Thursday, January 3, 2008

ArcSight Test Alert Connector & Replay

If you use ArcSight and haven't heard of the Test Alert connector before, listen up. Especially if you have a test environment or need to perform stress testing on your ArcSight deployment/configuration, this should interest you.

There are really two components here. The first is part of your Manager: the ability to generate "replay" files for use with the Test Alert connector. Replay files are actually CSV-format event exports, so you may find this functionality very useful even if you never actually intend to replay them anywhere.

The first step is to think about which events you would like to export. Space is an issue depending on the time frame and type of events you want to export. If you need to stress test your hardware or rules, make sure you are going to get enough events to sustain the events/min or events/sec rate that you'd like to test up to. Beyond that, less is more, since it doesn't take much to end up with a very large (uncompressed, CSV text) replay file. Also, this feature makes use of filters defined in your ArcSight Manager, so if you have specific events you wish to select, review your current filters or create a new one for your export.

The next step is pretty easy. Log in to the manager and run 'arcsight replayfilegen' from the manager/bin directory. Then follow the prompts to log in, select a file name, time range, and filter.

Now that you're generating replay files, it's time to set up your Test Alert connector. Because you're not going to run Test Alert as a service, you can install it anywhere that is convenient for your purposes: your test server, your laptop, whatever. The install is the same as any connector; just select 'Test Alert' in the type dialog and then finish the install as you would normally.

To use it, copy your replay files into the 'current' directory and launch 'arcsight agents' from the 'bin' directory. You will need a GUI display for this, and I have found the X11 display to be flaky with missing or slow redraws to remote X servers. All of the *.events files in the connector's 'current' directory will be displayed. You can turn any combination on/off, select flow rate, and then click 'Continue' to start pumping events into your manager.
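Before you copy replay files into the connector's 'current' directory, it is worth checking that they hold enough events to sustain your target rate for the length of the test, and how much disk they take up uncompressed. The shell script below is an added example, not part of this post or of ArcSight; it assumes each *.events file is a CSV export with one header line and one event per line (the real column layout of an ArcSight replay file is not reproduced here, and the sample files it writes are constructed for the dry run).

```shell
#!/bin/sh
# Added example: size a set of replay (*.events, CSV) files against a target
# events-per-second rate before staging them into the Test Alert connector.
# Assumption: one header line, then one event per line. Not ArcSight's own code.

# count_events FILE -> number of event rows in FILE (header line excluded)
count_events() {
    n=$(wc -l < "$1")
    echo $((n - 1))
}

# total_events DIR -> sum of event rows across every *.events file in DIR
total_events() {
    total=0
    for f in "$1"/*.events; do
        [ -f "$f" ] || continue      # no match: the glob stays literal, skip it
        c=$(count_events "$f")
        total=$((total + c))
    done
    echo "$total"
}

# replay_bytes DIR -> uncompressed size in bytes of all *.events files in DIR
replay_bytes() {
    bytes=0
    for f in "$1"/*.events; do
        [ -f "$f" ] || continue
        b=$(wc -c < "$f")
        bytes=$((bytes + b))
    done
    echo "$bytes"
}

# sustain_seconds EVENTS EPS -> whole seconds EVENTS can feed the Manager at EPS
sustain_seconds() {
    echo $(( $1 / $2 ))
}

# check_enough DIR EPS SECONDS -> exit 0 if DIR can sustain EPS for SECONDS, else 1
check_enough() {
    have=$(sustain_seconds "$(total_events "$1")" "$2")
    if [ "$have" -ge "$3" ]; then
        echo "ok: $have s of events at $2 eps (need $3 s), $(replay_bytes "$1") bytes on disk"
        return 0
    fi
    echo "short: only $have s of events at $2 eps (need $3 s); export more or lower the rate"
    return 1
}

# write_sample FILE COUNT -> constructed replay-style CSV with COUNT event rows
# (placeholder columns and RFC 5737 test addresses, not a real ArcSight export)
write_sample() {
    printf 'eventTime,name,sourceAddress\n' > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '2008-01-03 10:00:%02d,Test Event,192.0.2.%d\n' \
            "$((i % 60))" "$((i % 254 + 1))" >> "$1"
        i=$((i + 1))
    done
}

# make_sample DIR -> two constructed files, 600 and 300 events, for a dry run
make_sample() {
    mkdir -p "$1"
    write_sample "$1/a.events" 600
    write_sample "$1/b.events" 300
}

# Usage (dry run against constructed data, then against a real staging dir):
#   . ./replay_budget.sh
#   make_sample ./sample && check_enough ./sample 10 60
#   check_enough /path/to/connector/current 50 600
```

Run check_enough against the directory you intend to stage before copying anything into the connector's 'current' directory; a non-zero exit means the export is too small for the rate and duration you asked for, which is exactly the case the post warns about.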

1 comment:

Kris said...

This is awesome. We just upgraded Arcsight and I needed something like this! Glad I discovered this blog! Keep it up!