Micro Focus ArcSight Logger
App Vendor: Micro Focus
App Category: Analytics & SIEM
Connector Version: V1.0.0
API Version: Software Version 6
About App
ArcSight Logger is a log management solution optimized for very high event throughput, efficient long-term storage, and rapid data analysis. Logger receives and stores events; supports search, retrieval, and reporting; and can optionally forward selected events. Logger compresses raw data but can always return the unmodified data on demand, which makes it usable as forensics-quality evidence in litigation.
The ArcSight Logger app, once configured in the Orchestrate application, performs the following actions:
Action Name | Description |
---|---|
Close search operation | This action stops the execution of the search and clears the search session data from the server. |
Create new search | This action starts/creates a new search. |
Drilldown search | This action drills down into an existing search and narrows its results to the specified time range. For example, use it to narrow the results shown in the grid when a bar of the histogram is clicked. |
Search events | This action retrieves a list of events found in the specified search. |
Histogram search | This action retrieves the data you can use to display a histogram (a column chart with no gap between columns) of the event distribution over an already searched time range. |
Status of search | This action checks the latest status of the specified search. |
Stop search operation | This action stops the search operation but keeps the search session active so that the search results can be narrowed down later. |
Search raw events | This action retrieves the raw events for the specified row IDs. |
Search chart data | This action retrieves data you can use to display a chart and the table under the chart. This action also returns the results of aggregate operators like sort, tail, and head. |
Configuration Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base url | Enter the base URL to access ArcSight Logger. Example: "http[s]://domain.tld[:port]" | Text | Required | |
Username | Enter the username to authenticate ArcSight Logger. | Text | Required | |
Password | Enter the password to authenticate ArcSight Logger. | Password | Required | |
TLS verification | Specify whether to verify the TLS certificate presented by ArcSight Logger or to skip verification. Skip it only against a test instance: with verification off, the username and password can be read by anyone able to intercept the connection. | Boolean | Optional | Allowed values: true, false. Default value: |
Action: Close search operation
This action stops the execution of the search and clears the search session data from the server.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Integer | Required | |
Example Request
[ { "search_session_id": "10234567" } ]
Action: Create new search
This action starts/creates a new search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter a search session ID. Example: "1633626743" | Integer | Required | |
Query | Enter the query to run in the new search. Example: "Error" | Text | Optional | Default value: |
Timeout | Enter the timeout in milliseconds: how long Logger keeps the search session, and its results, after processing has stopped. Example: "1000" | Integer | Optional | |
Discover fields | Specify whether Logger should try to discover fields in the events the search finds. Example: "True" | Boolean | Optional | Allowed values: true, false. Default value: |
Start time | Enter the start time for the search. Example: "2021-04-09T12:00:00.000-07:00" | Text | Optional | |
End time | Enter the end time for the search. Example: "2021-09-09T12:00:00.000-07:00" | Text | Optional | |
Summary fields | Enter the summary fields as a list. Example: ["Event Time", "Device", "Logger", "Raw Message", "deviceVendor", "deviceProduct", "deviceVersion", "deviceEventClassId", "name"] | List | Optional | Allowed values: field names such as those in the example |
Field summary | Specify whether to compute a field summary for the summary fields. Example: "True" | Boolean | Optional | Allowed values: true, false. Default value: |
Local search | Specify whether to search only the local Logger and exclude its peers. Example: "True" | Boolean | Optional | Allowed values: true, false. Default value: |
Search type | Enter the search type. Example: "interactive" | Text | Optional | Allowed values: include "interactive". Default value: |
Example Request
[ { "search_session_id": "10234567", "query": "Error", "timeout": 1000, "discover_fields": "True", "start_time": "2014-04-09T12:00:00.000-07:00", "end_time": "2014-05-09T12:00:00.000-07:00", "summary_fields": ["Device", "Logger"], "field_summary": "True", "local_search": "True", "search_type": "interactive" } ]
Action: Drilldown search
This action drills down into an existing search and narrows its results to the specified time range. For example, use it to narrow the results shown in the grid when a bar of the histogram is clicked.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Integer | Required | |
Start time | Enter the start time for the search. Example: "2014-04-09T12:00:00.000-07:00" | Text | Required | |
End time | Enter the end time for the search. Example: "2014-05-09T12:00:00.000-07:00" | Text | Required | |
Example Request
[ { "search_session_id": "10234567", "start_time": "2014-04-09T12:00:00.000-07:00", "end_time": "2014-05-09T12:00:00.000-07:00" } ]
Action: Search events
This action retrieves a list of events found in the specified search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter search session ID. Example: "10234567" | Integer | Required | |
Additional parameters | Enter additional parameters as key-value pairs, such as the paging controls dir, length, and offset shown in the example request. | Key Value | Optional | Allowed values: see the example request (dir, length, offset) |
Example Request
[ { "search_session_id": "10234567", "extra_params": { "dir": "forward", "length": 100, "offset": 10 } } ]
Action: Histogram search
This action retrieves the data you can use to display a histogram (a column chart with no gap between columns) of the event distribution over an already searched time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Integer | Required | |
Example Request
[ { "search_session_id": "10234567" } ]
Action: Status of search
This action checks the latest status of the specified search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Integer | Required | |
Example Request
[ { "search_session_id": "10234567" } ]
Action: Stop search operation
This action stops the search operation but keeps the search session active so that the search results can be narrowed down later.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Integer | Required | |
Example Request
[ { "search_session_id": "10234567" } ]
Action: Search raw events
This action retrieves the raw events for the specified row IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter the search session ID. Example: "10234567" | Text | Required | |
Row IDs | Enter the row IDs whose raw events to retrieve, as a list. Example: ["101", "102", "103"] | List | Required | |
Example Request
[ { "search_session_id": "10234567", "row_ids": ["101", "102", "103"] } ]
Action: Search chart data
This action retrieves data you can use to display a chart and the table under the chart. This action also returns the results of aggregate operators like sort, tail, and head.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search session ID | Enter search session ID. Example: "10234567" | Text | Required | |
Length | Enter the number of rows to return. Example: "10" | Integer | Optional | Default value: |
Offset | Enter the offset of the first row to return. Example: "5" | Integer | Optional | Default value: |
Example Request
[ { "search_session_id": "10234567", "length": 10, "offset": 5 } ]
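The actions above are the steps of one search lifecycle: create a search, poll its status, page through the events, and close the session (or stop it and drill down first). The following Python block, an added example rather than the connector's or Micro Focus's code, chains those steps with the input validation a playbook author would want, and it uses a constructed in-memory stand-in for Logger so it runs offline. Everything about the transport is an assumption: the /server/search/... paths, the wire field names, the "status" value that is polled for, and FakeLogger's response shapes. Swap the real HTTP call in behind the same post(path, body) interface.

```python
"""Chain the actions on this page into one search lifecycle, validating inputs
first. Added example, not the connector's code: the REST paths, the wire field
names, the "status" value and FakeLogger's responses are assumptions."""
import ssl
import warnings
from datetime import datetime

SESSION_KEY = "search_session_id"

def parse_ts(value: str) -> datetime:
    # Logger wants ISO 8601 with milliseconds and a UTC offset, e.g. 2014-04-09T12:00:00.000-07:00.
    # A lowercase 't' or a naive timestamp is a playbook bug, so reject it here, not at the server.
    if "T" not in value or datetime.fromisoformat(value).tzinfo is None:
        raise ValueError(f"bad timestamp {value!r}; expected 2014-04-09T12:00:00.000-07:00")
    return datetime.fromisoformat(value)

def new_search_payload(session_id: int, query: str, start: str, end: str,
                       timeout_ms: int = 120_000, local_search: bool = True) -> dict:
    # The caller picks the session ID (the page's example value is an epoch second);
    # it must be unique per running playbook or two searches collide on the server.
    if not isinstance(session_id, int) or session_id <= 0:
        raise ValueError("search_session_id must be a positive integer")
    if parse_ts(start) >= parse_ts(end):
        raise ValueError("start_time must precede end_time")
    return {SESSION_KEY: session_id, "query": query, "start_time": start, "end_time": end,
            "timeout": timeout_ms, "local_search": local_search, "search_type": "interactive"}

def events_payload(session_id: int, length: int, offset: int) -> dict:
    if length <= 0 or offset < 0:
        raise ValueError("length must be positive and offset non-negative")
    return {SESSION_KEY: session_id, "extra_params": {"dir": "forward", "length": length, "offset": offset}}

def tls_context(verify_tls: bool = True) -> ssl.SSLContext:
    # Mirrors the connector's "TLS verification" switch. With it off, anyone who can
    # intercept the link can read the Logger username and password.
    ctx = ssl.create_default_context()
    if not verify_tls:
        warnings.warn("TLS verification disabled: Logger credentials exposed to interception")
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

class FakeLogger:
    """Constructed in-memory stand-in so this runs offline; response shapes are assumptions."""
    def __init__(self, events: list):
        self.events, self.open = events, {}

    def post(self, path: str, body: dict) -> dict:
        sid = body[SESSION_KEY]
        if path == "/server/search":
            if sid in self.open:  # reusing a live ID would clobber another search
                raise RuntimeError(f"session {sid} already exists")
            self.open[sid] = [e for e in self.events if body["query"].lower() in e["message"].lower()]
            return {"sessionId": sid}
        if sid not in self.open:
            raise RuntimeError(f"unknown session {sid}")
        if path == "/server/search/status":
            return {"status": "complete", "hit": len(self.open[sid])}
        if path == "/server/search/events":
            p = body["extra_params"]
            return {"events": self.open[sid][p["offset"]:p["offset"] + p["length"]]}
        if path == "/server/search/close":
            del self.open[sid]
            return {}
        raise RuntimeError(f"unsupported path {path}")

def run_search(transport, session_id: int, query: str, start: str, end: str,
               page_size: int = 100, max_polls: int = 60) -> list:
    """Create search -> poll status -> page through events -> close."""
    transport.post("/server/search", new_search_payload(session_id, query, start, end))
    try:
        for _ in range(max_polls):
            if transport.post("/server/search/status", {SESSION_KEY: session_id})["status"] == "complete":
                break
        else:
            raise TimeoutError(f"search {session_id} still running after {max_polls} polls")
        found, offset = [], 0
        while True:
            page = transport.post("/server/search/events", events_payload(session_id, page_size, offset))["events"]
            found.extend(page)
            if len(page) < page_size:
                return found
            offset += page_size
    finally:
        # Close even on error: an open session pins its results on the server until
        # its timeout expires and blocks reuse of its ID in the meantime.
        transport.post("/server/search/close", {SESSION_KEY: session_id})

SAMPLE_EVENTS = [  # constructed sample data, not real Logger output
    {"rowId": "101", "message": "sshd: Failed password for root"},
    {"rowId": "102", "message": "sshd: Accepted publickey for ops"},
    {"rowId": "103", "message": "kernel: Error reading sector 4096"},
    {"rowId": "104", "message": "sshd: error: maximum authentication attempts exceeded"},
]

if __name__ == "__main__":
    print(run_search(FakeLogger(SAMPLE_EVENTS), 1633626743, "error",
                     "2021-04-09T12:00:00.000-07:00", "2021-09-09T12:00:00.000-07:00"))
```

Two points carry over to a real deployment. The session ID is chosen by the caller, so a playbook that runs concurrently needs an ID that cannot repeat within the search timeout; an epoch second is not enough if two runs start in the same second. And the close in the finally block is what keeps the server clean: "Stop search operation" leaves the session and its results alive for a later drilldown, while "Close search operation" releases them, so a playbook that stops but never closes leaks sessions until their timeout.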