rharman

Creating ArcSight ESM arb bundles from archive xml files (or failing to)

I'm trying to create an ArcSight ESM bundle (arb) file using the Manager/bin/arcsight package and archive commands.

1) I've got .arb packages that were exported from a Package built in an ESM -- I'm doing this daily, to "back up" our content.  I followed the process in CSN27.

2) I've performed a "daily diff" with Manager/bin/arcsight archive -action diff -f changes.xml -source today.xml -base yesterday.xml

3) I'm trying to create a .arb package containing changes.xml so that I can load that into a Manager with: Manager/bin/arcsight package -action bundle  -f 20130821_changes.arb -source changes.xml

I get the following error:

Assuming ARCSIGHT_HOME: /home/arcsight/Manager
Assuming JAVA_HOME: /home/arcsight/Manager/jre
ArcSight Package Utility starting...
Configuration initialized: config/server.defaults.properties; config/server.properties
   ___           _____      __   __
  / _ | ________/ __(_)__ _/ /  / /_
 / __ |/ __/ __/\ \/ / _ `/ _ \/ __/
/_/ |_/_/  \__/___/_/\_, /_//_/\__/
    Package Utility /___/ Version 4.5.2.6100.2 (A6100_4-27-2010_21:7:42)
Copyright (C) 2000-2013 ArcSight, Inc.
All rights reserved.
JVM memory allowed: 455.1 MB
System locale: en_US
Will now bundle on the following files:
        /home/arcsight/Manager/20130821_changes.arb
java.lang.NullPointerException
        at com.arcsight.common.packageresource.PackageBundleEntry.ensurePackageDetailsPopuplated(PackageBundleEntry.java:138)
        at com.arcsight.common.packageresource.PackageBundleEntry.<init>(PackageBundleEntry.java:84)
        at com.arcsight.common.packageresource.PackageUtility.createBundle(PackageUtility.java:2560)
        at com.arcsight.common.packageresource.PackageUtility.main(PackageUtility.java:1107)

Every "diff" XML file I've created (23 of them, from the daily export of 23 packages) fails to create a package with the above error.  Most of the "diff" XML files are "empty" (there is no real content in them) but the one that does actually have content still fails.

Here's the Manager/bin/arcsight archive -action list -f changes.xml output for the one "diff" file that actually contains content:

Configuration initialized: config/server.defaults.properties; config/server.properties
   ___           _____      __   __
  / _ | ________/ __(_)__ _/ /  / /_
 / __ |/ __/ __/\ \/ / _ `/ _ \/ __/
/_/ |_/_/  \__/___/_/\_, /_//_/\__/
    Archive Utility /___/ Version 4.5.2.6100.2 (A6100_4-27-2010_21:7:42)
Copyright (C) 2000-2013 ArcSight, Inc.
All rights reserved.
JVM memory allowed: 455.1 MB
System locale: en_US
Will now perform archive operation with format default on the following files:
        changes.xml
Will now list contents of archive 'changes.xml'
---------------------------------------------------------------------------
Parsing archive 'changes.xml'... Done. 0 min 0 sec 321 ms
        ActiveList ID='H4mPKqisBABCAiDVl+i2PgA==' URI='/All Active Lists/Internal Operations/Data Reduction/Listing Rule' Version ID='AAAADn65hebizO+T' Content Version ID='AAAAUgr2uBSWDUuw'
        ActiveList ID='Hj6bLqisBABCAkDVl+i2PgA==' URI='/All Active Lists/Internal Operations/Data Reduction/Signature Noise' Version ID='AAAAC365lm7izO+V' Content Version ID='AAAASwr2zIyWDUuu'
        ActiveList ID='Hg77b6j0BABCAfBQwgmLeXg==' URI='/All Active Lists/Internal Operations/IP Rule Lists/BAD IP addresses' Version ID='AAAAAO27YcoxMIZe' Content Version ID='AAAABAr21LyWDUut'
        ActiveList ID='HXsu5uS4BABCCrbJU16K4cA==' URI='/All Active Lists/Internal Operations/Workflow/Behavioral Dst List' Version ID='AAAAALNgnPQNsP1p' Content Version ID='AAAAOAr2xFyWDUuv'
        ActiveList ID='HRWmztS4BABCKbQecEVMLcA==' URI='/All Active Lists/Internal Operations/Workflow/Behavioral SrcList' Version ID='AAAAALNhD1QNsP1n' Content Version ID='AAAAPgr2+5SWDUus'
        Package ID='_RR9DZEABABCAI09sd8kpng==' URI='/All Packages/Replication/01_Active_Lists' Version ID='AAAAIPoHfQ2WDUur'
        Entry counts by type:
                ActiveList: 5
                Package:    1
        Total entries in the archive: 6
---------------------------------------------------------------------------
List Complete. Elapsed Archive Time:1 sec 506 ms

So the content is correct, and actually has stuff in it.  Help?
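
An added example, not part of the original post and not ArcSight code: a parser for the `archive -action list` output format shown above, so a daily backup job can tell an "empty" diff from one with content before trying to bundle it. The sample listing and its IDs are constructed, and treating a diff as having content when it lists at least one non-Package resource is an assumption.

```python
import re

# Resource line format taken from the listing above:
#   <Type> ID='...' URI='...' Version ID='...' [Content Version ID='...']
ENTRY_RE = re.compile(r"^\s*(\w+) ID='([^']*)' URI='([^']*)' Version ID='([^']*)'")
TOTAL_RE = re.compile(r"Total entries in the archive:\s*(\d+)")

# Constructed sample (placeholder IDs), same layout as the real output.
SAMPLE = """\
Parsing archive 'changes.xml'... Done. 0 min 0 sec 10 ms
        ActiveList ID='EXAMPLE-ID-1==' URI='/All Active Lists/Example/List A' Version ID='V1' Content Version ID='C1'
        ActiveList ID='EXAMPLE-ID-2==' URI='/All Active Lists/Example/List B' Version ID='V2' Content Version ID='C2'
        Package ID='EXAMPLE-PKG==' URI='/All Packages/Example/Pkg' Version ID='V3'
        Entry counts by type:
                ActiveList: 2
                Package:    1
        Total entries in the archive: 3
"""

def parse_listing(text):
    """Return (entries, reported_total) parsed from the listing text."""
    entries, total = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rtype, rid, uri, ver = m.groups()
            entries.append({"type": rtype, "id": rid, "uri": uri, "version": ver})
            continue
        t = TOTAL_RE.search(line)
        if t:
            total = int(t.group(1))
    return entries, total

def summarize(text):
    """Count entries by type and check them against the tool's own total."""
    entries, total = parse_listing(text)
    counts = {}
    for e in entries:
        counts[e["type"]] = counts.get(e["type"], 0) + 1
    return {
        "counts": counts,
        # False when the total line is missing or disagrees with parsed entries
        "consistent": total == len(entries),
        # Assumption: a diff listing only the Package wrapper is "empty"
        "has_content": any(e["type"] != "Package" for e in entries),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```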

rharman

Re: Creating ArcSight ESM arb bundles from archive xml files (or failing to)

Anybody?
