Tuesday, March 27, 2012

Why does ArcSight Support require logs, and which log files do I need to provide?

ArcSight Technical Support requires logs to analyze the problem and to provide the best solution to the customer.

To perform the detailed problem analysis, the logs are needed for the following reasons:

1. To look at the details of the error messages.

2. To find and compare the time stamps of the error across the various logs.

3. To find out how many times the error has occurred and how the system is reacting to it.

4. To replicate the scenario on ArcSight's test systems and to compare the test logs with the customer's logs.

Note: Always provide the latest logs to ArcSight Support.

ArcSight Logs overview

ArcSight Console

Log Name: console.log

Location: <ARCSIGHT_HOME>/current/logs

Log Contents:
* Console exceptions
* Login failures
* Server exceptions passed to the Console
* Certificate problems

Oracle Logs

1. Log Name: alert_arcsight.log

Location: /admin/arcsight/bdump

Log Contents:
* Information/errors related to database down or database being hung
* Information/errors related to redo archive logging
* Information/errors related to db file/OS corruption

2. Log Name: Listener.log

Location: \network\log


Log Contents:
* Information related to startup/shutdown of the Oracle Listener

3. Log Name: Sqlnet.log

Location: \network\log

Log Contents:
* Information/errors related to connection failures

ArcSight DB Logs:

1. Log name: On Database Server /logs/agent.log

Log Contents:
* Information and errors related to archiving and reactivation

2. Log name: On Database Server /logs/agent.out.wrapper.log

Log Contents:
* Information and related errors on the startup of the PA

ArcSight Web

Location: All of the ArcSight Web logs are located on the server with ArcSight Web at /logs/default

1. Log Name: Server.status.log

Log Contents:
* Information on open sessions
* General health status

2. Log Name: Webserver.log

Log Contents:
* Communication with the Manager
* Related errors/warnings

3. Log Name: Webserver.std.log

Log Contents:
* Server start/stop messages
* Information on thread dumps
* Information on startup exceptions
* Information on memory status

ArcSight SmartConnector

Location: All of the SmartConnector logs are located on the connector server at /current/logs

1. Log Name: Agent.log

Log Contents:
* Startup information, i.e. loaded parsers and categorization files
* Connector/Manager communication information
* Device communication information
* Event throughput statistics
* Operational errors and warnings
* Connector files, i.e. queue and cache files

2. Log Name: Agent.out.wrapper.log

Log Contents:
* Startup messages
* JVM details
* Environment details
* Simple event throughput statistics
* Memory information

3. Log Name: agent.properties file

Location: <ARCSIGHT_HOME>\current\user\agent

Contents:
* SmartConnector Configuration

ArcSight Connector Appliance

Log Location: All of the logs can be collected from the GUI: Manage > Localhost > Containers tab. Check the Container you need logs for and click the Logs button. Follow the wizard.

1. Container logs are the same as ArcSight SmartConnector logs above. Container logs are for issues with a single container or SmartConnector.

a. Agent.out.wrapper.log pertains to the logs for the Container

Log Contents:

* Startup messages
* JVM details
* Environment details
* Simple event throughput statistics
* Memory information

b. Agent.log file pertains to the SmartConnectors running inside the Container

Log Contents:

* Startup information, i.e. loaded parsers and categorization files
* Connector -> Manager communication information
* Device communication information
* Event throughput statistics
* Operational errors and warnings
* SmartConnector files, i.e. queue and cache files

Log Location: Setup > Backup/Restore > Appliance Snapshot

Snapshots include logs for all Containers, Platform, and System.
Snapshot logs are for issues with the appliance.

ArcSight Manager

Location: On the Manager server at ARCSIGHT_HOME/logs/default

1. Log Name: Server.log

Log Contents:
* Most detailed information about the Manager's health; contains errors or exceptions

2. Log Name: Server.std.log

Log Contents:
* Memory information, persistence times, thread dumps

3. Log Name: Server.status.log

Log Contents:
* Detailed information about every component

4. Log Name: Server.report.log

Log Contents:
* Contains information about every report including report ID and query

5. Log Name: Server.sql.log

Log Contents:
* Contains SQL explain plans when requested

6. Log Name: Partitionmanager.log

Log Contents:
* Errors related to partition creation failures
* General information about Partition Manager tasks

7. Log Name: Partitionarchiver.log

Log Contents:
* Errors related to Partition Archiver problems (also see agent.log on the database)
* General information about Partition Manager tasks


8. Log Name: Partitioncompressor.log

Log Contents:
* Errors related to Partition Compressor failures
* General information about Partition Compressor tasks

9. Log Name: Partitionstatsupdator.log

Log Contents:
* Errors about partition stats jobs
* General information about Partition Stats collection

ArcSight Logger

Log Location: All of the Logger logs can be collected from Logger GUI: GUI Configuration>retrieve logs


ArcSight NSP

1. Log Name: Command Log.

Log Location:
- For NCM issues, get the NCM Job Log from the GUI: NCM > View NCM Job Log > View details of the Config Management (CM) action > View Tasks > Command Log

- For TRM issues, get the TRM Job Log from the GUI: TRM > View Response Log > View Details > View Tasks > Command Log

2. Log Name: System's Error Log

Log Location: From the GUI: Admin > System > Error Log > copy/paste.

3. Log Name: Device Debug log

Location: From the GUI: Network Devices > Debug Log > click on the device IP > copy/paste.

4. Log Name: Support logs (most complete logs from NSP system):

Log Location: From the GUI: Admin > System > Error Log > click Support Logs

ArcSight Express

The log file for each component can be found in the following location:

1. On ArcSight Express Appliance:

1. First Boot Wizard: /opt/arcsight/manager/logs/firstboot.log

2. ArcSight Database: /opt/arcsight/db/logs

3. ArcSight Manager: /opt/arcsight/manager/logs/default

4. ArcSight Web: /opt/arcsight/web/logs/default

5. ArcSight Forwarding Connector: /opt/arcsight/connector/current/logs

2. On ArcSight Express Storage Appliance

ArcSight Logger: /opt/arcsight/logger/logs

3. On the machine where Console is installed:

ArcSight Console: \current\logs
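To follow the "always provide the latest logs" note on an ArcSight Express appliance, the script below is an added example (not an ArcSight tool and not part of the original article) that bundles recently modified files from the appliance paths listed above into one archive. The function name, the 7-day default and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: bundle recent ArcSight Express logs for a support case.
# The directory list is taken from this article; everything else is illustrative.

collect_arcsight_logs() {
    root=${1:-/}    # filesystem root to read from ("/" on the appliance itself)
    out=$2          # archive to create (use an absolute path)
    days=${3:-7}    # keep only files modified within this many days
    list=$(mktemp "${TMPDIR:-/tmp}/arcsight-logs.XXXXXX") || return 1

    for rel in \
        opt/arcsight/manager/logs/firstboot.log \
        opt/arcsight/db/logs \
        opt/arcsight/manager/logs/default \
        opt/arcsight/web/logs/default \
        opt/arcsight/connector/current/logs \
        opt/arcsight/logger/logs
    do
        if [ -e "$root/$rel" ]; then
            # Relative names keep the archive layout identical to the appliance.
            (cd "$root" && find "$rel" -type f -mtime "-$days" -print) >> "$list"
        else
            # Logger lives on the storage appliance, so a miss here is normal.
            echo "skip (not on this host): /$rel" >&2
        fi
    done

    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        # Logs can hold user names, hosts and queries: keep the bundle private.
        (umask 077; tar -czf "$out" -C "$root" -T "$list")
    fi
    rm -f "$list"
    echo "$count"   # number of files bundled
}

# Stand-alone use: ./collect.sh /tmp/case-logs.tgz [days]
if [ "$#" -ge 1 ]; then
    collect_arcsight_logs / "$1" "${2:-7}"
fi
```

The Console log is on a separate machine and is not covered by this script.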

Other Related Articles:

1. Run RDA for slow Database
Installing and running the Oracle Remote Diagnostic Agent on UNIX.


2. Take Manager Thread dumps:


Generate Thread Dumps

3. Enable SQL Explain Plans
