rhydham.joshi@h Regular Contributor.

L2-Entity Monitoring - Situational Awareness

This is the official forum for discussing the ArcSight Activate L2-Entity Monitoring - Situational Awareness package, as described in the Activate Wiki

0 Likes
12 Replies
tkachouba Trusted Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Having trouble installing this package. I get a Cipher Suite error and my account gets locked out in the ESM.  I believe it's due to special characters in the password.  L1-Entity monitoring installed fine.

0 Likes
rhydham.joshi@h Regular Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hello Taras,

I believe this installation error occurred due to the wrong password. The script, instead of exiting upon failed credentials, keeps on trying to log in to ESM using the provided username and password, and this would have led to the user account being locked out.

Can you please try to install the package by re-enabling the user? If not, please let us know so that we may help you further.

Command to re-enable the user is as follows:

[arcsight@esmsystem bin]$ <%ArcSight Home%>/manager/bin/arcsight reenableuser <%UserAccount%>

Thanks,

Rhydham Joshi

0 Likes
tkachouba Trusted Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Thanks for your response.  I'll try re-installing the package.

0 Likes
rhydham.joshi@h Regular Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hello Taras,

I hope you are able to install L2-Entity Monitoring - Situational Awareness package.

Please let me know in case of any issues.

Thanks,

Rhydham Joshi

0 Likes
tkachouba Trusted Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hi Rhydham,

Myself and a co-worker both tried the installation of the L2-Entity Monitoring Package with the same result.  The package did not install successfully.  When the batch script is running there are errors related to ciphersuites being used then the account gets locked out due to too many failed authentication events.  I've identified this ciphersuite error in older versions of Activate Base and some other packages.  It has something to do with the variables being used and special characters in the password.  This was the only package that did not successfully install for me and I've pulled down and installed almost every package available in the HPE Marketplace.

INFO: adjustCiphersuitesToPlatform: Excluding cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA, it is not supported by this JVM.

failure.

Your user account has been disabled temporarily. Please try again later.

0 Likes
rhydham.joshi@h Regular Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hello Taras,

We are sorry to hear about the package installation error. I will try to work with you to resolve the issue.

Now, to identify the exact root cause, I need the entire log file to determine what went wrong.

Can you please post the entire log message here by hiding the sensitive information or can you mail the entire log file to me @rhydham.joshi@hpe.com?

This can be done as follows:

1) Open CMD and navigate to <%ARCSIGHT_HOME%>/current directory

2) Execute L2-Entity_Monitoring_-_Situational_Awareness_1.1.0.0.bat file

3) Now, when the installation fails, please copy the entire log, remove/hide the sensitive details.

I will get back to you with the exact root cause the moment I get the log file.

Thanks,

Rhydham Joshi

0 Likes
prentice@hpe.co Honored Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hey,

Please don't do that, but answer these questions, instead:

1) Do you have special characters (punctuation, etc.) in your password?

2) Do you have a one-time password setup, i.e., do you need to enter a new password every time you connect to ESM?

If the answer to either of these questions is yes, that is what the problem is. The scripts are not yet able to handle special characters in the password (this is a Microsoft cmd window issue, we're researching it, any help would be appreciated). We've been experimenting with a script for handling one-time passwords, but the base script assumes that the password will be correct and will drive through all the installation steps, even if they all fail (we're working on fixing that, too).

If this is the case in your situation, you can print out or edit the script and enter the commands manually, following the script. The steps should be sequential.

Hope this helps,

--

Prentice

0 Likes
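Added example, not part of the thread and not code from the Activate installer: a Python sketch of the two checks discussed above, flagging password characters that cmd.exe may reinterpret inside a batch file, and running steps fail-fast so one bad credential costs one failed login instead of one per step. The step commands and the sample password are constructed stand-ins.

```python
import subprocess
import sys

# Characters cmd.exe can reinterpret when a value is expanded unquoted in a
# batch file: separators, redirection, escape, quoting, variable expansion
# ("!" only with delayed expansion, parentheses inside ( ) blocks).
CMD_METACHARS = set('&|<>^%!"()')


def risky_chars(password):
    """Return the cmd.exe metacharacters found in the password, sorted."""
    return sorted(set(password) & CMD_METACHARS)


def run_steps(steps, runner=subprocess.run):
    """Run install steps in order and stop at the first non-zero exit code.

    Returns (steps_completed, failed_argv_or_None). Stopping early keeps a
    rejected login from being retried by every later step, which is what
    drives the account into lockout.
    """
    for done, argv in enumerate(steps):
        if runner(argv).returncode != 0:
            return done, argv
    return len(steps), None


def demo():
    # Constructed stand-ins for installer steps; the second "fails login".
    ok = [sys.executable, "-c", "raise SystemExit(0)"]
    bad = [sys.executable, "-c", "raise SystemExit(1)"]
    return run_steps([ok, bad, ok, ok])


if __name__ == "__main__":
    print(risky_chars("Tr&il%9^x"))  # constructed sample password
    print(demo())
```
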
prentice@hpe.co Honored Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Upon reviewing this, everything I said was correct, but a thought has occurred to me. Sometimes the package/archive/resource framework gets confused, and can cause a problem with the cipher suite issue. I've not seen this on a FIPS installation, but I have seen it on non-FIPS installations. The only workaround I know of is to try restarting all the ArcSight services.

If that doesn't work, please file a support ticket (feel free to reference this thread).

Thanks,

--

Prentice

0 Likes
tkachouba Trusted Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hi,

Thanks for your responses.  It is a non-FIPS installation.  I recall having the same issues installing previous Activate packages, specifically, Activate Base but for the most part they have all been resolved except in this one.  I will open a support ticket and reference this thread for this particular package but if you have any other updates or findings please update this thread. 

1) Do you have special characters (punctuation, etc.) in your password?

Yes, there are special characters in my password.

2) Do you have a one-time password setup, i.e., do you need to enter a new password every time you connect to ESM?

No, one-time passwords are not setup.

Thanks!

0 Likes
prentice@hpe.co Honored Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hey,

If you can, try temporarily changing your password to not have the special characters. If you're using local ESM authentication, you should be able to change it back to your stronger password after you've installed the L2 package. I am curious, though, if you had the special characters in your password when you installed the L1 package, etc.?

Hope this helps,

--

Prentice

0 Likes
Micro Focus Expert

Re: L2-Entity Monitoring - Situational Awareness

I was talking with someone today who was going to have some difficulty using the Terminated User Account use case. Their legal department frowns on such terminology, since it implies that the people were fired, which generally is not the case. Since I assume that the use case is meant for tracking any accounts that should not be doing stuff, how about something like "Inactive Accounts"? This would cover both disabled and deleted accounts. Aside from the legal issue, it would make it clearer to users what the intention of the use case is.

0 Likes
donald.chapell@ Valued Contributor.

Re: L2-Entity Monitoring - Situational Awareness

Hi all, I wrote a package for Cisco ISE that fits nicely into the Entity Monitoring scheme.  A customer has it in testing right now, I did some testing against the Entity Package and it worked nicely.  You can add it into the list of products that can be monitored by it.  It will be up on Marketplace as soon as I finish the documentation.

D.

0 Likes