Our vBulletin migration is complete.
Welcome vBulletin users! All content and user information from the Micro Focus Forums (vBulletin) site has been migrated to this site. READ MORE.

ArcSight Investigate 2.20 from the ground up build guide - v1c

ArcSight Investigate 2.20 from the ground up build guide - v1c

This build guide is for Investigate 2.20. Instructions for Investigate 2.30 are below in the comments.


This guide shows how to install Investigate in a lab environment. This guide was created by the ArcSight PreSales Technical Enablement team as a resource for the ArcSight PreSales organization. This guide is not official documentation. Please read and refer to the official product documentation for additional information. Please see the ArcSight Event Broker 2.21 from the ground up build guide for instructions on installing the ArcSight Installer and Event Broker.

Vertica on 3 nodes

3 nodes.jpg



  • Renamed to v1c, no changes to the guide.


  • Configuring the ArcSight Investigate Vertica database connection in the documentation says to use a comma to separate the Vertica hosts (<vertica-node1-IP>,<vertica-node2-IP>,<vertica-node3-IP>). A comma does not work but a space does.


  • Changed the OS version for the Vertica nodes from 7.4.1708 to 7.3.1611.
  • Changed the ArcSight Investigate Configuration in the Installer from 3 Vertica hosts to 1 host; you can only specify 1 Vertica host.


Labels (1)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.

Here are some notes on Investigate 2.30 and Installs/Upgrades.

  1. With Investigate 2.30, the Vertica nodes are only supported on RHEL/CentOS 7.3, where with Investigate 2.20 it was RHEL/CentOS 7.3 or later.
  2. With Investigate 2.30, in the Installer configuration parameters for Vertica, you can only specify 1 Vertica host. This is also true for Investigate 2.20.



For a fresh install of 2.30

  • Follow the same steps in the build guide but use arcsight-investigate-2.30.12.tar

For an upgrade from Investigate 2.20 to 2.30

  • Upload the offline images using arcsight-investigate-2.30.12.tar and /opt/arcsight/kubernetes/scripts/uploadimages.sh
  • Doing an UPGRADE did not work for me, I saw a "Failed to load model group list" error
  • I did an UNDEPLOY of 2.20 and DEPLOY of 2.30 and Investigate worked fine



Due to a file permissions issue that is not currently documented, use /opt or do a chmod 755 on /root (I prefer using /opt and the instructions below are based on that).

For a fresh install of 2.30

  • Extract arcsight-vertica-installer_2.30.0-1.tar.gz to /opt/install-vertica
  • cd /opt/install-vertica
  • vi /opt/install-vertica/config/vertica_user.properties
  • vi /opt/install-vertica//vertica.properties
  • ./vertica_installer install
  • ./vertica_installer create-schema
  • ./sched_ssl_setup --disable-ssl
  • ./kafka_scheduler create
  • ./kafka_scheduler start

For an upgrade from Investigate 2.20 to 2.30

  • The original Vertica files initially need to be in /root/install-vertica
  • Extract arcsight-vertica-installer_2.30.0-1.tar.gz to /opt/upgrade-vertica
  • cd /opt/upgrade-vertica
  • ./investigate_upgrade -c upgrade-investigate
  • Move the original Vertica files from /root/install-vertica to /opt/install-vertica
  • cd /opt/install-vertica
  • ./sched_ssl_setup --disable-ssl
  • ./kafka_scheduler start


Top Contributors
Version history
Revision #:
7 of 7
Last update:
‎2019-02-22 12:52
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.