pbrettle Acclaimed Contributor.

Export to External System - including base events

Basically, we have a feature called “Export to external system” as an action for a rule. This allows you to export the data from ESM to some sort of external system for it to collect and process the data as needed. There are a few things you need to do to make this work, but you can export the correlated event AND the corresponding base events with it.

1. Change the /opt/arcsight/manager/config/archive/xml.external.case.xml file to uncomment the relevant section.

2. I have attached an example with the comment removed.

3. Restart the ESM Manager.

4. Configure all relevant rules to have the "Export to external system" rule trigger set.

5. To do this, go to the rules, click on the action tab and then add the trigger where relevant. For example:

   a. export1.jpg

   b. Simply select the active trigger section, click Add and then select the Export to external system action.

   c. Press Apply to save the rule.

6. Making the changes to the rules will take a little time, but there is a limited set of rules within ESM, so this should not take more than 20-30 minutes. It is a simple task and it is NOT excessive.

7. Once finished, all updated rules will then trigger an export of the events to a specific location:

   a. Exports are stored in /opt/arcsight/manager/archive/exports

   b. Exports are date and timestamped in their name, and you can clearly see which is which.

      i. export2.jpg

      ii. The format is fixed and XML defined, and you can easily work out the data that is present.

      iii. Please note it is NOT possible to change the XML format and it is not recommended to change any template files in ESM for this.

      iv. It is recommended that any external system should read the XML file in full and discard data that it does not need. XML by definition is formatted and includes the descriptions as standard, and therefore it is an easy task to parse and process the relevant data.

      v. A sample exported XML file is attached.

The exported XML file has the correlated event information at the beginning and then the corresponding events that generated it in the lower section. Fields are consistent, match the names of the fields in the schema, and it is fine to process them this way. Please note that the exported XML files are not managed, and therefore it is the responsibility of the external application to delete the files when they are processed. This must be done, as they will continue to increase in number with each rule trigger that has been defined. Additionally, caution should be taken on this, as a misconfigured rule could generate a lot of correlated events in error and this could cause issues in the receiving system!

Sample file: xml.external.case.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE archiveConfiguration SYSTEM "../../schema/xml/archive/arcsight-archive-configuration.dtd">
<archiveConfiguration version="1">
    <parameters/>
    <handlers>
        <Field>external.field</Field>
        <SecurityEvent>external.event</SecurityEvent>
        <Case>external.case</Case>
        <Note>external.note</Note>
        <!-- Added the DEFAULT because File attachments were not getting exported to external system-->
        <DEFAULT>default.resource</DEFAULT>
    </handlers>
</archiveConfiguration>
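As an added example (not ArcSight code and not part of the original post), the Python script below covers two of the points made above: it checks that the <handlers> block in xml.external.case.xml is actually live rather than still commented out (step 1), and it acts as the external consumer the post describes, reading each exported file in full, keeping only the fields it wants, deleting the file once processed, and refusing to run if the export directory has piled up the way a misconfigured rule would cause. The config text is a constructed copy of the file shown above; the export sample and its element names (archive, SecurityEvent, eventId, and so on) are assumptions, because the attached sample export is not reproduced on the page.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Part 1: constructed copy of xml.external.case.xml as shown in the post,
# with the <handlers> block uncommented.
CONFIG_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE archiveConfiguration SYSTEM "../../schema/xml/archive/arcsight-archive-configuration.dtd">
<archiveConfiguration version="1">
    <parameters/>
    <handlers>
        <Field>external.field</Field>
        <SecurityEvent>external.event</SecurityEvent>
        <Case>external.case</Case>
        <Note>external.note</Note>
        <DEFAULT>default.resource</DEFAULT>
    </handlers>
</archiveConfiguration>
"""
# Constructed "before" state: the same block still wrapped in a comment.
CONFIG_COMMENTED = (CONFIG_ENABLED.replace("<handlers>", "<!-- <handlers>")
                                  .replace("</handlers>", "</handlers> -->"))


def handlers_enabled(config_text: str) -> bool:
    """True when a live <handlers> block names a SecurityEvent handler.
    The parser drops XML comments, so a commented-out block is simply absent."""
    root = ET.fromstring(config_text)
    return root.find("handlers/SecurityEvent") is not None


# Part 2: constructed export. Per the post the correlated event comes first and
# the base events that fired the rule follow. Element names are assumed.
SAMPLE_EXPORT = """<archive>
  <SecurityEvent>
    <eventId>5001</eventId>
    <name>Repeated failed logins</name>
    <attackerAddress>203.0.113.7</attackerAddress>
    <priority>7</priority>
  </SecurityEvent>
  <SecurityEvent>
    <eventId>4001</eventId>
    <attackerAddress>203.0.113.7</attackerAddress>
    <targetUserName>svc_backup</targetUserName>
  </SecurityEvent>
  <SecurityEvent>
    <eventId>4002</eventId>
    <attackerAddress>203.0.113.7</attackerAddress>
    <targetUserName>svc_backup</targetUserName>
  </SecurityEvent>
</archive>
"""
# Fields the (hypothetical) receiving system keeps; the rest is read, then dropped.
WANTED = ("eventId", "name", "attackerAddress", "targetUserName")


def parse_export(xml_text: str, wanted=WANTED) -> dict:
    """Read the whole file, then keep only the fields in `wanted`."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("SecurityEvent"):  # assumed element name
        fields = {child.tag: (child.text or "").strip() for child in ev}
        events.append({k: fields.get(k) for k in wanted})
    if not events:
        raise ValueError("no SecurityEvent elements found")
    return {"correlated": events[0], "base_events": events[1:]}


def drain_export_dir(export_dir: Path, max_files: int = 1000) -> list:
    """Process exports in name (timestamp) order and delete each afterwards.
    A backlog above `max_files` is treated as the misconfigured-rule case the
    post warns about and the run is refused. Unparsable files are left in place."""
    files = sorted(export_dir.glob("*.xml"))
    if len(files) > max_files:
        raise RuntimeError(f"{len(files)} exports waiting; check the rules first")
    records = []
    for path in files:
        try:
            record = parse_export(path.read_text(encoding="utf-8"))
        except (ET.ParseError, ValueError):
            continue  # leave the file for a human to inspect
        records.append(record)
        path.unlink()  # ESM never deletes these; the consumer must
    return records


def run_demo() -> dict:
    """Write one good and one broken export to a temp dir and drain it."""
    with tempfile.TemporaryDirectory() as d:
        export_dir = Path(d)
        (export_dir / "export_20200101_120000.xml").write_text(SAMPLE_EXPORT, encoding="utf-8")
        (export_dir / "export_20200101_120500.xml").write_text("<archive><broken>", encoding="utf-8")
        records = drain_export_dir(export_dir)
        leftover = sorted(p.name for p in export_dir.iterdir())
    return {"records": records, "leftover": leftover}


if __name__ == "__main__":
    print(handlers_enabled(CONFIG_ENABLED), handlers_enabled(CONFIG_COMMENTED), run_demo())
```

Pointing handlers_enabled at the real file (Path("/opt/arcsight/manager/config/archive/xml.external.case.xml").read_text()) is a quick first check when rules have the trigger set but no files appear in /opt/arcsight/manager/archive/exports. Sorting by file name gives chronological order because the names carry the date and timestamp, and the max_files guard is the cheap way to notice a rule that has started firing in error before the receiving system is flooded.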

2 Replies
zargaran Honored Contributor.

Re: Export to External System - including base events

Dear Paul,

This is very useful and effective.

Thanks


BR

Amir

1209514 Frequent Contributor.

Re: Export to External System - including base events

Dear Paul,

I have a few queries regarding "Export to External System - including base events".

When I right click on any alert in an active channel, then events and export to external event tracking system, it works (manually), but with the "Export to External System" trigger added in the rule's action tab, .xml files are not being generated. Can you please help me on this?

From the above I got to know that we need to uncomment the relevant section in the /opt/arcsight/manager/config/archive/xml.external.case.xml file, but which relevant section needs to be uncommented? Moreover, xml.external.case.xml on the ESM server is similar to the one which you posted above.

But ".xml" files are not being generated.
