Here are a number of command-line operations that are frequently needed within the ArcSight ecosystem.
Export Enterprise Security Manager Certificate without a GUI
Use for ESM 6 or later.
Look up the manager certificate details and alias name by running a list operation:
arcsight keytool -store clientcerts -list | grep manager
self-arcsight-manager-esm6c, Feb 20, 2013, trustedCertEntry,
Export the certificate by running an export operation with the certificate alias name:
arcsight keytool -store clientcerts -exportcert -alias self-arcsight-manager-esm6c -file /home/arcsight/manager.cer
The manager certificate can then be imported into Logger via the web interface or into the cacerts certificate store for a SmartConnector.
Launch SmartConnector Keytool GUI
To launch the keytool GUI for editing the certificate store used by a specific connector, use the following syntax, where … refers to the installation directory of the SmartConnector:
cd .../current/bin
./arcsight agent keytoolgui
Send syslog events via SmartConnector
To replay syslog events from a flat file to a syslog daemon destination, use the following syntax from the SmartConnector's current/bin directory (the example assumes an installation directory of /opt/agents/syslog-udp-1514):
cd /opt/agents/syslog-udp-1514/current/bin
./arcsight agent runjava com.arcsight.agent.loadable._PerfTestSyslog -H 127.0.0.1 -P 1514 -f ~arcsight/udp.txt -x 50
Required Parameters:
-H Host where packets will be sent to
-P Port where packets will be sent to
Optional Parameters:
-d Source IP address (1.1.1.1)
-f syslog-data-file
-x Max. rate (5000)
Options:
-h help – Get help for this command
-m multiple devices – Simulate multiple devices
-s sequential – Use sequence numbers as time
-t use raw TCP instead of UDP
See also: How to replay syslog events using the performance testing feature of ArcSight SmartConnectors and Creating event replay files for ArcSight SmartConnectors
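A replay over UDP gives no delivery feedback, so it helps to aim the replay at a local sink first and confirm how many events arrive and at what rate. The following is an added example, not part of the original page or of ArcSight tooling; the function names and sample events are constructed, and `replay` is only a stand-in sender so the script runs by itself.

```python
import socket
import threading
import time

# Constructed sample events (not from a real device or the original page).
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user1 on /dev/pts/8",
    "<38>Oct 11 22:14:16 host2 sshd[411]: Accepted publickey for user2",
    "<86>Oct 11 22:14:17 host1 sshd[411]: session opened for user user2",
]

def open_sink(host="127.0.0.1", port=0):
    """Bind a UDP socket; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def collect(sock, idle_timeout=1.0):
    """Receive datagrams until none arrive for idle_timeout seconds."""
    sock.settimeout(idle_timeout)
    received, first, last = [], None, None
    while True:
        try:
            data, _addr = sock.recvfrom(65535)
        except socket.timeout:
            break
        last = time.monotonic()
        first = last if first is None else first
        received.append(data.decode("utf-8", errors="replace").rstrip("\n"))
    span = (last - first) if received else 0.0  # n events cover n-1 gaps
    rate = (len(received) - 1) / span if span > 0 else 0.0
    return received, rate

def replay(lines, host, port, max_rate):
    """Stand-in sender: one datagram per line, at most max_rate per second."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        for line in lines:
            out.sendto(line.encode("utf-8"), (host, port))
            time.sleep(1.0 / max_rate)

def self_check(max_rate=50):
    """Replay SAMPLE_EVENTS into a local sink and report what arrived."""
    sink = open_sink()
    target = ("127.0.0.1", sink.getsockname()[1])
    sender = threading.Thread(target=replay, args=(SAMPLE_EVENTS, *target, max_rate))
    sender.start()
    received, rate = collect(sink)
    sender.join()
    sink.close()
    return received, rate
```

To check a real replay file, bind the sink on a free port with `open_sink(port=...)`, run `collect` on it, and point the replay's -H and -P at that port before switching to the connector's port.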
Send SNMP events via SmartConnector
To replay SNMP events from a flat file to an SNMP daemon destination, use the following syntax from the current/bin directory of a SmartConnector (it does not have to be an SNMP SmartConnector; the example assumes an installation directory of /opt/agents/syslog-udp-1514):
cd /opt/agents/syslog-udp-1514/current/bin
./arcsight agent runjava com.arcsight.agent.loadable._PerfTestSyslog -H 127.0.0.1 -P 162 -f ~arcsight/snmp.txt
Required Parameters:
-H Host where packets will be sent to
-P Port where packets will be sent to
Optional Parameters:
-d Source IP address (1.1.1.1)
-f SNMP file to read
-x Max. rate (5000)
Options:
-h help – Get help for this command
-m multiple devices – Simulate multiple devices
-s sequential – Use sequence numbers as time
See also: Creating event replay files for ArcSight SmartConnectors