Micro Focus ArcSight Logger

Version: 2.0.0

ArcSight Logger delivers a universal log management solution that unifies searching, reporting, alerting, and analysis across any type of enterprise machine data.

Connect ArcSight Logger with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for ArcSight Logger.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Server URL: Application server URL to connect to the ArcSight Logger. Example: abc.abcd.net or 10.10.10.10.
    • Server Port (Optional): Application server port to connect to the ArcSight Logger (Default is 443).
    • Login ID: The Login ID to connect to the ArcSight Logger.
    • Password: The Password to connect to the ArcSight Logger.
  4. After you've entered all the details, click Connect.

Actions for ArcSight Logger

Search Events

Search event objects in ArcSight Logger.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name (Required/Optional): Description

  • Jinja Template for Query (Required): Jinja-templated text containing the search query string to filter/process the events. Example: message CONTAINS {{query_column_name}}.
  • Start Time (Optional): Column name from the parent table to look up the value for the start time (Default is Batch start time). Example value: 2020-08-25T21:49:46.000-07:00.
  • End Time (Optional): Column name from the parent table to look up the value for the end time (Default is Batch end time). Example value: 2020-08-26T21:49:46.000-07:00.
  • Search Time (Optional): Select which timestamp field is used for searching events (Default is Received Time).
  • Jinja Template for Fields (Optional): Jinja-templated text containing a comma-separated list of the fields to show, in order (Default is all fields). Example: {{fields_column1}}, {{fields_column2}}.
  • Number of results (Optional): Maximum number of results to return; must be between 1 and 10,000 (Default is 100).
  • Timeout (Optional): Maximum timeout duration per search, in milliseconds, for results to return (Default is 600000 milliseconds, 10 minutes).
  • Discover Fields (Optional): Select whether the search should try to discover fields in the events found. Only considered when Field Summary is set to True; otherwise ignored (Default is False).
  • Jinja Template for Summary Fields (Optional): Jinja-templated text containing a comma-separated list of fields used to calculate the summary when Field Summary is True (Default is empty). Example: {{summary_fields_column1}}, {{summary_fields_column2}}.
  • Field Summary (Optional): Select whether to use the field summary (Default is False).
  • Local Search (Optional): Setting it to True indicates that the search is local only and does not include peers. Set it to False to include peers in the search (Default is False).
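To make the input semantics concrete, here is an added Python example (not LogicHub or ArcSight code) that renders the Jinja-templated inputs from a parent-table row and assembles the search parameters with the documented defaults and constraints; the {{column}} renderer is a minimal stand-in for Jinja, and the returned key names are assumptions, not the integration's actual API fields.

```python
import re
from datetime import datetime

# Constructed example for the Search Events inputs documented above; it is not
# LogicHub or ArcSight code, and the key names in the returned dict are
# assumptions, not the integration's real API fields.
DEFAULT_MAX_RESULTS = 100
DEFAULT_TIMEOUT_MS = 600_000        # 10 minutes, as documented
RESULT_BOUNDS = (1, 10_000)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, row):
    """Minimal stand-in for Jinja: substitute {{column}} with the parent-row value."""
    def sub(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references unknown column {name!r}")
        return str(row[name])
    return _PLACEHOLDER.sub(sub, template)

def iso_to_epoch_ms(value):
    """Parse the documented form 2020-08-25T21:49:46.000-07:00 (offset-aware)
    into epoch milliseconds, the unit the action's output timestamps use."""
    return int(datetime.fromisoformat(value).timestamp() * 1000)

def split_fields(rendered):
    """Turn the rendered comma-separated field list into a clean Python list."""
    return [f.strip() for f in rendered.split(",") if f.strip()]

def build_search_params(row, query_tpl, fields_tpl="", summary_fields_tpl="",
                        start_col="", end_col="", max_results=DEFAULT_MAX_RESULTS,
                        timeout_ms=DEFAULT_TIMEOUT_MS, field_summary=False,
                        discover_fields=False, local_search=False):
    lo, hi = RESULT_BOUNDS
    if not lo <= max_results <= hi:
        raise ValueError(f"Number of results must be between {lo} and {hi}")
    params = {
        "query": render(query_tpl, row),
        "maxResults": max_results,
        "timeoutMs": timeout_ms,
        "fieldSummary": field_summary,
        # Discover Fields is only honoured when Field Summary is True; otherwise ignored.
        "discoverFields": discover_fields and field_summary,
        "localSearch": local_search,    # True = local only, False = include peers
    }
    if fields_tpl:
        params["fields"] = split_fields(render(fields_tpl, row))
    if field_summary and summary_fields_tpl:
        params["summaryFields"] = split_fields(render(summary_fields_tpl, row))
    for key, col in (("startTime", start_col), ("endTime", end_col)):
        if col:                         # the input is a column name, not the timestamp
            params[key] = iso_to_epoch_ms(row[col])
    return params
```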

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • result: List of events (two sample events are shown below).

{
  "Device": "Logger",
  "Event Time": 1598959891935,
  "Logger": "Local",
  "Receipt Time": 1598960492511,
  "Version": "0",
  "_rowId": "531-0@Local",
  "agentSeverity": "2",
  "baseEventCount": 1,
  "destinationUserId": "1",
  "destinationUserName": "admin",
  "deviceCustomString4": "F3B80A1A9548F6FF7A962708E559D967",
  "deviceCustomString4Label": "Session ID",
  "deviceEventCategory": "/Logger/Resource/Dashboard/Configuration/Add",
  "deviceEventClassId": "logger:580",
  "deviceProduct": "Logger",
  "deviceReceiptTime": 1598959891883,
  "deviceVendor": "ArcSight",
  "deviceVersion": "7.1.0.8337.0",
  "endTime": 1598959891883,
  "error": null,
  "fileId": "1369094286720630795",
  "fileName": "Summary",
  "fileType": "Dashboard",
  "globalEventId": 0,
  "has_error": false,
  "message": "Dashboard [Summary] has been added",
  "name": "Dashboard added",
  "startTime": 1598959891883
},
{
  "Device": "Logger",
  "Event Time": 1598959891987,
  "Logger": "Local",
  "Receipt Time": 1598960492511,
  "Version": "0",
  "_rowId": "531-1@Local",
  "agentSeverity": "2",
  "baseEventCount": 1,
  "destinationUserId": "1",
  "destinationUserName": "admin",
  "deviceCustomString4": "F3B80A1A9548F6FF7A962708E559D967",
  "deviceCustomString4Label": "Session ID",
  "deviceEventCategory": "/Logger/Resource/Dashboard/Configuration/Update",
  "deviceEventClassId": "logger:582",
  "deviceProduct": "Logger",
  "deviceReceiptTime": 1598959891985,
  "deviceVendor": "ArcSight",
  "deviceVersion": "7.1.0.8337.0",
  "endTime": 1598959891985,
  "error": null,
  "fileId": "1369094286720630795",
  "fileName": "Summary",
  "fileType": "Dashboard",
  "globalEventId": 0,
  "has_error": false,
  "message": "Dashboard [Summary] has been updated",
  "name": "Dashboard updated",
  "startTime": 1598959891985
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© 2017-2021 LogicHub®. All Rights Reserved.