P-Microsoft Windows

This is the official forum for discussing the basic ArcSight Activate P-Microsoft Windows product package as described in the Wiki.

P-Microsoft_Windows_1.0.0.arb.zip
  • Do we need to set the Windows parser to V1, or will the package work if we use the default parser?

  • Recursive rule

    /ArcSight Activate/Solutions/Product Rules/Microsoft Windows/System and Services Errors/Application Crash Detected doesn't check to make sure it's not firing on itself. Need to add a type != Correlation to the rule.

    This brings up two questions:

    1)  How should we report bugs we find in the content?

    2)  How do I customize content (say add an external ID linking to a wiki) without it getting overwritten by an update?
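
The self-triggering behaviour reported in the post above, modelled as an added example (a Python sketch, not ArcSight rule syntax and not part of the package). The rule condition, the category value and the assumption that a correlation event carries the triggering event's category are hypothetical stand-ins; only the `type != Correlation` guard comes from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    name: str
    type: str        # "Base" for device events, "Correlation" for rule output
    category: str    # hypothetical field the rule matches on

def crash_rule(event: Event, exclude_correlation: bool) -> bool:
    """Hypothetical stand-in for the 'Application Crash Detected' condition."""
    if exclude_correlation and event.type == "Correlation":
        return False  # the guard from the post: type != Correlation
    return event.category == "/Application/Crash"

def run_engine(events, exclude_correlation: bool, max_passes: int = 5) -> int:
    """Count rule firings when rule output re-enters the event stream.

    Each firing emits a correlation event that is evaluated on the next
    pass. max_passes bounds the model so the unguarded loop terminates.
    """
    fired = 0
    queue = list(events)
    for _ in range(max_passes):
        if not queue:
            break
        next_queue = []
        for ev in queue:
            if crash_rule(ev, exclude_correlation):
                fired += 1
                # Assumption: the correlation event inherits the category
                # of the event that triggered it.
                next_queue.append(
                    Event("Application Crash Detected", "Correlation", ev.category)
                )
        queue = next_queue
    return fired

# Constructed sample input: one crash event and one unrelated event.
SAMPLE = [
    Event("Application Error", "Base", "/Application/Crash"),
    Event("Service started", "Base", "/Service/Start"),
]

if __name__ == "__main__":
    print("without guard:", run_engine(SAMPLE, exclude_correlation=False))
    print("with guard:   ", run_engine(SAMPLE, exclude_correlation=True))
```

Without the guard the single crash event keeps producing alerts until the pass limit stops the model; with the guard it fires once.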

  • Don,

    Thanks for the feedback. I'll get this corrected and post an update shortly; I have a few other bugs that need fixing with this package.

    As for customizing, it gets a little tricky, especially if you don't want to share particulars.  I put this document together to help out; it is on the wiki: <HOST>/foswiki/ArcSightActivate/ArcSightActivateCustomizingContent

    Are you a SIOC customer?  This is something that they've built into their wiki as well but we haven't tied our stuff together yet.

    As for reporting bugs, posting here will get our attention going forward.  If you feel comfortable fixing the problem, you can repackage it and PM me. I'll have a look at the changes, run some tests and share with the community crediting you accordingly.

  • John,

      We are not a SIOC customer. Having read your document, it makes sense how to customize content.

      In your updated Windows arb are you including any way to suppress events? It doesn't look like any of the rules use the suppression lists, and I'm hoping that will be coming in the next release... otherwise I'll have to add it and send it to you.

  • Actually, I do not have any suppression lists on my to-do list for this package. Can you PM me with more information about what you are suggesting? Maybe your direct contact info so we can work through your request in the background.