Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Operations Manager i10.62

Administer > Monitoring > Policy Templates > Configure ArcSight Logger Policies

Configure ArcSight Logger Policies

ArcSight Logger (ArcSight Logger) is a log management solution that is optimized for extremely high event throughput, efficient long-term storage, and rapid data analysis. ArcSight Logger receives and stores events; supports search, retrieval, and reporting; and can optionally forward selected events.

ArcSight Logger Receiver Configuration policy templates configure one or more receivers in ArcSight Logger. Receivers in ArcSight Logger listen for and capture event data locally or on remote systems.

To access

Open the Policy Templates manager:

Administration > Monitoring > Policy Templates

Alternatively, click Policy Templates.
In the Policy Template Groups pane, expand Policy Management > Templates grouped by type > Configuration.
Click the ArcSight Logger folder, and then do one of the following:
- To add a new policy template, in the Policy Templates pane, click the New Item button, and then click the Add New Policy Template... or the Add New Policy Template (Raw Mode) button.
  
  The New ArcSight Logger Template Editor opens.
- To edit an existing policy template, click the policy template in the Policy Templates pane, click the Edit Item button, and then click the Edit Policy Template or the Edit Policy Template (Raw Mode) button.
  
  The Edit ArcSight Logger Template Editor opens.

Tip You can also access the policy editor from the Edit Aspect dialog box (see —Policy Templates).

Learn more

ArcSight Logger Configuration Syntax

ArcSight Logger policies configure ArcSight Logger receivers on the system to which they are deployed. The policies must use the following syntax:

Receiver name, type, and state syntax

The policy template name determines the name of the receiver in ArcSight Logger. The policy parameters _logger_receiver_type and _logger_receiver_state define the receiver type and state.

For example, the policy "Audit Log", which contains the policy parameter _logger_receiver_type with the value localfile and the parameter _logger_receiver_state with the value true creates a receiver named "Audit Log" of the type "File Receiver" that is enabled in ArcSight Logger after deployment.

If the policy template does not contain the parameters _logger_receiver_type and _logger_receiver_state, the policy template by default creates a receiver of the type File Receiver. The state of the receiver in ArcSight Logger depends on the state of the deployed policy (that is, enabled or disabled). If the parameters exist in the policy template but have empty values, a receiver of the type File Receiver will be created in ArcSight Logger but will be disabled by default.

Parameter Name Parameter Type Parameter Value

_logger_receiver_type

Enumeration

Defines the receiver type. Supported values are:

`udp`	Creates a receiver for UDP messages (for example, SYSLOG).
`tcp`	Creates a receiver for TCP messages (for example, SYSLOG, which can also be sent with TCP).
`localfile`	Creates a receiver to read logs from a local or remote file system (for example, NFS, CIFS, or SAN).
`filetransfer`	Creates a receiver to read remote logs using scp, sftp or ftp.
`smartmsg`	Creates a receiver for encrypted SmartMessage messages sent by SmartConnectors.
`cefudp`	Creates a receiver for CEF (Common Event Format) messages sent through UDP.
`ceftcp`	Creates a receiver for CEF (Common Event Format) messages sent through TCP.

_logger_receiver_state

String

Defines the receiver state. Supported values are:

`true`	Sets the receiver state to enabled in ArcSight Logger.
`false`	Sets the receiver state to disabled in ArcSight Logger.

Receiver parameter syntax

The data part of an ArcSight Logger policy template defines the details of a receiver. Each receiver property is defined by a receiver parameter name-value pair. You can optionally create policy parameters for each receiver parameter and insert them as variables in place of the values.

For more information about the receiver parameters, see the ArcSight Logger Help.

Tip You can add as many different parameter name-value pairs to your ArcSight Logger policy template as you want. ArcSight Logger ignores parameters that are not relevant to the receiver configured by the policy template.

UDP, TCP, CEF UDP, and CEF TCP Receiver parameters

Parameter Name	Receiver Property
`ip`	IP/Host
`PORT`	Port
`Encoding`	Encoding

File Receiver parameters

Parameter Name	Receiver Property
`rfsname`	RFS Names
`folder`	Folder
`sourcetype`	Source Type
`wildcard`	Wildcard (regex)
`mode`	Mode
`renameext`	Rename extension
`charencoding`	Character encoding
`delayafterfirstseen`	Delay after seen
`datetimelocale`	Date/time locale
`datetimezone`	Date/time zone
`datetimelocregex`	Date/time loc regex
`datetimeformat`	Date/time format
`singlelinestart`	Event start (regex)

File Transfer Receiver parameters

Parameter Name	Receiver Property
`protocol`	Protocol
`port`	Port
`host`	Ip/Host
`username`	User
`password`	Password
`filepath`	File path
`schedule`	Schedule
`zipformat`	Zip Format
`sourcetype`	Source Type
`charencoding`	Character encoding
`delayafterfirstseen`	Delay after seen
`datetimelocale`	Date/time locale
`datetimezone`	Date/time zone
`datetimelocregex`	Date/time loc regex
`datetimeformat`	Date/time format
`singlelinestart`	Event start (regex)

Smart Message Receiver parameters

Parameter Name	Receiver Property
`Encoding`	Encoding

Tasks

How to Create an ArcSight Logger Policy

In the ArcSight Logger Policy Editor, in the Properties page, type a Name for the policy.

