ArcMc 2.1 NEW Breach Rule Workaround

Document created by MaryCordova on Feb 12, 2016
Version 1Show Document
  • View in full screen mode

Default Breach Rules are still not included in the GA, its a text file, it should be.   


If you try to upload your breach rules from your old ArcMc (because you had to factory restore the appliance because the GHOST patch is incompatible with the 2.1 software upgrade) there is a bug in ArcMc 2.1 in which the file import is broken. 


Here is a workaround to get your breach rules uploaded so that you don't have to go through the GUI to manually re-create the needed ~23 rules. 


(One of the nice things is that you now don't need 3 * ~23 rules, one each for Logger, ConApp, and ArcMc.  You can make 1 rule for a FAILED CPU and apply it to all 3 appliances.  The GUI is nice...but the baseline hardware rules really should just be included making the GUI available for customizations to the baseline or for advanced monitoring usecases.) 


My previous breach rules:  ArcMc Breach Rules Original , ArcMc Hardware Form Factor Breach Rules , ArcMc Breach Rules Supplement from HP Support


In my import I used the ArcMc Hardware Form Factor Breach Rules


I got the below error:



SSH as root to ArcMc and execute the following:

[root@arcmc ~]# cd /opt/arcsight/

[root@arcm arcsight]# find -name ""




Then just move the breach rules from /opt/arcsight/arcmc/tmp/upload to /opt/arcsight/userdata/arcmc


FYI, since ArcMc 2.1 breach rules operate slightly differently, I had to edit them after they were moved into the correct directory.  I used the GUI  and collapsed ArcMc, ConApp, and Logger actions into single rules, removed the duplicates, and added logical names to the rules.  


I exported the new version and I now recommend using ArcMc 2.1 NEW Breach Rules to do the above import with the workaround.