Solved: Re: Access to Arcsight Logger database with an external software? - Micro Focus Community

simone · ‎2015-08-25

Hi, i'd like to know if there is a way to access to the internal Arcsight Logger Database with an external software, for example if i create a program in java, does exists a jar component to import into the program that gives functions to access and query the database?

Thank you.

AlexMuratov1 · ‎2015-08-25

Simone, if you would like to query a Logger events DB using a 3rd arty software - it is possible using the Web API:

If you are looking for abilities to install some custom java (or something else) app to a Logger - forget about it, it is black box.

Regarding the API - it is much much slower than running a "native" report at Logger, believe me. But if you would like to run a specific query and then import results (data set) to an external software, it will work. Some people use it for 3rd party report generators and visualization. You can find samples here at Protect724.

View solution in original post

EricLamer · ‎2015-08-25

Hi,

do you mean the database with the events or the database with the internal log (ex: login in the logger etc)?

Thanks.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.

simone · ‎2015-08-25

I mean the database with all events gotten from external devices.

EricLamer · ‎2015-08-25

What do you want to do exactly?

Databse use mysql but with special index, so you can see the data not indexed. You need to modify the config of mysql to be able to access it remotely. Not much you can do.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.

AlexMuratov1 · ‎2015-08-25

Simone, if you would like to query a Logger events DB using a 3rd arty software - it is possible using the Web API:

If you are looking for abilities to install some custom java (or something else) app to a Logger - forget about it, it is black box.

Regarding the API - it is much much slower than running a "native" report at Logger, believe me. But if you would like to run a specific query and then import results (data set) to an external software, it will work. Some people use it for 3rd party report generators and visualization. You can find samples here at Protect724.

View solution in original post

DanyK7 · ‎2015-08-26

Thanks for the info Alex.

I agree its the way to go, and we have some plan to devellop in this area as well.

Could you please further define "it is much much slower than running a "native" report at Logger, believe me" with a ball park figure of what you experienced ?

Thanks,

Dany

Shaun · ‎2015-08-26

The max I could get was about 1000 EPS out of a logger using the API.

DanyK7 · ‎2015-08-26

Thanks,

Just to be sure:

1000 Search-EPS or 1000 extracted-EPS (with a normal Search-EPS rate) ?

Shaun · ‎2015-08-27

That was actually extracting events out of the API.

AlexMuratov1 · ‎2015-08-27

Exactly! I observed the same speed of 1K EPS for retrieving events as the result of a query.

So what I mean regarding "much slower":

when you run a query at Logger GUI you can see as it counts 1 million events in few seconds. But you will need ~ 1,000 seconds to retrieve this data set via Web API. I suspect (but can't confirm) that reporting engine consumes less time for it.

A-Aron · ‎2015-11-13

*****

In September 2015, we released Logger 6.1 which includes the ability to pull events MUCH MUCH faster out of Logger using the API, by using an increased batch size parameter.

See more here:

https://protect724.hp.com/message/64045#64045

Please try it out with Logger 6.1 and let us know how it works for you!

To be very specific, the new capability is in the "EVENTS" API call, and the LENGTH parameter.

The default size is 1000 events, but you can now ask for up to 10,000 events per iteration.