
Case Management

Hi,

I need to know where the Case data goes in the ESM. We have a requirement of preserving Cases for a period of 10 years (tape drive, hard disks, etc.). Our retention policy is 120 days (30 days online and 90 days archived). We need to retrieve all the cases and take a backup of them. Kindly advise.

Thanks,

Jitendra


Re: Case Management

Hi Jitendra,

KB 3223

ESM 5.0 introduces new functionality which allows the events associated with cases to be preserved beyond the usual retention period, when events would normally be archived.

This feature is enabled by default during installation and affects all Cases, rather than specific cases or events.  During an upgrade to ESM 5.0, all existing Case events are copied from active partitions to the preserved event tables.

    Note: There is a 30-minute timeout for the event preservation task during the upgrade.

If there is an issue during upgrade, this feature may be enabled after installation by running the following command from <ARCSIGHT_HOME>/bin:

    arcsight preservecaseevent

With Preserve Case Events enabled, when events are added to cases (if the event is not already preserved) the event is copied from arc_event to arc_event_p tables.  Event annotations and payloads will be automatically cloned to the preserved tables.  Events will stay in the preserved tables until they no longer belong to any case.

The preserved event tables are:

    arc_event_p

    arc_event_additional_data_p

    arc_event_annotation_p

    arc_event_correlation_p

    arc_event_payload_p

These tables use the same indexing as the standard event tables: ET, MRT, ID.

----------------

As per ArcSight standard procedure on backup, you need to back up the system configuration + ArcSight database (Oracle hot backup or cold backup).

During ArcSight system recovery in any case, if you have ArcSight system configuration and full arcsight database backup and redo archives from Oracle database then it's possible to restore.

I have a thought but never tested:

Export only preserved tables. On a test system, import the ArcSight system configuration and import the preserved tables. Not sure how this works; let me know if anyone has tried this or has other thoughts on backing up only case tables and trend tables.

Thanks

Sri



Re: Case Management

Hi Sri,

Thanks for the response. One question though. How do I know that cases are already being preserved? Our retention period is 120 days (30 Days online and 90 days Inactive).

If they are being preserved to arc_event_p tables, what is the default size of the table? I am unable to find KB 3223; if you have a copy of it, then please share.

Appreciate your response.

Thanks,

Jitendra
