
Installation Guide for ArcSight ESM with SQL Server Clustering in Microsoft System Center (Version 1.1)

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This summary outlines a series of steps taken to ensure the ARCSIGHT database instance is running in a clustered environment using Oracle FailSafe. The process involves several key operations, including restarting Oracle services through Windows Services Manager and utilizing the cluster administrator to bring MSCS-related Oracle services back online. After verifying standalone status and editing the initarcsight.ora file for configuration settings, the next steps involve configuring the ARCSIGHT database within Oracle FailSafe, setting up a shared disk resource group, creating necessary password files, and finalizing the setup with resource additions and confirmations.

To migrate an ArcSight ESM (Enterprise Security Manager) database from one cluster node to another, follow these steps:

1. **Shut down the current database**: First, shut down the existing database on Node A.

2. **Migrate to Node B**: Then, migrate the database from Node A to Node B. After successful migration, verify that it works correctly on both nodes (A and B).

3. **Verify Successfully Completed Operation**: Once verified, you will see a message indicating "The clusterwide operation completed successfully." Close the screen.

4. **Check Resource Listing in ARCSIGHT**: You should now see the ArcSight database listed as a resource under the HONTS5061APP group in ARCSIGHT. Right-click on this resource and select 'Verify Group' to ensure everything is set up correctly. Close the screen afterward.

5. **Check Windows Service Manager**: Within the Windows Service Manager, you should see a new service called OracleOraHome10gTNSListenerFsl that is started and set to manual.

6. **Verify Local Group Creation**: In the Computer Management MMC tool, an instance-based local group named ORA_ARCSIGHT_DBA should have been created. Check if the cluster account used for MSCS services is included in this local group.

7. **Configure as Cluster Resource**: The Oracle database is now configured as a cluster resource and can be failed over as part of the application resource group using the Oracle FailSafe Manager.

8. **Practice Failing Over**:

  • First, move the Cluster Group via the MS Cluster Administrator.

  • Then, move the APP Group via the Oracle FailSafe Manager. To do this: Right-click on the resource group containing the database and select 'Move to a Different Node' within the Oracle FailSafe Manager.

9. **Installation Complete**: Once these steps are completed successfully, the installation of ArcSight ESM with MSCS and Oracle FailSafe is complete. The ArcSight database will automatically fail over to the secondary node if the active node becomes unavailable, running on either node as needed.

Details:

**Summary of ArcSight ESM Database High Availability Configuration Guide**

This guide, dated July 22, 2008, version 1.1, provides a detailed step-by-step instruction manual for configuring the ArcSight Enterprise Security Manager (ESM) database to operate in a high availability environment using Microsoft Clustering Services and Oracle FailSafe. The document is structured as follows:

**Table of Contents**

  • Provides a navigation structure covering various sections from Overview to Installation Complete.

**Overview**

  • Explains the purpose of the guide, which is to configure ArcSight ESM database for high availability with MSCS and Oracle FailSafe.

  • Assumes an existing prebuilt cluster environment maintained by the customer’s Windows server team.

  • Does not cover how to create a MSCS cluster but focuses on installing ArcSight ESM within an established MSCS High Availability cluster.

**Assumptions**

  • The reader is expected to have a pre-existing MSCS cluster environment managed by the IT department.

**Screenshots**

  • All screenshots are presented with HOMEOFFICE as the Active Directory domain, but this should be replaced with the actual customer domain.

  • Oracle Instance name PARC03 and SID ARCSIGHT are used for demonstration purposes in the screenshots.

**Pre-Installation Preparation**

  • Lists prerequisites such as ensuring network configuration, user accounts, directory structures, and ArcSight ESM installation.

**ArcSight Install**

  • Covers installation of ArcSight ESM software on both nodes (NODE A and NODE B) of the MSCS cluster.

**Oracle 10g Install**

  • Provides instructions for installing Oracle Database 10g on both cluster nodes, detailing database instance creation, tablespace setup, and user schema deployment.

**NODE A in CLUSTER**

  • Specifies installation procedures, including creating an instance, tablespaces, and configuring Oracle FailSafe (to be covered in the next sections).

**NODE B in CLUSTER**

  • Similar to NODE A section but for Node B; includes steps like setting up directories and installing ArcSight ESM.

**Create Instance**

  • Instructions on how to set up an Oracle instance on both nodes of the cluster.

**Create Tablespaces and Schema**

  • Covers deployment of user schema across the two tablespaces created during installation.

**Oracle FailSafe Install (Oracle Services for MSCS)**

  • Explains how to install Oracle FailSafe, a free tool from Oracle used to make the database aware of the cluster setup, on both nodes.

**NODE A**

  • Focuses on configuring Oracle FailSafe on Node A, including client and manager installation.

**NODE B**

  • Follows similar steps for configuring Oracle FailSafe on Node B but differs in specific configurations required due to its role in the cluster.

**Configure Oracle FailSafe (“A” Node)**

  • Details how to configure Oracle services for MSCS on Node A, ensuring proper communication and failover mechanisms between nodes.

**Installation Complete**

  • Summarizes all previous steps and confirms that the ArcSight ESM database is now set up in a high availability configuration using Microsoft Clustering Services and Oracle FailSafe.

The document outlines the setup of a domain service account, which is used for running services and tasks in ArcSight and Oracle installations. The recommended name for this account is `\arcsight`. This account should be added to the local Administrators group on all servers within the cluster. It needs administrative privileges to execute tasks during installation and must remain an administrator to run the application and database.

Regarding directory structures, in an MSCS (Microsoft Clustering Services) HA cluster, there is shared disk space that moves between cluster nodes. For ArcSight ESM's Oracle database, Oracle will be installed on each node’s local disk, with all initialization, control, and data files configured on the shared disk. Each node has a local C: and D: drive, while the shared SAN storage mounted by MSCS forms the E: to I: drives. These shared drives were sized according to customer requirements. A specific folder structure was created on these shared disks for both Oracle (E:\arcsight\control, F:\arcsight\data) and ArcSight software (E:\arcsight\data). The folders include:

  • E:\arcsight\control - First Oracle Control File

  • F:\arcsight\control - Second Oracle Control File

  • G:\arcsight\control - Third Oracle Control File

  • E:\arcsight\data - Data folder for Oracle files

  • Specific subfolders under F:\arcsight\data (e.g., ARC_SYSTEM_DATA, ARC_SYSTEM_INDEX, ARC_UNDO, ARC_TEMP, ARC_EVENT_INDEX, ARC_EVENT_DATA)

  • I:\arcsight\data\REDO_LOGS - Folder for Oracle redo logs

This document outlines the process for installing ArcSight software and its associated Oracle 10g database on a Microsoft Clustering Services environment. The installation involves running an installer executable, choosing a specific drive to install the software, and following through with the installation wizard for Oracle 10g. Here is a summarized version of the steps:

1. **Install ArcSight Software**:

  • Double-click the installer executable: `ArcSight-4.0.1.5369.0-DB-Win.exe`.

  • Click 'Next' through the initial setup screens.

  • Choose the drive to install (E: drive, specifically `E:\arcsight\db`).

  • Click 'Next' and then 'Install'. Wait for installation completion.

  • When installed, a configuration wizard for Oracle 10g will appear. If not, you can re-launch it later by running the provided batch file.

2. **Install Oracle 10g**:

  • The Oracle 10g binaries must be installed on each cluster node independently due to Microsoft Clustering Services requirements.

  • Copy necessary files (`ArcSight-4.0.1.5369.0-DB-Win.exe` and `Oracle 10.2.0.1/2 Installation Files`) from the ArcSight support portal to each cluster node.

  • Log into one of the nodes (NODE A) and run the ArcSight database installer program, selecting "Install Oracle 10gR2 database software".

  • Follow through with the installation wizard, choosing appropriate folder locations for the Oracle source files as directed by the installer.

This process ensures that both the ArcSight software and its associated Oracle 10g database are installed correctly on each node within the cluster environment.

This document outlines the steps for installing Oracle 10g binaries on a Windows environment within a cluster setup. The process involves specifying and installing the software at a predetermined location (C:\oracle\OraHome10g) due to the requirement of having local copies of ORACLE_HOME on each node in a cluster environment, specifically for Oracle FailSafe. The installation will involve several stages where progress windows cycle through extraction, installation, and further extraction processes. Once completed, users are prompted to add the domain service account used for running Oracle FailSafe services to the ora_dba local group. The setup also includes instructions on verifying ORACLE_HOME as a system environment variable and ensuring it points to the correct path. Additionally, in a cluster environment where nodes are labeled NODE B and CLUSTER, Oracle 10g must be installed on the second node in the same location (C:\oracle\OraHome10g). This requires managing resources through Microsoft Cluster Administrator by moving all cluster resource groups to the appropriate node.

To create an Oracle 10gR2 instance on a single node in a cluster, follow these steps from NODE A to NODE B:

1. **Move Shared Resources**: Ensure all shared resources are moved to NODE A. If they are on NODE B, move them to NODE A.

2. **Disable NICs**: Disable all but the primary network interface card (NIC) on NODE A and stop the cluster service on NODE B.

3. **Launch Database Installer**: Run the script `E:\arcsight\db\bin\rundatabasesetup.bat` on NODE B to launch the DB installer.

4. **Create Instance**: In the ArcSight 4.0 SP1 database installer wizard:

  • Choose "Create and configure ArcSight Oracle 10gR2 instance."

  • Follow through the prompts for naming the instance, selecting a database template, character set, and client connections (use IP addresses only).

  • Set the ORACLE_SID to `parc03`.

  • Select the appropriate database template (`ArcSight_XXLarge.dbt`).

By following these steps, you will successfully create an ArcSight Oracle 10gR2 instance on NODE B after moving necessary resources and configuring the instance setup from NODE A.

To summarize the text provided, it outlines a series of steps for setting up an Oracle database instance within an ArcSight environment. The user is advised to choose appropriate character sets specific to their English language environment. They must then input IP addresses for clients that will connect to the database, noting that Oracle FailSafe requires IP-based entries since hostnames follow the active cluster node. Next, the user needs to specify paths for control files, data dictionary files, and redo logs. The example provided uses a SID named "parc03," but recommends using "arcsight" if there is only one environment instance. The paths specified include:

  • Control file directory path examples (E:\arcsight\control, F:\arcsight\control, G:\arcsight\control)

  • Data dictionary file directory at E:\arcsight\data

  • Redo log directory at I:\arcsight\data\REDO_LOGS.

The user is asked to enter the IP addresses for clients and provide paths for control files, data dictionary, and redo logs. They are also given instructions on whether or not to enable auto archive redo log functionality. The path for the archive log folder should be specified if enabled, with an example of I:\arcsight\ARCHIVE_LOGS.

The user is instructed to enter SYS and SYSTEM passwords and store them securely. For installation purposes, it's recommended to choose no when asked about installing Enterprise Manager and to leave the DBSNMP and SYSMAN passwords blank. After configuring these settings, the instance creation process begins automatically. Users are provided with an option to continue or cancel the setup, after which they can re-launch the wizard by running a specific batch file.

Finally, after setting up the database instance, users need to re-enable backup and heartbeat network interfaces as well as bring back the B node (HONTS5061b) into the cluster using the cluster administrator tool. The text suggests that creating tablespaces and schema should only be done on one node of a multi-node cluster to prevent database corruption, which is not discussed in detail here but implies further setup steps beyond this summary.

The provided text outlines a series of steps and screens encountered during an ArcSight database setup process, focusing on configuring Oracle settings for the database host name, instance details, and user credentials, and on defining data files for specific tablespaces. Here's a summarized breakdown of each step:

1. **Initial Screen After Wizard Launch**: If you re-launch the wizard by running the script `E:\arcsight\db\bin\rundatabasesetup.bat`, you will see a screen prompting to choose an option, in this case, "Initialize ArcSight Tablespaces, Schema and Resources." Clicking 'Next' will proceed to the next set of screens.

2. **Database Host Name and Instance Setup**:

  • Enter the IP address of the cluster for the Database Host Name, which is required for Oracle FailSafe configurations.

  • Set the Database Port to 1521.

  • Set the Database Instance to "arcsight"; however, note that the screenshot shows a different SID (System ID). This should be corrected according to the installation guide.

  • Enter the Database Admin User as "sys" and set its password using the SOC password safe database details.

  • Leave the Database User Name as "arcsight" and enter a password for the arcsight user, storing it securely.

3. **System User Configuration**: Change the System User Name to something other than "systemuser", following the ESM installation guide instructions.

4. **Tablespace Data Files Configuration**:

  • For ARC_SYSTEM_DATA tablespace: Set the Data File Path to "F:\arcsight\data\ARC_SYSTEM_DATA". Set the Data File Size and Number of Data Files based on recommended sizes provided for the customer.

  • For ARC_SYSTEM_INDEX tablespace: Set the Data File Path to "F:\arcsight\data\ARC_SYSTEM_INDEX". Configure similarly as above.

  • For ARC_EVENT_DATA tablespace: Set the Data File Path to "H:\arcsight\data\ARC_EVENT_DATA". Configure with recommended sizes and numbers of files.

  • For ARC_EVENT_INDEX tablespace: Set the Data File Path to "G:\arcsight\data\". Ensure this path is correctly specified according to the guide, as the screenshot might show a different location.

Each step involves clicking 'Next' after setting or confirming each configuration detail, ensuring all settings align with the customer-specific recommendations and guidelines provided in the ESM installation guide.

This process involves setting up data files for specific tablespace in an ArcSight database instance. The steps include defining the path, size, and number of data files for tablespaces ARC_UNDO and ARC_TEMP. Afterward, it explains that all data files will be created immediately for specified tablespaces including ARC_SYSTEM_DATA, ARC_SYSTEM_INDEX, ARC_EVENT_DATA, ARC_EVENT_INDEX, ARC_TEMP, and ARC_UNDO. The process may take up to a couple of hours to complete.

Next, the screen prompts to set partition management settings based on customer requirements, including notification levels and email addresses for notifications. It then specifies that 3 days should be waited before starting partition compression. Default settings are recommended for Partition Manager, Partition Compression, and Partition Stats Updator Runtimes. The process concludes with clicking through several "Next" buttons until reaching the finish button to complete the setup.

The final part of this document introduces Oracle FailSafe (Oracle Services for MSCS), a tool required for installing ArcSight's database as a Cluster-aware database, which is included in all Oracle 11g, Oracle 10g and Or versions. Oracle Fail Safe is a high availability software that works with Microsoft Cluster Server to automatically fail over Oracle databases and applications in case of system failure. It integrates with Microsoft Cluster Server for fast, easy, and accurate cluster configuration and verification. The software provides features like monitoring and automatic failover, ensuring minimal downtime.

For compatibility, Oracle Fail Safe 3.4.1 is available in both 64-bit and 32-bit versions. While the server version (for Windows 64-bit) supports various configurations including Microsoft Cluster Server (version 5.0 or later), Oracle Database (versions 10.2 for 10g Release 2 and 11.1 for 11g Release 1), and Oracle Management Agent (releases 10.1.0.2, 10.1.0.3), the Fail Safe Manager must run on a Microsoft Windows 32-bit client system.

Installation involves copying a zip file to the local disk and unzipping it into the designated folder. The specific steps for installation are outlined in the text provided. To summarize the process described in your text:

1. **Installation of Oracle Services for MSCS:**

  • Double click the `setup.exe` file to start the installation wizard.

  • On the first screen, click "Next."

  • Choose "Typical Install" and click "Next."

  • Change the name field to "Ofs34_home1" and set the path to "C:\oracle\Ofs34_1".

  • Click "Next" multiple times through the wizard. Remember to reboot after installation is complete.

  • Click "Install," and once installed, a configuration screen for Oracle Services for MSCS will appear.

  • Input the domain account `\arcsight` with its username and password. Ensure this account has local administrator access on all nodes in the cluster.

  • Click "OK" to confirm. Then click "Exit."

  • The software is installed at `C:\oracle\Ofs34_1\Ofs34_Home1`. Reboot the server as prompted, or when required later.

2. **Installation of Oracle FailSafe on Node B:**

  • Log into the B node and repeat all steps from NODE A, except there's no need to manually failover resources since the installation will be on the local C: drive.

  • After installing the Oracle FailSafe service (OracleMSCSServices) on Node B, it will start in a manual mode and not run automatically due to being controlled by MSCS for exclusive node usage.

3. **Installation of Oracle FailSafe Manager:**

  • Install the 32-bit version of the Oracle FailSafe Manager software since it is not supported as a 64-bit application.

This summary captures the main steps and requirements outlined in your detailed instructions, ensuring a clear understanding of the installation process for both the primary node (A) and the secondary node (B).

The provided text outlines the steps for installing Oracle FailSafe on two nodes of a cluster, referred to as "A" Node and "B" Node. Here's a summary of the process:

1. **Node A:**

  • Copy the zip file `ofs341kit_32bit.zip` to the directory `D:\Install\Apps\32bit\Oracle\FailSafe`.

  • Unzip the contents to the same folder.

  • Navigate to the unzipped folder and double-click the `setup.exe` file to initiate installation.

  • Follow on-screen prompts, including specifying an Oracle Inventory data directory (choose `C:\Program Files (x86)\Oracle32\Inventory`), selecting "Client Only" for FailSafe Manager installation, and providing a new name and path for ORACLE_HOME (`Ofs34_home1_32bit` and `C:\oracle\Ofs34_1_32bit`, respectively).

2. **Node B:**

  • Repeat the steps from Node A on the "B" Node, noting that no failover to the local machine is required since installation will be done directly on Node B's C: drive.

3. **Configure Oracle FailSafe:**

  • After successful installation, start the FailSafe Manager by navigating through the Start Menu to `Start>Ofs34_home1_32bit>Oracle FailSafe Manager`.

  • Upon startup, provide the cluster alias which should match the one used in Microsoft Cluster Administrator (e.g., HONTS5061).

This summary captures the key steps for installing Oracle FailSafe across two nodes of a cluster and configuring it using the provided instructions.

The provided text discusses the process of connecting to and verifying a cluster using Oracle FailSafe Manager. Here's a summary of the key points:

1. **Connecting to the Cluster:**

  • Oracle FailSafe Manager can connect to the cluster and allows users to explore the cluster resource tree.

  • When you single-click on the cluster resource, it shows that Oracle FailSafe Manager is not connected to the cluster in the General tab.

  • To connect, right-click on the cluster alias, select "Connect," and enter a username and password with administrative rights on all nodes.

2. **Verifying the Cluster:**

  • The first time connecting, you must run "Verify Cluster." This command checks:

  • Identical Oracle homes across all nodes.

  • Same Oracle Fail Safe release on all nodes.

  • Consistent resource providers configured identically on all nodes.

  • Resource providers are disabled if required software is not installed.

  • Consistent Host Name/IP Address mappings across all nodes in the cluster.

  • Verify Cluster also registers with Microsoft Cluster Services (MSCS) the necessary resource DLLs for supported resource types by Oracle Fail Safe.

  • Upon completion of the verify steps, you can close the "Verify Cluster" window and return to the FailSafe Manager window.

3. **Cluster Information:**

  • After verifying the cluster, you should see cluster information in the main window of the Oracle FailSafe Manager tool.

  • The Oracle FailSafe Manager has connected to both nodes in the cluster and configured it to accept commands from the tool.

  • Windows services named OracleMSCSServices are installed on each node in the cluster:

  • On node "A," verify that OracleMSCSServices is installed and running.

  • On HONTS5061b, verify that OracleMSCSServices is installed but stopped.

  • The cluster resource group should show a resource named Oracle Services for MSCS with an Online state.

In summary, the text provides step-by-step instructions on how to connect and verify a cluster using Oracle FailSafe Manager, including the verification process and post-verification steps to ensure proper configuration.

To prepare a standalone Oracle database on Node A for clustering using Oracle FailSafe, you need to follow these steps:

1. **Stop Oracle Services**: On the "A" node, take the Oracle Services for MSCS service offline using the cluster administrator and stop all running Oracle services from the Windows Services Manager.

2. **Create Necessary Folders**: Ensure that folders E:\arcsight\init\database and E:\arcsight\admin exist; if not, create them.

3. **Copy Files**: Copy all *dump folders from C:\oracle\OraHome10g\admin to E:\arcsight\admin. Also, make a backup copy of the initarcsight.ora file in C:\oracle\OraHome10g\database (renamed as initarcsight.ora.orig).

4. **Modify initarcsight.ora**: Edit the initarcsight.ora file located at C:\oracle\OraHome10g\database to point all *dump folders and other relevant paths to the new locations in E:\arcsight\admin:

  • adump = E:\arcsight\admin\adump

  • bdump = E:\arcsight\admin\bdump

  • cdump = E:\arcsight\admin\cdump

  • udump = E:\arcsight\admin\udump

  • Additionally, set max_parallel_servers=0 to ensure optimal configuration for ArcSight.

5. **Copy Modified initarcsight.ora**: Copy the modified initarcsight.ora file from C:\oracle\OraHome10g\database to E:\arcsight\init\database.

6. **Modify Network Configuration Files**: Edit the SQLNET.ORA, LISTENER.ORA, and TNSNAMES.ORA files in C:\oracle\OraHome10g\NETWORK\ADMIN to use IP addresses instead of hostnames to avoid issues with Oracle FailSafe using hostname resolution.

By following these steps, you ensure that all necessary configurations are set up for the standalone Oracle database on Node A to be ready and configured for clustering in an Oracle FailSafe environment.

This summary outlines a series of steps taken to ensure the ARCSIGHT database instance is running in a clustered environment using Oracle FailSafe. The process involves several key operations, including restarting Oracle services through Windows Services Manager and utilizing the cluster administrator to bring MSCS-related Oracle services back online. After verifying standalone status and editing the initarcsight.ora file for configuration settings, the next steps involve configuring the ARCSIGHT database within Oracle FailSafe, setting up a shared disk resource group, creating necessary password files, and finalizing the setup with resource additions and confirmations.

To migrate an ArcSight ESM (Enterprise Security Manager) database from one cluster node to another, follow these steps:

1. **Shut down the current database**: First, shut down the existing database on Node A.

2. **Migrate to Node B**: Then, migrate the database from Node A to Node B. After successful migration, verify that it works correctly on both nodes (A and B).

3. **Verify Successfully Completed Operation**: Once verified, you will see a message indicating "The clusterwide operation completed successfully." Close the screen.

4. **Check Resource Listing in ARCSIGHT**: You should now see the ArcSight database listed as a resource under the HONTS5061APP group in ARCSIGHT. Right-click on this resource and select 'Verify Group' to ensure everything is set up correctly. Close the screen afterward.

5. **Check Windows Service Manager**: Within the Windows Service Manager, you should see a new service called OracleOraHome10gTNSListenerFsl that is started and set to manual.

6. **Verify Local Group Creation**: In the Computer Management MMC tool, an instance-based local group named ORA_ARCSIGHT_DBA should have been created. Check if the cluster account used for MSCS services is included in this local group.

7. **Configure as Cluster Resource**: The Oracle database is now configured as a cluster resource and can be failed over as part of the application resource group using the Oracle FailSafe Manager.

8. **Practice Failing Over**:

  • First, move the Cluster Group via the MS Cluster Administrator.

  • Then, move the APP Group via the Oracle FailSafe Manager. To do this: Right-click on the resource group containing the database and select 'Move to a Different Node' within the Oracle FailSafe Manager.

9. **Installation Complete**: Once these steps are completed successfully, the installation of ArcSight ESM with MSCS and Oracle FailSafe is complete. The ArcSight database will automatically fail over to the secondary node if the active node becomes unavailable, running on either node as needed.
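The initarcsight.ora and Oracle Net file edits from the preparation steps above can be checked mechanically before the database is added to the FailSafe group. The following Python script is an added example, not part of the original guide; it assumes the guide's adump/bdump/cdump/udump shorthand maps to Oracle's `audit_file_dest`, `background_dump_dest`, `core_dump_dest` and `user_dump_dest` parameters and that client entries are kept in `tcp.invited_nodes`, and its sample input is constructed.

```python
import ipaddress
import re

# Assumption: the guide's adump/bdump/cdump/udump shorthand maps to these
# Oracle 10g initialization parameters.
DUMP_PARAMS = {
    "audit_file_dest": "adump",
    "background_dump_dest": "bdump",
    "core_dump_dest": "cdump",
    "user_dump_dest": "udump",
}
SHARED_ADMIN = r"E:\arcsight\admin"  # shared-disk location named in the guide
HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)
# Assumption: client entries are kept in sqlnet.ora's tcp.invited_nodes list.
INVITED_RE = re.compile(r"tcp\.invited_nodes\s*=\s*\(([^)]*)\)", re.IGNORECASE)
# Constructed sample input (not taken from the guide or from a real system).
SAMPLE_PFILE = r"""
*.audit_file_dest='E:\arcsight\admin\adump'
*.background_dump_dest='E:\arcsight\admin\bdump'
*.core_dump_dest='C:\oracle\OraHome10g\admin\arcsight\cdump'  # still local
"""
# Constructed: listener.ora and sqlnet.ora lines combined for brevity.
SAMPLE_NET = """
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.15)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = HONTS5061b)(PORT = 1521))
  )
tcp.invited_nodes = (192.0.2.20, 192.0.2.21,
                     soc-console01)
"""


def strip_comments(text):
    """Drop '#' comments, which pfiles and Oracle Net files both use."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_pfile(text):
    """Parse name=value lines; a '*.' or 'sid.' prefix on the name is dropped."""
    params = {}
    for line in strip_comments(text).splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().lower().split(".", 1)[-1]
            params[name] = value.strip().strip("'\"")
    return params


def check_dump_dests(pfile_text, shared_admin=SHARED_ADMIN):
    """Report dump destinations that are unset or not on the shared disk."""
    params = parse_pfile(pfile_text)
    findings = []
    for name, folder in DUMP_PARAMS.items():
        expected = shared_admin + "\\" + folder
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set")
        elif actual.rstrip("\\").lower() != expected.lower():
            findings.append(f"{name}: {actual} (expected {expected})")
    return findings


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_entries(net_text):
    """Return HOST= and tcp.invited_nodes values that are not literal IPs."""
    text = strip_comments(net_text)
    values = HOST_RE.findall(text)
    for group in INVITED_RE.findall(text):
        values += [v.strip() for v in group.split(",") if v.strip()]
    return [v for v in values if not is_ip(v)]


if __name__ == "__main__":
    print(check_dump_dests(SAMPLE_PFILE))
    print(hostname_entries(SAMPLE_NET))
```

Run it against the copy of initarcsight.ora on the shared disk and each file under NETWORK\ADMIN on both nodes; an empty list from both functions means the edits in steps 4 and 6 are in place.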

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be answered.
