ArcSight Compare Two Rule Folder Contents
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
The provided document outlines a method for comparing the structure of two folders used by ArcSight ESM (Extended Systems Manager) instances, focusing on rule folder structures between different or even the same instances. The script is designed to be run on a Linux machine and compares HTML exports from the two folders. It identifies discrepancies in rule names but does not check the content or status of the rules.
### Key Points
1. **Purpose**: Automate the process of checking if folder structures (rule names) are identical between two ArcSight ESM instances, either for different environments or within a single instance.
2. **Requirements**: A Linux machine with access to both ESM instances and permissions to export rule folders as HTML for transfer to the Linux server.
3. **Limitations**: Does not compare rule content or status; only checks folder structure (names of rules).
4. **Procedure**: Export rule folders from ArcSight ESM as HTML, transfer these files to a Linux server, and run the `compare.sh` script to compare them based on rule names.
5. **Output**: Lists rules that are present in one instance but missing in the other.
### Script Explanation
- The script removes specific HTML tags from the exported HTML files of two instances.
- It then compares the cleaned content for differences, identifying which rules (based on names) are absent from each instance.
- It outputs the rules found only in one instance and the rules found only in the other.
This tool is a basic method to verify structural similarities between ESM rule folders and does not replace detailed analysis of individual rule configurations.
Details:
This document provides a method for comparing the contents of two ESM (Extended Systems Manager) folders, specifically designed to work with ArcSight ESM instances. The script is developed to ensure that the folder structure and rule names are identical between two instances, though it does not check the content or status of the rules.
### Introduction
The script is intended for environments where there are two ArcSight ESM instances in production, which are manually synced using .arb packages. To automate this process, a quick check to ensure folder structure similarity was developed. This script compares HTML exports from two rule folders across different instances or even within the same instance.
### Use Case
The script is designed for comparing two ArcSight ESM instances' rule folders by exporting their contents as HTML and then using a shell script to compare these exports. It can also be applied to sync folder structures within a single ESM instance.
### Requirements
To execute the script, a Linux machine with access to both ESM instances is required. The user must have permission to export rule folders to HTML format from the ArcSight ESM console and transfer the generated HTML files to the Linux server hosting the compare.sh script.
### Limitations
**Content Comparison**: This script does not check the actual content of the rules; it only compares rule and group names.
**Rule Properties**: It cannot detect changes in rule parameters, configurations, or status (enabled/disabled).
### Creating the HTML Rule Export
To use this script:
1. Right-click on the desired rule folder within the ArcSight ESM console and select "Export to HTML".
2. Transfer the generated HTML files to the Linux server where the compare.sh script is installed.
### Sample Output
The script outputs any discrepancies between the two HTML exports, listing rules that are missing in either of the folders.
### Compare.sh Script Explanation
**Script Execution**: Takes two HTML file inputs and compares them based on rule and group names.
**File Handling**: Extracts relevant information (group and rule names) from each HTML file.
**Output Comparison**: Lists rules that are present in one ESM but missing in the other, without evaluating rule content or status.
### Conclusion
This script provides a basic method for verifying folder structure similarity between two ArcSight ESM instances. It is useful for manual checks before automated syncing methods are implemented and does not replace detailed inspection of individual rules within these folders.
This script processes two files (`${file1}` and `${file2}`) by removing specific HTML tags and the pattern `\{.*\}` from their contents. It then temporarily stores the cleaned-up versions in `.folder.tmp`. After that, it compares the rules between the two files using `fgrep` to find missing rules:
1. Cleans up the content of `${file1}` by removing tags and saving it as `${file1}.folder`.
2. Cleans up the content of `${file2}` by removing tags and saving it as `${file2}.folder`.
3. Finds and prints "Rules Missing in ESM 1": rules present in `${file2}` but not in `${file1}`.
4. Finds and prints "Rules Missing in ESM 2": rules present in `${file1}` but not in `${file2}`.
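The following is an added, runnable reconstruction of that procedure (tag stripping, `.folder` files, fixed-string grep in both directions); it is not the author's `compare.sh`. The HTML layout written by `make_samples` and the `sed` patterns are constructed assumptions, since real ArcSight exports use different markup.

```shell
#!/bin/sh
# Added example, not the author's compare.sh: compare rule and group names
# from two ArcSight ESM HTML folder exports. The sample markup below is
# constructed; adjust the sed patterns to the markup of a real export.

# One name per line: strip HTML tags and {...} fragments, trim whitespace,
# drop empty lines and de-duplicate (sort -u also makes the order stable).
extract_names() {
    sed -e 's/<[^>]*>//g' -e 's/[{][^}]*[}]//g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | sort -u
}

# Names present in export $2 but absent from export $1. Cleaned lists are
# kept beside the inputs as <file>.folder, like the original script;
# grep -F -x matches whole lines literally, so names are never regexes.
missing_in_first() {
    extract_names "$1" > "$1.folder"
    extract_names "$2" > "$2.folder"
    grep -F -x -v -f "$1.folder" "$2.folder" || true
}

# Report in both directions, mirroring the original script's two sections.
compare_exports() {
    echo "Rules Missing in ESM 1:"
    missing_in_first "$1" "$2"
    echo "Rules Missing in ESM 2:"
    missing_in_first "$2" "$1"
}

# Constructed sample exports esm1.html and esm2.html in directory $1.
make_samples() {
    cat > "$1/esm1.html" <<'EOF'
<html><body><h1>Rules {folder export}</h1>
<table><tr><td>Group: Authentication</td></tr>
<tr><td>  Failed Login Burst  </td></tr>
<tr><td>Group: Network</td></tr>
<tr><td>Port Scan Detected</td></tr></table></body></html>
EOF
    cat > "$1/esm2.html" <<'EOF'
<html><body><h1>Rules {folder export}</h1>
<table><tr><td>Group: Authentication</td></tr>
<tr><td>Failed Login Burst</td></tr>
<tr><td>Brute Force Login</td></tr></table></body></html>
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
compare_exports "$dir/esm1.html" "$dir/esm2.html"
```

Because only names are compared, a rule that exists on both sides with different conditions or a different enabled state is reported as identical, which is the limitation the page describes.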
