Specifying a Global Event ID Generator ID
Global event IDs uniquely identify events across the ArcSight product suite so that you can determine the origin of events that appear in multiple components. Although ESM mainly consumes events from components such as connectors and Transformation Hub, it also generates monitoring, correlation, audit, and other internal events that require a unique event ID. The ArcSight administrator must specify a global event ID generator ID that is unique and does not overlap with the global event ID generator IDs for other ArcSight products.
The global event ID generator ID will be used to generate global event IDs for the events that are generated within the ESM installation.
During installation, you must specify a global event ID generator ID that is an integer between 0 and 16384 (0 and 16384 are not valid IDs). When you assign a global event ID generator ID to an ArcSight component, it should remain the same throughout the lifetime of the component. Should it become necessary to change the generator ID, do not attempt to change it without contacting Technical Support.
If you specified a valid global event ID generator ID but for some reason ESM failed to store the ID, the installation proceeds but the ArcSight Manager will not start. This situation is not expected. In the event that this situation does occur, complete the following steps to resolve the issue:
- Shut down the ArcSight Manager.
-
As user
arcsight, run the following script:./arcsight setgeidgenid <Global_Event__ID_Generator_ID>
where
Global_Event_ID_Generator_IDis an integer between 0 and 16384 (0 and 16384 are not valid)Note: In a distributed correlation environment, only run the script on the persistor node. - Restart the ArcSight Manager.
After you complete the installation, you can view the resources that are related to the global event ID by searching for the term "GEID" from the Resources search field in the ArcSight Console.