Report Writing Tutorial?
First post to the community forum... forgive me if this is easy to find.
Is there a report writing tutorial for Arcsight Logger? I generated some reports, but there are a lot of features which aren't obvious as to how or why I would use them. A tutorial going from basic concepts to more advanced features would be very helpful. The documentation is great at describing what features are and how I would use them, but it doesn't seem to address what they do or why I need them.
Is there such a thing?
I don't know of any tutorials; the documentation is the best we have.
I would suggest having a look at the existing out-of-the-box reports and using them as a basis to get started.
There are features of the reporting engine which are not very well documented from memory.
If you have any specific questions post them here and we may be able to help.
I started writing a huge response about how to write reports for ESM, but then I realized your question was about Logger. D'oh!
The only way to get really good at writing reports for Logger is practice, and even then you'll have quirks and strange results, sometimes.
One resource you can use is to look at the many MySQL query tutorials online. The Logger Report Query Engine is all based on MySQL-style queries. If you look at that syntax (like using % as a wildcard, the term "LIKE" instead of "=", etc.) you'll find you can get ahead of the curve.
Also, one of the major restrictions is the Web GUI itself. I find that sometimes the windows with the different event attributes don't draw correctly on different browsers. I've had more luck with the later versions of IE than I've had with Firefox or Chrome.