Solved: Integration Command - [Logger Search] - Micro Focus Community

chris.lee@excer1 · ‎2013-05-20

Hi Guy,

i have a en-quire to search raw log from ArcSight Console. and understand that ArcSight can achieve that by using integration command which will redirect URL to ArcSight Logger.

i have done the configuration base on the Express User Guide but i keep receive error HTTP 404 and error message" Failed to negotiate single use session token, please check with administrator. Proceeding with alternative authentication method ."

i try many time but can't found the root cause. my logger is latest version and Express is version 5.1

Attach error page.

hope anyone can give me a hand on this.

Many thanks!

Regards,

Chris LEE

balahasan.v1 · ‎2015-06-26

Hi Aniruddh,

Try the below query. Tested

https://10.63.140.73/logger/search.ftl?ehr=1&ausm_query=destinationAddress=$selectedItem&from=$Now-2h&to=$Now

View solution in original post

katzmandu1 · ‎2014-07-16

Sorry for the delay. I ran into this with a customer. I found your thread when searching for a solution. The URL format has changed a bit between what is pre-programmed into ArcSight and what actually works on the Logger.

Change the URL between #else and #end in the "Quick Search Integration Command"

Delete the /app/redirect?user=${LoggerUser}&pass${LoggerPassword}&redirectUrl=

The URL will look like https://${LoggerHost}/logger/search.ftl?search.ftl&[...]

This will launch a new browser window where you'll have to authenticate. However, once you authenticate the search you've selecetd will run.

vaish_11 · ‎2014-07-22

Update URL:

https://{hostname or IP address}/logger/search.ftll?ehr=1&ausm_query={event field to query on}=$selectedItem&from=${start time}&to=${end time}

Example:

https://0.0.0.0/logger/search.ftll?ehr=1&ausm_query=destinationAddress=$selectedItem&from=${Now-1w}&to=${Now}

This will open a browser with the login screen. Once you login you will be automatically redirected to the results page.

Glasscock · ‎2015-05-21

I am trying to get the logger integration commands to work with Logger without any luck. Does your example above still work?

aniruddh.shriva · ‎2015-06-26

Hi Vaishnavi,

Query you have mentioned is not working,

I am giving inputs like this:

https://10.63.140.73:9000/logger/search.ftll?ehr=1&ausm_query={destinationAddress}=$selectedItem&from=${Now - 1d}&to=${Now}

Error I am getting

We're sorry, but the page was not found.

Can You help here?

need your inputs too.

balahasan.v1 · ‎2015-06-26

Hi Aniruddh,

Try the below query. Tested

https://10.63.140.73/logger/search.ftl?ehr=1&ausm_query=destinationAddress=$selectedItem&from=$Now-2h&to=$Now

View solution in original post

aniruddh.shriva · ‎2015-06-26

Amazing...Thanks alot Bala

rkent1 · ‎2015-07-27

, , isn't Jonathan Katz' response the correct answer here?

grace.chang · ‎2015-07-27

, nominated his answer as being correct here. , what do you think?

balahasan.v1 · ‎2015-07-28

Hi Grace,

Yes. It's Jonathan's the actual response is the correct here. There was a separate track question from Aniruddh and John. I thought it was the actual question thread... My bad.. Please mark Jonathan's Answer

Thanks for Noticing

rkent1 · ‎2015-07-29

Yep, looking at the whole thread in context, I can see where it forked from one question to another. We should try to flag those in the future and encourage the question-askers to create a new discussion. , it'd be great if power-users could tag comments for stuff like this. Just a thought

grace.chang · ‎2015-07-29

Yes, that would be great. Thanks for keeping a close eye on it and I saw where the fork diverged too. Keep it up!

Integration Command - [Logger Search]

ESM

Logger

Smart Connector