grantsales
New Member.

ArcSight System Cases _system_case_Event_Export_Request

I have a problem with these cases being created.

I would like to stop them from being created or disable the "export to external system" option so users don't accidentally click on the wrong export.

Also it would be great to get these removed from the system either by deleting them on the manager or by using a command line tool to delete them.

Screen Shot Below:

Anyone have a solution?

Volker Michels
Acclaimed Contributor.

Re: ArcSight System Cases _system_case_Event_Export_Request

Hello,

I see the same and will check this.

Will come back to you.

Volker

Volker Michels
Acclaimed Contributor.

Re: ArcSight System Cases _system_case_Event_Export_Request

Hmm, very strange, I tried to find the rule that creates the cases but I can't.

Sorry, Volker

grantsales
New Member.

Re: ArcSight System Cases _system_case_Event_Export_Request

There isn't a rule generating this case. I've looked through all of our rules many times. Were you able to delete this auto generated case?

Volker Michels
Acclaimed Contributor.

Re: ArcSight System Cases _system_case_Event_Export_Request

No, even with the admin user it's not possible.

Volker

doug.mcneill@de
Absent Member.

Re: ArcSight System Cases _system_case_Event_Export_Request

Resurrecting an old topic, perhaps, but this looks like something I've encountered in trying to automate exporting cases...I have a rule set up with an "Export to External System" action...whenever the rule triggers, that action creates a system case with the events related to that rule triggering and writes that case as an XML file in <home>/archives/export.

That's probably the culprit for the cases being created.  Now, as far as deleting them, that's something I'll need to figure out as well.

grantsales
New Member.

Re: ArcSight System Cases _system_case_Event_Export_Request

To forcefully delete these you can do this on command line and XML:

Run "arcsight archive"; more info and details on how to run it can be found in the help docs if you search.

My export command:

.\arcsight.bat archive -m <ManagerHostName> -u <admin> -p <pass> -uri "/All Cases/All Cases/ArcSight System/" -f <ExportFile> -exportaction remove

-m is the hostname of your ESM manager

-u is an admin user

-p is the password (optional, you can leave this flag off and it'll prompt for creds)

-uri is what we are exporting; in this example all these system cases are under "/All Cases/All Cases/ArcSight System/"

-f output file

-exportaction remove is building the XML to remove these upon an import

After exporting, open your XML file in a text editor and remove the Groups so when you import you don't delete the folder structure. Save it and import the XML with "-i" and this will remove the cases that you can't delete from within the GUI.


Import your saved XML:

.\arcsight.bat archive -m <ManagerHostName> -u <admin> -p <pass> -f <ExportFile> -i

I am not responsible or liable for what you do in your environment.

I highly recommend testing this on a single resource in a testing environment first.

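An added example, not part of grantsales's post and not ArcSight tooling: one way to script the "remove the Groups" editing step so the file you import removes only the system cases and nothing else. The element names `Group` and `Case`, the `name` attribute, the flat layout and the sample XML are assumptions; compare them with your own export file first.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions (check against your own export file): folders appear as <Group>
# elements and cases as <Case> elements, each with a "name" attribute, all as
# direct children of the archive root.
GROUP_TAG = "Group"
CASE_TAG = "Case"
# Case name taken from the thread title; matched as a prefix.
EXPECTED_NAME = re.compile(r"^_system_case_Event_Export_Request")

# Constructed sample standing in for an export made with "-exportaction remove".
SAMPLE_EXPORT = """<archive>
  <Group name="ArcSight System" action="remove"/>
  <Case name="_system_case_Event_Export_Request_1" action="remove"/>
  <Case name="_system_case_Event_Export_Request_2" action="remove"/>
  <Case name="Phishing investigation" action="remove"/>
</archive>"""


def prune_archive(xml_text):
    """Drop Group elements and unexpected cases.

    Returns (new_xml, kept_case_names, skipped_case_names).
    """
    root = ET.fromstring(xml_text)
    kept, skipped = [], []
    for child in list(root):
        name = child.get("name", "")
        if child.tag == GROUP_TAG:
            root.remove(child)      # keep the folder structure on import
        elif child.tag == CASE_TAG and EXPECTED_NAME.match(name):
            kept.append(name)       # a system case the import should remove
        elif child.tag == CASE_TAG:
            skipped.append(name)    # some other case: take it out of the file
            root.remove(child)
    return ET.tostring(root, encoding="unicode"), kept, skipped


if __name__ == "__main__":
    new_xml, kept, skipped = prune_archive(SAMPLE_EXPORT)
    print("cases the import will remove:", kept)
    print("cases taken out of the file:", skipped)
    print(new_xml)
```

Review the two printed lists before running the import with "-i"; anything in the second list was under the exported URI but does not carry the system case name.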