Optional. Provide a description of the policy (Description), select the instrumentation that will be deployed with the policy onto the host system where the agent is running (Instrumentation), and select the operating systems with which the policy is compatible (OS Types).

For more information, see Properties Page.
Use the Policy Parameters tab to create the _logger_receiver_state and the _logger_receiver_type parameters.

For more details, see Receiver name, type, and state syntax and Policy Parameters Tab.
In the Policy Data page, type the details of the receiver using name-value pairs. If you are creating a new policy, copy and paste template data from an existing policy template. Alternatively, click the button to load policy data from a policy template file on your computer.

For details, see Receiver parameter syntax.
Click Save and Close to save the policy template and exit the wizard.
Optional. If the receiver state has been set to false (disabled), enable the receiver in ArcSight Logger (Configuration > Event Input/Output) after the deployment.

UI Reference

User interface elements are described below (listed alphabetically):

Policy Data Page

UI Element	Description
	Load From Local File System: Click to open the Select file to upload dialog box. Use the dialog box to upload a policy file. Policy files are data files and their filenames end in `_data`.
	Save To Local File System: Click to download the policy to a policy data file on your system. You can then update the policy more comfortably in an editor of your choice. After completing your changes to the policy, upload the policy data file by clicking the Load From Local File System button. The policy editor automatically asks you to download policies that exceed 1 MB in file size.
	ArcSight Logger policies do not support syntax checking. You can click Check Syntax but the check fails to perform.
<policy data>	Policy data in text form. The policy editor highlights the policy syntax. If the policy exceeds 1,000 lines, syntax highlighting is automatically disabled. If the policy exceeds 1 MB in file size, the policy editor automatically asks you to download the policy to a file. For details, see ArcSight Logger Configuration Syntax.

Policy Parameters Tab

UI Element	Description
	Create Parameter: Open the Create Parameter dialog box.
	Edit Parameter: Open the Edit Parameter dialog box.
	Delete Parameter: Delete the selected parameter from the list.
	Synchronize Parameters: Check the policy template to make sure that variables in the format `%%<variable_name>%%` have corresponding parameters. Each variable should have one corresponding parameter. Also checks for unused parameters, for which no corresponding variable exists in the policy template. If any missing or unused parameters exist, the Synchronize Parameters dialog box opens. Read the summary, and then click Change or Ignore. If you click Change, the missing parameters are automatically created, and unused parameters are automatically deleted.
<Parameters>	List of parameters configured for this policy template. Parameters enable you to create policy templates that other users can easily customize. Each parameter corresponds to a variable in a policy template. A parameter gives consumers of a policy template the opportunity to specify the value of a variable, without having to modify the policy template themselves. To insert a parameter, drag the parameter from the Policy Parameters tab to any text field within a condition or an event definition in a policy template. Alternatively, type the parameter in the text box using the format `%%<variable_name>%%` (for example `%%CriticalThreshold%%`). An icon represents the type of parameter value, which can be one of the following: Enumeration (of several options) Number Password String

Properties Page

UI Element	Description
Name	Name of the policy. You can use spaces in the name. The equal sign (=) is not allowed. The name is set when the policy is created and cannot be changed in new versions of a policy.
Description	Description of what the policy does. You might also add other notes (for example, data sources that are used).
Template ID	GUID (globally unique identifier) assigned to the policy template when it is first created.
Version ID	GUID (globally unique identifier) assigned to this version of the policy template when it is saved. Each version of a policy template has a unique ID.
Version	The current version of the policy. If you modify an existing policy, you create a new version of the policy in the database with a unique version number. By default, the minor version number increases by one automatically after you modify the policy and save it. If you want to save the policy with a specific version number, you can select the major or minor version number that you want. It is not possible to replace an existing version of a policy. However, you can delete a specific version of a policy. Note If you modify a policy template that is part of an HPE Operations Manager i Management Pack, increase the minor version number only. The next version of the Management Pack normally uses the next major version number.
Change Log	Text that describes what is new or modified in this version of the policy.
Last Modification	The date and time that the policy was saved. The date and time displays using the current time zone of the computer on which the Web browser runs. The language setting of the Web browser determines the date and time format (for example, `09/14/2010 8:16:38 AM` for English (United States)). If the Web browser and the computer on which the server run have different language settings, the language setting of the Web browser takes precedence. However, English is the default language if the Web browser is configured to use a language that is not available on the server.
Last Modified by	The name of the user active when the policy was saved.
Instrumentation	Instrumentation selected for this policy. Instrumentation consists of one or more programs (for example scripts or executable files) that some policies may require to complete a configuration or monitoring task. Instrumentation is deployed to nodes that have HPE Operations Agent installed when the policy is deployed. Instrumentations are unavailable if they are grayed out and their names end with "(Placeholder)". Upload them by using the Content Manager.
OS Types	Types of operating system with which this policy is compatible. To enable platform neutrality, you can create several platform specific variations of the same policy, and include them all in one aspect. OMi ensures that a policy is deployed only to host nodes that have the operating systems that you specify. If you leave all the OS type check boxes clear, the policy can be deployed to host nodes with any operating system.

Send Help Center feedback