
Hewlett-Packard Company
1390 Whitman Drive
West Melbourne, FL 32904
hp.com

MacGyver Guide: Logger Byte Count per day Report

Paul MacGyver Carman
Sr. Solutions Engineer
Enterprise Security Software
M +1 321 615 1472
paul.mac.carman@hp.com

From: Paul MacGyver Carman (HP)

Date: 6/2/2014

Re: Guide to creating / exporting / importing a Logger report for counting raw bytes of collected events per day (done with Logger 5.5 Patch 1 {L7067, L250GB SE license})

Here are the steps I followed to create, export, and import a Logger report that counts the bytes of raw events feeding in to ArcSight Logger.

Note 1: The GB/day byte counts are based on connector raw event statistics (deviceEventClassId = agent:050, deviceCustomString4Label of Raw event length (SLC)). For the report to return data, Logger must be collecting events from external connectors (not just internal demo data feeds).

Note 2: For the import step of this guide, I took the export created in Logger 5.5 Patch 1 and successfully imported it into the following other systems/versions:
- Logger 5.5 Patch 1 appliance VM (a different instance)
- Logger 5.3 SP1 (Logger 5.3.1.6838.0) 250GB (SE VM)

Note 3: By default, reports cannot be imported into a report category (folder) that already contains content. For this guide, a new category folder is created to avoid any folder conflicts on imports to other ArcSight Loggers. Based on an iRock post (https://irock.arcsight.com/docs/DOC1930), CAB can be set to not overwrite. This modification is not covered in this guide and has not been tested here.

The process outlined in this guide covers the following 5 areas:

1. Creating a new report category (folder) for the new ByteCount query and report
2. Creating the underlying ByteCount query to access the ArcSight Logger CORRe data store and sum raw byte information
3. Running the ByteCount report
4. Using iPackager in Logger to export the report category (folder), report, and underlying query (exports a .cab file, and a .config file)
5. Using Deploy Report Bundle in Logger to import the report folder, report, and underlying query (imports the .cab file)

April 10, 2014

Adding a new Category for the ByteCount Report

1. Click Reports > Report Categories (under Administration section)
2. Click the Add New Category button located on top of the box that displays all existing categories.
3. Pick the new name for the category, as well as the access criteria on who can see the category (page 151 of Logger 5.5 Admin Guide includes full details)
4. Click Save to add the Category to the main list of available categories

Page 2 of 17


Building Query (byte count) for report

1. Click Reports > Queries (under Design section)
2. Click Add New
3. Click in the Name field and set the name for the query
   - For example: ByteCount_by_Day
4. Click Edit button (under SQL section)
5. In the SQL Editor window that displays:
   - Double-click events under the Entities section
     i. Fields available in the events table are displayed on the right
   - In the Design section on right, select the following fields:
     i. arc_deviceReceiptTime
     ii. arc_deviceCustomString4
        1. This field contains the raw event byte counts
   - In the Select section, modify the select string to match the following format:

       DATE(events.arc_deviceReceiptTime) as "Day",
       sum(events.arc_deviceCustomString4) as "Total (Bytes)",
       sum(events.arc_deviceCustomString4)/1024 as "Total (Kilobytes)",
       sum(events.arc_deviceCustomString4)/1024/1024 as "Total (Megabytes)",
       sum(events.arc_deviceCustomString4)/1024/1024/1024 as "Total (Gigabytes)"

     i. Clicking on the Result tab at the top of the window will display the column naming:
   - From the Design tab, in the Where section
     i. Click the + symbol two times to add 2 rows for where criteria
     ii. Set row 1 as:
        1. Operand1: events.arc_deviceVendor
        2. Operator: =
        3. Operand2: ArcSight (quotes included)
        4. Relation: AND
     iii. Set row 2 as:
        1. Operand1: events.arc_deviceEventClassId
        2. Operator: =
        3. Operand2: agent:050 (quotes included)
     iv. End result will look like the following:
   - In the Group By field, add:
     i. DATE(events.arc_deviceReceiptTime)
   - In the Order By field, add:
     i. DATE(events.arc_deviceReceiptTime) ASC
   - When complete, click OK (bottom right)
     i. The SQL design window will close automatically
   - From the Query Object Editor page, click Save
   - From the Save Query Object popup
     i. Under (Root), click the report folder that was just created (or select desired report folder to be used)
     ii. Click Save
   - The Save Query Object window closes, and a status of the save displays in the Query Object Editor window
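The Select, Where, Group By and Order By pieces from the steps above, assembled into one statement and run with sqlite3 over a constructed events table, so the vendor/class filter and the per-day sums can be checked offline. This is an added example and not code from the guide or from ArcSight; the four-column events schema, the sample rows and single-quoted SQL string literals are assumptions (in Logger, arc_deviceCustomString4 is a string field, so the sum relies on the database converting it to a number).

```python
import sqlite3

# Constructed sample rows standing in for Logger's events table: connector
# raw-event statistic records (vendor ArcSight, class agent:050, byte length
# in arc_deviceCustomString4) mixed with rows the WHERE clause must exclude.
SAMPLE_EVENTS = [
    # (arc_deviceReceiptTime, arc_deviceVendor, arc_deviceEventClassId, arc_deviceCustomString4)
    ("2014-06-01 08:00:00", "ArcSight", "agent:050", 2048),
    ("2014-06-01 20:30:00", "ArcSight", "agent:050", 1024),
    ("2014-06-01 21:00:00", "ArcSight", "agent:030", 99999),    # not a raw-event statistic
    ("2014-06-02 03:15:00", "ArcSight", "agent:050", 3072),
    ("2014-06-02 04:00:00", "ArcSight", "agent:050", 2097152),  # 2 MiB
    ("2014-06-02 04:30:00", "Cisco", "agent:050", 5555),        # wrong vendor
    ("2014-06-02 05:00:00", "ArcSight", "agent:050", None),     # missing count, ignored by sum()
]

# The guide's Select / Where / Group By / Order By pieces as one statement.
# Single-quoted string literals are assumed.
BYTE_COUNT_BY_DAY_SQL = """
SELECT DATE(events.arc_deviceReceiptTime) AS "Day",
       sum(events.arc_deviceCustomString4) AS "Total (Bytes)",
       sum(events.arc_deviceCustomString4)/1024 AS "Total (Kilobytes)",
       sum(events.arc_deviceCustomString4)/1024/1024 AS "Total (Megabytes)",
       sum(events.arc_deviceCustomString4)/1024/1024/1024 AS "Total (Gigabytes)"
FROM events
WHERE events.arc_deviceVendor = 'ArcSight'
  AND events.arc_deviceEventClassId = 'agent:050'
GROUP BY DATE(events.arc_deviceReceiptTime)
ORDER BY DATE(events.arc_deviceReceiptTime) ASC
"""


def byte_count_by_day(rows=SAMPLE_EVENTS):
    """Load rows into an in-memory events table and run the report query.

    Returns one (day, bytes, kilobytes, megabytes, gigabytes) tuple per day.
    With integer inputs sqlite3 truncates the divisions to whole units.
    """
    con = sqlite3.connect(":memory:")
    # Assumed schema: only the four columns the query touches.
    con.execute("""CREATE TABLE events (
        arc_deviceReceiptTime TEXT, arc_deviceVendor TEXT,
        arc_deviceEventClassId TEXT, arc_deviceCustomString4 INTEGER)""")
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    result = con.execute(BYTE_COUNT_BY_DAY_SQL).fetchall()
    con.close()
    return result
```

Running it with the constructed rows gives one line per day; the agent:030 row, the Cisco row and the row with no byte count do not contribute to the totals.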

Building the Logger ByteCount report (using the new ByteCount query)

1. Click Reports > New Report
2. From the Adhoc Report Designer
   - In the Template drop down (right side), select Delicate
     i. Can use any template; for standard reports, using Delicate because it uses Blue in header and table shading
   - In the Report Title field, set name:
     i. For example, Logger Daily ByteCount Report
   - Next to the Query Editor field, click the folder icon
   - Browse to the BytesPerDay query (under Root > MacGyverPack_140602a), and double-click on it
     i. The list of fields defined in the report display on the left column under Available Fields
   - Click the >> button to add all fields to the report
   - Click the Create Chart section (bottom of Adhoc Report Designer page, small arrow next to text to expand it)
     i. Click Day from Available Fields list
        1. Click the > arrow next to the Group Fields (X-Axis) section
        2. Select Group By Day
        3. Select Display Field Day
     ii. Click Total (gigabytes) from Available Fields list
        1. Click the > arrow next to the Group Fields (Y-Axis) section
        2. Select Function Max
        3. Select Chart Type Bar
3. When complete, click Save
4. From Save Report Layout As window:
   - Pick destination folder for report
     i. For example, click Root > MacGyverPack_140602a
   - Set Report Name to be saved
     i. For example Logger Daily ByteCount Report
5. Click Save
   - From the report save confirmation window, click Close


Running the Logger ByteCount report (using the new ByteCount query)

1. Click Reports > Report Explorer > MacGyverPack_140602a
   - In this example, MacGyverPack_140602a was the save destination
2. Click the Logger Daily ByteCount Report
3. Click the top report running icon (Quick Run with default options)
4. In the report parameters window, change the Start time to match your requirement. For example:
   - $Now - 1w
5. Set scan limit to 0
   - Default is 100000; there is no need to limit rows
6. Click Run Now

Example report


Exporting the Report and related Queries (for sharing with other ArcSight Logger users)

1. Log on to the source Logger (from which the report / underlying query will be exported)
2. Click Reports > iPackager
3. If Java security warnings are listed, follow these steps; if the iPackager build window displays, skip to Step 4.
   Note: Newer versions of Java report trust issues relating to the Java components of iPackager. Where applicable, click Continue to get past the initial Java-related trust errors. You can add the Logger system to a trusted system list in the Java settings:
   - From a Windows system, Start > All Programs > Java > Configure Java
   - Click Security tab
   - Click Edit Site List
   - Click Add button
   - Add the IP address for your Logger system, and click OK
   - Click OK to close the Java control panel
   - Re-access iPackager
   - When prompted with the Security Warning, click I accept the risk and click Run
   - At the security warning window, click Don't Block
   - At the next Security Warning window, click Run to allow the system to continue
   - When all prompts are accepted, the iPackager CAB builder window is displayed
4. Select the Import Selective Data from Report Server button
5. The following import window displays
6. For this report example, select Reports and Query Objects
   - When the Reports checkbox is selected, the Categories check box is also automatically selected. (This is the default; leave this selected.)
7. Click Next
8. Expand the repository list displayed (click on the + symbol), and check the content to be exported.
   - In this example, I selected the MacGyverPack_140602a folder and all of its contents
9. Click Next
   - A summary of the selected items is displayed
10. Click on the Import from Report Server button
11. From the main Build Properties window, fill in the details about the package that was just built. Include Author, Company, Version, and a Comment
    - At the bottom of the window, a summary of the actions taken for the import is listed
12. Click the Build CAB button
13. Name the .conf file, and browse to the destination directory
    - The .conf file contains the definition of the content included in the CAB file, and is needed if you want to modify the contents of the CAB file in the future (the CAB file contains the content being deployed on Logger)
14. Click Save
15. Name the .cab file, and browse to the destination directory
    - The .cab file contains the content being deployed on Logger
16. Click Save
17. The CAB file is created and saved
18. Details about the file saves are also displayed in the Messages tab
19. From the destination directory for the conf and cab files, browse to the target directory to access the files.
    - For sharing newly-created content, the CAB file is the one that needs to be shared
    - For updating the contents of the CAB file (for example, adding new reports and queries), the CONF file is used

Importing the Report and related Queries (for sharing with other ArcSight Logger users)

1. Log on to the target Logger (to which the report / underlying query will be imported)
2. Click Reports > Deploy Report Bundle (under Administration section)
   - The Deploy Repository Bundle options are displayed
3. Click Browse, click on the CAB file to be imported, and click Open
4. Click Upload
   - A CAB summary page is displayed, which includes details about the contents of the CAB
5. Click Deploy (in the Step 2 section)
6. A summary of the deployment results is displayed in Step 3
7. Access Reports > Report Explorer to verify the report category and report were imported
8. Run the report to verify the content runs successfully

###
