
AE RelNotes 4.0.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 32 min read

Summary:

### ArcSight Express Release Notes (ArcSight Express 4.0) Known Issues and Workarounds

#### 1. **Karound Browser Refresh Workaround**

- **Issue Description**: Users experiencing login failures in Firefox browsers due to a lack of GWT permutation headers might need a workaround.
- **Workaround**: Add the property "cross.domain.enabled=true" to the `server.properties` file and restart the Manager. This change enables cross-domain requests which are crucial for proper functioning when dealing with GWT permutations.

#### 2. **Firefox Browser Issue with GWT Headers**

- **Issue Description**: In some versions of Firefox, headers starting with "x" (like GWT permutation headers) might be dropped occasionally, leading to a security exception and login failures.
- **Workaround**: Add the property "cross.domain.enabled=true" to your `server.properties` file and restart the Manager. This step is a temporary workaround until the underlying problem with Firefox's handling of headers is resolved by updating or fixing the browser itself.

#### 3. **NGS-1254 Issue Resolution**

- **Issue Description**: Users might encounter issues related to login failures in Firefox browsers due to lack of GWT permutation headers.
- **Workaround**: Same as above; add "cross.domain.enabled=true" to the `server.properties` file and restart the Manager.

#### 4. **Keyboard Shortcut for Docked Items**

- **Issue Description**: Users reported difficulty in selecting docked items using keyboard shortcuts, but only through mouse interactions.
- **Workaround**: The issue arises because the UI might not register key presses when icons are docked; use a pointing device instead of just pressing keys.

#### 5. **Java InterruptedException in Pattern Discovery (ESM-35048)**

- **Issue Description**: Occasionally, during scheduled pattern discovery jobs, there is a "java.lang.InterruptedException" logged in the Manager's server logs.
- **Workaround**: This issue has no adverse effects on system performance and can be ignored safely since it generates unnecessary log entries; however, consider monitoring its occurrence for potential future improvements or fixes from developers.

#### 6. **Pattern Discovery Performance Issues (NGS-3527)**

- **Issue Description**: When running a high EPS (events per second) system, pattern discovery jobs can become resource-intensive and potentially cause performance degradation or failure to return matching results due to increased load.
- **Workaround**: Reduce either the number of events or the frequency of these jobs to mitigate this issue.

#### 7. **Image Dashboard Display Issues**

- **Issue Description**: Global variable fields might not display correctly in an Image Dashboard, possibly related to refresh rates set too low or network issues causing frequent refreshes.
- **Workaround**: Set a higher refresh rate to resolve the issue.

#### 8. **Unsupported 3D Bar Charts**

- **Issue Description**: The Management Console does not support 3D bar charts, affecting certain visualizations within the console.
- **Workaround**: Not applicable; consider using alternative chart types or updating the software version for better compatibility with 3D charts.

#### 9. **Custom Cells in Advanced Permissions**

- **Issue Description**: Hidden folder called customCells appearing under personal folders in the Advanced Permissions dialog if customCells have been created using the ArcSight Console.
- **Workaround**: Do not change ACL settings on this folder as it impacts custom cells functionality.

#### 10. **Query Viewer Performance**

- **Issue Description**: Having a large row limit in query viewers within custom view dashboards can cause browsers to hang during loading.
- **Workaround**: Keep the row limit below 100 before viewing the dashboard in a custom layout format.

#### 11. **Administrator Privileges for Management**

- **Issue Description**: Access to user/connector management features requires administrator privileges.
- **Workaround**: Ensure users have the necessary permissions or request assistance from an administrator to manage these features.

#### 12. **Missing Notification Groups Attribute**

- **Issue Description**: The Notification Groups attribute is missing from the Connector Management page.
- **Workaround**: Use the ArcSight Console through the Configure Connector option as a workaround for managing notification groups.

#### 13. **Blank Screen Issue in Management Console**

- **Issue Description**: Occurrence of blank screens after navigating into modules within the Management Console.
- **Workaround**: Check connectivity to backend services and ensure that no network issues or misconfigurations are causing this issue; consider updating browser cache or trying a different browser.

#### 14. **Search Functionality in Search Builder**

- **Issue Description**: Issues with search functionality within the Search Builder, including slow response times or inability to retrieve results based on certain queries.
- **Workaround**: Simplify the query parameters and ensure that all fields are filled out correctly; consider using more specific terms and adjusting filter settings for better performance.

#### 15. **Inconsistent User Interface Behavior**

- **Issue Description**: Users report inconsistent behavior among different sections of the user interface, such as missing elements or unexpected actions upon interaction.
- **Workaround**: Restarting the Management Console or refreshing the browser page can resolve temporary UI glitches; if persistent issues occur, consider updating to a newer version for potential fixes and improvements in user experience.

---

### Summary of Recommendations:

- For all users, set "cross.domain.enabled=true" in `server.properties` and restart the Manager as a standard workaround for browser compatibility issues related to GWT headers.
- Adjust refresh rates for Image Dashboards to avoid performance bottlenecks or incorrect display issues.
- Be aware of system resource usage when running high EPS pattern discovery jobs, potentially reducing load if necessary.
- Ensure proper permissions and use alternative methods (like ArcSight Console) for managing advanced features like custom cells and connector settings.
- Check backend services connectivity regularly to avoid blank screen issues in the Management Console.
- Simplify search queries in Search Builder to improve response times and accuracy.
- Regularly update software versions or consider using different browsers if interface inconsistencies persist.

These recommendations should help mitigate common issues reported with ArcSight Express 4.0, ensuring smoother operation of your security information management system.

Details:

The release notes for ArcSight Express 4.0, dated May 28, 2013, are part of the software documentation provided by Hewlett-Packard Development Company, L.P. The document is marked as confidential and requires a valid license from HP to possess, use, or copy it. It is addressed to users in the United States Government context, citing compliance with FAR 12.211 and 12.212 regulations. The release notes outline several key points:

1. **Software Information**: The software is referred to as ArcSight Express 4.0, released on May 28, 2013. It includes updates related to new open issues from the previous version and enhancements detailed under "What’s New in ArcSight Express 4.0."
2. **Use of Network Information**: The examples within this document, including IP addresses and hostnames, are for illustrative purposes only and should not be considered accurate network configurations.
3. **Confidentiality**: This document itself is marked as confidential and should not be shared outside the intended audience without proper authorization.
4. **Contact Information**: A list of phone numbers can be found on the HP ArcSight Technical Support page, accessible via a link provided in the release notes. The main support web site for technical issues is http://support.openview.hp.com, and there's also a community forum available at https://protect724.arcsight.com.
5. **Revision History**: The revision history provides two dates with their corresponding product versions:

  • May 28, 2013: ArcSight Express 4.0 - Updated with new open issues.

  • April 10, 2013: ArcSight Express 4.0 - Release Notes Contents.

6. **Disclaimer of Warranties**: The document states that the only warranties for HP products and services are set forth in express warranty statements accompanying those products or services. Any implied warranties are excluded from these terms. HP shall not be liable for technical or editorial errors or omissions within this documentation.
7. **Acknowledgements**: A complete statement of copyrights and acknowledgements can be accessed via a link provided: http://www.hpenterprisesecurity.com/copyright.

In summary, the ArcSight Express 4.0 release notes provide an overview of updates, changes, and important information related to the software version, including how to obtain support and the nature of the document's confidentiality.

This document provides information about ArcSight Express Content, Connectors, Management Console, Dashboards, Correlation, Reporting, Security, Environment Updates, Geographical Information Update, Vulnerability Update, Section 508 Compliance, Usage Notes, and Browser Support in FIPS with Suite B Mode. Here's a summary of each section:

1. **ArcSight Express Content**: Provides details on the content available for ArcSight Express, including connectors, management console, dashboards, correlation, reporting, security features like environment updates, geographical information update, vulnerability update, and Section 508 compliance.
2. **Connectors**: Lists various connectors supported by ArcSight Express to connect with different data sources and systems.
3. **Management Console**: Describes the Management Console within ArcSight Express, including its features like connectivity, dashboard display, correlation engine storage, security settings, and environment updates.
4. **Dashboards in the Management Console**: Discusses the dashboards available within the management console that can be used to visualize data such as geographical event graphs or event graph data monitors.
5. **Correlation**: Explains how correlations are performed within ArcSight Express to detect threats and patterns across different systems and events.
6. **Reporting**: Provides information on the reporting capabilities available in the platform, including standard reports and custom report creation options.
7. **CORR-Engine Storage**: Details about the storage used by the correlation engine for efficient data handling during the correlation process.
8. **Security**: Covers security features like Section 508 compliance and discusses how ArcSight Express ensures secure usage of its platform, including updates to ensure protection against vulnerabilities.
9. **Environment Updates**, **Geographical Information Update**, **Vulnerability Update**: These subsections provide information on regular updates made to the environment, geographical data, and security vulnerabilities within the system, respectively.
10. **Usage Notes**: Includes practical tips and guidelines for using ArcSight Express effectively, such as browser support in FIPS with Suite B Mode, compatibility with Safari browser, and warnings about potential dashboard issues.
11. **Dashboard Warnings**: Lists specific warnings related to the operation of dashboards within the management console that users should be aware of when utilizing this system.

This document appears to be a release note for software or an application, possibly related to cybersecurity or enterprise security management. The text is organized into sections that list various components and features of the product, along with information about issues fixed in this version, analytics, installation details, and open issues. Here's a summarized breakdown:

1. **Introduction**: This section introduces the document as a release note for Confidential ArcSight Express. It outlines different aspects covered within the document such as online help enhancements, connector management updates, and detailed descriptions of software components like ArcSight Console, Manager, Web, CORR-Engine, etc.
2. **Analytics**: Describes enhancements or changes in analytics functionality including Windows Unified Event Log Connector and large trends feature.
3. **Issues Fixed in this Release**: Lists specific issues that have been resolved in the latest version of the software.
4. **Installation and Upgrade**: Provides information on how to install or upgrade the software, which is crucial for users transitioning to a new version.
5. **Management Console**: Specifies any changes or updates related to management console functionality.
6. **Open Issues in this Release**: Identifies potential issues or problems that are not resolved yet but may affect future use of the product.
7. **Other Sections** (15-17): These sections likely contain detailed descriptions and information for specific components like Analytics, ArcSight Console, and ArcSight Manager, possibly including version numbers where applicable.

The document appears to be intended for users who need to know about updates, fixes, or changes in a software product named Confidential ArcSight Express, which is used for cybersecurity or similar purposes requiring event management and analysis capabilities.

The document discusses various topics related to "ArcSight Express 4.0," including installed components, what's new in the release, environment updates, usage notes, issues fixed, and open issues. Key points include:

1. **Installed Components**: Table 1 lists the files needed for this release, such as the installation file and a specific .pl file for upgrade from version 3.0. It also mentions that after downloading these files, users should verify their checksums to ensure integrity.
2. **Upgrade Support**: The document confirms that ArcSight Express 4.0 supports upgrading from ArcSight Express 3.0. Users are advised to download the specific .pl file for upgrade from the HP SSO website and to validate the downloaded file's checksum against what is provided on the download page.

This release notes summary provides a concise overview of the key features, updates, and technical details related to the ArcSight Express 4.0 version, particularly focusing on the upgrade process and checklist for verifying downloads.

ArcSight Express 4.0 introduces several enhancements aimed at simplifying content navigation and adding new capabilities through improved connectors and management features. Key additions include NetFlow Monitoring, Microsoft Windows Monitoring, Cisco Monitoring, and a trial version of the HP Reputation Security Monitor solution (RepSM). The appliance now includes two pre-configured connectors: Syslog Daemon and Windows Unified Event Log. Additionally, Management Console has been updated to centrally manage SmartConnectors across various systems, offering enhanced internationalization support for Japanese, French, and Traditional Chinese, and improved dashboard features.

The ArcSight Console has been upgraded with several enhancements, including improved configuration options and the ability to drill down from data monitors and query viewers to dashboards, reports, active channels, and more. This update also introduces new features such as support for previously unsupported data monitors like Event Graph, Geographical Event Graph, and Hierarchy Map. The system's performance has been optimized with lightweight rules that can handle multiple event aliases and aggregation without significantly impacting processing power. Additionally, ArcSight Express now supports the Federal Information Processing Standard (FIPS) 140-2 for enhanced security compliance, and includes an update to geographical information used in graphic displays as well as vulnerability mappings from February 2013.

This document outlines various device vulnerability updates for different security devices such as Snort / Sourcefire SEU 815, Enterasys Dragon IDS, Cisco Secure IDS S695, and others. It also highlights HP ArcSight's progress in Section 508 compliance by emphasizing the importance of accessibility in its products. Additionally, it provides usage notes for ArcSight Express 4.0, including information about required plugins for certain dashboard features and browser compatibility with FIPS Suite B mode.

The document discusses issues and workarounds related to Internet Explorer browser usage with ArcSight Express 4.0 on specific platforms and browsers:

  • **Platform Limitations**: Internet Explorer does not support FIPS (Federal Information Processing Standards) with Suite B compliance on Windows XP, Vista, and Windows 2008. This means users must use alternative browsers like Chrome or Firefox for accessing the Manager in these environments.

  • **ArcSight Web and Management Console on Safari**: On macOS only, when first accessing ArcSight Web from the Management Console, the browser opens a new tab instead of directly within the console. The workaround is to refresh the page if needed.

  • **Online Help in Internet Explorer with Chrome Frame Plugin**: When using the Management Console in Internet Explorer, clicking the Help link does not open the online help; users should refresh the browser page or click the refresh button to accept the Manager's certificate and view the content.

  • **Connector Management on Safari**: On macOS only, opening Connector Management for the first time in a standalone browser instead of being embedded within the Management Console requires using the back button to load it in embedded mode after accepting the Manager’s certificate.

  • **Large Trends**: The document advises against using trends specifically for creating subsets of columns due to improved indexing capabilities that make this practice unnecessary.

  • **Windows Unified Event Log Connector**: Adding this connector might result in an error, possibly related to slower LDAP queries as suggested by Microsoft support regarding AD or LDS/ADAM directors.

In summary, the document provides guidance on browser compatibility and specific workarounds for issues encountered when using ArcSight Express 4.0 across different platforms and browsers.

In this release of ArcSight Express (version 4.0), several issues have been addressed to improve performance and user experience. For Analytics, two main problems were resolved concerning data monitors:

1. Editing existing data monitors would throw a NullPointerException error due to an issue that was fixed post-punitive action period. Now, the data monitor can be edited without exceptions.
2. Creating a new data monitor resulted in an incomplete editor populating values and throwing an exception in the Console stdout; this has also been resolved.

Additionally, for ArcSight Console:

1. The HTML text within payload viewers previously contained non-HTML line breaks, which have now been replaced with HTML line breaks (`<br>`).
2. An Active Channel filter that applies conditions to a List data type field might cause multiple rows to appear for the same event or resource; this issue has also been resolved by preventing such occurrences.

These changes are expected to enhance the overall functionality and user interface of ArcSight Express 4.0, improving performance and user experience in managing analytics and console functionalities.

This summary is about several issues found in different products of ArcSight software that have now been fixed. Some issues were related to web applications displaying HTML encoded data, which could lead to XSS vulnerabilities (NGS-4056), and causing consoles to hang when adding charts or selecting geographic views (NGS-3930 and NGS-3129). Others involved logging errors on FIPS mode systems, memory leaks in software applications, and issues with how data is displayed or handled when using specific features like custom layouts for dashboards. In each case, the company has released updates that resolve these problems according to their release notes which are confidential at the moment but will be available later.

ArcSight Express 4.0 had several issues that were resolved in its latest update, including:

1. **Email Issue with Active Directory External ID:** A bug occurred where a report would fail to run if a web user logged into the ArcSight Web Console and selected a user's email address for the 'Email to' option while configured with an Active Directory external ID. This issue is now fixed.
2. **HTML Encoding in Payloads:** Previously, the payload value in ArcSight Web was HTML encoded, which caused an XSS vulnerability when not properly handled. This has been resolved and no longer presents a risk.
3. **Archive Issue Post-Daylight Saving Time Adjustment:** An issue occurred with the archive functionality stopping work after Daylight Saving Time ended in Brazil on 10/22 when the clock was turned back one hour. The error "An archive with duplicate date already exists in the database" appeared in the Logger log file, which has now been fixed.
4. **Buffer Pool Size Affecting Performance:** If the buffer pool size was too small, it caused slow channel performance or prevented logging into the Console with an error message related to lock table size exceeding limitations. The issue is resolved by editing the `/opt/arcsight/logger/data/mysql/my.cnf` file to set `innodb_buffer_pool_size = 512M`, and then restarting all services, which resolves this problem.
5. **Long-Running Queries Terminated by CORR-Engine:** Excessive system resource utilization from long-running queries would cause the CORR-Engine to terminate these queries. This issue is now resolved, preventing such disruptions in event insertion rate or EPS (Event Processing Speed).
6. **ESM and Management Console Issues:**

  • The ESM Installation Guide contained an error stating incorrect versions of supported MAC OS for the ArcSight Console; this has been corrected to specify that only macOS 10.6 and 10.7 are supported as indicated in the PLD supporting this release.

  • A dashboard rendering issue in the browser was fixed, improving its performance when used within the management console.
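
The two payload fixes listed above (HTML line breaks in the payload viewer, and the XSS issue NGS-4056 in ArcSight Web) both concern how untrusted event payload text is turned into HTML. The following is an added example, not code from ArcSight or from the release notes; the function names and the sample payload are constructed. It shows the general escape-then-format pattern next to an unsafe renderer and a wrong-order renderer.

```javascript
// Added illustration: rendering an untrusted event payload as HTML.
// All names and the sample payload are constructed for this example.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Any CR LF, lone CR, or lone LF counts as one line break.
const LINE_BREAK = /\r\n|\r|\n/g;

// Replace the five HTML-significant characters with entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: line breaks are converted, but the payload text itself is
// inserted unescaped, so markup carried in an event reaches the page.
function renderPayloadUnsafe(payload) {
  return String(payload).replace(LINE_BREAK, "<br>");
}

// Wrong order: converting line breaks first and escaping afterwards also
// escapes the <br> tags, so the viewer shows literal "<br>" text.
function renderPayloadWrongOrder(payload) {
  return escapeHtml(String(payload).replace(LINE_BREAK, "<br>"));
}

// Safe: escape the untrusted text first, then add the only markup the
// viewer needs (line breaks).
function renderPayloadSafe(payload) {
  return escapeHtml(payload).replace(LINE_BREAK, "<br>");
}

// Constructed sample: an HTTP request captured as an event payload.
const samplePayload =
  "GET /index.html HTTP/1.1\r\n" +
  "User-Agent: <script>alert(1)</script>\n" +
  "X-Note: a & b";

console.log(renderPayloadSafe(samplePayload));
```
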

These fixes were part of ArcSight Express 4.0 to enhance functionality and address security vulnerabilities.

The summary of the bug fixes and improvements in this release include:

1. **NGS-2245**: Fixed an issue where changing the display format of a data monitor (like from bar chart to table) did not save the change after saving the dashboard, ensuring consistent settings upon reloading.
2. **NGS-2184**: Resolved a problem with some dashboards occasionally failing to load predefined background color or image, improving consistency in visual presentation.
3. **NGS-1523**: Corrected an issue where user group creation failed if the name contained an ampersand (&), now detecting invalid characters and preventing resource creation until corrected.
4. **NGS-1435**: Fixed a problem with pie charts displaying too long legends that would shrink the chart, removing the legend area to maintain proper display size.
5. **NGS-1425**: Resolved an issue causing custom layouts of dashboards, data monitors, or query viewers to fail when using Adobe Flash Player, updating the technology stack to remove Adobe Flash dependency.
6. **NGS-1149**: Fixed a bug in Internet Explorer browser usage where the "Close Dashboard" menu command erroneously appeared enabled, now correctly disabling this option for applicable sections of the Management Console dashboard module.
7. **NGS-1072**: Removed support for displaying EventGraph data monitors within the ArcSight Console custom layout's internal browser, recommending external browser launches or use of the Management Console dashboard module to view such dashboards.
8. **Open Issues in this Release**: Noted that some issues remain unresolved and are suggested to be used with available workarounds, indicating continued improvement efforts for a more stable product experience.

The provided text discusses several technical issues and their resolutions related to different systems or applications. Here are the summarized points for each entry:

1. **ESM-48307**: This issue concerns a mislabeling where Windows 2008 is incorrectly identified as Windows 2003 in terms of DeviceEventclassId. The correct identification should be made to avoid any operational or support issues.
2. **ESM-47918**: The Threat Response Manager (TRM) sometimes fails to return an expected response when updating the Quarantine Node by IP command. This problem needs to be addressed promptly to ensure effective quarantine management and network security.
3. **ESM-40449**: When attempting to export archived events from the Case Details channel, the export process does not include these events as part of the exported data. The system's handling of such exports must be reviewed to prevent data loss in future operations.
4. **ESM-39405**: There is an issue with displaying Chinese characters correctly in email attachments when creating a report and sending it via PDF attachment. This affects only the display name in the email, while the content itself appears correct. The software needs to be updated for better character encoding support.
5. **ESM-37810**: For scheduled reports where the "Run as" user has their read and write privileges removed or limited, the report continues to run under the creator of the schedule if they have only read privileges. If there are no issues with privilege management, this behavior should be reviewed for efficiency and accuracy in reporting.
6. **ESM-35070**: The "Verify Rules with Events" feature does not work as intended when combined rules manipulate active lists that change dynamically during testing. This could affect the reliability of real-time rule verification across different types of active list configurations. Further development and testing are required to resolve this issue effectively.
7. **ESM-34531**: There is a display error in the Editor for scheduled reports regarding the Schedule Frequency, where the Next Run Time field shows an incorrect time despite correctly setting the specified run time. This visual glitch should be fixed to improve user experience and ensure correct scheduling of report generation.
8. **ESM-29633**: The text seems cut off; it appears that there was a description regarding "occasionally, after changing" which could involve further details about recurring issues or troubleshooting steps taken for the system stability and performance improvement. If you have the complete context for this entry, please provide additional information for a more comprehensive summary.

The text discusses a couple of trends related to trend descriptions and their potential invalidation depending on certain conditions. It also provides a workaround for an issue (ESM-29348) where the Scheduled Time column in the Scheduled Runs view displays discrepancies due to overlapping time ranges for completed and pending runs. Additionally, it mentions that during the conversion of a rule from a heavyweight to a lightweight version, there is a swap in action order which results in incorrect data being displayed in related views such as Recently Closed Cases viewer and several case tracking reports. The workaround suggested here is simply reordering the actions within the converted rule.

This document outlines several issues and solutions related to software management and operations. The first issue is with the gzip operation failing, which can result in corrupted archives. To avoid this, ensure sufficient disk space is available during the process. Another concern mentioned is an issue with rendering of grouped table columns in the Windows Critical Services Started or Stopped report, which lacks a background for the table headers. A workaround to this involves keeping trend tables small and adjusting their retention period as needed. There are also issues related to deleting trends that are used in queries or query viewers, such as NGS-3686, where attempting deletion results in an error due to dependencies on other resources. For these cases, the trend should be removed from all affected resources before it can be deleted. Lastly, there is a challenge when trying to retrieve base events from source to destination managers (NGS-3294) and querying cases by user ID rather than name (NGS-3139). The solution for these problems involves specifying the user's unique identifier in queries instead of their username.

The summarized text outlines several issues related to different software versions of ArcSight Express, along with their respective workarounds. Here are the main points:

1. **NGS-2917**: This rule action issue arises when a lightweight rule is scheduled, and it affects data list updates if mapped fields in conditions are not used. The workaround involves adding simple conditions like "IS NOT NULL" for such fields to ensure correct querying from the database during execution.
2. **ArcSight Console Issues**:

  • **ESM-49990**: To display proper icons for forwarded correlation events, add the Locality Field column to the channel's field set.

  • **ESM-49187**: The text in the Table Header does not show CJK characters even if Arial Unicode MS font is set. The workaround involves using the case event editor or Reports to correctly display these events.

  • **ESM-47213**: Case-related events are moved to a special table after archiving, causing issues with channel display. Use the case event editor or Reports for correct event display.

  • **ESM-41641**: On Macintosh systems, selecting rows and attempting to print them causes the Console to crash. The workaround is to set up a default printer before starting the Console.

  • **ESM-41019**: With client-side authentication configured, accessing product documentation via the embedded or external browser results in an error when using "Password Based and SSL Client Based Authentication". The workaround involves generating a key pair for browsers and importing their certificate into the Manager's truststore.

These summaries provide concise descriptions of the issues encountered with specific versions of ArcSight Express software, along with practical solutions to mitigate these problems.

The provided text discusses various issues and workarounds related to software products from ArcSight Express (ESM). Here's a summary of each issue mentioned:

1. **Key Copying Issue**: The notes suggest copying the Console's key into the browser's keystore for security purposes, but do not provide detailed steps on how to do this.

2. **Correlation Events Timing**: ESM-40587 explains that correlation events might occur before the base event in channels sorted by time if their end times are identical. The workaround is to add a sort column in the channel sorting events first by end time and then by event type, where base events have a type of 0 and correlation events have a type of 1.

3. **Console Unresponsiveness**: ESM-39980 states that accessing other resources while building category models with a large number of actors can make the Console unresponsive. The suggested workaround is to resize the panel before running reports, possibly multiple times for optimal results.

4. **Embedded Browser Issues in Windows**: ESM-39856 describes problems with viewing reports using the embedded browser on Windows, where the report may not appear until the panel is resized. The recommended workaround involves resizing the panel prior to running a report and experimenting with different sizes.

5. **Deleting Actors Impacting Category Models**: ESM-39829 discusses how deleting actors requires rebuilding category models if any exist. Each rebuild can take seconds, so when thousands of actors are deleted, the entire deletion process might last hours due to the triggered rebuilds.

6. **Actor Channels and Custom Fields**: ESM-39331 notes that actor channels can only display fields that are part of a predefined field set. To view additional fields, these must be added to the field set used by the Actor channel rather than directly to the channel.

7. **Image View Mode Background File Upload**: ESM-38961: in Image View mode, when uploading a background file, the Console automatically uploads it into the user's personal folder without providing an option for location selection. The suggested workaround involves moving the file after upload to a preferred location.

8. **Manager Case Selection Issue**: ESM-37344: on the Manager, it is difficult to pick cases for "Add to Existing Case" rule actions when there are many cases within a single group, as the resource selector only shows leaf nodes if fewer than 1000 cases are present.

These issues and workarounds highlight potential challenges users might encounter with ArcSight Express software and provide solutions or recommendations to mitigate these issues.

The text discusses various issues related to resource management and usage within a system, providing solutions or workarounds for each problem encountered. Here's a summary of the main points:

1. **Resource Hierarchy Management**: To prevent inefficiencies in resource allocation, it is recommended that no single group contain more than 1000 resources. This helps maintain optimal performance by preventing excessive load on system components.

2. **Query Editor Permissions Issue (ESM-36055)**: Users with read permissions to a query might lack access to the global variables used within it, leading to incomplete data display in the results. To rectify this, ensure that users have appropriate permissions for all resources utilized in queries, including global variables.

3. **Hierarchy Map Data Monitor Limitation (ESM-33440)**: When attempting to view events through a Hierarchy Map Data Monitor, issues arise if the Source Node Identifier contains any variables. As a workaround, avoid using such variables within the identifier field when querying event data.

4. **Escalation-Level Notification Resource Deletion Error (ESM-33360)**: Upon deleting an escalation-level notification resource, users encounter a "Group does not exist" error in their console logs. This issue is acknowledged as incorrect and can be disregarded; however, alternative methods should be explored to manage such resources without encountering this specific error.

5. **Color Mapping Alteration Limitation (ESM-32705)**: Once color ranges are specified within a Hierarchy Map Data Monitor, there is no direct method to modify these mappings afterward. A workaround involves deleting the existing color mapping and creating a new one with the desired settings.

6. **Non-Alphanumeric Resource IDs Search Issue (ESM-27970)**: To search for resource IDs that include non-alphanumeric characters, users must enclose the ID in double quotes within the query text field to ensure proper recognition by the system.

7. **Content Package Merging Limitation (ESM-26488)**: When importing older content into a newer package, the imported contents from both packages are merged, but attributes are sourced from the older package. As a workaround, export the new package to a bundle file for potential recovery before deleting it to import the old one.

These summaries highlight key issues and recommended solutions or workarounds that users might encounter while working with various resources within a system environment.

The text outlines a few issues and workarounds related to using ArcSight Console, ArcSight Express, and their content management. Specifically, it mentions problems with browsing for background uploads via the console, potential system hangups due to large notification history or registry files, slow loading of dashboards on certain systems, and visual glitches such as cut-off titles in custom layout mode. The solutions provided include using alternative methods (like uploading through the Management Console) when specific tools do not function correctly, adjusting window sizes, and opening external browsers for viewing content that might be misaligned or improperly displayed.

The document outlines several issues and their corresponding workarounds on a Win64 system, primarily related to dashboard displays and configurations in software such as ArcSight Console and Management Console. Here are the key points:

1. **NGS-2499**: In the Image Dashboard, the time field is displayed incorrectly as a number instead of formatted date and time. The workaround suggests using a regular dashboard instead of the Image Dashboard.

2. **NGS-2241**: When creating or viewing a new custom view dashboard with data monitors or query viewers, elements might overlap. The solution involves defining the arrangement manually by either:

  • Using auto-arrange (Edit -> Auto Arrange and then save), or

  • Manual arranging (Edit -> Arrange to move/resize elements, followed by 'Done Arranging' and 'Save').

3. **NGS-1745**: In ArcSight Console Dashboard and Management Console dashboards, data monitors or query viewers might overlap when viewed in custom layout mode. The workaround is to click on Edit -> Auto-Arrange to rearrange the elements for correct display before saving the dashboard.

4. **NGS-1262**: If a dashboard contains a Query Viewer with a large row limit, it may cause the Console to hang while loading the dashboard in custom layout view. The recommended practice is to keep the Query Viewer's row limit below 100 before viewing the dashboard in this format.

5. **NGS-1088**: Applying a regular or inline filter with conditions involving Event Annotation Flag to an Active Channel may prevent it from loading events. The workaround advises against using Event Annotation Flag in such filter conditions.

6. **NGS-146**: Occasionally, event-based Active Channels with InCase filtering conditions might not display events that belong to a case but have been removed due to retention period limits. This issue is rare and related to the CORR-Engine's handling of cases within the main event table (arc_event).

These issues and workarounds highlight the importance of dashboard configuration and troubleshooting in software applications, particularly for managing and visualizing complex data streams effectively.

The ArcSight Express 4.0 release notes, specifically for ArcSight Manager, highlight several issues and provide solutions to improve performance and accuracy during case exports, resource validation, audit event processing, large data exports, and managing stages within the console. Key findings include:

1. **Case Export Issues**: The creation time of a case was incorrectly being reset to the export time during exports. This issue has been resolved, preventing this from happening in future exports (ESM-47625).

2. **Resource Validation Errors**: During resource validation, assets that are actually invalid might be reported as valid (ESM-41331). A workaround is suggested where the script should be run twice: once with '-persist true' to fix invalid resources and again with '-persist false' for a correct report.

3. **Audit Event Failures**: There have been instances where a "group:101" audit event fails due to numerous role memberships being added or changed (ESM-40889). A specific error related to this issue appears in the server log, indicating the affected objects' IDs.

4. **Large Data Export Issues**: When exporting large Active Lists with 10 million entries or more, or rules using such lists, an exception occurs and the Manager may run out of memory, causing a restart (ESM-37488). A solution is to use alternative export formats that do not include Active List data.

5. **Stage Management**: Stages within the ArcSight Console should ideally remain unchanged as standard content in their provided folders, but there have been instances where they were editable (ESM-33462). This behavior was noted and guidelines are recommended for managing stages to maintain consistency.

These issues and solutions aim to enhance the reliability, performance, and usability of ArcSight Manager in handling large datasets and complex configurations.

The provided text discusses various issues and their workarounds related to content stages, search index errors, and performance issues in ArcSight Express (ES). Here's a summary of the key points:

1. **Content Stages**: The standard content stages mentioned are Closed, Final, Flagged as Similar, Follow-up, Initial, Monitoring, Queued, and Rule Created. For more details, refer to the "Standard Content" topic in the ArcSight Console Help.

2. **Search Index Errors**:

  • **ESM-31433**: A java.lang.NullPointerException is thrown at org.apache.lucene.index.IndexReader.open. The error resolves automatically within one week, when the Manager rebuilds the resource search index. Alternatively, you can manually create a new index using the command: `arcsight searchindex -a create -m -u -p `.

  • **ESM-30670**: If the search index file becomes corrupted, it results in an out-of-date index and a log message "java.io.IOException: read past EOF" appears. The workaround is to re-generate the index by issuing the command: `arcsight searchindex -a create`.

3. **Performance Issues**:

  • **NGS-4837**: With long-running queries, there's a risk of deadlock in the JDBC driver, leading to decreased throughput. If suspected, request a thread dump through the Management Console and check for deadlocks in the dump. A deadlock may require restarting the Manager to resume normal operations.

  • **NGS-3856**: Displaying an Active List with many entries (e.g., 10 million) causes an error in the server log file. To resolve this, increase the memory size for the Manager and avoid displaying Active Lists with a large number of records if possible.
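For the NGS-4837 check, the following added example (not code from ArcSight or from the release notes) shows one way to look for a deadlock in a saved thread dump. It assumes the dump is in the standard HotSpot text format; the sample dump, thread names and lock addresses are constructed for illustration.

```python
"""Find monitor deadlocks in a HotSpot-format JVM thread dump."""
import re

# Constructed sample dump: thread names, classes and addresses are invented.
SAMPLE_DUMP = '''\
"query-worker-1" #41 daemon prio=5 tid=0x01 nid=0x1a waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
    at example.jdbc.Connection.execute(Connection.java:210)
    - waiting to lock <0x00000000e0a1b2c0> (a example.jdbc.Connection)
    at example.jdbc.Statement.close(Statement.java:88)
    - locked <0x00000000e0a1b2f8> (a example.jdbc.Statement)

"query-worker-2" #42 daemon prio=5 tid=0x02 nid=0x1b waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
    at example.jdbc.Statement.cancel(Statement.java:131)
    - waiting to lock <0x00000000e0a1b2f8> (a example.jdbc.Statement)
    at example.jdbc.Connection.abort(Connection.java:402)
    - locked <0x00000000e0a1b2c0> (a example.jdbc.Connection)

"report-runner" #43 daemon prio=5 tid=0x03 nid=0x1c waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
    at example.jdbc.Connection.execute(Connection.java:210)
    - waiting to lock <0x00000000e0a1b2c0> (a example.jdbc.Connection)

"event-flush" #12 daemon prio=5 tid=0x04 nid=0x1d in Object.wait()
   java.lang.Thread.State: WAITING (on object monitor)
    at java.lang.Object.wait(Native Method)
    - waiting on <0x00000000e0a1c000> (a java.lang.Object)
    at example.Flusher.run(Flusher.java:57)
    - locked <0x00000000e0a1c000> (a java.lang.Object)
'''

THREAD_RE = re.compile(r'^"([^"]+)"')
WAIT_RE = re.compile(
    r'^\s*- waiting (on|to lock|to re-lock in wait\(\)) <(0x[0-9a-f]+)>')
LOCKED_RE = re.compile(r'^\s*- locked <(0x[0-9a-f]+)>')


def parse_threads(dump):
    """Return {thread name: {"blocked_on": addr or None, "holds": set}}."""
    threads, cur = {}, None
    for line in dump.splitlines():
        m = THREAD_RE.match(line)
        if m:
            cur = threads.setdefault(
                m.group(1), {"blocked_on": None, "waited": set(), "holds": set()})
            continue
        if cur is None:
            continue
        m = WAIT_RE.match(line)
        if m:
            kind, addr = m.groups()
            cur["waited"].add(addr)
            if kind != "on":          # "waiting on" is Object.wait(), not contention
                cur["blocked_on"] = addr
            continue
        m = LOCKED_RE.match(line)
        if m:
            cur["holds"].add(m.group(1))
    for t in threads.values():
        # A thread inside wait() still prints "locked" for the monitor it released.
        t["holds"] -= t["waited"]
    return threads


def analyze(dump):
    """Build the wait-for graph between threads and report its cycles."""
    threads = parse_threads(dump)
    owner = {a: n for n, t in threads.items() for a in t["holds"]}
    waits_for = {n: owner[t["blocked_on"]] for n, t in threads.items()
                 if t["blocked_on"] in owner and owner[t["blocked_on"]] != n}
    cycles, done = [], set()
    for start in waits_for:
        path, node = [], start
        while node in waits_for and node not in done and node not in path:
            path.append(node)
            node = waits_for[node]
        if node in path:              # walked back into our own path: a cycle
            cycles.append(path[path.index(node):])
        done.update(path)
    in_cycle = {n for c in cycles for n in c}
    behind = []                       # threads queued behind a deadlocked thread
    for n in waits_for:
        node, hops = n, 0
        while node in waits_for and node not in in_cycle and hops < len(waits_for):
            node, hops = waits_for[node], hops + 1
        if n not in in_cycle and node in in_cycle:
            behind.append(n)
    return {
        # HotSpot prints this banner itself when it detects a deadlock; it also
        # covers java.util.concurrent locks, which the frame lines above do not.
        "jvm_reported": "Java-level deadlock" in dump,
        "cycles": cycles,
        "blocked_behind": sorted(behind),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_DUMP))
```

A non-empty `cycles` list, or `jvm_reported` being true, corresponds to the deadlock case in which the notes say a Manager restart may be needed; `blocked_behind` lists the threads stalled behind it, which is where the throughput drop shows up.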

In summary, these issues involve managing content stages, resolving errors related to search indexes, and optimizing performance for long-running queries and large data sets in ArcSight Express.

Summary of Issues:

  • **NGS-3825**: If an event exceeds 32 KB, it won't be persisted due to size constraints.

  • **NGS-3803**: The `arcsight manager-reload-config` command fails to dynamically reload the configuration; a restart of the Manager is required for changes in `config/server.properties`.

  • **NGS-3771**: A new feature automatically deactivates user accounts inactive for more than 90 days. Run `arcsight managersetup` after installation, then restart the Manager. To change the inactivity period, update `auth.user.account.age=` in `server.properties` and restart the Manager.

  • **NGS-1937**: The Archive tool may fail to import entries into an active list due to transient errors; a workaround is re-importing the package.

  • **NGS-1449**: Shutting down services with the `arcsight_services` command can cause exceptions in the log, but these are ignorable issues related to shutdown order.

  • **NGS-264**: Integration with iDefense may result in garbled Case notes when creating a Case in ArcSight Express; alternative views exist in iDefense or the Event Inspector panel.

  • **NGS-172**: Base events do not automatically get annotated after rules trigger; manual annotation is required as a workaround.

ArcSight Web Issues:

  • **ESM-41321**: Reports with the hash character "#" in their name may display incorrectly; remove the "#" from the report name.

  • **ESM-35801**: Setting the Estimated Resource Time for a Case in ArcSight Web does not apply; define this setting on the Console as per online Help instructions.

The ArcSight Express 4.0 release notes address several issues affecting its user interface and functionality on both the web and console interfaces. The primary issue reported involves Query Viewer charts displayed on the ArcSight Web dashboard, which do not impose a row limit like they do on the ESM Console. This results in unreadable charts when there are more than 100 rows due to improper display of data beyond the first 100 rows. As a workaround, users can set a row limit of 100 for specific Query Viewers within the ArcSight Console.

Another significant issue is related to running the 'sendlogs' command, which should ideally be executed from either the ArcSight Console or the Manager directory on Unix-based systems like Linux. Running it from the ArcSight Web directory does not collect remote logs properly, leading to incomplete log data collection. The recommended workaround involves using the console instead of the web interface for this task.

Other issues include incorrect display handling in ArcSight Web when clicking the Knowledge Base link and displaying newline characters as literal '\n' in the login banner rather than adding a new line. Additionally, there is no user-configurable banner support within the Management Console to customize login messages. Lastly, a rare occurrence of the restorearchives command potentially failing under certain conditions has been noted but with no specific workaround provided beyond general system stability practices.

The text discusses two issues related to ArcSight systems and their solutions:

1. **Database Space Management:**

  • If a database fills up, there are several ways to free up space:

  • Delete any unused trends, which will remove data associated with those trends.

  • Reduce the retention period of specific trends; older data falling outside this range will be removed automatically when the trend runs next time.

  • Examine and manage session lists by running a command to remove data older than specified times, affecting all system sessions.

2. **Archive Restoration:**

  • Only a single CORR-Engine can restore an archive. Combining archives from multiple engines is not recommended.

Additionally, there's information about handling corrupted Connector Management configuration due to unexpected shutdowns, suggesting regular backups and how to restore them using the 'Export Remote Management Configuration' feature.

In summary, the text provides guidance on maintaining system performance by managing database space and restoring configurations post-corruption for ArcSight Express 4.0 related issues.

The provided information is related to ArcSight Express Release Notes for version 4.0 and discusses several issues with configuration settings, connectors, and asset management within the software. Here are the key points summarized:

1. **Configuration Directory and Service Start**: There is a configuration file (nfig.xml) located in `/opt/arcsight/conapp/userdata/conapp`. To properly configure the system, start the `conapp` service after ensuring it is installed and configured correctly. This includes uploading the Remote Management Configuration as per customer saved settings, which can be done through specific menu options in the navigation tree of the ArcSight Console.

2. **Connectors Issues**: There are multiple issues reported with connectors:

  • **Setting eventpollcount for hosts**: The setting does not retain after deleting some Windows hosts from the agent setup wizard, requiring a workaround where the Manager's certificate should be imported manually if auto-import fails.

  • **Syslog SmartConnector disk space issue**: If it runs out of disk space, it may lose events permanently until restarted, which has a documented workaround to import the certificate manually as per the Configuration Guide instructions.

  • **Auto-import of Manager's certificate in FIPS with Suite B mode**: This does not work automatically and requires manual intervention by importing the certificate for the connector.

  • **Asset Model Import Connector identification issues**: It fails to uniquely identify assets, requiring an External ID, resource ID, or URI to update existing assets.

3. **Upgrading Connectors on Windows Machines**: While upgrading a connector from the ArcSight Console on Windows machines, if any process is using the connector's 'current' folder, the upgrade will fail. The workaround involves ensuring no files in the 'current' folder are open and not starting connectors via the command `arcsight agents`.

4. **Release Notes Context**: These issues and workarounds are part of ArcSight Express Release Notes for version 4.0, detailing specific problems encountered during configuration or operation that users might face along with suggested solutions to mitigate these issues.

The error log entry NGS-4712 indicates an issue with MySQL where a query execution failed due to insufficient disk space during the process, possibly caused by large event time ranges or concurrent usage. A possible solution is reducing the event time range of the query for faster execution and preventing potential conflicts. For troubleshooting trends, refer to specific tuning sections in the administrator's guide.

NGS-5255 from the upgrade procedure mentions an error during resource migration that prevents import of the appliance post-install archive. To resolve this, consult the MigrateTo_CORRE.pdf document for guidance on troubleshooting and recovery steps.

Upon upgrading to ArcSight Express 4.0 (AE 4.0) from version 3.0, NGS-5128 alerts users to an empty group named "Trends" under a specific path in the system health section. This is normal and can be safely managed or ignored as it does not affect operations.

Lastly, post-upgrade, NGS-5050 notes that certain rules might be disabled automatically; they need to be manually enabled according to user discretion, specifically targeting those related to case management in ArcSight Express 4.0.

This summary outlines several issues related to resource upgrades, user access permissions, and data monitors during the transition from ArcSight Express (AE) 3.0 to AE 4.0, as well as minor exceptions in logs due to deprecated resources. The upgrade process for ACLs in user groups led to some users still having access to outdated resources like /All Queries, which were replaced by /All Queries/ArcSight Express post-upgrade. Additionally, certain data monitors might have been disabled after the upgrade and require reactivation before use.

The provided text is a summary of release notes for ArcSight Express version 4.0. It discusses several issues and changes that were addressed in the software update, including problems with installation, log file errors, configuration issues, and localization problems. Here's a breakdown:

### Issues and Changes Discussed:

1. **Installation Problems:**

  • **NGS-3445:** In some cases, the Installer panel may falsely report successful installation even if the Web Server fails to start. The administrator should refer to the manual configuration guide for starting the Web Server manually.

  • **NGS-3322:** Due to timing issues during startup, harmless error messages appear in the log files such as "java.io.IOException: end of communication channel" and "java.nio.channels.ClosedChannelException." This could be related to component initialization order or dependencies.

  • **NGS-3067:** During the First Boot Wizard configuration for the product, using an incorrect IP address or unresolved hostname in the Manager Hostname panel can lead to failure during ArcSight Web configuration. Correcting the manager's hostname or IP address is crucial for successful installation.

2. **Localization Issues:**

  • **NGS-4220:** In Traditional Chinese localized environments, reports displayed garbled characters. The issue is not detailed further, but a workaround is provided: log into the ArcSight Console to resolve the problem in the localized environment.

### Summary of Actions and Recommendations:

  • **Manual Configuration for Web Server:** If the installation does not proceed as expected due to issues starting the Web Server, refer to the Administrator's Guide for manual configuration steps.

  • **Check Log Files for Errors:** Review log files for error messages that might indicate startup problems or communication issues between components.

  • **Correct IP Address/Hostname in Configuration:** Ensure that IP addresses and hostnames used during setup are accurate and correctly resolved, as incorrect configurations can lead to installation failures or other operational issues.

  • **Logging into ArcSight Console:** For localization issues, especially in languages not commonly supported by software, logging into the ArcSight Console might provide a temporary workaround or direct access to fix the issue within the application settings.

This summary provides actionable insights for users and administrators of ArcSight Express 4.0, highlighting critical issues that need attention during updates or installations.

This document outlines steps to create a report with Chinese characters using ArcSight Express, along with troubleshooting tips for specific issues in the software. Key points include:

1. **Report Creation**:

  • Create a report titled in Chinese.

  • Select an appropriate template and open it in the designer mode.

  • Edit the header and other fields to display Chinese characters.

  • Set fonts to Arial Unicode for Chinese character support.

  • Save the modified template.

  • Generate the report in PDF format.

  • Verify the output using Acrobat Reader version 9 to ensure proper display of Chinese characters.

2. **Technical Issues**:

  • For non-English locales, only English usernames and passwords are supported due to character encoding issues during authentication.

  • **NGS-5361**: Clicking Connector Management in the Management Console fails to load the Connector Management Panel, requiring a restart of the Connector Management service using the command `/sbin/service arcsight_services restart conapp`. Refer to the Administrator's Guide for details.

  • **NGS-5134**: Entering passwords longer than 16 characters in the ArcSight Web Console results in inability to log into the Management Console due to password field limitations.

  • **NGS-4460**: Attempting to upload a new background image in the Dashboard panel encounters an error message indicating an issue with setting the uploaded image as the background. No immediate workaround is provided for this issue.

  • **NGS-3892**: Dashboards featuring Data Monitors of type 'System Monitor' or 'System Monitor Attribute' display only the first 100 rows, regardless of data availability.

  • **NGS-3858**: The minimum and default heap size settings for ArcSight Express 4.0 Management Console are noted but do not detail a specific problem other than configuration details.

This document is intended to assist users in configuring and troubleshooting the software effectively, particularly when dealing with non-English language support and specific interface behaviors.

The document outlines several issues and recommendations for using an ArcSight product, specifically mentioning configurations or behaviors in the Management Console. Here are the summarized points:

1. **Heap Size Configuration**: The system has a maximum heap size of 16 GB, but this can be adjusted based on available memory. If attempting to configure beyond 16 GB, contact HP ArcSight Customer Support due to inaccurate error messages in the Management Console.

2. **Image Dashboard Display Issues**: NGS-3084 indicates that global variable fields might not display correctly in an Image Dashboard. This could be related to refresh rates set too low or network issues causing frequent refreshes, which can impact browser performance and dashboard behavior. Setting a higher refresh rate should resolve this issue.

3. **Unsupported 3D Bar Charts**: NGS-2301 notes that the Management Console does not support 3D bar charts, potentially affecting certain visualizations within the console.

4. **Custom Cells in Advanced Permissions**: NGS-1582 warns about a hidden folder called customCells appearing under personal folders in the Advanced Permissions dialog if customCells have been created using the ArcSight Console. It is advised not to change ACL settings on this folder as it impacts custom cells functionality.

5. **Query Viewer Performance**: NGS-1451 suggests that having a large row limit in query viewers within custom view dashboards can cause browsers to hang during loading. To prevent this, keep the row limit below 100 before viewing the dashboard in a custom layout format.

6. **Administrator Privileges for Management**: NGS-1283 states that access to user/connector management features requires administrator privileges.

7. **Missing Notification Groups Attribute**: NGS-1275 reports that the Notification Groups attribute is missing from the Connector Management page, with a workaround provided using the ArcSight Console through the Configure Connector option.

8. **Blank Screen Issue in Management Console**: NGS-1256 describes an occurrence of blank screens after navigating into modules within the Management Console when using it.

These issues and recommendations are part of a larger document, likely detailing updates or known problems with ArcSight Express Release Notes 27 (ArcSight Express 4.0), providing guidance for users to avoid these issues or manage them effectively.

The text provides information about several issues related to different software applications, primarily focusing on updates, browser compatibility, user interface (UI) interactions, and performance concerns. Here's a summary of the key points mentioned in the provided passage:

1. **Browser Refresh Workaround**: For users experiencing login failures in Firefox browsers due to a lack of GWT permutation headers, there is a workaround available. Adding the property "cross.domain.enabled=true" to the `server.properties` file and restarting the Manager can resolve this issue. This change enables cross-domain requests which are crucial for proper functioning when dealing with GWT permutations.

2. **Firefox Browser Issue with GWT Headers**: In some versions of Firefox, there is an issue where headers starting with "x" (like GWT permutation headers) might be dropped occasionally, leading to a security exception ("java.lang.SecurityException: Blocked request without GWT permutation header") and login failures. This problem occurs because the browser drops these required headers which are necessary for proper authentication in some applications.

3. **NGS-1254 Issue Resolution**: To address this issue, add "cross.domain.enabled=true" to your server properties and restart the Manager. This step is a temporary workaround until the underlying problem with Firefox's handling of headers is resolved by updating or fixing the browser itself.

4. **Keyboard Shortcut for Docked Items in NGS-277**: Users reported difficulty in selecting docked items using keyboard shortcuts, but only through mouse interactions. The issue arises because the UI might not register key presses when icons are docked, making it necessary to use a pointing device instead of just pressing keys.

5. **Java InterruptedException in Pattern Discovery (ESM-35048)**: Occasionally, during scheduled pattern discovery jobs, there is a "java.lang.InterruptedException" logged in the Manager's server logs. This issue arises due to an incorrect database pooling time-out mechanism, which does not impact the actual functionality but generates unnecessary log entries and can be ignored safely since it has no adverse effects on system performance or tasks.

6. **Pattern Discovery Performance Issues (NGS-3527)**: When running a high EPS (events per second) system, pattern discovery jobs can become resource-intensive, potentially causing degradation in performance and failure to return matching results due to the increased load. To mitigate this, ArcSight advises reducing either the number of events or the frequency of these jobs.

In summary, while these issues are specific to certain versions of software applications, particularly related to browser interactions, UI design, and resource management for tasks like pattern discovery, there are suggested workarounds provided in the text that can help users navigate around these limitations until updates or fixes become available from the developers.
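Two of the workarounds above change the Manager's `server.properties`: the NGS-1254 setting `cross.domain.enabled=true`, which the notes call temporary, and the NGS-3771 inactivity setting `auth.user.account.age`. The following added example (not part of the release notes or of ArcSight) audits a copy of that file for both. It assumes the file follows `java.util.Properties` syntax and that `auth.user.account.age` is expressed in days; the sample file contents are constructed.

```python
"""Audit a server.properties copy for the settings named in these notes."""
import re

# Constructed sample file; the values are invented for the example.
SAMPLE_PROPERTIES = """\
# Manager settings
auth.user.account.age = 365
cross.domain.enabled=false
! workaround for NGS-1254, added during Firefox login failures
cross.domain.enabled : true
"""

DEFAULT_INACTIVITY_DAYS = 90  # default stated in the notes (unit assumed: days)
# key, then an optional '=' or ':' separator, then the value
LINE_RE = re.compile(r'^((?:\\.|[^\s:=\\])+)\s*[:=]?\s*(.*)$')


def parse_properties(text):
    """Return [(first line number, key, value)] using Properties line rules."""
    entries, pending, start = [], "", 0

    def flush():
        m = LINE_RE.match(pending)
        if m:
            # Trailing spaces are dropped so a padded value is still audited.
            entries.append((start, m.group(1), m.group(2).rstrip()))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not pending:
            if not line or line[0] in "#!":   # blank line or comment
                continue
            start = lineno
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        pending += line
        flush()
        pending = ""
    if pending:                               # file ended on a continuation
        flush()
    return entries


def audit(text):
    """Return [(key, message)] for settings a reviewer should look at."""
    effective, lines = {}, {}
    for lineno, key, value in parse_properties(text):
        effective[key] = value                # the last definition wins
        lines.setdefault(key, []).append(lineno)
    findings = []
    for key in ("cross.domain.enabled", "auth.user.account.age"):
        if len(lines.get(key, [])) > 1:
            findings.append(
                (key, "defined on lines %s; the last one is effective" % lines[key]))
    if effective.get("cross.domain.enabled", "").lower() == "true":
        findings.append(("cross.domain.enabled",
                         "NGS-1254 workaround is active; it is documented as temporary"))
    age = effective.get("auth.user.account.age")
    if age is not None:
        if not re.fullmatch(r"[0-9]+", age) or int(age) == 0:
            findings.append(("auth.user.account.age",
                             "not a positive integer: %r" % age))
        elif int(age) > DEFAULT_INACTIVITY_DAYS:
            findings.append(("auth.user.account.age",
                             "inactivity window of %s exceeds the default of %d"
                             % (age, DEFAULT_INACTIVITY_DAYS)))
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE_PROPERTIES):
        print("%s: %s" % (key, message))
```

Treating a value above 90 as a finding is a review policy chosen for this example, not a rule from the release notes.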

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be answered.
