Viewer Panel
You see the products of
security-event analyses in the Viewer panel, which can display several
different types of views.
Although there are some
views that display information about resources, most views are active channels,
which are continuously evaluated collections of security-event data.
The Viewer panel can also
internally render basic HTML, meaning that it automatically shows HTML-based
reports, reference pages, results for the Web Search tool, and notification
acknowledgements.
More complex HTML that might include JavaScript, plug-ins, or
other embedded objects is, for security reasons, still rendered in the external
browser you specify through the Preferences dialog box. The external browser is
also used for PDF document files. The Web Viewer tabs in the Viewer panel have a
live link at the top. You can click these links to open the contents in an
external, fully functional browser window. You can also right-click the
contents of a Web Viewer and use the standard browser commands to do basic
functions such as going back or forward or reloading.
If your Console is not
already displaying a default set of pre-defined views, or you want to change
the views displayed, you can use these options:
Choose Window > Viewer
Panel to open the panel if it isn't open.
Choose the Active
Channels, Dashboards, or Pattern Discovery resource trees in the Navigator
panel to find analysis tools or results to view.
Right-click a resource in
a tree and choose Show <resource> to open it in the Viewer panel.
When multiple tabbed
views are open in the panel, click the tabs at the top of the panel to choose
the active channel you want to see, and the tabs at the bottom of the panel to
choose which view of that active channel should be foremost. To close an
individual view, Shift+click its name tab. (You can also right-click a view
name tab and choose Close from the popup menu.) Using active channels and the
many types of views they offer is fully covered in the topics under these
headings:
Monitoring Events
Selecting and
Investigating Events
Using Dashboards
ArcSight Console Look-and-Feel
If you start the ArcSight
Console from the command line with the arcsight console command (in ARCSIGHT_HOME/current/bin),
use the -laf <style> flag to specify a look-and-feel style. For example,
the following command starts the Console with a "metal"
look-and-feel:
arcsight console -laf metal
These styles modify the Console
display and associated online help. The figure below shows what the ArcSight
Console looks like when started with the default and metal styles.
The screen captures and
illustrations used throughout the ArcSight Console online help show various
look-and-feel styles.
Inspecting and Editing
ESM provides the
Inspect/Edit panel to examine the details of events that appear in active
channels in the Viewer panel, or to modify the resource attributes in the
Navigator panel. You can examine security events through the Inspect/Edit
panel's Event Inspector, and edit resources using specialized editors, one for
each specific resource type.
Overview of Inspect/Edit Features and Utilities
Each editor has its own controls and attributes,
described in the Help for its resource.
The Inspect/Edit panel
opens automatically when you double-click an event in a grid view or choose to
edit a resource in the Navigator panel. You can also right-click an event in a
grid view and choose Show Event Details. To explore the Inspect/Edit panel, you
can:
Choose Window >
Inspect/Edit Panel to open or restore the panel, if it already has inspectors
or editors in it. If no inspectors or editors are open, the panel isn't
available.
When no editors or
inspectors are open, or to work with different ones, double-click an event in a
grid view or right-click an item in a Navigator panel resource tree and choose Show
<resource>.
To clear an editor from
the Inspect/Edit panel, right-click its tab and choose Close.
Click the Hide Empty Rows
button beside the Select a Field Set menu to see only populated fields.
Click the New Field Set
button to create a new field set.
Click the icon toggle
button to show or hide icons next to each field entry.
Searching for Fields in Event Inspector, Resource Editors or CCE
To find an item in a list of fields on
the Event Inspector, any Resource Editor, or the Common Conditions Editor
(CCE), start typing the search string in the Search for field at the bottom of
the panel. The search is predictive in that it will navigate to and select
matching fields as you type. The Search utility works essentially the same way
in the Event Inspector and in resource editors that use field sets and filters
(and, by association, the CCE).
If you start to type a term
that is not in the field list, the search text turns red. If you backspace and
start deleting text, the text will change from red to black when a matching
field is found. Resume typing to find another matching term. To exit the
Search, press the Return key.
The best way to learn more
about the Event Inspector and each of the many resource editors is to click the
question mark button in the upper-right corner of the Inspect/Edit panel or the
Help button in the lower right of a resource editor.
Error and Warning Messages
Certain error messages,
warnings, and notifications appear in a small dialog. To capture the error
message and supporting data, click the Copy button or check Copy message to
system clipboard to copy the entire message to the Clipboard. You can then
paste the error message in text fields in the ArcSight Console, into the body
of an e-mail message, or other applications.
Using the Network Tools
The network tools are the
right-most set of buttons on the toolbar and are also available from the Tools
menu. ArcSight provides Ping, Traceroute, Nslookup, PortInfo, Whois, WebSearch,
and Send Logs as default utilities. Most of these tools are utilities you use
to investigate events in grid views. In a grid view, you right-click an event
to access these tools from a context menu. Send Logs, a wizard-based utility,
gathers logs and diagnostic information that you can review yourself or e-mail
to customer support.
You can add, copy, edit, or
delete network tools using the Tools menu in the menu bar. The toolbar buttons
and menu commands adjust automatically to such changes.
Running a Tools Command
To run a tools command:
1 In a grid view, select an
IP address.
2 Right-click and select Tools,
then one of the tool options.
3 Based on the tool
selected, a window appears with the information.
4 In the window, click Close.
Adding a Tool
To add a tool:
1 Choose Tools > Local
Commands > Configure.
2 In the Configure Tools
window, click New.
3 In the Tool window, edit
the Name, Program, Working Directory, Icon, and Program Parameters (command
line parameters to be used for the program) text fields.
4 Click OK, then Done.
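A tool added this way is a local program launched on the Console host with a value taken from the selected event as its command-line argument, so the program should treat that argument as untrusted input. The following POSIX shell wrapper is an added example, not ArcSight code, of the kind of Program a practitioner would configure: it accepts only a well-formed IPv4 address and then launches the real utility with that value as a single argument, refusing anything else (hostnames, IPv6, shell metacharacters, empty input). Two things are assumptions of this example: that the Console passes the selected IP as the script's first argument, and that the wrapped utility is whois unless the TOOL_CMD variable says otherwise. The placeholder syntax for Program Parameters is not shown on this page, so none is assumed here.

```shell
#!/bin/sh
# Wrapper for an ArcSight Console local tool (added example, not ArcSight code).
# Assumptions: the Console invokes this script with the selected IP address as $1,
# and the utility to run is whois unless TOOL_CMD is set to something else.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0-255.
# Hostnames, IPv6, shell metacharacters and empty input are all rejected.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.) return 1 ;;   # only digits and dots, no leading/trailing dot
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1                          # split on dots into positional parameters
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1         # wrong number of octets (e.g. "10.0.0" or "1.2.3.4.5")
  for octet in "$@"; do
    [ -n "$octet" ] || return 1      # empty field from a double dot ("10..0.1")
    [ "${#octet}" -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# run_tool ADDR: validate ADDR, then run the underlying utility with ADDR as
# exactly one argument. Returns 2 without running anything if validation fails.
run_tool() {
  target=$1
  if ! is_ipv4 "$target"; then
    printf 'run_tool: rejected argument: %s\n' "$target" >&2
    return 2
  fi
  "${TOOL_CMD:-whois}" "$target"
}

# Entry point when the Console launches the script with the selected address.
# Skipped when no argument is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  run_tool "$1"
fi
```

Point the tool's Program field at this script and pass the selected address through Program Parameters; the argument is quoted as one word all the way to the utility, so an event field containing `;`, spaces or a hostname is rejected rather than interpreted by the shell.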
Configure (Edit) a Tool
To configure (edit) a tool:
1 Choose menu command Tools
> Local Commands > Configure.
2 In the Configure Tools
window, select an existing tool and click Edit.
3 In the Tool window, set
these parameters and options: the Name, Program, Working Directory, Icon, and
Program Parameters (command line parameters to be used for the program) text
fields. Also select whether you want the tool to show in the toolbar.
4 Click OK, then Done.
Deleting a Tool
To delete a tool:
1 Choose menu command Tools
> Local Commands > Configure.
2 In the Configure Tools
window, select an existing tool and click Delete.
3 In the dialog box, click Yes.
4 Click Done.