
Arcsight Database Installation Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 12 min read

Summary:

The document summarized here records the file layout of the ArcSight Oracle instance so that a rebuilt server can match it. The last four groups of files in that layout are:

### Part 1: Event index files (event_index12)

  • **Directory**: `/tjx/arcsight_prod/oradata/event_index12/`

  • **Files**: `arc_event_index_001.dbf` to `arc_event_index_004.dbf`. These are data files of the ArcSight event index tablespace; the indexes make event lookups fast during incident investigation and reporting.

### Part 2: Temporary files (event_index13)

  • **Directory**: `/tjx/arcsight_prod/oradata/event_index13/`

  • **Files**: `arc_temp_000.dbf` to `arc_temp_004.dbf`. These make up the ArcSight temporary tablespace, which Oracle uses for sorts and other intermediate results that do not fit in memory.

### Part 3: Undo files (event_index14)

  • **Directory**: `/tjx/arcsight_prod/oradata/event_index14/`

  • **Files**: `arc_undo_001.dbf` to `arc_undo_016.dbf`. These hold undo records, which Oracle uses to roll back transactions and to give queries a consistent view of data that other sessions are changing.

### Part 4: Redo log files

  • **Directory**: `/tjx/arcsight_prod/redologs/`

  • **Files**: `redo01.log`, `redo02.log`, `redo03.log`, `redo04.log`. The online redo logs record every change made to the database so that committed transactions can be replayed after an instance crash. Note that the directory names describe the mount points, not the contents: `event_index13/` and `event_index14/` hold the temporary and undo files, not event indexes.

Details:

This document describes how to install the ArcSight ESM (Enterprise Security Manager) Database component on Oracle Database software. It was written for one scenario: a server outage has left the existing installation unrecoverable and the database has to be rebuilt from scratch (TJX SOC, August 2010). The executive overview explains how the document relates to other IT processes and what it leaves out: restoring hardware or the operating system, changes to the OS environment after installation, and incremental updates are not covered.

The installation has two parts: installing the ArcSight Database component (which also lays down the Partition Archiver) and initializing the ArcSight Oracle instance. Installing the Oracle software itself is explicitly out of scope; TJX DBSG documentation covers installing and recovering Oracle.

Section 1 walks through the installation of the ArcSight Database component with annotated screenshots of each step. It assumes a fresh install and does not cover resuming from a backup, which would apply if an existing but unrecoverable installation had been restored from backups.

The installer is downloaded from the ArcSight customer support portal and run on the Linux database server. The wizard is graphical, so the session needs an X display, for example Xming on the administrator's workstation with X11 forwarding through PuTTY. The wizard asks for an installation location and then offers an Oracle software installation phase. Unless the ArcSight installer is used for Oracle, the Oracle software must be installed separately by DBSG personnel, and TJX requires the separate install. When the main software install completes, the Partition Archiver is installed but not yet configured.

Summary of the Oracle software and ArcSight initialization steps documented for TJX DBSG:

1. **Installation of Oracle Database:**

  • TJX DBSG installed the Oracle 10g (10.2.0, 64-bit) software, obtained from the ArcSight customer support portal download page.

  • Refer to TJX DBSG's documentation for the detailed installation and recovery procedure for the Oracle Database on this server; the rest of the document assumes the configuration matches the screenshots exactly.

2. **Initialization of ArcSight:**

  • This section covers initializing the ArcSight Oracle instance. It requires that Section 1 (installation of the ArcSight Database component) has completed successfully and that the Oracle Database is operational.

  • Refer to TJX DBSG's installation and recovery documentation as needed during this process.

3. **ArcSight Installation Wizard:**

  • The ArcSight Database Installation Wizard is launched, resuming after a successful installation of the database component in Section 1.

  • A silent-installation properties file was generated from this install to simplify future setups; it is kept by TJX DBSG's point of contact on an office desktop PC. Because such a properties file records the answers given in the wizard, it normally contains the database passwords in clear text and should be protected in the same way as the password record itself.

In summary, this documentation covers installing Oracle Database and initializing ArcSight for TJX DBSG, using the Section 1 installation as its starting point; the silent-install properties file lets a later rebuild reuse the answers from a previous successful installation. The initialization steps in the ArcSight Installation Wizard are:

1. **Configuration details**: Confirm that the Oracle Database software installation from Section 1 is complete, then continue with the ArcSight configuration in the Installation Wizard.

2. **Verification and corrections**: Verify every selection in the wizard; use the "Previous" button to correct mistakes before moving forward.

3. **ArcSight Oracle instance parameters**: Enter the parameters for the ArcSight Oracle instance.

4. **Server file locations**: Specify the initial server file locations.

5. **REDO log archiving**: The Oracle REDO log archiving option is not selected in this setup. The instance therefore runs in NOARCHIVELOG mode: online (hot) backups and point-in-time recovery are not available, and recovery is limited to restoring the most recent consistent backup of all database files.

6. **Passwords**: The database administrator and ArcSight user passwords are held by TJX DBSG and are not recorded in the document.

7. **Oracle Enterprise Manager**: The Oracle license embedded with ArcSight does not cover Oracle Enterprise Manager, so it is not used.

8. **Data tablespace file location**: Specify the location and size of the data tablespace file used by ArcSight ESM (Enterprise Security Manager).

9. **Additional files**: The wizard also provides a command for adding more files to the system tablespace later if needed.

Each wizard step is documented so that file locations and passwords are set correctly.
The wizard then creates one initial data file for each ArcSight tablespace: system data, system index, event data, event index, temporary, and undo. For each it asks for a location and a size and creates the file immediately; the rest of the storage is added after the installation. This keeps the install short and avoids allocating the full disk footprint up front. When the last of the prompts confirming each data file has been answered, the ArcSight Database component installation is complete, the instance is operational, and the ArcSight ESM Manager can be installed.

The remainder of the document records the file system mount points and the database files stored under them on the Database Server at the time of writing, so that a rebuilt server can be laid out the same way. Files that the single-file install does not create are added incrementally afterwards with the ArcSight ESM Manager command `arcsight database xts`.

All of the files below belong to a single Oracle instance. They are spread over many mount points under `/tjx/arcsight_prod/oradata/` for capacity and I/O reasons, not because several instances share the storage.

| Mount point | Files |
| --- | --- |
| `/tjx/arcsight_prod/oradata/event_data1/` | control files (`control01.ctl`, ...), `sysaux01.dbf`, `system01.dbf`, `temp01.dbf`, `tools01.dbf`, `undotbs01.dbf`, `users01.dbf` |
| `/tjx/arcsight_prod/oradata/event_data2/` to `event_data8/` | `arc_event_data_001.dbf` to `arc_event_data_010.dbf` in each directory |
| `/tjx/arcsight_prod/oradata/event_data9/` | `arc_event_data_001.dbf` to `arc_event_data_004.dbf` |
| `/tjx/arcsight_prod/oradata/event_index1/` | `arc_event_index_000.dbf` and the `ARC_SYSTEM_INDEX_*.dbf` files (the listing ends at `ARC_SYSTEM_INDEX_007.dbf`) |
| `/tjx/arcsight_prod/oradata/event_index2/` | `arc_event_index_001.dbf` to `arc_event_index_009.dbf` |
| `/tjx/arcsight_prod/oradata/event_index3/` to `event_index5/` | `arc_event_index_001.dbf` upward; the surviving listing for `event_index5/` ends at `arc_event_index_009.dbf` |
| `/tjx/arcsight_prod/oradata/event_index6/` to `event_index8/` | `arc_event_index_001.dbf` to `arc_event_index_009.dbf` in each directory |
| `/tjx/arcsight_prod/oradata/event_index9/` to `event_index11/` | `arc_event_index_001.dbf` to `arc_event_index_008.dbf` in each directory |
| `/tjx/arcsight_prod/oradata/event_index12/` | `arc_event_index_001.dbf` to `arc_event_index_004.dbf` |
| `/tjx/arcsight_prod/oradata/event_index13/` | `arc_temp_000.dbf` to `arc_temp_004.dbf` |
| `/tjx/arcsight_prod/oradata/event_index14/` | `arc_undo_001.dbf` to `arc_undo_016.dbf` |
| `/tjx/arcsight_prod/redologs/` | `redo01.log`, `redo02.log`, `redo03.log`, `redo04.log` |

Two things are worth noting about the layout. First, the directory names describe the mount points, not the contents: `event_index13/` holds the ArcSight temporary tablespace files and `event_index14/` the undo files. Second, the files have the usual Oracle roles. The control files record the physical structure of the database and must be present for it to open. `system01.dbf` and `sysaux01.dbf` hold the data dictionary and auxiliary metadata. `temp01.dbf` and the `arc_temp_*.dbf` files are temporary tablespaces for sorts and intermediate results. `undotbs01.dbf` and the `arc_undo_*.dbf` files hold undo records used to roll back transactions and to keep reads consistent. `users01.dbf` and `tools01.dbf` hold user and tool data. The `arc_event_data_*` and `arc_event_index_*` files hold the ArcSight event rows and their indexes. The redo logs record every change so that committed transactions can be replayed after a crash; Oracle writes them in a fixed circular order, which is why the group is kept together.

Because redo log archiving is not selected in this setup and every control file in the listing sits under `event_data1/`, loss of that one mount point cannot be recovered from online: the instance can only be brought back from the most recent consistent backup of the whole layout. The table above is therefore also the checklist for that backup and for verifying a rebuilt server before the instance is initialized.
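As an added example (not part of the TJX/ArcSight document), the following POSIX shell script turns the table above into a checklist for a rebuilt server: it regenerates every expected path, reports the ones that are missing, and warns when all control files it finds sit on a single mount point. Two assumptions are labelled in the code: the file ranges for `event_index3/` to `event_index5/` are copied from the neighbouring directories because the page's listing for them is incomplete, and for `event_index1/` only the two files the page actually names are checked. The optional ROOT argument lets the check run against a staging copy instead of the live `/tjx` tree.

```shell
#!/bin/sh
# Added example; not from the TJX/ArcSight document. Rebuilds the expected
# ArcSight/Oracle datafile layout from the mount-point table and verifies a
# restored server against it before the ArcSight Oracle instance is initialized.
#
# Assumptions: event_index3..5 ranges copied from neighbouring directories (the
# page's listing for them is incomplete); event_index1 checks only the two files
# the page names.

# Emit DIR/PREFIX_NNN.dbf for NNN from FIRST to LAST, zero-padded to 3 digits.
seq_files() {
    dir=$1; prefix=$2; i=$3; last=$4
    while [ "$i" -le "$last" ]; do
        printf '%s/%s_%03d.dbf\n' "$dir" "$prefix" "$i"
        i=$((i + 1))
    done
}

# Print every expected file path, one per line, below ROOT (default: /).
expected_datafiles() {
    root=${1:-}
    base="$root/tjx/arcsight_prod/oradata"

    # Core Oracle files: control file, dictionary, temp, undo, users, tools.
    for f in control01.ctl sysaux01.dbf system01.dbf temp01.dbf \
             tools01.dbf undotbs01.dbf users01.dbf; do
        printf '%s/event_data1/%s\n' "$base" "$f"
    done

    # Event data: ten files in event_data2..8, four in event_data9.
    for n in 2 3 4 5 6 7 8; do seq_files "$base/event_data$n" arc_event_data 1 10; done
    seq_files "$base/event_data9" arc_event_data 1 4

    # Event index and system index files.
    printf '%s/event_index1/arc_event_index_000.dbf\n' "$base"
    printf '%s/event_index1/ARC_SYSTEM_INDEX_007.dbf\n' "$base"
    for n in 2 3 4 5 6 7 8; do seq_files "$base/event_index$n" arc_event_index 1 9; done  # 3..5 assumed
    for n in 9 10 11; do seq_files "$base/event_index$n" arc_event_index 1 8; done
    seq_files "$base/event_index12" arc_event_index 1 4

    # Temporary and undo tablespaces live under the "event_index" mount points.
    seq_files "$base/event_index13" arc_temp 0 4
    seq_files "$base/event_index14" arc_undo 1 16

    # Online redo logs; no archiving is configured in this setup.
    for n in 1 2 3 4; do
        printf '%s/tjx/arcsight_prod/redologs/redo%02d.log\n' "$root" "$n"
    done
}

# Print the expected files that are absent below ROOT.
missing_datafiles() {
    expected_datafiles "$1" | while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\n' "$path"
    done
}

# Count distinct directories holding control files below ROOT. A result of 1
# means every control file is on one mount point, so losing it loses them all.
controlfile_dirs() {
    find "${1:-}/tjx/arcsight_prod" -type f -name '*.ctl' 2>/dev/null \
        | sed 's:/[^/]*$::' | sort -u | wc -l | tr -d ' '
}

# Report the result; exit status 0 when the layout is complete, 1 otherwise.
check_layout() {
    root=${1:-}
    missing=$(missing_datafiles "$root")
    if [ -n "$missing" ]; then
        printf 'MISSING:\n%s\n' "$missing"
        status=1
    else
        echo "all $(expected_datafiles "$root" | wc -l | tr -d ' ') expected files present"
        status=0
    fi
    ctl=$(controlfile_dirs "$root")
    [ "$ctl" -gt 1 ] || echo "WARNING: control files found in $ctl directory; not multiplexed across mount points"
    return $status
}

# Usage: sh check_layout.sh [ROOT]   (run as the Oracle software owner on the DB server)
if [ -n "${1:-}" ]; then
    check_layout "$1"
fi
```

Run it once with ROOT set to the backup's restore directory to confirm the backup itself is complete, and again with no argument on the rebuilt server before starting the instance; a non-zero exit status means at least one data file still has to be restored or recreated with `arcsight database xts`.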

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
