
IMPORTANT ANNOUNCEMENT: ArcSight Logger v6.3 License Accounting discrepancy

Micro Focus Expert Martyn Hill

RESOLVED: ADP v2.0.1 with Logger v6.3.1 and ArcMC v2.5.1 has now been released to address this issue.

We have identified an issue in the latest release of ArcSight Logger v6.3 (part of the ADP v2.0 suite) that impacts the GB/d accounting of event ingestion.

The effect is seen as an apparent over-use of the GB/d entitlement, which can cause the product to trigger feature lock-out when in fact the ingestion is well within the purchased/applied License entitlement. We typically see this lock-out after the 5-day License Violation window built into the product, and thus recommend that affected customers take swift action.

Customers still running versions of Logger prior to v6.3 are not affected – see recommendation a) below.

We understand the cause of the issue and expect the fix to be released at the end of November as patch release v6.3.1.

Recommendations:
a) Customers preparing to upgrade or install Logger v6.3:

Please hold off until the release of v6.3.1, at which time installation/upgrade of the original v6.3 build (and application of the new style AutoPass license) should then be followed immediately by application of the v6.3.1 patch - i.e. v6.3 is a necessary upgrade step towards v6.3.1.


b) Customers who have already upgraded or installed Logger v6.3:

Please contact ArcSight Support to acquire a temporary license that, once applied, will increase the GB/d capacity to effectively work around the erroneous license violation for the validity period of the temporary license. Once the v6.3.1 patch is released, this should be applied promptly to ensure continuity of service beyond the temporary license validity period. Support will provide any additional instructions regarding application of the temporary license at time of engagement.

In addition to addressing the License Accounting issue, patch release v6.3.1 will also include a number of other critical and useful fixes, including the recent Timezone Update and Software Logger upgrade fix, among others.

Thank you for your patience whilst we address this issue, in what is otherwise our best Logger release to date.

The ArcSight ADP Product Management team.

Comments
Respected Contributor..

Is the license accounting discrepancy the reason why I cannot download the Logger 6.3 Software?

Today I wanted to download Logger 6.3 Software, but only 6.1 and 6.2 are offered. My new servers for the new Logger 6.3 installation are already running RHEL 7.2. So I'm afraid I cannot install Logger 6.2 (Logger 6.2 requires RHEL 7.1).

Should I wait until Logger patch 6.3.1 is released? I hope Logger 6.3 is then offered for download (again?).

Please advise.

Micro Focus Expert

Hi Markus

You are absolutely right - we temporarily pulled the v6.3 binaries from SSO in an attempt to avoid any further headache for our customers - Logger v6.3.1 is due very soon and, at that stage, we will re-upload the original v6.3 alongside it, as it will form part of the upgrade path to the fixed (and enhanced) v6.3.1.

Watch this space!

New Member..

It is the 1st of December today and still no new release 6.3.1 as promised in the announcement.

Absent Member.

Any news about this release?

Absent Member.

What is the latest situation with the new release?

New Member..

The new release is available over the SSO Portal.
Please check it.
Thank you!

New Member..

It's finally available for download. There was a slight delay to make sure the respective bugs are addressed.

Thank you for understanding!

Super Contributor.

Hi! We have upgraded to ArcSight Logger 6.3.1, but when we apply a new License from the Web Interface, even if we are not receiving any error, the new License is not applied. 

Is there anybody seeing the same behavior?

Thanks!

 Regular Contributor...

Hello fpieressa:

You can open a case with the License support team and they can provide a temp solution until the license model issues are corrected. Also, you can request an eval license from your sales rep.

Thank you,

Justin

Super Contributor.

Hi! I have the new License; the issue is that after applying it in a Logger that had a temporary license, we are not receiving any error but the new License is ignored.

If I install the new License on a new Logger, it works.

The issue apparently is that changing the License through the Web Interface doesn't work.

I have opened a Case... Is anybody seeing the same behavior?

Thanks!

Super Contributor.

Hi! The support team sent a workaround to update the License in ArcSight Logger 6.3.1. Before doing it, the following command must be executed:

   $ mv /opt/arcsight/userdata/autopass/data/LicFile.txt /tmp

 Valued Contributor..

Hi,

The issue doesn't seem to be fixed for us. We still see huge GB/day consumption at ArcMC.

We have set up a new SOC with ADP architecture. It was a fresh install of Logger (v6.3.1.7874.0) and ArcMC (v2.5.1.1931.0). Logger alone was integrated with ArcMC, and ArcMC was declared as a License server. To this ArcMC we have imported an add-on license for 180 GB/day. For this ADP setup there are 15 connectors that are sending data with an average EPS of 3.5k. In this scenario, when we look at the 'data Volume' tab in Logger showing 'Data volume for past 30 days', we could see an average of 220 GB/day. Whereas in ArcMC, under the Dashboard 'License usage for past 30 days', we see an average of 300 GB/day, which is very much different from Logger. So we need to understand why there is a difference between Logger and ArcMC. How are data and license calculated at both the components?

To add to this point, we have one more question. The same 15 connectors are reporting to ArcSight ESM. There, if we calculate the daily usage (by agent:050), we roughly get around 5 to 10 GB/day, which is 1/20 of what it shows in Logger. So we are completely confused by the license calculation used between the components. Kindly share your knowledge on the same.

Regards,

Bala.

Micro Focus Expert

Good afternoon Bala

Assuming that no event feeds are being managed by this ArcMC that are not also feeding the managed Logger, this apparent disparity would not be expected - please contact ArcSight Support to have the situation investigated.

ArcMC accumulates statistics both direct from managed connectors, plus from any managed Loggers, via an internal API call. The statistics are then de-duplicated based on unique 'agent ID' tagged against the source events, before ArcMC reports its results.

It is possible that if you are manipulating the agent ID in some way through the event flow (via custom mapping, etc), that the statistics could be corrupted, but this is speculative...

New Member.

It seems pretty clear to me there needs to be more transparency and insight into the data being used to compute these values. With this issue, it seems essential that end-users be able to independently compute license related utilization for verification and not rely on values that have admittedly been shown to be unreliable, erring in favor of HPE and not the customer.