<shamelessly copied from Konrad Kaczkowski’s post on iRock>
ESM Active List Import script – arc_import_al.py
Version 20
Active List import script (PYTHON) – Version 0.6
!!!!! THIS SCRIPT DOES NOT VALIDATE CORRECTNESS OF IMPORTED CSV !!!!!
Fixed special character encoding in active list import over XML (tested on Symantec GIN source adv_ip URLs)
| Symbol | Description | ArcSight Active List MAP in XML |
|---|---|---|
| `"` | Double quotes (or speech marks) | `"` |
| `&` | Ampersand | `\A` |
| `,` | Comma | `\C` |
| `<` | Less than (or open angled bracket) | `\L` |
| `>` | Greater than (or close angled bracket) | `\G` |
| `\` | Backslash | `\\` |
| `\|` | Vertical bar | `\\|` |
Fixed removal of temporary files from the /tmp directory – if the AL was huge, they could use all of the /tmp space
Fixed verification of access to archive.log [ tree = ElementTree.parse(TEMP_FILE) … IOError: [Errno 2] No such file or directory: '/tmp/AL_IN_ESM_INVALID' ]
Fixed TEMP_FILE access verification – if there are no write rights, a new TEMP_FILE name is generated
Things to add:
- check capacity of Active List and compare to import file
- check activelist.max_capacity and activelist.max_columns from server.properties
- check activelist.max_capacity and activelist.max_columns from server.default.properties
THIS SCRIPT HAS PASSED BETA TESTS on RedHat 6.5 with Python 2.6
Test scenarios at the end of the post
How does it work:
- check if the import csv file exists
- check connectivity with ESM (validate that it is available, that the password is correct and that the account is not locked)
- check if the Active List exists on ESM [ uses the /opt/arcsight/manager/bin/arcsight archive -action export command ]
- check if the number of columns in the Active List is the same as the number of columns in the csv file
- prepare the xml file/files to import
- import the xml file(s) [ uses the /opt/arcsight/manager/bin/arcsight archive -action import command ]
- if a syslog server is specified, send CEF events to the syslog server
- if option -c was set, delete successfully imported files – otherwise rename them to *.xml.done
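The two preparation steps above (value escaping per the table and splitting the csv into batches of -r rows after the column-count check) as a small Python 3 example; this is added here for illustration and is not code from arc_import_al.py. Function names and the sample csv are constructed; the escape map is the one from the table.

```python
"""Escaping and batching helpers in the spirit of arc_import_al.py (added
example, not the original script). Only the escape table comes from the post."""
import csv
import io

# Order matters: the backslash must be escaped first, otherwise the backslashes
# introduced by the other substitutions would be doubled a second time.
AL_ESCAPES = [
    ("\\", "\\\\"),  # backslash    -> \\
    ("&", "\\A"),    # ampersand    -> \A
    (",", "\\C"),    # comma        -> \C
    ("<", "\\L"),    # less than    -> \L
    (">", "\\G"),    # greater than -> \G
    ("|", "\\|"),    # vertical bar -> \|
]

def escape_al_value(value):
    """Apply the Active List escape map to one csv cell value."""
    for raw, esc in AL_ESCAPES:
        value = value.replace(raw, esc)
    return value

def unescape_al_value(value):
    """Reverse the map one escape at a time, so '\\\\A' is read as '\\' + 'A'."""
    reverse = {esc[1]: raw for raw, esc in AL_ESCAPES}  # 'A' -> '&', '\\' -> '\\', ...
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in reverse:
            out.append(reverse[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def batch_csv(csv_text, al_columns, rows_per_batch):
    """Split csv rows into batches of at most rows_per_batch escaped rows.
    Raises ValueError when a row's column count differs from the Active List's,
    mirroring the column check the script performs before writing any xml."""
    batches, current = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != al_columns:
            raise ValueError("line %d has %d columns, Active List has %d"
                             % (lineno, len(row), al_columns))
        current.append([escape_al_value(cell) for cell in row])
        if len(current) == rows_per_batch:
            batches.append(current)
            current = []
    if current:
        batches.append(current)
    return batches

# Constructed sample input: three rows for a three-column Active List.
SAMPLE_CSV = ('http://example.com/?a=1&b=2,"text, with comma",C:\\path\n'
              'a|b,<tag>,plain\n'
              'third,row,here\n')
```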
Execution:
./arc_import_al.py -r 20 -l "/All Active Lists/BCC/al_IP" -f /opt/asset_import/al_IP.csv -m ManagerName -u UserName -p UserPass -s 10.0.1.33 -P 514 -d -c
where the parameters are:
REQUIRED
-r 10 [ number of rows per single import ]
-l Active List [ active list full URI in the format "/All Active Lists/customer/malware" ]
-f filename [ if the filename contains a space, enclose it in "quotes" ]
-m ESM manager [ HP ArcSight ESM manager FQDN ]
-u ESM user [ HP ArcSight ESM import user ]
OPTIONAL
-p ESM user pass [ HP ArcSight ESM user password ]
-s Syslog Server [ Syslog server ]
-P Syslog Port [ Syslog server port ]
-c [ clean (delete) imported files ]
-d [ debugging – display detailed information from processing ]
ADDITIONAL PARAMETERS
-h [ help ]
-v [ version ]
# Possible reconfiguration options:
#
# Place where the xml files for import are stored: line 66
# export_dlobal_dir = "/opt/asset_import/active list"
#
# Device interface name: line 89
# CEF_dvc = get_ip('eth0')
Test scenarios
Test scenario 1:
- Active List 1 [ size: 400000, columns: 4, Type: Event-based ]
- Import rows: 331776
- Batch size ( -r ): 100000
- Time of import:
  - processing time: 20 s
  - importing: 4 x 12 s
Test scenario 2:
- Active List 2 [ size: 1200000, columns: 1, Type: Field-based ]
- Import rows: 1100000
- Batch size ( -r ): 200000
- Time of import:
  - processing time: 95 s
  - importing: 6 x 45 s
When the batch size [ -r ] was set to 300k the import failed.
[Screenshot: ESM Active Channel (image not included)]
Download arc_import_al.py