tonyssbear (Super Contributor)

Arcsight || Data Migration || Manage multiple ESM


Hi all,

 

We have a case which has an existing ESM Express

And we are planning to have a new ESM

Does anyone know if the below is workable?

1. Upgrade all existing connectors (which are Windows-based), and send logs to both ESMs (I think yes, but just considering a higher-version connector sending logs to a lower version)

2. Connect ESM to ESM Express and load logs from the existing ESM (Is it possible?)

3. If 2 is not possible, can ArcMC do that?

 

Many thanks

Tony

Accepted Solution

Knowledge Partner

Re: Arcsight || Data Migration || Manage multiple ESM

Hi @tonyssbear

>>1. Upgrade all existing connectors (which are Windows-based), and send logs to both ESMs (I think yes, but just considering a higher-version connector sending logs to a lower version)

Not exactly sure what you are trying to do here. Is it an MSSP environment, where you send logs from one SC (at the customer) to another SC (at your place)? However, upgrading needs to be planned, as sometimes odd things can happen, as you might know. But I assume you do CEF syslog forwarding, so the only thing I would be thinking about is whether you forward CEF 0.1 or CEF 1.0, depending on your IPv6 information.

If you are sending to a second destination, remember all destination settings need to be manually "copied" over from the source ESM to the destination ESM (aggregation/filter etc.)

I wonder if it would be possible to do an export of system tables here, and just give the new ESM the same IP address and hostname... but I think this might be "risky" as there might be unforeseen side effects, and I am not sure if you can import system tables from an Express to ESM.

Do you also need to move rules/trends/filters/AL/SL?

>>2. Connect ESM to ESM Express and load logs from the existing ESM (Is it possible?)

About how many days of retention are we speaking? Could you just double-feed for 30/60 days, or do you also do archiving?

>>3. If 2 is not possible, can ArcMC do that?

ArcMC still cannot talk to ESM, so my assumption is no.

Hope my answers help your thoughts and planning

Cheers

A

 

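Added example (not part of the original thread, and not ArcSight code): while double-feeding, a sample of the forwarded CEF syslog stream can be checked for the header version in use and for where IPv6 addresses appear, which is the CEF 0.1 versus CEF 1.0 consideration raised in the answer above. It assumes the digit after `CEF:` in the header (0 or 1) reflects the connector's CEF version setting; the sample lines, vendor and host names are constructed.

```python
import ipaddress
import re
from collections import Counter

ADDRESS_KEYS = {"src", "dst", "dvc"}                # address-typed CEF extension keys
C6A_KEY = re.compile(r"^c6a[1-4]$")                 # CEF custom IPv6 address fields
HEADER_SPLIT = re.compile(r"(?<!\\)\|")             # a pipe not escaped as "\|"
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # value runs to the next " key="

def is_ipv6(value):
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False

def parse_cef(line):
    """Return (header_version, extension_dict), or None if the line is not CEF."""
    start = line.find("CEF:")                       # skip any syslog prefix
    parts = HEADER_SPLIT.split(line[start:].strip(), maxsplit=7) if start >= 0 else []
    if len(parts) < 7:                              # the 7 header fields are mandatory
        return None
    ext = parts[7] if len(parts) == 8 else ""
    return parts[0][4:], dict(EXT_PAIR.findall(ext))

def audit(lines):
    report = {"versions": Counter(), "ipv6_in_addr_keys": 0, "ipv6_in_c6a": 0, "not_cef": 0}
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            report["not_cef"] += 1
            continue
        version, ext = parsed
        report["versions"][version] += 1
        if any(is_ipv6(v) for k, v in ext.items() if k in ADDRESS_KEYS):
            report["ipv6_in_addr_keys"] += 1        # IPv6 carried in src/dst/dvc
        if any(is_ipv6(v) for k, v in ext.items() if C6A_KEY.match(k)):
            report["ipv6_in_c6a"] += 1              # IPv6 carried in c6a1..c6a4
    return report

# Constructed sample lines (not real traffic); vendor and host names are hypothetical.
SAMPLE = [
    "Jan 10 12:00:01 conn01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Allowed|3|"
    "src=10.0.0.5 dst=10.0.0.9 c6a2=2001:db8::10 c6a2Label=Source IPv6 Address",
    "Jan 10 12:00:02 conn01 CEF:1|ExampleVendor|ExampleFW|1.0|101|Login failed|5|"
    "src=2001:db8::20 dst=10.0.0.9 msg=login failed for bob",
    "Jan 10 12:00:03 conn01 CEF:0|ExampleVendor|Ex\\|Proxy|1.0|102|Request|2|src=10.0.0.7",
    "Jan 10 12:00:04 conn01 plain syslog line, not CEF",
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same audit on what each ESM destination receives shows whether both feeds carry the same CEF version and IPv6 fields before the old system is retired.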
ahof6480 (Trusted Contributor)

Re: Arcsight || Data Migration || Manage multiple ESM

I doubt it's officially supported, but you can migrate an ESM Express configuration backup to a software version of ESM using Config Backup and Restore, and then load archives that Express generated... but you're going to have a challenge with the metadata.

The metadata of the archives (a gzip file) is slightly different between Express and standard ESM, so anytime you need to restore an archive generated by Express you would first need to unzip the metadata, modify the version field and possibly timestamp field to look the same as the metadata the new archives have, and it will work. 

This of course assumes you successfully backed up Express Config and restored it to a new software ESM installation. Without that Backup/Restore it won't be able to read the archives at all.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.