Upgradation steps of ArcSight logger from v5.0 to v5.1

Document created by vi829374 on Sep 28, 2013
Version 1Show Document
  • View in full screen mode


An upgrade to software Logger v5.1 GA is supported from v5.0 Patch 2 only. If you are using any other version, you need to first upgrade to v5.0 Patch 2 before upgrading to v5.1 GA.


About ArcSight Logger:


ArcSight logger is a world-class log management solution that addresses the industry’s growing need to efficiently and quickly collect, store and analyze all forms of log data. The solution provides an easily searchable, high performance log data repository to aid in faster forensic analysis of cyber security and IT operations incidents and provides content and efficient storage to simultaneously address multiple regulations.


·        Bi-directional integration with ArcSight ESM for detection of subtle and sophisticated cyber-attacks

·        Economic and efficient long term storage

·        Reduce cost and manual audit report generation effort

·        Automation of log storage lifecycle and log retention policies

·        High performance analysis (Millions of EPS search rate) without compromise on collection rate (best case 100K EPS) and storage efficiency(42 TB of logs per appliance with 10:1 average compression) as imposed by other solutions

·        Personalized, interactive, dynamic dashboard views

·        Real-time alerting and anomaly detection

Collection and preservation of raw events





v Back up your configuration before and after upgrading to this release.


v The location to which events are archived is mounted on your software Logger machine before you begin the upgrade. If the event archive location is not mounted, upgrade will fail.


v Make a note of custom Report Configuration settings (Reports > Reports Administration) you have configured on your Logger because after the upgrade those settings are set to the default values. To reinstate the customized value, you need to re-enter them.


v When you upgrade to Logger v5.1, any existing filters or queries based on the previous system health events will not work on the events collected after the upgrade. However, those filters and queries will continue to work on the system health events collected prior to the upgrade. Therefore, you will need to define additional filters or queries after the upgrade to search for system health events collected after the upgrade.



Steps to take backup and restoration:


Filter Backup:


v Before upgrading for safer side better to take filter backup.

v To take filter backup follow the below steps.

v ConfigurationàSettingsàFiltersàExportàExport


Filter Restoration:


After Up-gradation as i mentioned above existing filters or queries based on the previous system health events will not work on the events collected after the upgrade. So we need to define additional filters.


To restore or import filter follow the below steps.

  1. ConfigurationàSettingsàContent ImportàFiltersàImport



Configuration Backup:


It is very important before updation. After updation logger will restore to its default configuration. If you are not having any configuration backup then again you should spend lot of to time reconfigure it and it is quite difficult in a single shot.



To take Configuration backup follow the below steps.

  1. ConfigurationàSettingsàConfiguration backupàConfiguration backupàSave



Configuration Restoration:


After Up-gradation restore the configuration.

To restore Configuration follow the below steps.


  1. ConfigurationàSettingsàconfiguration BackupàRestoreàuploadàSubmit



Upgrade Instructions:


1.     Download the logger-5887.enc file from the ArcSight Download Center at


https://arcsight.subscribenet.com or

http://support.openview.hp.com/downloads.jsp to a computer from which you connect to the Logger UI.


2.     Click System Admin > License & Update.

3. Browse to the logger-5887.enc file you downloaded in the previous step and click Upload Update. Once the upgrade is complete, the Logger login prompt is displayed.

4.     Log in to the appliance.

5.     Click the Reboot link in the above message to display a page with the “Start Reboot Now” button.

6.     Click Start Reboot Now.

7.     After the reboot, log in again and click the link in the banner bar on top to


Configure your locale or navigate to System Admin > System Locale.


You can choose from these locales:


Ø English

Ø Japanese

Ø Chinese (China)

Ø Chinese (Taiwan)



Once locale is set, it cannot be changed.

8.     Click System Admin > Reboot > Start Reboot Now to reboot your Logger once again.

9.     If you had custom Report Configuration settings (Reports > Reports Administration) configured prior to the upgrade, re-enter those settings because after the upgrade those settings are set to the default values.

10.     If you had defined filters or queries to search for system health events, define additional filters and queries to search for system health events collected after the upgrade.



Logger Upgrade Tips:


  1.  Check the current version-build from your System Admin > License and Update page. Look for component Arcsight-logger.

2.   There is currently no way to "downgrade" or "back out" one of the upgrades.

  3.  If any upgrade fails or gives an error:


·        Stop the process and take a screenshot of the entire web page (error message, URL, etc).

·        Contact ArcSight Customer Support and supply the screenshot.

·        Do not attempt to install the next upgrade file.


4.  Before upgrading, run an md5sum on the .enc upgrade file and confirm that it matches the md5 signature from the download site.

5.  Run the upgrade from local fast reliable LAN (not over a slow-speed DSL from home.)

6.  ArcSight highly recommends that you connect a KVM configured (preferably DRAC or other remote virtual KVM) to expedite access for both you and ArcSight Customer Support in case of problems.