Creating event replay files for ArcSight SmartConnectors

The ArcSight connector framework includes the capability to record event replay files from inbound event streams, regardless of the type of event data. This is enormously useful for development and testing of individual use cases, demonstrations and training. The following article is based on ArcSight SmartConnector version 7.0.7.

Events are replayed back to the target destinations by selecting one or more previously recorded replay files using an ArcSight Test Alert SmartConnector. Either multiple event files or a consolidated file can be used with the Test Alert connector. Since the Test Alert connector is a standard SmartConnector, multiple destinations can be configured, such as Enterprise Security Manager (ESM) and/or Logger. As event files are replayed back into the target(s), the timestamp can be the original or can be overridden to the current time. This enables historical analysis as well as event data appropriate for any time-sensitive rules or use cases.

Create Replay File Directly From Connector

1. Shut down the Connector Service.
2. Open the .../current/user/agent/agent.properties file and add the following two properties:

agent.component.count=36
agent.component[35]=com.arcsight.agent.loadable._RecordComponent

[Screenshot: agent.properties replay configuration]

3. Start the Connector Service again.

The Connector will start capturing events being sent to ESM, writing the output to .../current/replayagent/{agent-id}.sessions.

4. Stop the Connector when you are done capturing events.
5. Open the agent.properties file again, remove or comment out the lines added in step 2, then restart the Connector.
6. Rename the .sessions file to .events, copy it to the …/current directory of the Test Alert SmartConnector, and start (or restart) the Test Alert SmartConnector.
7. Start Test Alert to replay the file.

Test Alert Connector

Once the replay file or files are selected, the events can be replayed into the system at a specified Events Per Second (EPS) rate.

[Screenshot: replay event rate setting]

Optimizing the Collection and Replay

By default, the Test Alert SmartConnector replays the recorded events with the current timestamp. Where it is desirable to replay the events with their original timestamps, the connector can be configured through the normal connector reconfiguration (…/current/bin/runagentsetup.sh).

One disadvantage of this approach becomes apparent when it is used to collect sample event data that would not normally be directed to your ESM instance, since recording relies on the connector's normal event flow to ESM. On the source SmartConnector, the destination can instead be set to a CSV file, which turns very large event feeds directly into .events files without using any ESM storage and processing capacity.

Replaying Events with Original Timestamps

To enable replay of the recorded events with their original timestamps, edit the .../current/user/agent/agent.properties file and add or uncomment the following lines:

agents[0].preserveagenttime=true
agents[0].preservedetecttime=true

When the Test Alert SmartConnector starts again, the events will be replayed with original timestamps.
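The property edits above (steps 2 and 5 on the source connector, and the two preserve-time keys on the Test Alert connector) are easy to get wrong by hand, especially the component count and index pair. The following POSIX shell helper is an added example, not code from the article or from ArcSight's own tooling. It assumes the agent.properties path is passed as an argument, that keys are written one "key=value" per line, and that a leading "#" marks a disabled line. It uses the article's values (count 36, record component at index 35) when the user file carries no agent.component.count of its own; when it does, the component is appended at the next free index, on the assumption that indices are 0-based and the count is the number of entries. It also keeps a backup before step 2 so step 5 restores the file exactly.

```shell
#!/bin/sh
# Added example (not part of the article or of ArcSight's own tooling):
# helpers to apply the article's agent.properties edits from a shell.
# Assumptions: the file path is passed as an argument; keys are one
# "key=value" per line; a leading '#' marks a disabled line.

RECORD_CLASS='com.arcsight.agent.loadable._RecordComponent'   # from the article

# set_prop FILE KEY VALUE
# Activates KEY=VALUE: rewrites the first matching line (commented out or not),
# or appends the key when the file does not carry it. Exact-string match, so
# keys such as agent.component[35] need no regex escaping.
set_prop() {
    awk -v k="$2" -v v="$3" '
        { line = $0; sub(/^#+[ \t]*/, "", line) }                # ignore a comment marker
        !done && index(line, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_prop FILE KEY -> value of the last active (uncommented) KEY line, or empty
get_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1" | tail -n 1
}

# Step 2 of the article: register the record component on the source connector.
# The article's values are count=36 and index 35. If the user file already
# declares agent.component.count, the component is appended at the next free
# index instead (assumption: indices are 0-based, count is the entry total).
enable_record() {
    file=$1
    cp "$file" "$file.pre-replay"          # keep the untouched file for step 5
    count=$(get_prop "$file" agent.component.count)
    [ -n "$count" ] || count=35
    set_prop "$file" "agent.component[$count]" "$RECORD_CLASS"
    set_prop "$file" agent.component.count "$((count + 1))"
}

# Step 5: put the source connector back the way it was. Restores the backup
# taken by enable_record when present, otherwise comments out the two lines.
disable_record() {
    file=$1
    if [ -f "$file.pre-replay" ]; then
        mv "$file.pre-replay" "$file"
        return
    fi
    awk -v cls="$RECORD_CLASS" '
        /^agent\.component\.count=/ { print "#" $0; next }
        /^agent\.component\[[0-9]+]=/ && index($0, cls) > 0 { print "#" $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Test Alert connector: replay with original (true) or current (false) timestamps.
set_preserve_time() {
    set_prop "$1" 'agents[0].preserveagenttime' "$2"
    set_prop "$1" 'agents[0].preservedetecttime' "$2"
}

# CLI wrapper; running with no arguments only defines the functions.
# Usage: sh replay-props.sh enable|disable FILE
#        sh replay-props.sh preserve true|false FILE
case "${1:-}" in
    enable)   enable_record "$2" ;;
    disable)  disable_record "$2" ;;
    preserve) set_preserve_time "$3" "$2" ;;
    '')       ;;
    *)        echo "unknown command: $1" >&2; exit 2 ;;
esac
```

Stop the relevant connector service before running the script and start it afterwards, as the article's steps require; the helpers only edit the file. Because the source connector and the Test Alert connector each have their own agent.properties, "enable"/"disable" are run against the former and "preserve" against the latter.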