ArcSight 2.8 Install failure

Hi All,

I am currently working to get ArcMC 2.8 installed on my AWS linux machine Red Hat Enterprise Linux Server release 7.5 (Maipo).   Thats the output from /etc/redhat-release.  I assume this should be on 7.4 instead, is this my issue or is this something else?

AIl ports are opened up in AWS, and for whatever reason I am unable to access the url. to access the ArcSight Management Center User Interface.  The page just keeps timing out.  Apache, aps, postgressql, and web show as up and running (even after restarting the services), ArcMC web shows as successfully started according to arcsight_arcmc.log, and the ArcMc daemon successfully started accroing to arcmc.logand. 

I have included the output of all 'error' and 'SEVERE' messages in logs I assumed were relvant, while attempting to reverse engineer.  Not sure where to go next.  Any help would be greatly appreciated so I can access the URL

1. catalina.2018-06-01.log

a. SEVERE: The web application [/platform-service] registered the JDBC driver [org.apache.derby.jdbc.ClientDriver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
b. SEVERE: The web application [/platform-service] appears to have started a thread named [Timer-6] but has failed to stop it. This is very likely to create a memory leak.
Jun 01, 2018 2:24:39 PM org.apache.catalina.loader.WebappClassLoaderBase clearReferencesThreads
Jun 01, 2018 2:24:39 PM org.apache.catalina.loader.WebappClassLoaderBase checkThreadLocalMapForLeaks
c.S EVERE: The web application [/storage-service] created a ThreadLocal with key of type [com.hp.autopassj.services.crypto.MarshallerFactory$3] (value [com.hp.autopassj.services.crypto.MarshallerFactory$3@39793ee7]) and a value of type [com.sun.xml.bind.v2.runtime.MarshallerImpl] (value [com.sun.xml.bind.v2.runtime.MarshallerImpl@6d40b537]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.

 


SEVERE: Couldn't load specified error report valve class: com.arcsight.tomcat.ErrorHandlingValve
SEVERE: Context [/storage-service] startup failed due to previous errors

INFO: Illegal access: this web application instance has been stopped already. Could not load connector.mutable.properties. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.

INFO: Illegal access: this web application instance has been stopped already. Could not load com.hp.autopassj.core.usage.FeatureUsageUtility. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.

INFO: Illegal access: this web application instance has been stopped already. Could not load com.hp.autopassj.core.config.xml.XMLProductConfigurationManager$1. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.

2. error_log
[Fri Jun 01 15:16:05.538176 2018] [ssl:warn] [pid 15219] AH01909: arcsight:443:0 server certificate does NOT include an ID which matches the server name

3. arcmc_wizard.log
a. 2018-06-01 15:17:41,316][DEBUG][AutopassJException][pool-8-thread-5] [com.hp.autopassj.exception.AutopassJException : com.hp.autopassj.exception.AutopassJException] :: log

Error code : 8028
Error message : Unknown message id
Custom message : Unique lock value is not specified for node type '4'.
at com.hp.autopassj.core.usage.FeatureUsageUtility.checkLockValue(FeatureUsageUtility.java:55)
at com.hp.autopassj.core.usage.FeatureUsageUtility.checkAndProcessLock(FeatureUsageUtility.java:115)
at com.hp.autopassj.core.usage.FeatureUsageManager.getFeatureUsage(FeatureUsageManager.java:119)
at com.hp.autopassj.core.LicenseHandler.getFeatureUsage(LicenseHandler.java:3114)
at com.hp.autopassj.core.events.EventAccessor.getFeatureUsage(EventAccessor.java:188)
at com.hp.autopassj.core.connector.buffer.scheduler.XMLBufferFileWriter.getUsedCapacityFromUseFeatureStore(XMLBufferFileWriter.java:946)
at com.hp.autopassj.core.connector.buffer.scheduler.XMLBufferFileWriter.updateFeatureInfoWithImplicitFeature(XMLBufferFileWriter.java:1040)
at com.hp.autopassj.core.connector.buffer.scheduler.XMLBufferFileWriter.updateFeatureInfoBufferToLatest(XMLBufferFileWriter.java:915)
at com.hp.autopassj.core.connector.buffer.scheduler.XMLBufferFileWriter.processFlush(XMLBufferFileWriter.java:507)
at com.hp.autopassj.core.connector.clients.CoreClient.notifyAutopassEvent(CoreClient.java:81)
at com.hp.autopassj.core.events.EventQueueManager$EventNotifier$1$2.run(EventQueueManager.java:334)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

b. [2018-06-01 15:17:41,993][DEBUG][PlatformCapabilities][main] Problem with license: com.arcsight.common.config.PropertyNotFoundException: An error occured in configuration. Unable to find requested property 'Cannot find appliance.model property!'.

