
Hewlett-Packard Company

1390 Whitman Drive

West Melbourne, FL 32904

MacGyver Guide: Logger Byte Count per day Report

Paul MacGyver Carman

Sr. Solutions Engineer
Enterprise Security Software
M +1 321 615 1472


Paul MacGyver Carman (HP)




Guide to creating / exporting / importing a Logger report for counting raw bytes of collected events per day (done with Logger 5.5 Patch 1 {L7067, L250GB SE license})

Here are the steps I followed to create, export, and import a Logger report for counting the byte count of raw events feeding into ArcSight Logger.

Note 1: The GB/day byte counts are based on connector raw event statistics (deviceEventClassId = agent:050, deviceCustomString4Label of "Raw event length (SLC)"). For the report to return data, events from external connectors (not just internal demo data feeds) must be collected by Logger.

Note 2: For the import step of this guide, I took the export created in Logger 5.5 Patch 1 and successfully imported it into the following other Loggers:
  - Logger 5.5 Patch 1 appliance VM (a different instance)
  - Logger 5.3 SP1 (Logger 250GB SE VM)

Note 3: By default, reports cannot be imported into a report category (folder) that already contains content. For this guide, a new category folder is created to avoid any folder conflicts on imports to other ArcSight Loggers. Based on an iRock post (https://irock.arcsight.com/docs/DOC1930), the CAB can be set to not overwrite; that modification is not covered in this guide and has not been tested here.

The process outlined in this guide covers the following 5 areas:

1. Creating a new report category (folder) for the new ByteCount query and report
2. Creating the underlying ByteCount query to access the ArcSight Logger CORRe data store and sum raw byte information
3. Running the ByteCount report
4. Using iPackager in Logger to export the report category (folder), report, and underlying query (exports a .cab file and a .config file)
5. Using Deploy Report Bundle in Logger to import the report folder, report, and underlying query (imports the .cab file)

April 10, 2014

Adding a new Category for the ByteCount Report

1. Click Reports > Report Categories (under the Administration section)
2. Click the Add New Category button, located at the top of the box that displays all existing categories
3. Pick the new name for the category, as well as the access criteria for who can see the category (page 151 of the Logger 5.5 Admin Guide includes full details)
4. Click Save to add the category to the main list of available categories


Building Query (byte count) for report

1. Click Reports > Queries (under the Design section)
2. Click Add New
3. Click in the Name field and set the name for the query (for example, ByteCount_by_Day)
4. Click the Edit button (under the SQL section)
5. In the SQL Editor window that displays:
   a. Double-click events under the Entities section; the fields available in the events table are displayed on the right
   b. In the Design section on the right, select the following fields:
      i. arc_deviceReceiptTime
      ii. arc_deviceCustomString4 (this field contains the raw event byte counts)
   c. In the Select section, modify the select string to match the following:

         DATE(events.arc_deviceReceiptTime) as "Day",
         sum(events.arc_deviceCustomString4) as "Total (Bytes)",
         sum(events.arc_deviceCustomString4)/1024 as "Total (Kilobytes)",
         sum(events.arc_deviceCustomString4)/1024/1024 as "Total (Megabytes)",
         sum(events.arc_deviceCustomString4)/1024/1024/1024 as "Total (Gigabytes)"

   d. Clicking the Result tab at the top of the window displays the column naming
   e. From the Design tab, in the Where section:
      i. Click the + symbol two times to add 2 rows of where criteria
      ii. Set row 1 as:
          Operand1: events.arc_deviceVendor
          Operator: =
          Operand2: ArcSight (quotes included)
          Relation: AND
      iii. Set row 2 as:
          Operand1: events.arc_deviceEventClassId
          Operator: =
          Operand2: agent:050 (quotes included)
      iv. The end result will look like the following:
   f. In the Group By field, add: DATE(events.arc_deviceReceiptTime)
   g. In the Order By field, add: DATE(events.arc_deviceReceiptTime) ASC
   h. When complete, click OK (bottom right); the SQL design window closes automatically
6. From the Query Object Editor page, click Save
7. From the Save Query Object popup:
   a. Under (Root), click the report folder that was just created (or select the desired report folder to be used)
   b. Click Save
8. The Save Query Object window closes, and the status of the save is displayed in the Query Object Editor window
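The query the steps above assemble, run end to end over a constructed sample. This is an added example, not code from the guide or from ArcSight Logger: Python's sqlite3 stands in for Logger's report database, which is an assumption, and the `events` table layout, the sample rows, the `limit_gb` threshold and the `days_over_limit` helper are assumptions as well. The column names, the ArcSight / agent:050 filter, and the grouping and ordering are the guide's. Beyond the step list it shows two things worth checking before trusting the report: that rows from other vendors or other connector statistics are excluded by the Where criteria, and that a missing raw-length value does not break the daily sum.

```python
"""Run the guide's ByteCount_by_Day query against a constructed sample.

Added example, not part of the original guide or Logger itself: an in-memory
SQLite table mirrors the Logger `events` columns the guide uses, so the
SELECT/WHERE/GROUP BY/ORDER BY built in the SQL Editor can be executed and
checked offline. The table layout, the sample rows and the limit_gb
threshold are assumptions; the column names and filter values are the
guide's.
"""
import sqlite3

# Constructed sample rows: (receipt time, device vendor, event class id,
# raw event length). Logger stores arc_deviceCustomString4 as a string, so
# the byte counts are inserted as text, as a connector would report them.
SAMPLE_EVENTS = [
    ("2014-04-07 00:15:00", "ArcSight", "agent:050", "536870912"),   # 0.5 GB
    ("2014-04-07 12:15:00", "ArcSight", "agent:050", "536870912"),   # 0.5 GB
    ("2014-04-08 09:00:00", "ArcSight", "agent:050", "1073741824"),  # 1 GB
    ("2014-04-08 21:00:00", "ArcSight", "agent:050", "2147483648"),  # 2 GB
    ("2014-04-09 03:30:00", "ArcSight", "agent:050", "1048576"),     # 1 MB
    # Rows the WHERE clause must exclude:
    ("2014-04-08 10:00:00", "ArcSight", "agent:030", "999999999"),   # other statistic
    ("2014-04-08 11:00:00", "Cisco", "agent:050", "999999999"),      # other vendor
    ("2014-04-09 04:00:00", "ArcSight", "agent:050", None),          # missing length
]

# The query from the guide, with two adaptations for SQLite: an explicit
# CAST because the byte count lives in a string field (Logger's database
# converts it implicitly), and 1024.0 so the unit conversions do not use
# integer division.
BYTECOUNT_BY_DAY_SQL = """
SELECT DATE(events.arc_deviceReceiptTime) AS "Day",
       SUM(CAST(events.arc_deviceCustomString4 AS INTEGER)) AS "Total (Bytes)",
       SUM(CAST(events.arc_deviceCustomString4 AS INTEGER)) / 1024.0 AS "Total (Kilobytes)",
       SUM(CAST(events.arc_deviceCustomString4 AS INTEGER)) / 1024.0 / 1024 AS "Total (Megabytes)",
       SUM(CAST(events.arc_deviceCustomString4 AS INTEGER)) / 1024.0 / 1024 / 1024 AS "Total (Gigabytes)"
FROM events
WHERE events.arc_deviceVendor = 'ArcSight'
  AND events.arc_deviceEventClassId = 'agent:050'
GROUP BY DATE(events.arc_deviceReceiptTime)
ORDER BY DATE(events.arc_deviceReceiptTime) ASC
"""


def load_events(rows):
    """Create the minimal events table (assumed layout) and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        " arc_deviceReceiptTime TEXT,"
        " arc_deviceVendor TEXT,"
        " arc_deviceEventClassId TEXT,"
        " arc_deviceCustomString4 TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return conn


def bytecount_by_day(rows=SAMPLE_EVENTS):
    """Return [(day, bytes, kilobytes, megabytes, gigabytes), ...], one per day."""
    conn = load_events(rows)
    try:
        return conn.execute(BYTECOUNT_BY_DAY_SQL).fetchall()
    finally:
        conn.close()


def days_over_limit(report_rows, limit_gb):
    """Days whose raw-byte total exceeds an assumed daily GB threshold."""
    return [day for day, _b, _kb, _mb, gb in report_rows if gb > limit_gb]


if __name__ == "__main__":
    report = bytecount_by_day()
    for day, total_bytes, kb, mb, gb in report:
        print(f"{day}  {total_bytes:>12} B  {mb:10.2f} MB  {gb:8.4f} GB")
    # Assumed threshold: flag days above 2 GB of raw input.
    print("over 2 GB/day:", days_over_limit(report, 2.0))
```

The `days_over_limit` check is the natural follow-on to this report: comparing each day's total against the daily volume your license or capacity plan allows turns the report from a chart into an alert for ingest spikes, and a day that unexpectedly drops to near zero is equally worth a look, since it usually means a connector stopped sending rather than that the sources went quiet.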

Building the Logger ByteCount report (using the new ByteCount query)

1. Click Reports > New Report
2. From the Adhoc Report Designer:
   a. In the Template drop-down (right side), select Delicate
      i. Any template can be used; for standard reports, Delicate is used because it uses blue in the header and table shading
   b. In the Report Title field, set the name (for example, Logger Daily ByteCount Report)
   c. Next to the Query Editor field, click the folder icon
   d. Browse to the BytesPerDay query (under Root > MacGyverPack_140602a) and double-click it
      i. The list of fields defined in the report is displayed in the left column under Available Fields
   e. Click the >> button to add all fields to the report
   f. Click the Create Chart section (bottom of the Adhoc Report Designer page; the small arrow next to the text expands it)
      i. Click Day in the Available Fields list
         - Click the > arrow next to Group Fields (X-Axis)
         - Select Group By: Day
         - Select Display Field: Day
      ii. Click Total (Gigabytes) in the Available Fields list
         - Click the > arrow next to Group Fields (Y-Axis)
         - Select Function: Max
         - Select Chart Type: Bar
   g. When complete, click Save
3. From the Save Report Layout As window:
   a. Pick the destination folder for the report (for example, click Root > MacGyverPack_140602a)
   b. Set the Report Name to be saved (for example, Logger Daily ByteCount Report)
   c. Click Save
4. From the report save confirmation window, click Close


Running the Logger ByteCount report (using the new ByteCount query)

1. Click Reports > Report Explorer > MacGyverPack_140602a
   - In this example, MacGyverPack_140602a was the save destination
2. Click the Logger Daily ByteCount Report
3. Click the top report-running icon (Quick Run with default options)
4. In the report parameters window, change the Start time to match your requirement. For example: $Now - 1w
5. Set the scan limit to 0
   - The default is 100000; there is no need to limit rows
6. Click Run Now

Example report


Exporting the Report and related Queries (for sharing with other ArcSight Logger users)

1. Log on to the source Logger (from which the report / underlying query will be
2. Click Reports > iPackager
3. If Java security warnings are listed, follow these steps; if the iPackager build window displays, skip to Step 4.
   Newer versions of Java report trust issues relating to the Java components used by iPackager. Where applicable, click Continue to get past the initial Java-related trust errors. You can add the Logger system to the trusted site list in the Java settings:
   a. From a Windows system, Start > All Programs > Java > Configure
   b. Click the Security tab
   c. Click Edit Site List
   d. Click the Add button
   e. Add the IP address for your Logger system, and click OK
   f. Click OK to close the Java control panel
   g. Re-access iPackager
   h. When prompted with the Security Warning, click I accept the risk and click Run
   i. At the security warning window, click Don't Block
   j. At the next Security Warning window, click Run to allow system to
4. When all prompts are accepted, the iPackager CAB builder window is displayed
5. Select the Import Selective Data from Report Server button
   - The following import window displays
6. For this report example, select Reports and Query Objects
   - When the Reports checkbox is selected, the Categories checkbox is also automatically selected (this is the default; leave it selected)
7. Click Next
8. Expand the repository list displayed (click the + symbol), and check the content to be exported
   - In this example, the MacGyverPack_140602a folder and all of its contents were selected
9. Click Next
   - A summary of the selected items is displayed
10. Click the Import from Report Server button
11. From the main Build Properties window, fill in the details about the package that was just built. Include Author, Company, Version, and a Comment
   - At the bottom of the window, a summary of the actions taken for the import is listed
12. Click the Build CAB button
13. Name the .conf file, and browse to the destination directory
   - The .conf file contains the definition of the content included in the CAB file, and is needed if you want to modify the contents of the CAB file (which contains the content being deployed on Logger) in the future
14. Click Save
15. Name the .cab file, and browse to the destination directory
   - The .cab file contains the content being deployed on Logger
16. Click Save
17. The CAB file is created and saved
18. Details about the file saves are also displayed in the Messages tab
19. From the destination directory for the .conf and .cab files, you can browse to the target directory to access the files
   - For sharing newly created content, the CAB file is the one that needs to be shared
   - For updating the contents of the CAB file (for example, adding new reports and queries), the CONF file is used
Importing the Report and related Queries (for sharing with other ArcSight Logger users)

1. Log on to the target Logger (to which the report / underlying query will be
2. Click Reports > Deploy Report Bundle (under the Administration section)
   - The Deploy Repository Bundle options are displayed
3. Click Browse, click the CAB file to be imported, and click Open
4. Click Upload
   - A CAB summary page is displayed, which includes details about the contents of the CAB
5. Click Deploy (in the Step 2 section)
   - A summary of the deployment results is displayed in Step 3
6. Access Reports > Report Explorer to verify the report category and report were
7. Run the report to verify the content runs successfully