Creating and Modifying Event Files
- Pavan Raja

- Apr 8, 2025
Summary:
This document provides a step-by-step guide on how to create and modify event files for use in ArcSight using the utilities "csvconvert" and "replayfilegen". To begin, users should set up a desktop shortcut with the command "C:\arcsight\Console\current\bin\arcsight.bat replayfilegen" to access the Replay File Generator wizard. The wizard will require information such as target file location, start date, end date, and filter selection. Once connected successfully, one can modify event files by selecting events within the specified date range using a defined filter.
For those needing detailed guidance on csvconvert functionality, additional resources like "ArcSight_Event_Export_And_Modification.doc" are available. This document explains how to set up an event filter and export filtered events as CSV files, which can then be converted into replay files for specific use cases, such as updating a demo connector. It's important to carefully select filters to avoid including data from other systems like ASM or correlated ArcSight events.
The document also offers additional resources, including sample event files available through the link provided by Damian. There is also an alternative method for creating replay event files without ESM, using only the ArcSight Connector, as outlined in documentation from iRocket/ArcSight. Two resource attachments accompany the document to help users through the process: Export_Field_Set.arb and ArcSight_Event_Export_And_Modification.doc.
Details:
The article provides a guide on how to create and modify event files using two utilities, "csvconvert" and "replayfilegen". It suggests creating a desktop shortcut with the command "C:\arcsight\Console\current\bin\arcsight.bat replayfilegen" to start the Replay File Generator wizard. The wizard will prompt for target file location, start date, end date, and filter selection. After connecting successfully, one can modify event files by selecting events within the specified date range using a defined filter. It also mentions that resources like "ArcSight_Event_Export_And_Modification.doc" provide more details on csvconvert functionality.
This document outlines a process for creating and using replay event files in ArcSight, specifically tailored for those who need to extract specific data from events such as IPs or hostnames. The steps include setting up an event filter within the ArcSight system to save desired information, followed by exporting these filtered events into a CSV format which can then be converted into a replay file. This file is subsequently moved to a designated directory and used to update a demo connector for testing purposes. It's crucial to customize filters carefully to avoid unwanted data from other systems like ASM or correlated ArcSight events.
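The filter warning above can also be checked on the exported CSV before it is converted into a replay file. The following is an added example, not part of the original document or of ArcSight's tooling: it drops rows outside the chosen date range, correlated events, and events from internal vendors, and reports why each row was dropped. The column names (endTime, type, deviceVendor), the field values, the timestamp format and the sample rows are assumptions; match them to the header row of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column names and values are assumptions and
# must be changed to match the header row of your own CSV export.
SAMPLE_CSV = """endTime,type,deviceVendor,deviceProduct,sourceAddress,name
2025-04-01 10:00:00,Base,CISCO,Pix,10.0.0.5,Deny inbound
2025-04-01 10:00:05,Correlation,ArcSight,ArcSight,10.0.0.5,Rule fired
2025-04-01 10:01:00,Base,ArcSight,ArcSight,10.0.0.9,Monitor event
2025-03-01 09:00:00,Base,Snort,Snort,10.0.0.7,Old alert
2025-04-01 10:02:00,Base,Snort,Snort,10.0.0.7,Port scan
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout


def filter_export(csv_text, start, end, excluded_vendors=("ArcSight",)):
    """Return (header, kept_rows, drop_reasons) for an exported event CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, reasons = [], Counter()
    excluded = {v.lower() for v in excluded_vendors}
    for row in reader:
        when = datetime.strptime(row["endTime"], TIME_FORMAT)
        if not (start <= when <= end):
            reasons["outside date range"] += 1
        elif row["type"].lower() != "base":
            reasons["correlated or non-base event"] += 1
        elif row["deviceVendor"].lower() in excluded:
            reasons["internal vendor"] += 1
        else:
            kept.append(row)
    return reader.fieldnames, kept, reasons


def to_csv(header, rows):
    """Serialize the kept rows back to CSV text for the conversion step."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    header, kept, reasons = filter_export(
        SAMPLE_CSV, datetime(2025, 4, 1), datetime(2025, 4, 2))
    print(to_csv(header, kept), dict(reasons))
```

Reviewing the drop counts before conversion shows whether the ESM filter let through events that should not reach the demo connector.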
The document also provides additional resources, including sample event files available through the link provided by Damian. It also mentions an alternative method of creating replay event files without relying on the Enterprise Security Manager (ESM), using only the ArcSight Connector itself, as outlined in documentation from iRocket/ArcSight. Two resources are attached to guide users through this process more effectively: Export_Field_Set.arb and ArcSight_Event_Export_And_Modification.doc.
