Completing Required Post-Upgrade Tasks

This section describes tasks that you must complete after you verify that the upgrade was successful.

Note: Depending on your configuration, some tasks might not be applicable.

To complete required post-upgrade tasks:

  1. If you upgraded software ESM and did not install the time zone update package before you upgraded or did not install it when prompted during the upgrade, you must install it now.

    ESM uses the time zone update package to automatically handle time zone changes and transitions between standard time and daylight saving time.

    For information about installing the time zone update package, see Software ESM: Installing the Time Zone Package.

  2. Correct invalid resources.

    You checked for invalid resources before the upgrade. It is possible that during upgrade, the condition statement for a resource that you created or modified became invalid. For example, if the schema of an ESM-supplied active list changed and a resource that you created reads entries from this list, the condition statement in the created resource no longer matches the schema of the active list and the logic is invalid.

    During the upgrade process, the resource validator identifies any resources that are rendered invalid. Review the upgrade summary report at /opt/arcsight/manager/upgrade/out/<timestamp>/summary.html to identify invalid resources and correct their conditions.

    Caution: If you choose not to persist conflicts to the database and disable invalid resources, the ArcSight Manager might generate exceptions when the invalid resources try to evaluate live events.

    For information about running the resource validator, see Running the Resource Validator.

  3. Delete unassigned .art files.

    The upgrade might result in unassigned resources. For example, .art files are created as new file resources in ESM, and the upgrade assigns new version IDs to these resources. The original files are stored in the Files resource in the Unassigned folder.

    Because they are duplicates, you can safely delete the unassigned .art files.

  4. Restore or delete deprecated resources.

    For more information, see Restoring or Deleting Deprecated Resources.

  5. Restore custom Velocity templates.

    The upgrade adds a .previous file extension to preserve customized Velocity templates and replaces the original file with an uncustomized version. To restore your customized version, delete the new file and remove the .previous file extension from your customized version.

    For example, if you customized the file Email.vm, you will have two files after the upgrade completes: Email.vm and Email.vm.previous. Your customizations are in Email.vm.previous, which is not being used. To restore your customized version, delete Email.vm and rename Email.vm.previous to Email.vm.

  6. Update the Cases user interface.

    For more information, see Updating the Cases User Interface.

  7. Restore and verify customized standard resources.

    For more information, see Restoring and Verifying Customized Standard Resources.

  8. Remove deprecated Threat Response Manager (TRM) integration commands.

    The TRM integration commands are deprecated and should not be used. Delete the following folders to remove the TRM integration commands from the Integration Commands menu:

    • /All Integration Commands/Deprecated/ArcSight Administration/TRM
    • /All Integration Targets/Deprecated/ArcSight Administration/TRM
    • /All Integration Configurations/Deprecated/ArcSight Administration/TRM

  9. To facilitate proper data collection, re-register any connectors that support IPv6 addresses.
  10. Verify that the upgrade program successfully transferred your content to the upgraded structures.

    For more information, see Verifying Content Transfer.

  11. If you previously linked assets to default system zones, the assets might have lost the zone information. Micro Focus does not recommend linking assets to default system zones. Create custom zones (including configuring the category) and link the assets to the new custom zones.

    For information about creating customized zones, see the ArcSight Console User's Guide.

  12. If you are upgrading to ESM version 7.5 from distributed mode, complete the following steps:

    1. In ArcSight Command Center, open the Cluster View dashboard.
    2. Under Backpressure, ensure that the Acceptable Lag setting is not less than 300 seconds.
  13. If you are in distributed correlation mode, to facilitate JMX authentication, restart all repo instances.

After you complete the required upgrade tasks, continue to Completing Optional Post-Upgrade Tasks. If the optional tasks do not apply to your configuration, continue to Upgrading the ArcSight Console and Smart Connectors.

Restoring or Deleting Deprecated Resources

Some resources and resource groups have been deprecated, meaning they are no longer needed. Resources are deprecated for the following reasons:

The upgrade program moved deprecated resources to a separate Deprecated group for that resource type. The resources retain the hierarchy from the previous ESM version. These resources remain active so that they will be present and operational if you rely on them.

Note: If you built resources that refer to a deprecated resource, or if you modified a deprecated resource to refer to a resource that has not been deprecated, some connections might break during the upgrade.

If you still need to use the deprecated resource, move the deprecated resource back to the active resource tree and change the conditions as needed.

If you choose to restore a deprecated resource, you are responsible for its maintenance. Verify whether new resources address the same goal more efficiently.

For example, if the upgrade program moved /All Rules/Arcsight System to /All Rules/Arcsight System/Deprecated and you plan to continue using the resource, move it to your own group after the upgrade is complete.

To generate a list of deprecated resources:

  1. In the ArcSight Console, select Edit > Find Resource.

  2. In the search field, enter the keyword deprecated and press Enter.

Updating the Cases User Interface

Complete this task before you upgrade the ArcSight Console.

If you did not customize the Cases user interface, at a minimum you must rename an XML file that the upgrade program provided to ensure that you receive updates pertaining to the user interface structure (for example, new fields).

If you customized the Cases user interface in a previous ESM version, you must manually restore the customized files so that you can continue using those customizations and also access new Cases editor fields.

To update the Cases user interface if you did not previously customize it:

  1. In /opt/arcsight/manager/config/, rename caseui.xml to caseui.xml.old.
  2. Locate caseui.xml.orig (the file that the upgrade program provided) and rename it to caseui.xml.
  3. Stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  4. Start the services to implement the upgraded Cases user interface structure and expose any new fields:

    /etc/init.d/arcsight_services start all

The updates are propagated to both ArcSight Command Center and the ArcSight Console.

To update the Cases user interface if you previously customized it:

  1. In /opt/arcsight/manager.preUpgradeBackup/i18n/common, locate the properties files that you customized (for example, label_strings_en.properties and resource_strings_en.properties, and other localized properties files).

    The upgrade process installs the latest properties files in /opt/arcsight/manager/i18n/common.

  2. Open one of the customized properties files (for example, /opt/arcsight/manager.preUpgradeBackup/i18n/common/label_strings_<locale>.properties) and locate your customizations.

    Tip: Search for the string extendedcase to locate your customized field labels.

  3. Copy the customizations to the corresponding properties file that the upgrade program provided (located in /opt/arcsight/manager/i18n/common/).

    Note: For English, if the *_en.properties file does not exist in /opt/arcsight/manager.preUpgradeBackup/i18n/common, copy the *.properties file. If it exists, copy *_en.properties. For other locales, copy the *_<locale>.properties file.

    After you upgrade the ArcSight Console (see Upgrading the ArcSight Console and Smart Connectors), copy the following customized files to the individual Console installations at arcsight\console\i18n\common\:

    • label_strings
    • resource_strings
  4. In /opt/arcsight/manager/config/, rename caseui.xml to caseui.xml.old.

  5. If you changed the user interface structure, in /opt/arcsight/manager.preUpgradeBackup/config, open the customized copy of caseui.xml and locate your customizations.
  6. Copy your customizations to caseui.xml.orig (in /opt/arcsight/manager/config/).

  7. Rename caseui.xml.orig to caseui.xml.
  8. If there is a customized case details mapping to audit events, copy case.properties from /opt/arcsight/manager.preUpgradeBackup/config/audit to /opt/arcsight/manager/config/audit.

  9. Stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  10. Start the services:

    /etc/init.d/arcsight_services start all

Restoring and Verifying Customized Standard Resources

If you created a .arb file in the topic Preparing Resources for Upgrade, import it and verify that its contents work as expected.

Updates to standard content that occurred during the upgrade might cause resources that you created to work in a way that you did not intend. For example, a rule might trigger too often or not at all if it uses a filter in which conditions were changed.

To verify that resources that you created work as expected:

  1. Send events that you know will trigger the content using the Replay with Rules feature.

    For more about this feature, see the ArcSight Console User's Guide.

  2. Check the Live or All Events active channel to verify that the correlation event was triggered. Ensure that the data monitors that you created return the expected output based on the test events that you sent.

  3. Verify that notifications were sent to the recipients in your notification destinations.

  4. Verify that active lists that you created to support your content gather the Replay with Rules data.

  5. During the upgrade process, the resource validator identified resources that were rendered invalid (conditions that no longer work) during the upgrade. Identify invalid resources and correct their conditions as appropriate.

Verifying Content Transfer

After the upgrade is complete, verify that the upgrade program transferred your content to the upgraded structures.

Note: The upgrade program imports packages but does not install them, even if they are mandatory. You must manually install packages after the upgrade program imports them. Packages that you installed before the upgrade remain installed.

To verify content transfer:

  1. For all resource types, check for resources in the Unassigned group in the resource tree. If resources are present, move them to the appropriate custom group.

    Unassigned groups contain resources that you created and were previously located in the System group.

    Note: Micro Focus recommends that you do not move these resources to standard content groups. Future upgrades will move the resources back to the Unassigned group.
  2. Check for assets in the Disabled group.

    The Disabled group in the assets resource tree queries the ArcSight Manager every two minutes for assets that have been disabled. If you find assets in the Disabled group, review the disabled assets to determine why they were disabled and make the appropriate corrections. For example, if an asset's IP address is outside the range of the upgraded zone, either expand the range of the zone or assign the asset to another zone.

    For existing assets, if two assets in the same zone have the same host name or IP address, one of them becomes invalid after the upgrade. This might occur for assets that use the fully qualified domain name (FQDN) of the asset as the host name. When comparing the two assets, only the host name is extracted from the FQDN.

    For example, if two assets have FQDNs myhost.mycompany.com and myhost.mycompany.us.com, ESM only uses the value myhost to compare them. Since the host name is identical, these two assets are considered conflicting assets and one of them becomes invalid. To override this behavior and use the FQDN instead, set the following property in the server.properties file:

    asset.lookup.hostname.resolve.without.domain=true

    You can delete disabled assets if you no longer need them.

  3. Verify that access control lists are correct and valid based on the organization of the standard content.

    For example, only users with authority to work with system-level content such as ArcSight System and ArcSight Administration should have Administrator access.

  4. Check for invalid zones:
    1. Correct zones that you want to retain and delete zones that you do not want to retain.
    2. Verify that assets that are assigned to zones that were moved or invalidated during the upgrade retain connections to appropriate zones.
    3. If you customized existing standard zones, edit the new resource to restore the customizations. Do not import the old zone.
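
The host-name comparison described in step 2 above (only the text before the first dot of the FQDN is compared within a zone) can be checked against an asset list to find the pairs that will conflict. The following script is an added example, not part of ESM or its documentation; the tab-separated zone and host input format, the function names, and the zone names are assumptions.

```shell
#!/bin/sh
# Added example (not ESM tooling): find assets that share a zone and a short
# host name, which the text above says makes one of them invalid.
# Input on stdin (assumed format): one "zone<TAB>host" pair per line.

find_hostname_conflicts() {
    awk -F'\t' '
        NF < 2 { next }
        {
            zone = $1
            host = tolower($2)      # lowercasing is a choice of this example
            short = host
            # Keep the text before the first dot, but leave IPv4 literals whole.
            if (host !~ /^[0-9.]+$/) sub(/\..*/, "", short)
            key = zone "\t" short
            if (!((key, host) in seen)) {       # ignore exact duplicate rows
                seen[key, host] = 1
                if (count[key]++) names[key] = names[key] "," host
                else              names[key] = host
            }
        }
        END {
            for (key in count)
                if (count[key] > 1) print key "\t" names[key]
        }
    ' | sort
}

# Constructed sample: the two FQDNs from the example above plus controls.
sample_assets() {
    printf 'DMZ\tmyhost.mycompany.com\n'
    printf 'DMZ\tmyhost.mycompany.us.com\n'
    printf 'Internal\tmyhost.mycompany.com\n'
    printf 'DMZ\tother.mycompany.com\n'
    printf 'DMZ\t10.0.0.5\n'
    printf 'DMZ\t10.0.0.6\n'
}

sample_assets | find_hostname_conflicts
```

Each output line gives the zone, the shared short host name, and the colliding names; these are the assets to rename, move to another zone, or handle through the asset.lookup.hostname.resolve.without.domain property described above.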