Tuesday, March 27, 2012

How can I backup the complete data from the container so that the restore is successful?

Using the default "Backup Files" repository to back up my container only captures the agent.properties file and the agent.wrapper.conf file. As a result, SmartConnectors that need certs, parser overrides, map files, etc., are not restored successfully.

By default, the "Backup Files" Repository has the following regular expressions:

Download

Exclude regular expression : (agentdata/ |cwsapi_fileset_).*$

Upload

Delete exclude regular expression: (agentdata/ | agent.wrapper.conf | cwsapi_fileset_).*$

These exclude expressions drop the files the SmartConnector depends on (certs, parser overrides, map files, etc.), so they never reach the container backup and a restore from that backup is incomplete.

Workaround:

Create a new Repository and leave the "exclude regular expression" empty for both the Download and the Upload section, as follows:

1. From the Connector Appliance UI, go to Setup > Repositories

2. Select New Repository

3. Enter the Name, Display Name, Item display name and Filename Prefix

4. Save the created Repository.
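The practical check after creating the new repository is to confirm that the backup archive really contains the artifacts the restore will need, rather than discovering the gap when a restored container fails to start. The script below is an added example, not ArcSight's own tooling or part of the KB entry. It assumes a container backup is a tar.gz whose listing contains paths such as user/agent/agent.properties, jre/lib/security/cacerts, user/agent/fcp/ (parser overrides) and user/agent/map/ (map files); those paths are an assumed layout, and the archives it builds are constructed fixtures. It also applies the page's default exclude regex (written without the spaces shown in the listing above, which the example treats as formatting) to a constructed path list so you can see which entries it strips.

```shell
#!/bin/sh
# Added example, not ArcSight code. Verifies that a container backup archive holds
# the SmartConnector artifacts a restore needs. The paths below are an ASSUMED
# layout of a container backup, not taken from the KB entry.

# Required artifacts, as extended regexes matched against the tar listing (assumed paths).
REQUIRED_PATTERNS='user/agent/agent\.properties$
user/agent/agent\.wrapper\.conf$
jre/lib/security/cacerts$
user/agent/fcp/
user/agent/map/'

# apply_exclude <regex>: filter a path list on stdin the way a repository's
# "exclude regular expression" would, printing only the paths that survive.
apply_exclude() {
    grep -Ev "$1"
}

# check_backup <archive.tar.gz>: return 0 if every required artifact is present,
# 1 if something is missing (names go to stderr), 2 if the archive is unreadable.
check_backup() {
    listing=$(tar tzf "$1") || return 2
    missing=0
    for pat in $REQUIRED_PATTERNS; do
        if ! printf '%s\n' "$listing" | grep -Eq "$pat"; then
            echo "MISSING: $pat" >&2
            missing=1
        fi
    done
    return $missing
}

# make_archive <out.tar.gz> <path>...: build a constructed archive of empty files
# with the given relative paths (fixture for the demo only).
make_archive() {
    out=$1; shift
    src=$(mktemp -d)
    for p in "$@"; do
        mkdir -p "$src/$(dirname "$p")"
        : > "$src/$p"
    done
    tar czf "$out" -C "$src" .
    rm -rf "$src"
}

# Demo: an archive shaped like the default "Backup Files" output (only the two
# agent files) versus one from a repository without the exclude regex.
demo() {
    w=$(mktemp -d)
    make_archive "$w/default.tar.gz" \
        current/user/agent/agent.properties current/user/agent/agent.wrapper.conf
    make_archive "$w/full.tar.gz" \
        current/user/agent/agent.properties current/user/agent/agent.wrapper.conf \
        current/jre/lib/security/cacerts \
        current/user/agent/fcp/syslog_override.properties \
        current/user/agent/map/map.1.properties
    check_backup "$w/default.tar.gz" && echo "default.tar.gz: complete" \
        || echo "default.tar.gz: incomplete, a restore would lack certs/parsers"
    check_backup "$w/full.tar.gz" && echo "full.tar.gz: complete" \
        || echo "full.tar.gz: incomplete"
    # The page's default exclude regex (spaces dropped) over a constructed path list:
    # only the cacerts path survives, the agentdata/ entry is stripped.
    printf 'current/agentdata/queue.0\ncurrent/jre/lib/security/cacerts\n' \
        | apply_exclude '(agentdata/|cwsapi_fileset_).*$'
    rm -rf "$w"
}
demo
```

Run check_backup against the archive the new repository produces before you rely on it; a non-zero exit with MISSING lines means the repository is still excluding something the restore needs.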

What is ArcSight Connector Appliance?

Connector Appliance in a nutshell is a self-contained, hardened appliance with:

1. Connector Software
SmartConnectors are pre-installed and are constantly running in their own 'Container'. Even without any configured connectors, they continue to run in their own Java memory space.

2. Connector Management functionality (web process)
A GUI that allows SmartConnectors to be locally and remotely managed, including configuration and monitoring of the processes.

Capabilities:

• Centralized management and full control of local, remote and software connectors
• Wizard based interface designed to automate common management tasks

There are three main types of appliance models: C1x00, C3x00, and C5x00.

For more information, refer to the Connector Appliance Release Notes (for platform changes and updates) and the Connector Appliance Administrator Guide.

I need to restore a Connector Appliance from an Appliance Backup. What are the requirements and how do I perform the restore?


Sometimes you need to completely reconfigure a Connector Appliance using an Appliance Backup. This can occur if you had to RMA your Connector Appliance and want to restore the entire configuration from your backup to this new Connector Appliance.

Important Notes:

For a successful restore, the following conditions must be met:

1. The backup file must be taken from a Connector Appliance which has the same number of onboard containers as the Connector Appliance to which you are restoring.

Examples:

A C1000 has only 1 container, while a C5200 has 8 containers, thus a backup from a C1000 to a C5200 will fail.

However, a C5000 appliance and a C5200 both have 8 containers, thus the backup will succeed.

2. The Connector Appliance versions must be the same on both source and destination Connector Appliances.

3. The hostname must be the same on both source and destination Connector Appliances.

Resolution:

1. Create an Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Backup

c. Enter the parameters and click Save.

d. The backup file created is named configs.tar.gz.

2. Ensure that the hostname on the Connector Appliance you are restoring to is the same as the hostname from the Connector Appliance where the backup was created.

Note: If you still have access to the Connector Appliance where the backup was created, check the file /etc/sysconfig/network and compare the value for hostname (see example below) to that found in the same file on the Connector Appliance you are restoring to.

Example:

HOSTNAME=

3. Restore the Appliance Backup, as follows:

a. Go to Setup > Backup/Restore in the UI.

b. Click on Appliance Restore

c. Click Browse and navigate to the location where you have stored the configs.tar.gz file

d. Click Upload.

4. If after restoring from the backup, the Web GUI is not available, modify /etc/sysconfig/network to reflect the correct HOSTNAME value.

We are getting slow response from the UI on the Connector Appliance; all of the pages take a long time to load or refresh.

This issue can often be caused by a mismatch between the hostname recorded in the 'hosts' file on the appliance and the actual hostname set via the UI.

Such a mismatch causes local hostname lookup errors, which in turn cause severe delays when accessing certain features of the UI. It can also cause the Container SSL certificate to fail to generate and upload to the UI after a Container is restored, leaving the container unreachable or un-configurable.

Resolution:

1. View the Setup > System Admin > Network tab. Note the System Hostname string configured.

2. View the Setup > System Admin > Network > Hosts tab. Confirm that the hostname listed in System Hostname, as you observed in Step 1, is listed.

3. If the System Hostname is not listed in the Hosts tab, add an entry for it and click Update File.
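Both the restore prerequisite above (the HOSTNAME value in /etc/sysconfig/network must match the backup source) and this slow-UI entry (the configured hostname must appear in the hosts file) come down to the same check. The script below is an added example in shell, not ArcSight's own tooling: it reads HOSTNAME= from an /etc/sysconfig/network-style file, optionally compares it with the hostname you expect from the backup source, and confirms that name is listed in an /etc/hosts-style file. The files used in the demo are constructed; on an appliance you would point it at the real /etc/sysconfig/network and /etc/hosts.

```shell
#!/bin/sh
# Added example, not ArcSight code: hostname consistency check for a Connector
# Appliance. File contents in demo() are constructed fixtures.

# hostname_from_network <file>: the HOSTNAME= value from an /etc/sysconfig/network-style file.
hostname_from_network() {
    sed -n 's/^HOSTNAME=//p' "$1" | tr -d '"' | head -n 1
}

# hosts_has_name <hosts-file> <name>: 0 if a non-comment line lists <name> as a
# hostname or alias (fields after the address), 1 otherwise.
hosts_has_name() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# check_hostname_consistency <network-file> <hosts-file> [expected-hostname]
# Returns 0 when HOSTNAME matches the expected name (if given) and has a hosts
# entry; otherwise prints each problem to stderr and returns 1.
check_hostname_consistency() {
    name=$(hostname_from_network "$1")
    [ -n "$name" ] || { echo "no HOSTNAME= line in $1" >&2; return 1; }
    rc=0
    if [ -n "$3" ] && [ "$name" != "$3" ]; then
        echo "HOSTNAME mismatch: $1 has '$name', backup source had '$3'" >&2
        rc=1
    fi
    if ! hosts_has_name "$2" "$name"; then
        echo "'$name' has no entry in $2 (add it under Setup > System Admin > Network > Hosts)" >&2
        rc=1
    fi
    return $rc
}

# Demo with constructed files: one consistent hosts file, one stale one.
demo() {
    w=$(mktemp -d)
    printf 'NETWORKING=yes\nHOSTNAME=conapp01.example.com\n' > "$w/network"
    printf '127.0.0.1 localhost\n192.0.2.10 conapp01.example.com conapp01\n' > "$w/hosts.good"
    printf '127.0.0.1 localhost\n192.0.2.10 conapp-old.example.com\n' > "$w/hosts.bad"
    check_hostname_consistency "$w/network" "$w/hosts.good" && echo "hosts.good: consistent"
    check_hostname_consistency "$w/network" "$w/hosts.bad" || echo "hosts.bad: fix before restoring"
    rm -rf "$w"
}
demo
```

For the restore case, run it on the appliance you are restoring to and pass the hostname read from the old appliance's /etc/sysconfig/network as the third argument; a mismatch there is the condition that leaves the Web GUI unavailable after the restore.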

What commands are available under the ArcSight appliance Console?

From the console or DRAC, you see this prompt:

ArcSight Platform Console
Login:

Use the same login credentials as you use to access the web GUI (e.g., log in as admin).

Type 'help' to get a list of possible commands:

System Command    Description
help              Prints this help
halt              Halts and powers off the Appliance
reboot            Reboots the Appliance
exit              Exits (restarts) the CLI
show admin        Shows Default Administrator Name
show config       Shows Appliance Configuration
show date         Shows current date
set date          Sets current date
show defaultgw    Shows Default Gateway for the interface
set defaultgw     Sets Default Gateway for the interface
show dns          Shows DNS Configuration
set dns           Sets DNS Configuration
show hostname     Shows Host Name
set hostname      Sets Host Name
show ip           Shows IP Addresses of Network Interfaces
set ip            Sets IP Address of Network Interface
set password      Sets the password for this account
show sslcert      Shows SSL Server Certificate
reset sslcert     Installs/restarts https with temporary certificate
restart sslcert   Restarts https server
diag sslcert      Displays the SSL connection
show status       Shows System Configuration

Use Shift+PageUp and Shift+PageDown to page up and down in the list.

How many of the suffixes listed will be used by the SmartConnector for DNS resolution?

When entering suffixes on the Setup > Network > DNS > Search Domains page on a Connector Appliance running v6.1, only the first 6 search domains listed are used by the SmartConnectors for DNS resolution.

Any search domains added beyond the first 6 are silently ignored by the appliance's resolver (the standard Linux resolver caps the resolv.conf search list at 6 entries), so short names in those domains do not resolve.

Workarounds:

Depending on how many entries you have, there are a few options to work around this limitation:

1. Place the short names into /etc/hosts on the appliance.

2. Use fully-qualified names.

3. Create a 'virtual' domain to hold all the short names and re-configure DNS servers for that virtual domain to forward accordingly.

Note: For more information on virtual domains and forwarding, refer to the following site:

http://www.linuxquestions.org/questions/linux-general-1/resolv-conf-search-limited-to-six-725254/
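To see which of your configured suffixes actually take effect, the script below, an added example in shell and not ArcSight tooling, reads the search list from a resolv.conf-style file and prints the entries beyond the sixth, which the resolver drops. The six-entry limit is the glibc resolver's MAXDNSRCH, and the resolv.conf content in the demo is constructed; on the appliance you would run it against /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not ArcSight code: audit a resolv.conf-style file against the
# six-entry search-list limit enforced by the glibc resolver (MAXDNSRCH).

MAX_SEARCH=6

# search_domains <resolv.conf>: print the effective search list, one domain per
# line. As the resolver does, the last 'search' line in the file wins.
search_domains() {
    awk '$1 == "search" { n = 0; for (i = 2; i <= NF; i++) list[++n] = $i }
         END { for (i = 1; i <= n; i++) print list[i] }' "$1"
}

# ignored_search_domains <resolv.conf>: print the domains beyond the sixth, which
# the resolver never consults. Returns 0 if there are none, 1 if some are ignored.
ignored_search_domains() {
    search_domains "$1" | awk -v max="$MAX_SEARCH" \
        'NR > max { print; extra = 1 } END { exit extra ? 1 : 0 }'
}

# Demo with a constructed resolv.conf carrying eight search domains.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
nameserver 192.0.2.53
search corp.example.com lab.example.com dmz.example.com ops.example.com net.example.com sec.example.com dev.example.com qa.example.com
EOF
    if ignored_search_domains "$f" > "$f.ignored"; then
        echo "all search domains are within the resolver limit of $MAX_SEARCH"
    else
        echo "domains beyond the first $MAX_SEARCH are ignored; hosts in them need FQDNs or /etc/hosts entries:"
        cat "$f.ignored"
    fi
    rm -f "$f" "$f.ignored"
}
demo
```

Hosts in the domains it lists are the ones to address with the workarounds above: add them to /etc/hosts, reference them by fully-qualified name, or fold them into a forwarding virtual domain.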

What is the proper order in which to shut down all of these Appliances if we are preparing for a power outage?

1. Connector or Logger Appliance:

The Connector Appliance and Logger Web Interface has a reboot option. (System Admin > Reboot > Start Reboot Now)

However, if the Appliance needs to be shut down for an extended time for maintenance or other reasons, you will need to access the Appliance command line interface and issue the halt command.

Described below are 2 methods to access the Appliance's command line interface to shut down the appliance gracefully:

1. Physical access to Appliance console:

a. Attach a Keyboard and Monitor to the appliance.

b. From the monitor you will see the ArcSight logo and login prompt.

c. Enter the credentials to access the appliance - this will be the same credentials you enter in the appliance's web interface login prompt.

d. At the command line, enter the command: halt

2. Appliance Access via DRAC:

Note: the steps below assume that you have already configured the appliance for DRAC access. If you have not yet configured DRAC, refer to Document ID KM1271064.

a. Open the browser and specify the DRAC IP address in the browser's URL bar

b. Confirm the SSL security warning.

c. At the login prompt, enter the user name and password that was assigned.

d. Select the Console tab and select Connect. The Console session to the appliance appears.

e. Enter the credentials you use to access the appliance Web UI

f. Enter the command: halt

Note: Once the "halt" command has been issued (using either method) you will need to have physical access to the hardware in order to restart the appliance.


2. Express Appliance: KM1272277


To properly shut down the ArcSight Express Appliance (or other ArcSight Appliances), connect to the appliance using SSH to access the command line interface.

To enable SSH login, refer to the steps in

Document ID KM1271655.

To shut down the appliance, issue the following command (the shutdown command requires a time argument; now shuts down immediately):

shutdown -h now

To shut down and restart the appliance, issue one of the following commands:

shutdown -r now

OR

reboot


However, the order in which to shut down and power off multiple Appliances in a more complex environment depends on how they are connected to each other.

Scenario 1: Connector Appliance -> Logger -> Express

a. Shutting Down: When ESM is not available, Connectors hold events in their cache file, so shut down the consumer first and the Connector Appliances last. The order should be as follows:

Express > Logger > Connector Appliances

b. Starting Up: Start up the appliances in the reverse order which you shut them down. (ie. Connector Appliances, Logger, then Express.)

Scenario 2: Connector Appliance -> Express (Forwarding Connector) -> Logger

If there is ESM Forwarding Connector involved, the order is different than above:

a. Shutting Down: Forwarding Connector -> Express -> Logger and Connector Appliances

b. Starting Up: Logger and Connector Appliances-> Express -> Forwarding Connector