HPE Software is now Micro Focus
HPE Software is now Micro Focus
Protect Your Assets
cancel

IMPORTANT ANNOUNCEMENT: ArcSight Logger v6.3 License Accounting discrepancy

Re: IMPORTANT ANNOUNCEMENT: ArcSight Logger v6.3 License Accounting discrepancy

hhalladay

It seems pretty clear to me there needs to be more transparency and insight into the data being used to compute these values.  With this issue, it seems essential that end-users be able to independently compute license related utilization for verification and not rely on values that have admittedly shown to be unreliable, erring in favor of HPE and not the customer.

0 Kudos
About the Author

hhalladay

Comments
Respected Contributor.

Is the licenses accounting discrepancy the reason why I cannot download the Logger 6.3 Software?

Today I wanted to download Logger 6.3 Software, but only 6.1 and 6.2 are offered. My new servers for the new Logger 6.3 installation are already running RHEL 7.2. So I'm afraid I cannot install Logger 6.2 (Logger 6.2 requires RHEL 7.1).

Should I wait until Logger patch 6.3.1 is released? I hope Logger 6.3 is than offered for download (again?).

Please advice.

Super Contributor.

Hi Markus

You are absolutely right - we temporarily pulled the v6.3 binaries from SSO in an attempt to avoid any further headache for our customers - Logger v6.3.1 is due very soon and, at that stage, we will re-upload the original v6.3 alongside it, as it will form part of the upgrade path to the fixed (and enhanced) v6.3.1.

Watch this space!

New Member.

We have 1st of December today and still no new release 6.3.1 as promissed in anouncement.

New Member.

Any news about this release?

Regular Contributor.

What is the last situation about new release?

Respected Contributor.

The new release is available over the SSO Portal.
Please check it.
Thank you!

Respected Contributor.

It's finally available for download. There was a slight delay to make sure the respective bugs are addressed.

Thank you for understanding!

Super Contributor.

Hi! We have upgraded to ArcSight Logger 6.3.1, but when we apply a new License from the Web Interface, even if we are not receiving any error, the new License is not applied. 

Is there anybody seeing the same behavior?

Thanks!

Regular Contributor.

Hello fpieressa:

You can open a case with the License support team and they can provide a temp solution until the license model issues are corrected. Also, you can request a eval license from your sales rep.

Thank you,

Justin

Super Contributor.

Hi! I have the new License, the issue is that after apply it in a Logger that had a temporary license, we are not receiving any error but the new License is ignored.

If I install the new License on a new Logger, it works.

The issue apparently is that change the License through the Web Interface doesn't work.

I have opened a Case...  is anybody seeing the same behavior?

Thanks!

Super Contributor.

Hi! The support team sent a workaround to update the License in ArcSight Logger 6.3.1, before to do it, the following command must be executed:

   $ mv /opt/arcsight/userdata/autopass/data/LicFile.txt /tmp

Valued Contributor.

Hi ​,

Issue doesn't seem to be fixed for us. We still see huge GB/day consumption at ArcMC.

We have a set up a new SOC with ADP architecture. It was a fresh install of Logger (v6.3.1.7874.0) and ArcMC (v2.5.1.1931.0). Logger alone was integrated with ArcMC. And ArcMC was declared as a License server. To this ArcMC we have imported add-on license for 180 GB/day. For this ADP setup there are 15 connectors that are sending data with an average EPS of 3.5k. In this scenario, when we look at the 'data Volume' tab in logger showing 'Data volume for past 30 days', we could see an average of 220 GB/day. Whereas in ArcMC under the Dashboard 'License usage for past 30 days' we see an average of 300 GB/day which is very much different from Logger. So we need to understand why there is difference between Logger and ArcMC? How are data and license calculated at both the components?

To add to this point we have one more question. Same 15 connectors are reporting to ArcSight ESM. There if we calculate the daily usage (by agent:050) we roughly get around 5 to 10 GB/day. Which is 1/20 of what it shows in logger. So we are completely confused with the license calculation used between the components. Kindly share you knowledge on the same.

Regards,

Bala.

Super Contributor.

Good afternoon Bala

Assuming that no event feeds are being managed by this ArcMC that are not also feeding the managed Logger, this apparent disparity would not be expected - please contact ArcSight Support to have the situation investigated.

ArcMC accumulates statistics both direct from managed connectors, plus from any managed Loggers, via an internal API call. The statistics are then de-duplicated based on unique 'agent ID' tagged against the source events, before ArcMC reports its results.

It is possible that if you are manipulating the agent ID in some way though the event flow (via custom mapping, etc), that the statistics could be corrupted, but this is speculative...

Trusted Contributor.

It seems pretty clear to me there needs to be more transparency and insight into the data being used to compute these values.  With this issue, it seems essential that end-users be able to independently compute license related utilization for verification and not rely on values that have admittedly shown to be unreliable, erring in favor of HPE and not the customer.