4. arcmc_web.log
a. [2018-06-01 15:20:02,778][ERROR][ConnectorManager$6][forceUpdateCache][pool-8-thread-2] //Default/Localhost/Software ArcMC: java.rmi.RemoteException: java.io.FileNotFoundException: Localhost:443/.../AccessControlledAgentService; nested exception is:
org.apache.avro.AvroRemoteException: java.io.FileNotFoundException: Localhost:443/.../AccessControlledAgentService
[2018-06-01 15:20:02,778][INFO ][ConnectorManager$6][run][pool-8-thread-2] Done updating cache for [//Default/Localhost/Software ArcMC]
[2018-06-01 15:20:11,681][INFO ][ConnectorManager$3][stats][pool-7-thread-3] Memory Usage: 287Mb out of 795Mb
[2018-06-01 15:20:21,682][INFO ][ConnectorManager$3][stats][pool-7-thread-3] Memory Usage: 300Mb out of 795Mb
[2018-06-01 15:20:31,682][INFO ][ConnectorManager$3][stats][pool-7-thread-1] Memory Usage: 305Mb out of 795Mb
[2018-06-01 15:20:41,682][INFO ][ConnectorManager$3][stats][pool-7-thread-2] Memory Usage: 310Mb out of 795Mb
[2018-06-01 15:20:51,683][INFO ][ConnectorManager$3][stats][pool-7-thread-2] Memory Usage: 312Mb out of 795Mb
[2018-06-01 15:21:00,001][INFO ][EventBrokerScheduledJob][collectEBClusterMetrics][task-scheduler-9] START
[2018-06-01 15:21:00,001][INFO ][EventBrokerScheduledJob][updateEBStatus][task-scheduler-10] START
[2018-06-01 15:21:00,001][INFO ][EventBrokerScheduledJob][collectStreamProcessorMetrics][task-scheduler-6] START
[2018-06-01 15:21:00,001][INFO ][EventBrokerScheduledJob][collectEBClusterMetrics][task-scheduler-1] START
[2018-06-01 15:21:00,010][INFO ][EventBrokerScheduledJob][updateEBStatus][task-scheduler-10] FINISH
[2018-06-01 15:21:00,026][INFO ][EventBrokerScheduledJob][collectEBBrokerNoderMetrics][task-scheduler-9] FINISH
[2018-06-01 15:21:00,029][INFO ][EventBrokerScheduledJob][collectEBClusterMetrics][task-scheduler-1] FINISH

5. arcmc_web.out.log

a. 018-06-01 15:18:31,207 ERROR [com.arcsight.license.client.AutoPassLicenseClientImpl] - <AutoPass Exception Error Code 7073>
b. 2018-06-01 15:18:31,207 ERROR [com.arcsight.license.client.AutoPassLicenseClientImpl] - <AutoPass Exception Error Custom message:Failed to Create AutoPass Property file :- '/opt/arcsight/userdata/autopass/data/autopass.properties'>
c. 2018-06-01 15:18:31,207 ERROR [com.arcsight.product.platform.business.util.PlatformCapabilities] - <Inside IPlatformCapabilities getInstance(); Exception while setting license>
com.arcsight.arcmc.scheduled.eventbroker.EventBrokerScheduledJob.updateEBStatus TimeoutException: : [ERROR] null
class com.arcsight.frogger.connector.ConnectorManagerUtil.**DEBUG&&**installArcMCAgent: [ERROR] Failed to install ArcMCAgent.on host Localhost. Error: java.lang.Exception: update installation script failed to run.Could not find the res file
d. 2018-06-01 15:33:02,763 ERROR [default.com.arcsight.frogger.connector.ConnectorManager$6][forceUpdateCache] - <//Default/Localhost/Software ArcMC: java.rmi.RemoteException: java.io.FileNotFoundException: Localhost:443/.../AccessControlledAgentService; nested exception is:

  • The check for the supported version numbers should still work in theory even if your version is not on the supported list yet.

    I myself installed it on a 6.7 RHEL machine but in theory the minimum version is 6.9. I had no issues with the installation at all:

    For me this seems like a licensing issue to be honest, what i would recommend trying is, and if that does not work, it is the machine and not it's software i would say.

    Stop all services, remove tmp files created, remove tmp installation files, and rm the whole /opt/arcsight directory.

    Ensure that the hostname you want to use (the one you typed in during installation) is resolving to the local IP of one of your interfaces.

    Set all required fields specified in the requirements on the 2.8 Admin guide (Page 21)

    Start the installation as a non root user and finish the default installation process. During your licensing step you are prompted for a license, leave it blank (which will trigger a 30 day trial).

    Create the startup script as described on page 27 and 28.

    Start the service if not started, with your non root user, and ensure all processes except monit is now running as arcsight (using ps-ef etc)

    Access the webpage from your local arcsight installation using wget or curl, just to ensure that the service is up. If you want to test SSL you can use the openssl client.

    Last but not least, access it through your browser, using the hostname you choosen before, and port 9000.

    Mostly with installation issues your error logs are filled with many different messages, most of them not relevant, they are just broken because something went wrong, but these errors stands out, and it is why i asked you to reinstall:

    [com.hp.autopassj.exception.AutopassJException : com.hp.autopassj.exception.AutopassJException] :: log

    [Fri Jun 01 15:16:05.538176 2018] [ssl:warn] [pid 15219] AH01909: arcsight:443:0 server certificate does NOT include an ID which matches the server name

    a. 018-06-01 15:18:31,207 ERROR [com.arcsight.license.client.AutoPassLicenseClientImpl] - <AutoPass Exception Error Code 7073>
    b. 2018-06-01 15:18:31,207 ERROR [com.arcsight.license.client.AutoPassLicenseClientImpl] - <AutoPass Exception Error Custom message:Failed to Create AutoPass Property file :- 

  • Thank you!  Installing again and will circle back.

  • Thanks for the help.  Unfortunatly, I kept getting wierd install issues. So I just gave up and went with the AMI.  Unfortunatly, the admin password to get into the UI is not specified in the location provided.  

    Where can I go to get the initial password to login to ArcMC?

    Even if I head/tail the /var/log/boot.log during startup with the arcsight user the file has zero bytes.  

  • Page 31 of the ArcMC admin guide should tell you that :)

    It should be:

    username:admin

    password: password

  • Verified Answer

    I have not actually tried that, because when you setup ArcMC you can mostly just use "forgotten password" on the web interface, if SMTP is working, so that has mostly covered us.

    Looking at your link i would start with the very last post, instead of the very long explanation, see if that works out for you.