Configure ArcSight Logger Policies
ArcSight Logger is a log management solution that is optimized for extremely high event throughput, efficient long-term storage, and rapid data analysis. ArcSight Logger receives and stores events; supports search, retrieval, and reporting; and can optionally forward selected events.
ArcSight Logger Receiver Configuration policy templates configure one or more receivers in ArcSight Logger. Receivers in ArcSight Logger listen for and capture event data locally or on remote systems.
- Open the Policy Templates manager:
  Administration > Monitoring > Policy Templates
  Alternatively, click Policy Templates.
- In the Policy Template Groups pane, expand Policy Management > Templates grouped by type > Configuration.
- Click the ArcSight Logger folder, and then do one of the following:
  - To add a new policy template, in the Policy Templates pane, click the New Item button, and then click the Add New Policy Template... or the Add New Policy Template (Raw Mode) button.
    The New ArcSight Logger Template Editor opens.
  - To edit an existing policy template, click the policy template in the Policy Templates pane, click the Edit Item button, and then click the Edit Policy Template or the Edit Policy Template (Raw Mode) button.
    The Edit ArcSight Logger Template Editor opens.

Tip: You can also access the policy editor from the Edit Aspect dialog box (see Policy Templates).
Learn more
ArcSight Logger policies configure ArcSight Logger receivers on the system to which they are deployed. The policies must use the following syntax:
Receiver name, type, and state syntax

The policy template name determines the name of the receiver in ArcSight Logger. The policy parameters _logger_receiver_type and _logger_receiver_state define the receiver type and state.

For example, the policy "Audit Log", which contains the policy parameter _logger_receiver_type with the value localfile and the parameter _logger_receiver_state with the value true, creates a receiver named "Audit Log" of the type "File Receiver" that is enabled in ArcSight Logger after deployment.

If the policy template does not contain the parameters _logger_receiver_type and _logger_receiver_state, the policy template by default creates a receiver of the type File Receiver. The state of the receiver in ArcSight Logger depends on the state of the deployed policy (that is, enabled or disabled). If the parameters exist in the policy template but have empty values, a receiver of the type File Receiver will be created in ArcSight Logger but will be disabled by default.

Parameter Name | Parameter Type | Parameter Value |
---|---|---|
_logger_receiver_type | Enumeration | Defines the receiver type. Supported values are: |
 | | udp: Creates a receiver for UDP messages (for example, SYSLOG). |
 | | tcp: Creates a receiver for TCP messages (for example, SYSLOG, which can also be sent with TCP). |
 | | localfile: Creates a receiver to read logs from a local or remote file system (for example, NFS, CIFS, or SAN). |
 | | filetransfer: Creates a receiver to read remote logs using scp, sftp or ftp. |
 | | smartmsg: Creates a receiver for encrypted SmartMessage messages sent by SmartConnectors. |
 | | cefudp: Creates a receiver for CEF (Common Event Format) messages sent through UDP. |
 | | ceftcp: Creates a receiver for CEF (Common Event Format) messages sent through TCP. |
_logger_receiver_state | String | Defines the receiver state. Supported values are: |
 | | true: Sets the receiver state to enabled in ArcSight Logger. |
 | | false: Sets the receiver state to disabled in ArcSight Logger. |

Receiver parameter syntax

The data part of an ArcSight Logger policy template defines the details of a receiver. Each receiver property is defined by a receiver parameter name-value pair. You can optionally create policy parameters for each receiver parameter and insert them as variables in place of the values.

For more information about the receiver parameters, see the ArcSight Logger Help.

Tip: You can add as many different parameter name-value pairs to your ArcSight Logger policy template as you want. ArcSight Logger ignores parameters that are not relevant to the receiver configured by the policy template.

UDP, TCP, CEF UDP, and CEF TCP Receiver parameters

Parameter Name | Receiver Property |
---|---|
ip | IP/Host |
PORT | Port |
Encoding | Encoding |

File Receiver parameters

Parameter Name | Receiver Property |
---|---|
rfsname | RFS Names |
folder | Folder |
sourcetype | Source Type |
wildcard | Wildcard (regex) |
mode | Mode |
renameext | Rename extension |
charencoding | Character encoding |
delayafterfirstseen | Delay after seen |
datetimelocale | Date/time locale |
datetimezone | Date/time zone |
datetimelocregex | Date/time loc regex |
datetimeformat | Date/time format |
singlelinestart | Event start (regex) |

File Transfer Receiver parameters

Parameter Name | Receiver Property |
---|---|
protocol | Protocol |
port | Port |
host | Ip/Host |
username | User |
password | Password |
filepath | File path |
schedule | Schedule |
zipformat | Zip Format |
sourcetype | Source Type |
charencoding | Character encoding |
delayafterfirstseen | Delay after seen |
datetimelocale | Date/time locale |
datetimezone | Date/time zone |
datetimelocregex | Date/time loc regex |
datetimeformat | Date/time format |
singlelinestart | Event start (regex) |

Smart Message Receiver parameters

Parameter Name | Receiver Property |
---|---|
Encoding | Encoding |

The following policy data creates an enabled ArcSight Logger receiver of the type "File Receiver". The receiver reads all files in the folder /home/arcsight/filereceiver01 on the ArcSight Logger system.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<ParameterValues>
<Parameter Name="_logger_receiver_type" Value="localfile"/>
<Parameter Name="_logger_receiver_state" Value="true"/>
<Parameter Name="rfsname" Value="LOCAL"/>
<Parameter Name="folder" Value="/home/arcsight/filereceiver01"/>
<Parameter Name="sourcetype" Value="Other"/>
<Parameter Name="wildcard" Value=".*"/>
<Parameter Name="mode" Value="persist"/>
<Parameter Name="renameext" Value=".done"/>
<Parameter Name="charencoding" Value="US-ASCII"/>
<Parameter Name="delayafterfirstseen" Value="10"/>
<Parameter Name="datetimelocale" Value="en_US"/>
<Parameter Name="datetimezone" Value="Europe/Berlin"/>
<Parameter Name="datetimelocregex" Value=""/>
<Parameter Name="datetimeformat" Value=""/>
<Parameter Name="singlelinestart" Value=""/>
</ParameterValues>
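
The policy editor performs no syntax check on ArcSight Logger policy data, so it is worth checking policy data offline before deployment. The following Python sketch is an added example, not part of the product or this Help: it applies the type and state rules and the receiver parameter tables above to policy data. The names lint_policy and policy_enabled are hypothetical; handling each control parameter independently when only one is absent or empty, and the lowercase protocol value ftp, are assumptions.

```python
import xml.etree.ElementTree as ET

# Parameter names per receiver type, copied from the tables on this page.
NET = {"ip", "PORT", "Encoding"}
COMMON = {"sourcetype", "charencoding", "delayafterfirstseen", "datetimelocale",
          "datetimezone", "datetimelocregex", "datetimeformat", "singlelinestart"}
RELEVANT = {
    "udp": NET, "tcp": NET, "cefudp": NET, "ceftcp": NET,
    "smartmsg": {"Encoding"},
    "localfile": COMMON | {"rfsname", "folder", "wildcard", "mode", "renameext"},
    "filetransfer": COMMON | {"protocol", "port", "host", "username", "password",
                              "filepath", "schedule", "zipformat"},
}
CONTROL = ("_logger_receiver_type", "_logger_receiver_state")

def lint_policy(xml_text, policy_enabled=True):
    """Return the receiver a policy would create, plus a list of findings."""
    try:
        # Policy data is admin-authored; do not feed untrusted XML to ElementTree.
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return {"type": None, "enabled": None, "findings": [f"malformed XML: {exc}"]}
    params = {p.get("Name"): p.get("Value", "")
              for p in root.iter("Parameter") if p.get("Name")}
    findings = []
    # Absent or empty type: File Receiver (the default described on this page).
    rtype = params.get(CONTROL[0]) or "localfile"
    if rtype not in RELEVANT:
        findings.append(f"unsupported receiver type: {rtype}")
    state = params.get(CONTROL[1])
    if state is None:
        enabled = policy_enabled       # absent: follows the deployed policy state
    else:
        enabled = state == "true"      # empty or "false": receiver is disabled
        if state not in ("true", "false", ""):
            findings.append(f"unsupported receiver state: {state}")
    ignored = sorted(set(params) - set(CONTROL) - RELEVANT.get(rtype, set(params)))
    if ignored:
        findings.append(f"ignored by a {rtype} receiver: {', '.join(ignored)}")
    if rtype == "filetransfer" and params.get("protocol", "").lower() == "ftp":
        findings.append("ftp sends username and password in cleartext; use scp or sftp")
    return {"type": rtype, "enabled": enabled, "findings": findings}

# Constructed samples (not from a real deployment).
BROKEN = '<ParameterValues><Parameter Name="_logger_receiver_state" Value="true/></ParameterValues>'
FTP = """<ParameterValues>
  <Parameter Name="_logger_receiver_type" Value="filetransfer"/>
  <Parameter Name="protocol" Value="ftp"/>
  <Parameter Name="folder" Value="/var/log/app"/>
</ParameterValues>"""

if __name__ == "__main__":
    for sample in (BROKEN, FTP):
        print(lint_policy(sample))
```
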
You assign ArcSight Logger policy templates to the remote systems from which you want to receive data in ArcSight Logger. Based on the connected server configuration, OMi then selects an ArcSight Logger server and deploys the policy template to that server. The ArcSight Logger server finally creates the corresponding receivers and starts receiving data from the corresponding hosts.
To be able to assign and deploy an ArcSight Logger policy template, the ArcSight Logger system must be set up as a connected server in OMi and a node CI must exist for the system in Monitored Nodes. In addition, the remote systems that send data to ArcSight Logger must be represented as node CIs in the RTSM.
If the ArcSight Logger policy template contains parameters, you can choose to deploy the policy template with the default values or provide custom values during the assignment or tuning. For example, even if the default value of the _logger_receiver_type parameter is localfile, you can tune this parameter before deployment and change it to udp.
Tasks
Before you can collect log data from a node using ArcSight Logger, you must complete the following steps:
- Install HPE Operations Agent and the HPE Operations Subagent for ArcSight Logger on the ArcSight Logger system. For details, see How to Install the HPE Operations Subagent for ArcSight Logger.
- Set up the ArcSight Logger system as a connected server in OMi.
  For details, see Connected Servers.
- Verify that a node CI has been created for the ArcSight Logger system, and make sure that the systems that send data to ArcSight Logger are represented as node CIs in the RTSM. To check, access:
  Administration > Setup and Maintenance > Monitored Nodes
  Alternatively, click Monitored Nodes.

- Prerequisite: Make sure HPE Operations Agent is installed on the ArcSight Logger system.
- On the OMi Data Processing Server, navigate to the subagent installation files:
  <OMi_HOME>/opr/subagents/arcsight_logger
- Copy the subagent installation files from the OMi Data Processing Server to a temporary directory on the ArcSight Logger system.
- On the ArcSight Logger system, execute the installation script install_asloggersubagent.sh.
  The script prompts you for the installation directory on the ArcSight Logger system. Type /opt/arcsight/, for example.

- In the ArcSight Logger Policy Editor, in the Properties page, type a Name for the policy.
  Optional. Provide a description of the policy (Description), select the instrumentation that will be deployed with the policy onto the host system where the agent is running (Instrumentation), and select the operating systems with which the policy is compatible (OS Types).
  For more information, see Properties Page.
- Use the Policy Parameters tab to create the _logger_receiver_state and the _logger_receiver_type parameters.
  For more details, see Receiver name, type, and state syntax and Policy Parameters Tab.
- In the Policy Data page, type the details of the receiver using name-value pairs. If you are creating a new policy, copy and paste template data from an existing policy template. Alternatively, click the Load From Local File System button to load policy data from a policy template file on your computer.
  For details, see Receiver parameter syntax.
- Click Save and Close to save the policy template and exit the wizard.
- Optional. If the receiver state has been set to false (disabled), enable the receiver in ArcSight Logger (Configuration > Event Input/Output) after the deployment.

UI Reference
User interface elements are described below (listed alphabetically):
UI Element | Description |
---|---|
Load From Local File System | Click to open the Select file to upload dialog box. Use the dialog box to upload a policy file. Policy files are data files and their filenames end in |
Save To Local File System | Click to download the policy to a policy data file on your system. You can then update the policy more comfortably in an editor of your choice. After completing your changes to the policy, upload the policy data file by clicking the Load From Local File System button. The policy editor automatically asks you to download policies that exceed 1 MB in file size. |
Check Syntax | ArcSight Logger policies do not support syntax checking. You can click Check Syntax, but the check is not performed. |
<policy data> | Policy data in text form. The policy editor highlights the policy syntax. If the policy exceeds 1,000 lines, syntax highlighting is automatically disabled. If the policy exceeds 1 MB in file size, the policy editor automatically asks you to download the policy to a file. For details, see ArcSight Logger Configuration Syntax. |

UI Element | Description |
---|---|
Name | Name of the policy. You can use spaces in the name. The equal sign (=) is not allowed. The name is set when the policy is created and cannot be changed in new versions of a policy. |
Description | Description of what the policy does. You might also add other notes (for example, data sources that are used). |
Template ID | GUID (globally unique identifier) assigned to the policy template when it is first created. |
Version ID | GUID (globally unique identifier) assigned to this version of the policy template when it is saved. Each version of a policy template has a unique ID. |
Version | The current version of the policy. If you modify an existing policy, you create a new version of the policy in the database with a unique version number. By default, the minor version number increases by one automatically after you modify the policy and save it. If you want to save the policy with a specific version number, you can select the major or minor version number that you want. It is not possible to replace an existing version of a policy. However, you can delete a specific version of a policy. Note: If you modify a policy template that is part of an HPE Operations Manager i Management Pack, increase the minor version number only. The next version of the Management Pack normally uses the next major version number. |
Change Log | Text that describes what is new or modified in this version of the policy. |
Last Modification | The date and time that the policy was saved. The date and time displays using the current time zone of the computer on which the Web browser runs. The language setting of the Web browser determines the date and time format (for example, |
Last Modified by | The name of the user active when the policy was saved. |
Instrumentation | Instrumentation selected for this policy. Instrumentation consists of one or more programs (for example scripts or executable files) that some policies may require to complete a configuration or monitoring task. Instrumentation is deployed to nodes that have HPE Operations Agent installed when the policy is deployed. Instrumentations are unavailable if they are grayed out and their names end with "(Placeholder)". Upload them by using the Content Manager. |
OS Types | Types of operating system with which this policy is compatible. To enable platform neutrality, you can create several platform specific variations of the same policy, and include them all in one aspect. OMi ensures that a policy is deployed only to host nodes that have the operating systems that you specify. If you leave all the OS type check boxes clear, the policy can be deployed to host nodes with any operating system. |