ArcSight Event Replay Howto

HOW TO CREATE AND USE EVENT REPLAY FILES
Joe Burke, ACIA, ACSA
Revision 2.1
Feb 2011
Introduction
Event replays are useful for testing event throughput, testing rules, testing filters and for many other scenarios. This
document shows you how to create and use event replays. The replayfilegen utility was tested using ESM v5.0.1.
*Note: The screenshots were taken from ESM v4.x, when the replayfilegen utility was located in the manager/bin
directory.
To create an event replay
1. From the bin directory on your console, type one of:
arcsight replayfilegen -i console (no GUI)
arcsight replayfilegen (use GUI)
Follow the on-screen instructions. The user you log in with must have admin privileges on the manager. It's a good idea
to create a filter for the replay file ahead of time and to find the specific time range you wish to export as a replay file
using an active channel in an ESM console.
2. Follow the on-screen instructions to set the time range you wish to capture along with the filter to use. Lastly, you can
choose to sanitize hostnames and IP addresses. The files can quickly become very large, so it's best to use as small a time
range as possible.
Console mode (shown running remotely via PuTTY SSH)
3. You'll find the replay file in your console home directory when the export is complete
(i.e. c:\arcsight\console\current).
The default time range is a day, which is usually too much!
Alternate method of creating an event replay
1. Highlight some events in an active channel, then right-click in the highlighted area -> Export -> Events in Channel.
2. You’ll then see a box appear like the one shown below.
3. Copy the CSV file to the database server and run the following command from the ArcSight bin directory (this path on
Linux is usually /usr/local/arcsight/db/bin):
./arcsight csvconvert -S <full path with CSV filename> -D <event replay filename>
4. You'll find the replay file in your replayagent directory when the conversion is complete (i.e.
/usr/local/arcsight/db/replayagent).
To use an event replay
1. Install the “test alert” connector from the latest connector package for your platform.
2. Put the replay events file in the current directory of your replay agent
(i.e. C:\Program Files\ArcSightSmartConnectors\current).
3. Start the agent and click the Replay tab in the GUI. Find your event file in the list, check the Enable box and click the
Continue button. You can adjust the max rate as needed.
*Tip: If you just want to create some events on the fly without exporting an event replay from ESM, you can use the
"Test Alert" tab. It lets you assign whatever field values you wish to a new event.
Using an event replay without the GUI
1. Change the following values in your agent.properties file.
agents[0].loadall=true
agents[0].continuous=true
agents[0].autoload=false
agents[0].uienabled=false
agents[0].eventrateunit=Second
agents[0].maxrate=<enter the desired EPS here>
agents[0].startpaused=false
agents[0].enabled=true
agents[0].markasreplayed=false
2. Start the agent as a service or run it from the command line. It will run continuously until you manually stop it.
If you run it from the command line, you will see status messages scroll by that report the current EPS and similar
details. These messages can also be found in the agent log.
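Editing agent.properties by hand is error-prone, and a single key left at its GUI default (for example uienabled=true) will leave the connector waiting for a GUI that never appears on a headless host. The following helper is an added example written for this how-to; it is not ArcSight code and it assumes only that agent.properties is a plain key=value file with '#' or '!' comment lines. It rewrites the nine keys listed in step 1 above to the values the how-to specifies (the desired EPS is supplied by the caller), preserves every other line untouched, and offers a check function you can run before starting the service to confirm nothing was missed. The sample file contents are constructed for the demonstration.

```python
"""Set and verify the headless-replay keys in an ArcSight connector agent.properties.

Added example, not ArcSight's own code. Assumes a Java-properties style file
(key=value per line, comments starting with '#' or '!'). The maxrate value is
the desired EPS chosen by the operator, as in step 1 of the how-to.
"""

# Keys and values the how-to specifies for continuous replay without the GUI.
# agents[0].maxrate is added at runtime from the caller-supplied EPS.
REPLAY_KEYS = {
    "agents[0].loadall": "true",
    "agents[0].continuous": "true",
    "agents[0].autoload": "false",
    "agents[0].uienabled": "false",
    "agents[0].eventrateunit": "Second",
    "agents[0].startpaused": "false",
    "agents[0].enabled": "true",
    "agents[0].markasreplayed": "false",
}


def _wanted(max_rate):
    """Build the full expected key/value map, validating the EPS value."""
    if isinstance(max_rate, bool) or not isinstance(max_rate, int) or max_rate <= 0:
        raise ValueError("max_rate must be a positive integer (events per second)")
    wanted = dict(REPLAY_KEYS)
    wanted["agents[0].maxrate"] = str(max_rate)
    return wanted


def _key_of(line):
    """Return the property key of a key=value line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "!")) or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def apply_replay_settings(text, max_rate):
    """Return agent.properties text with the replay keys set.

    Existing replay keys are rewritten in place; keys that are absent are
    appended at the end; every other line (other keys, comments, blanks) is
    kept exactly as it was and in the same order.
    """
    wanted = _wanted(max_rate)
    out = []
    seen = set()
    for line in text.splitlines():
        key = _key_of(line)
        if key in wanted:
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_replay_settings(text, max_rate):
    """Return the sorted list of replay keys that are missing or hold the wrong value."""
    wanted = _wanted(max_rate)
    actual = {}
    for line in text.splitlines():
        key = _key_of(line)
        if key is not None:
            # Last occurrence wins, matching how a properties file is read.
            actual[key] = line.strip().split("=", 1)[1].strip()
    return sorted(k for k, v in wanted.items() if actual.get(k) != v)


# Constructed sample: a GUI-mode file with only a few of the replay keys present.
SAMPLE = """# constructed sample agent.properties (not a real connector file)
agents[0].type=testalert
agents[0].uienabled=true
agents[0].maxrate=5
agents[0].enabled=true
"""

if __name__ == "__main__":
    print("keys wrong or missing before:", check_replay_settings(SAMPLE, 100))
    updated = apply_replay_settings(SAMPLE, 100)
    print(updated)
    print("keys wrong or missing after:", check_replay_settings(SAMPLE, 100 if False else 100) if False else check_replay_settings(updated, 100))
```

To use it on a real connector, read the file into a string, call apply_replay_settings with the EPS you want, write the result back, and run check_replay_settings on the written file; an empty list means every value in step 1 is in place, and a non-empty list names exactly which keys still need attention.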