meirwah Absent Member.

Fetching events using ArcSight API

I'm looking at using the ArcSight API, in order to be able to:

  1. Query ArcSight events, similar to the capability of search.
  2. Fetch security events which are the result of a correlation, or marked as incidents.

So, looking in the API guides, I see several options for that, which seem to be quite clunky:

For 1:

A. Use the SOAP API of ArcSight Logger: https://arcsight-esm.localdomain:9000/soap/services/SearchService/SearchService.wsdl

B. Use the ArcSight web services QueryService + QueryViewerService; in that case it seems like I need to create a query resource, then trigger it somehow, and then use the viewer (getMatrixData) to see the results. The documentation is really missing here…

C. ManagerSearchService? It seems to search only internal ArcSight stuff, no “real” events.

For 2:

  1. Query an active list where the customer has his “security” events.
  2. Model import connector?
  3. Using the securityEventsService?

Am I missing something?

What is the preferred way to go?

Can you point me to some other company that did similar integration?

ali3n0ne1 Frequent Contributor.

Re: Fetching events using ArcSight API

Hint:

  • Eventually on the ESM end of the spectrum you will realize there is a query limit for how many correlated events you can pull via the ESM API
  • server.properties
  • persist.resource.dependentids.fetch.max=100000
Shaun Acclaimed Contributor.

Re: Fetching events using ArcSight API

1) You are pretty much correct. With the Logger API you can query the events using Logger search syntax. On the ESM you need to build a Query + QueryViewer and then use QueryViewerService->getMatrixData to retrieve the data from the query viewer.

2) If you know the security event IDs you can query them directly using the ESM API SecurityEventService.

meirwah Absent Member.

Re: Fetching events using ArcSight API

So, on that, some questions...


1.

     a. Does ArcSight always expose the Logger SOAP API? Because I understand that in some deployments the Logger can be detached from the ESM itself (ESM and Logger cannot coexist on the same machine).

     b. How do I build a query using the REST API? I see no example for that in the docs. I see an insert method in QueryService, but what params does it take?

2. How can I know the security event IDs? Is there any API to get those?

alexeynl Honored Contributor.

Re: Fetching events using ArcSight API

Hi, Shaun.

Is it possible to build a query from scratch, or to change the time period or condition of an existing query, using the ESM API, in order to then fetch events using the QueryViewer service?

scottlsattler New Member.

Re: Fetching events using ArcSight API

Seems like HP loves SOAP; we have tickets open on REST...

Micro Focus Expert

Re: Fetching events using ArcSight API

Logger and ESM are two different products that use a similar underlying storage engine. This is not a detached Logger from ESM; they are two separate products.

If you are looking to get events from ESM, you should use the ESM API (REST).

If you are looking to get events from Logger, you should use the Logger API (SOAP or REST).

The ESM REST API is documented.

The Logger REST and Logger SOAP API are documented.

SinhaS Frequent Contributor.

Re: Fetching events using ArcSight API

Hi,

I want to query ESM using the REST API. I have not been able to locate documentation for the parameters of the API requests and the sequence of API requests. I have followed the instructions provided in this thread but have been unsuccessful in finding the information I require. Guidance is much appreciated.

I have referred to the following documents:

  • manager-client-1.4.0.release.175.pdf
  • ESM_ServiceLayerManagerSvcs_Javadoc_Vol2_1.1_7.0.pdf
  • ESM_ServiceLayer_DevGuide_7_0.pdf
  • https://h41382.www4.hpe.com/gfs-shared/downloads-273.pdf

Thanks

Micro Focus Expert

Re: Fetching events using ArcSight API

I would really recommend creating a new topic, as this one is very old, with an explanation of what you want to achieve, and I can then provide you with the necessary API details 🙂

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
sberkholz Absent Member.

Re: Fetching events using ArcSight API

Does anybody know where that XML schema definition for SOAP is? Our Loggers are throwing 500 errors to the client on the SOAP API. It's the strangest thing; it doesn't seem to be there:

xmlns:xsd=http://www.arcsight.com/logger/xsd

alexeynl Honored Contributor.

Re: Fetching events using ArcSight API

Have you had any success fetching events using ESM's SOAP or REST?

alexeynl Honored Contributor.

Re: Fetching events using ArcSight API

Scott Sattler wrote:

seems like hp loves soap, we have tickets open on rest...

Notes from the HP ArcSight Logger Web Service API Guide:

HP is planning to move all of Logger's Web Services to simpler RESTful services. The SOAP Web Services will be deprecated in a future release. Therefore, we encourage users to move toward using the RESTful Web services where available.

sberkholz Absent Member.

Re: Fetching events using ArcSight API

For the SOAP API, you have to get an authentication token before you can request from the SearchService. For the REST API, you have to log in with user ID and password, have an account configured, and use the POST method rather than GET, because if you use GET your account credentials end up in the Apache logs. I noticed you were wanting to query Logger <above>? If that is true, I'd not point the client's destination at what looks like an ESM.

Aaron Kramer (HP) pointed out a few weeks ago that the ESM has its own very special REST API, which is slightly different from Logger's. We are still trying to track down the manual for that; it's supposed to be out there. The Logger, on the other hand, has two APIs: one is SOAP and one is REST. Your priority for establishing API connectivity then, as Alexey noted above, would likely lean towards REST. It is good to see that we have more eyes on this.

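The post above makes a point worth checking for on the defender's side: once an API login is done over GET, the user ID and password sit in the web server's access log for anyone who can read it. The following scanner is an added example, not code from the thread or from ArcSight; it parses Apache combined-format access lines, flags requests whose query string carries a credential-like parameter (so affected accounts can be rotated and clients fixed to use POST), and masks the values so a finding can be shared safely. The API paths, parameter names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Apache combined log format:
#   host ident user [time] "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string parameter names that should never travel in a URL (constructed list;
# adjust to the parameter names the API you are auditing actually uses).
SENSITIVE_KEYS = {"login", "username", "userid", "password", "passwd", "authtoken", "token"}

# Constructed sample lines: a GET login with credentials in the URL, the same login done
# properly over POST (the body is not logged), and a search passing a token in the URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET /api/login?login=svc_api&password=Hunter2 HTTP/1.1" 200 512 "-" "python-requests"',
    '10.0.0.5 - - [12/Mar/2019:10:01:09 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "python-requests"',
    '10.0.0.7 - - [12/Mar/2019:10:02:15 +0000] "GET /api/search?authToken=abc123&query=deviceVendor%3DArcSight HTTP/1.1" 200 2048 "-" "curl"',
]

def scan_line(line):
    """Return (host, method, path, leaked_keys) when the request carries a credential-like
    parameter in its query string, else None. The method is reported but not used to decide:
    a POST with credentials in the URL is logged just the same as a GET."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    leaked = sorted({k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                     if k.lower() in SENSITIVE_KEYS})
    if not leaked:
        return None
    return (m.group("host"), m.group("method"), parts.path, leaked)

def scan_log(lines):
    """Run scan_line over every line and collect the findings."""
    return [f for f in map(scan_line, lines) if f is not None]

def redact_target(target):
    """Mask credential values in a request target so a log line can be shared or exported
    (for example when raising a ticket about the leak) without re-exposing the secret."""
    parts = urlsplit(target)
    pairs = [(k, "***" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(pairs, safe="*") if pairs else "")
```

Running `scan_log(SAMPLE_LOG)` reports the GET login and the token-bearing search but not the POST login, which is exactly the difference the post describes.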
Micro Focus Expert

Re: Fetching events using ArcSight API

Most if not all Product documentation is here on Protect724, including the ESM API docs.

From the main page, https://www.protect724.hpe.com/welcome, click on ArcSight.

From there, click on "Product Documentation".

From there, click on "ArcSight ESM and ArcSight Express Documentation".

Drill down by the ESM version you are using.

Look for "Service Layer".

alexeynl Honored Contributor.

Re: Fetching events using ArcSight API

Aaron Kramer wrote:

If you are looking to get events from ESM, you should use the ESM API (REST).

If you are looking to get events from Logger, you should use the Logger API (SOAP or REST).

The ESM REST API is documented.

The Logger REST and Logger SOAP API are documented.

I've read the documentation but didn't find a way to form a query to fetch events from ESM.

What API service and method should I use for this purpose?

I see the list of REST services, and the first simple question is: what does "supported services" mean? Does it mean that unsupported services exist?

ESM_API_Services.png
