.5.
  • ESM license files include a "maximum-capacity" limit, set by default to 8TB. There is no capacity entitlement limit. Up to ESM 6.8c this value is taken to be the maximum event storage limit. Contact the licensing team if you need larger storage. Starting with ESM 6.9.1c the value is ignored.