Two remote Managers
I am having such a scenario: there are two Managers in a two separate networks. What we want to do is to export the content (events) from one ArcSight database to another for summary analysis. Would someone please tell me, is it possible? And if it is, how to implement such a task? Is it possible to simply export the content from one db and to import to another? Thanks in advance.
To export content ( rules, reports, .. ) , use export_system_tables
to export data, you can use a forwarder. When an event is about to be sent to the DB, it's also forwarded to another destination ( in this case your second manager ). Of course it can only work for future events.
If you need to export data already stored in the DB, then you need to make an export/import at the oracle level or to clone your current system.
Thank you, GCA,
I was thinking about the same options, but the only concern is how to export all the events from all the sources in a most efficient manner? I was also thinking, isn't that possible to cause any conflicts while importing a hudge amount of data into another ArcSight database?
Can you be more precise in your questions ? If you export or clone your DB, there is no risk to get conflicts and you will get all the content and data at the same time but you will overwrite the DB you are making the import to ( don't know if it's possible to make an import and merge data but I wouldn't tempt it anyway ). Same problem if you only import the content with import_system_tables. If you want only to import some content to an exsting DB, you should use packages.
Does the DB you want to import the data to already exist and contain data or are you going to build a new one ? Do you need to move the exising data or is it enough to replicate future data to the new DB ? Is there a way for you to clone your current DB ( if you are using VM or if you have similar HW for instance ? ). I can help a bit more but I need more information.
Does the DB you want to import the data to already exist and contain data or are you going to build a new one ?
I want to add events to another database with existing events without overwriting it's content.
Do you need to move the exising data or is it enough to replicate future data to the new DB ?
I need to move existing data and to replicate the content from one database to another. The thing is that there is no connection between those two databases.
Is there a way for you to clone your current DB ( if you are using VM or if you have similar HW for instance ? ).
We acctally do not need to clone the content. We want to add a content from one db to another.
The exact scenario looks like this: there are to ESM systems in two separated networks. Let's say one ESM is a Master and another is a Slave. The Slave collects events from it's local network while the Master collects events from it's local network. The thing is that the Master needs events from it's network plus events from the Slave local network so that it (the Master) can do an overall correlation between all events.
I appreciate your help.
Well it's not going to be easy. I see two very annoying points in your summary.
1) Without network connectivity between your DB you cannot use a forwarder from the slave DB to the master and you must transfer data manually on a regular basis. The problem is that to import your data in the master DB you must first export them from the slave DB which, in the best case scenario, means a big impact on this DB during the export and possibly the obligation to stop the DB during the export. Exporting data can be a very time consuming process and will require good AS DB knowledge because you cannot simply export everything, you must correctly define data you want to transfer.
2) You want to merge two DB which is a lot more complex than replicating data from one system to another. Again good oracle knowledge is required. You can ask some help to the support but don't expect too much, they will probably redirect you to the Professional services
If you cannot loose your data on the Master DB, I think you need first to find a solution to merge both DB in a single one ( if you achieve this I would be interested to know how you did it ). But then I strongly suggest you to build a network connection between these two DB and to use a forwarder. Making a manual export/import on a regular basis doesn't look very realistic to me.
This is probably not the solution you were expecting but I can't think about a better one which doesn't mean such a solution doesn't exist 😉