
HP ArcSight ESM Disaster Recovery Scenarios

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This document outlines the process of version controlling Oracle Database Disaster Recovery specifically for HP ArcSight ESM 5.x, which is built on Oracle Database. The focus is on managing changes to both the database configuration and data through various scenarios and customization, requiring professional services for a tailored approach. Backup and recovery in HP ArcSight ESM involves two main methods: dumping the entire set of system tables, or periodically and selectively backing up specific resources such as Active Lists, queries, rules and dashboards. The 'archive' method is faster but captures less data due to its selective nature, while dumping the entire system tables provides a comprehensive snapshot but produces unencrypted and unobfuscated data that requires strict access control. The command `arcsight export_system_tables` is used for exporting system tables on Oracle versions of ESM, and `import_system_tables` for importing them. The output location is `/tmp` within the ArcSight Manager directory, and the import command follows a similar structure but takes the exported SQL file as an argument. The manager must be stopped during this process. The text also covers the alternative 'archive' and 'package' methods for selective backup of certain resources, which carry warnings about potential database corruption. The commands must be run with administrative privileges and the correct password for authentication. This summary highlights command structure, output location, import process, preparation steps, limitations, and sample usage for managing system tables in HP ArcSight ESM instances.

Details:

Version control in the context of Oracle Database Disaster Recovery refers to managing changes to the database configuration and data so that systems can recover from a disaster or failure. For HP ArcSight ESM 5.x, which is based on Oracle Database, disaster recovery involves various scenarios and customization. Professional services are required to understand the specific environment and provide a custom document detailing the exact steps needed for backup and recovery.

There are two main approaches to backing up the configuration (resources like Active Lists, queries, rules, dashboards) in ESM:

1. **Dump the Entire System Tables**: Create a snapshot of all internal database tables, which captures more data than the selective method below. It is considered faster and more complete due to its comprehensive nature, but the export is unencrypted and unobfuscated, so access to the exported file must be strictly controlled.

2. **Backup Resources Periodically & Selectively**: Use the 'archive' or 'package' commands to back up specific parts of the configuration. This is generally faster than option 1 but may not capture as much data due to its selective nature.

Option 1 has advantages over Option 2 because it captures more data and is considered faster and more complete. Both options have their pros and cons; in particular, system table exports are unencrypted and unobfuscated by default.

The sample usage involves the command `arcsight export_system_tables` for exporting and importing the system tables on Oracle versions of ESM and Express. The key points for the ArcSight management command-line tools are:

1. **Command Structure**: The command to export system tables is `export_system_tables` followed by the ArcSight username, password, and MySQL database name. For example:

   ```bash
   ./arcsight export_system_tables arcsight arcsight arcsight
   ```

2. **Output Location**: The exported SQL file is saved in the `/tmp` folder within the ArcSight Manager directory.

3. **Import Command**: To import system tables, use:

   ```bash
   ./arcsight import_system_tables arcsight arcsight arcsight arcsight_dump_system_tables.sql
   ```

4. **Preparation**: When running the dump command, it waits for 30 seconds and prompts you to stop the manager. In practice, the manager should be stopped during this process.

5. **Documentation**: More details can be found in the ArcSight Manager Administration Guide under Appendix A: Administrative Commands, in the sections on `export_system_tables` and `import_system_tables`.

6. **Alternative Method (Archive/Package)**: Certain resources can be backed up selectively using commands like 'archive' or 'package'. These can be used for specific subsets of data but may exclude higher-level URIs such as `/All Users` and `/All Cases`.

7. **Command Execution**: The command provided should be run directly:

   ```bash
   ./arcsight
   ```

8. **Limitations**: The 'archive' tool, although replaced by the 'package' command, can still be used, but the ArcSight 5.2 Admin Guide warns of potential database corruption when running it in standalone mode against an active manager instance.

9. **Sample Usage**: A sample usage of the command is:

   ```bash
   ./arcsight export_system_tables arcsight arcsight arcsight <-s>
   ```

This covers the essential details and usage instructions for exporting and importing system tables in ArcSight using the command-line tools.

The archive command below exports specific data from an ESM (Event Server Manager) instance, including active channels, field sets, lists, agents, assets, zones, networks, locations, dashboards, data monitors, filters, profiles, reports, and rules. The data is exported in XML format and saved to a specified file path (`/home/arcsight/export.xml`). The command requires administrative privileges and the correct password for authentication. The command details:

  • `archive -u admin -p password`: Specifies the username (`admin`) and password (`password`) for authentication.

  • `-m exp30`: Indicates that this is an export operation, specifically version 30 of the export method.

  • `-f /home/arcsight/export.xml`: Saves the exported data to a file named `/home/arcsight/export.xml`.

  • The `-uri` options specify which components or URIs (Uniform Resource Identifiers) of the ESM instance should be included in the export, including:
      • `/All Active Channels`
      • `/All Field Sets`
      • `/All Active Lists`
      • `/All Agents`
      • `/All Assets`
      • `/All Zones`
      • `/All Networks`
      • `/All Locations`
      • `/All Dashboards`
      • `/All Data Monitors`
      • `/All Filters`
      • `/All Profiles`
      • `/All Reports`
      • `/All Rules`
      • `/All Stages`

This command is part of a larger set of administrative commands used to manage and export data from HP ArcSight systems, as outlined in the ESM Admin Guide. The guide also provides additional information under "Appendix A" which includes details about archive and package commands, although these should be used with caution due to their unsupported nature for general use without specific customization by HP ArcSight Professional Services for individual customers like BC Hydro.
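As an added example (not code from this post or the ArcSight Admin Guide), the following POSIX shell script applies the access-control caveat above to both the system-tables dump and the archive XML export: it makes the exported file owner-only, records its SHA-256 digest, and prints the import command only once the file passes a permission and integrity check. The function names, the placeholder dump path and the constructed sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the ArcSight Admin Guide: harden a dump produced by
# "./arcsight export_system_tables" (or an archive XML export) and refuse to
# import it if it was altered or left readable by other users. Paths are placeholders.

# Print the SHA-256 hex digest of a file (GNU coreutils, with a BSD fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print the octal permission bits of a file (GNU stat, with a BSD fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# The export is unencrypted and unobfuscated: make it owner-only and record its
# digest so the copy handed to import_system_tables can be checked later.
secure_dump() {
  dump="$1"
  [ -f "$dump" ] || return 1
  chmod 600 "$dump" || return 1
  sha256_of "$dump" > "$dump.sha256"
}

# Succeed only if the dump is still owner-only and its digest matches the record.
verify_dump() {
  dump="$1"
  [ -f "$dump" ] && [ -f "$dump.sha256" ] || return 1
  [ "$(mode_of "$dump")" = "600" ] || return 1
  [ "$(sha256_of "$dump")" = "$(cat "$dump.sha256")" ]
}

# Dry-run wrapper for the import step from the page: print the command only after
# the dump passes verification (replace the echo with the real call in production).
import_if_verified() {
  dump="$1"
  verify_dump "$dump" || { echo "refusing import: $dump failed check" >&2; return 1; }
  echo "./arcsight import_system_tables arcsight arcsight arcsight $(basename "$dump")"
}

# Demo on a constructed dump (not real ESM data): secure it, then detect tampering.
demo=$(mktemp /tmp/arcsight_dump_system_tables.XXXXXX)
printf 'INSERT INTO arc_resource VALUES (1, %s);\n' "'/All Rules'" > "$demo"
secure_dump "$demo" && import_if_verified "$demo"
echo '-- tampered' >> "$demo"
import_if_verified "$demo" || echo "tampering detected"
rm -f "$demo" "$demo.sha256"
```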

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
