Known Issues

These issues apply to common or several components in your ArcSight Platform deployment. For more information about issues related to a specific product, please see that product's release notes.

Micro Focus strives to ensure that our products provide quality solutions for your enterprise software needs. If you need assistance with any issue, visit Micro Focus Support (https://www.microfocus.com/support-and-services/), then select the appropriate product category.

Analytics Does Not Detect the Custom SQL Loader Scripts After the Intelligence Upgrade

Issue: For AWS and Azure deployments, after the Intelligence upgrade from 22.1.0 to 22.1.1, analytics does not detect the custom SQL loader scripts of the previous version of Intelligence. Instead, it proceeds with the default SQL loader scripts present in <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.2.9/ (OCTCR33I466019)

Workaround:

Step 1: Perform the following steps before the upgrade:

  1. Launch a terminal session and as a root user, log in to the node where NFS is present.

  2. Navigate to the following directory:

    cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/
  3. Execute the following command to create the 1.9.1.9 directory:

    mkdir 1.9.1.9
  4. Navigate to the following directory:

    cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0
  5. Execute the following command to move the SQL loader scripts from <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0 to <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.1.9:

    mv *.md5 *.sql 1.9.1.9
  6. Execute the following command to grant permissions to the 1.9.1.9 directory:

    chown -R 1999:1999 1.9.1.9

Step 2: Upgrade the Intelligence capability.

For more information, see Upgrading to 22.1.1 in the Administrator’s Guide for ArcSight Platform.

Step 3: Perform the following steps after the upgrade:

  1. Run Analytics to start the next analytics run. For more information, see Running Analytics on Demand in the Administrator’s Guide for ArcSight Platform.

  2. During the analytics run, the 1.9.2.9 folder is created in the following directory with the default SQL loader scripts:

    cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.2.9
  3. (Conditional) If you have been using custom SQL loader scripts in 22.1.0, then the SQL loader scripts with inconsistent md5 sums between the current and previous versions are displayed in the Analytics logs. Perform the following steps to review and modify the SQL loader scripts:

    1. Execute the following command to check the logs of the analytics pod:

      kubectl logs -f interset-analytics-xxx -n arcsight-installer-xxx -c interset-analytics
    2. Review and add the necessary modifications to the new SQL loader scripts present in the following directory:

      cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.2.9
    3. Update the md5 files with the md5 sums corresponding to the modified SQL loader scripts in the following directory:

      cd <arcsight_nfs_vol_path>/interset/analytics/vertica_loader_sql/0/1.9.1.9

      Analytics is triggered automatically after all the SQL loader scripts with inconsistent md5 sums are updated.
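
To support the review in Step 3, the following added example (not part of the original release notes or of any Micro Focus tooling) lists which SQL loader scripts differ between the preserved 1.9.1.9 directory and the defaults in 1.9.2.9. The function name compare_loader_scripts is hypothetical, and the script assumes both directories hold *.sql files with matching names; it does not read or write the .md5 files, whose format the page does not describe.

```shell
#!/bin/sh
# Added example, not vendor code: compare SQL loader scripts between the
# preserved custom set (1.9.1.9) and the defaults created by the upgraded
# analytics run (1.9.2.9). The function name is hypothetical.
#
# Usage: compare_loader_scripts <old_dir> <new_dir>
# Prints one line per script: SAME, CHANGED, ONLY_OLD or ONLY_NEW.
# Returns 0 if all scripts are identical, 1 if any needs review, 2 on bad input.
compare_loader_scripts() {
    old_dir=$1
    new_dir=$2
    [ -d "$old_dir" ] && [ -d "$new_dir" ] || {
        echo "ERROR: both arguments must be existing directories" >&2
        return 2
    }

    differs=0
    # Pass 1: every script in the old directory, compared by md5 sum.
    for old in "$old_dir"/*.sql; do
        [ -e "$old" ] || continue              # glob matched nothing
        name=${old##*/}
        new=$new_dir/$name
        if [ ! -f "$new" ]; then
            echo "ONLY_OLD $name"
            differs=1
            continue
        fi
        old_sum=$(md5sum < "$old" | cut -d' ' -f1)
        new_sum=$(md5sum < "$new" | cut -d' ' -f1)
        if [ "$old_sum" = "$new_sum" ]; then
            echo "SAME $name"
        else
            echo "CHANGED $name old=$old_sum new=$new_sum"
            differs=1
        fi
    done

    # Pass 2: scripts that exist only in the new directory.
    for new in "$new_dir"/*.sql; do
        [ -e "$new" ] || continue
        name=${new##*/}
        if [ ! -f "$old_dir/$name" ]; then
            echo "ONLY_NEW $name"
            differs=1
        fi
    done
    return $differs
}

# Run directly with two directory arguments, for example the 1.9.1.9 and
# 1.9.2.9 directories under vertica_loader_sql/0 on the NFS node.
if [ "$#" -eq 2 ]; then
    compare_loader_scripts "$1" "$2"
fi
```

Scripts reported as CHANGED are the ones whose customizations need to be carried into the 1.9.2.9 copies.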

Pods Might Not Run During Fusion Reinstall

Issue: After you undeploy the Fusion capability and then redeploy Fusion into the same cluster, pods might remain in CrashLoopBackOff or PodInitializing status. The root cause of the issue is that the redeploy causes the system to forget the password for the rethinkdb database. (OCTCR33I112042)

Workaround: Delete all of the files in the NFS folder before redeploying Fusion: arcsight-nfs/arcsight-volume/investigate/search/rethinkdb/hercules-rethinkdb-0. This will cause the rethinkdb database to be automatically recreated when Fusion is redeployed.

Installation, Upgrade, or Adding Additional Capabilities Fails Due to Comma Character in On-Premises Docker Container Registry Admin Password

Issue: For on-premises deployments, if the Docker container registry-admin password includes a comma (,) character, the image upload phase fails due to a bug in the container registry. The registry-admin password is initially set to the same password as the admin user for the CDF Management Portal during installation. However, later changing the CDF Management Portal admin password does not change the registry-admin password because it is managed separately. (INST-2464)

Workaround: Log in to the master node console and use the /opt/arcsight/kubernetes/scripts/updateLocalRegistryInfo.sh script to change the registry-admin password to a new one that does not include the restricted comma character.

CDF Management Portal Admin Password Change Fails to Update Registry Admin Password

Issue: For on-premises deployments, the registry-admin password is initially set to the same password as the admin user for the CDF Management Portal during installation. However, later changing the CDF Management Portal admin password does not change the registry-admin password because it is managed separately. The registry-admin password is used during upgrades and when adding capabilities to an existing cluster during the phase of image upload. (INST-2464)

Workaround: Log in to the master node console and use the /opt/arcsight/kubernetes/scripts/updateLocalRegistryInfo.sh script to change the registry-admin password.

On Multi-master Non-root Install, itom-cdf-keepalived Pod Restarting and Suite Fails to Deploy

Issue: If you perform a sudo installation of a multi-master cluster through the arcsight-install tool, you will notice that all capability pods are marked as pending, and that the itom-cdf-keepalived pod exists only as a single replica and is crashing. In addition, the kubectl get nodes command returns all of your worker nodes in a NotReady status. If the sudo installation for multi-master was executed manually via install.sh, you will notice only that the itom-cdf-keepalived pod exists as a single replica and is crashing, even before you try to deploy the capabilities.

Workaround: Use kubectl edit ds/itom-cdf-keepalived -n kube-system to edit the daemonset definition of cdf-keepalived. Locate the "nodeSelector" section and change its value (make sure to honor the spacing) to master: "true". Save and exit as you would in a normal vi session. Then make sure that the kubectl get ds/itom-cdf-keepalived -n kube-system command now returns a current/desired replica count of 3.

After an Upgrade from the Patch Release, Error Returned: "Failed to upgrade. Internal Server Error."

After upgrading to 22.1 from 21.1, in some cases the following error message might be returned in the final stages of the upgrade: "Failed to Upgrade. Internal Server Error." The issue can also be detected in logs if some resources are not upgraded. If you encounter this issue, delete the old upgrade pod and then run the following command:

    kubectl delete deployment suite-upgrade-pod-arcsight-installer -n `kubectl get namespaces | grep arcsight-installer | awk '{print $1}'`

Then run the upgrade again.

Accessing the CDF Management Portal Reconfigure Page

Issue: At times, you might not be able to access the CDF Management Portal Reconfigure page. For example, this issue might occur when you are trying to perform an upgrade.

Workaround: Follow these steps:

  1. Verify the status of the nginx-ingress-controller DaemonSet:

    NS=$(kubectl get namespaces | awk '/arcsight/{print $1}');kubectl get daemonset nginx-ingress-controller -n $NS
  2. Create a new nginx-ingress-controller.yaml file:

    cd ${K8S_HOME};kubectl get daemonset nginx-ingress-controller -n `kubectl get namespaces | grep arcsight-installer | awk '{print $1}'` -o yaml > \
    nginx-ingress-controller.yaml
  3. Ensure that the saved nginx-ingress-controller.yaml file exists in the ${K8S_HOME} home directory (/opt/arcsight/kubernetes) and contains definitions in yaml format.

  4. Delete the current nginx-ingress-controller configuration:

    kubectl delete -f ./nginx-ingress-controller.yaml
  5. Apply the new nginx-ingress-controller configuration:

    kubectl apply -f ./nginx-ingress-controller.yaml
  6. Wait until the nginx-ingress-controller pods are up and running:

    kubectl get pods -n $NS --watch | grep nginx-ingress-controller
  7. Verify the nginx-ingress-controller daemonset status:

    kubectl get daemonset nginx-ingress-controller -n $NS
  8. To continue to upgrade deployed capabilities, see "Accepting the Certificate" in the Administrator’s Guide for ArcSight Platform.

Contract & Usage Page Throws an Ingress Router Error and Does Not Load

Issue: When the user tries to navigate from My Profile to Contract & Usage, the page throws an ingress router error message as follows and does not load:

    The Route You Reach Does not Exist
    Please check your router configuration and the path in your address bar

(OCTCR33I372067)

Workaround: Refresh the page to load the Contract & Usage page.

Displays an Erroneous Warning about a Recon License

Issue: In an ArcSight Platform deployment that has Intelligence with an MSSP license, you will receive the usual notifications that the licenses are about to expire. However, if the MSSP license expires, the Platform erroneously displays a warning that the Recon license has expired even though Recon is not deployed. This issue does not occur when Recon is deployed, with or without the MSSP license. (OCTCR33I378083)

Workaround: There is no workaround for this issue.

Backup Failures in S3 While Deleting Obsolete Files

Issue: Part of the backup operation is clearing obsolete backup files that are older than the backup retention configuration setting. Due to this issue, the cleanup of obsolete files might not complete successfully and some obsolete files might remain, resulting in higher than necessary backup storage utilization. (OCTCR33I408155)

Workaround: A patch will be released to fix this issue so that the cleanup operation reliably completes. However, if you need to resolve this issue sooner than the patch release, contact Technical Support to obtain a modified /opt/vertica/bin/vbr.py file that contains a fix that can be applied immediately. Also, edit the config/backup_restore_cloud_storage_base.ini file by uncommenting and setting cloud_storage_concurrency_delete = 1.

Event Integrity Query for Large Time Range Indicates Insufficient Disk Space (AWS/Azure)

Issue: If a large time range is selected (e.g., 1/31-2/22), there is an intermittent error of "Other" when running an Event Integrity query in an Amazon Web Services (AWS) or Azure environment. There is a related issue for insufficient disk space behavior. (OCTCR33I414022)

Workaround: We recommend selecting one day for the event integrity check.

Event Integrity Query Indicates Insufficient Disk Space (AWS/Azure)

Issue: There is an intermittent error of "insufficient disk space" when running an Event Integrity query in an Amazon Web Services (AWS) or Azure environment. There is a related issue for insufficient disk space. (OCTCR33I411123)

Workaround: See View Event Integrity Check Results to help troubleshoot this issue.

Fails to Change Storage Groups

Issue: Sometimes when data ingestion is in progress, the system fails to make your changes to storage groups because the system cannot lock the affected events table. (OCTCR33I180085)

Workaround: Stop data ingestion (the scheduler) before applying your changes to storage groups. Then start data ingestion again.

Issues Related to the Data Quality Dashboard

Data Quality Chart Fails to Update after You Change Time to a Dynamic Value

Issue: When you change a time setting for charts in the Data Quality dashboard, the charts automatically update as soon as you pick the new value. However, if you change the Start Time or End Time to a dynamic value, the charts fail to update automatically. (HERC-9913)

Workaround: To refresh the charts, click outside the time selection that you just changed. For example, if you changed the End Time to a dynamic value, click either on a chart or on the Start Time.

Data Timeseries Chart Fails to Update after Changing Categories

Issue: When viewing the Data Timeseries Chart in the Data Quality dashboard, the stacked area chart should automatically update as soon as you select an event category, such as Future Events, Past Events, or Active Events. However, when you select an event category, the stacked area chart fails to update automatically. (OCTCR33I276138)

Workaround: To refresh the Data Timeseries Chart, clear all the event categories and select them again in this order: Future Events, Past Events, and Active Events.

Specified Sizes for Dashboard Table Cells do not Work in a SaaS Environment

Issue: On your dashboard, when you manually change a table cell size, the emerging window does not show the values you entered in the fields, and the table cells cannot be resized. (This issue only affects SaaS environments.) (OCTCR33I339016)

Workaround: Even though the values are not visible, you can still modify them inside the fields and use them as intended. One way to do this is to use the shortcut Ctrl + A to select values in the field and then copy or replace them, as needed.

Issues Related to Reports Portal

Reporting Shows an Error When Single Sign On Secrets are Changed (Azure)

Issue: Reporting runs into an Open id or HTTP 500 error when single sign on secrets are changed. The reporting app can take a few minutes to fully start, so this error does not happen right after applying the change. (OCTCR33I409268)

Edit Wizard Preview is Unavailable

Issue: When you edit an asset using the Edit Wizard option, you cannot preview the report or dashboard. (OCTCR33I134098)

Workaround: To preview your changes, select the metadata option from the Edit Wizard.

My Reports Folder Cannot Be Used for Exporting

Issue: You cannot export content from the My Reports folder. (OCTCR33I186200)

Workaround: Contact Support for help with this issue.

After Hours Access Activity on GDPR Systems Summary Report Fails to Run

Issue: When you specify a long time range for the After Hours Access Activity on GDPR Systems Summary report, the report fails to run. (OCTCR33I186011)

Workaround: You must remove the Day of the Week variable. Complete the following steps:

  1. Right-click the report.

  2. Select Edit Table.

  3. Right-click the dayOfWeek variable.

  4. Select Remove.

An Exported Report Might Have Format Issues

Issue: When using the Export Asset feature, the formatting for the reports might have issues such as dark backgrounds, dark fonts, and dark table cells. (OCTCR33I186007)

Workaround: You can change the formatting manually for the exported report.

Some Exported Tables Show Squeezed Columns

Issue: Some dashboard table columns display squeezed columns when they are exported using specific formats like HTML. (OCTCR33I349068)

Workaround: There is no workaround.

Cannot Remove X/Y Fields from a Graph

Issue: In the chart editor, when you remove an X or Y field, the Reports Portal displays an error message. This issue occurs intermittently. (OCTCR33I162021)

Workaround: When this issue occurs, try again or avoid removing fields from the Axis.

Dashboard Wizard Fails to Load all Data

Issue: If you create a dashboard using the Dashboard Wizard and the chart is not loading, there is data that cannot be selected at the same time. This issue occurs intermittently. (OCTCR33I161014)

Workaround: When this issue occurs, try again or avoid removing fields from the Axis.

Cannot View Text in a Chart

Issue: If you select the Multiple Styles checkbox, the whole area of chart selection displays white with text in the middle that cannot be read. (OCTCR33I141023)

Workaround: To read the text, highlight the text inside the white space.

Reports and Dashboards Use UTC Time Zone

Issue: The start and end times for your reports and dashboards use UTC time instead of your local time zone. (OCTCR33I331194)

Workaround: There is no workaround for this issue.

Issues Related to Search

Fieldsets Default to Base Event Fields After an Upgrade

Issue: After upgrading to this release, the Public Default Fieldset defaults to Base Event Fields. (OCTCR33I178795)

Workaround: In User Preferences, specify the fieldset that you want and set it as default again.

Fieldsets Display Database Names

Issue: When you create a fieldset, Search displays the coding-style name for the fields instead of the human-readable names that you see when creating a search query. For example, in a query you can enter or select Agent Address. However, in the fieldsets selection, this same field appears as agentAddressBin.

This issue also occurs when you’re adding queries to a report. (OCTCR33I181059)

Workaround: To identify the coding-style names, see “Mapping Database Names to their Appropriate Search Fields” in the Help or the User Guide for ArcSight Recon.

Scheduled Tasks Do Not Allow Default Printer Selection

Issue: The default printer field is a textbox that allows any value instead of being a list of valid entries. (OCTCR33I71158)

Workaround: There is no workaround.

Scheduled Tasks Can be Saved Even if the User Closes the Dialog Box

Issue: When you click the Close button during the scheduler task creation process, the modal dialog box closes, but the task is still being saved. (OCTCR33I167004)

Workaround: If you do not intend to save the task in the scheduler table, select the task and manually delete it.

Load Modal Does Not Load Search Criteria When the Fieldset is Deleted

Issue: Search criteria does not load under the circumstances described below. (OCTCR33I369029)

  1. The customer creates his or her own fieldset.

  2. The customer creates a search criteria and assigns his or her custom fieldset to it.

  3. The customer deletes the fieldset that was just created.

  4. The search criteria fieldset returns to the one set in the user preferences.

  5. The customer tries to load the Search Criteria from the Feature Table, but it will not load and displays a red "Failed to load search list" error message.

Workaround: Load the search criteria from the Load modal dialog box in the main search page.

Saved Query or Criteria Can Overwrite the Query in a Saved Results that Has the Same Name

Issue: If you save a Query or Criteria and use the same name as a previously saved search Results, the system overwrites the query in that saved search results rather than saving a new Query or Criteria with the specified name. For example, you execute a search and save the results as Checking Log4J Vulnerabilities. If you create and save a new search Query or Criteria with that same name, you have changed the query in the saved Results. The next time that you run Checking Log4J Vulnerabilities, Search will use the newly saved query instead of your original query. (OCTCR33I369158)

Workaround: Before saving a new Query or Criteria, review the existing saved Results to ensure that you do not use the same name.

Time Range Loads Incorrectly When Selecting the Default Option “DD/MM/YY hh:mm:ss:ms”

Issue: When the user sets DD/MM/YY hh:mm:ss:ms in user preferences and loads a search criteria, the time range is reported incorrectly. (OCTCR33I411211)

Workaround: Manually change the time range that was set in the search criteria.

Search Fails to Load All Saved Search Criteria Settings

Issue: If you load a saved search Criteria from the Search page, the system fails to load the saved fieldset or time range. (OCTCR33I385042) and (OCTCR33I174130)

Workaround: Load the saved Criteria from the Saved Search Criteria page:

  1. Select Search > Criteria.

  2. Click the box next to the search criteria that you want to load.

  3. Click Load.

Scheduled Searches Sometimes Fail to Export to CSV

Issue: On occasion, when you export a completed run of a scheduled search, the CSV file fails to display any data. (OCTCR33I174130)

Workaround: If this issue occurs, view the results of the run. Then, from the Events table, export the data to a CSV file.

CSV File Export Fails after You Change the Date and Time Format

Issue: After modifying the date and time format in preferences, the CSV export function fails for saved search runs made before the preference change. (OCTCR33I113040)

Workaround: Run the scheduled search again, then save it. Select the CSV icon to download the file.

Fieldset Fails to Revert to its Original Setting

Issue: If you change the fieldset after running a search, then leave the Search web page or navigate to a different feature, Search fails to revert the fieldset to the original setting. For example, you choose the Base Event Fields fieldset and run the search, then change the fieldset to All Fields. Next you navigate to the Saved Searches page. When you return to the Search page, the fieldset is still All Fields rather than reverting to Base Event Fields as it should. (HERC-9865)

Workaround: To revert the fieldset to its original setting, press F5 while viewing the Search.

Cannot Change the Time Range if Your Preferred Time Range is a Static Value

Issue: In User Preferences, if your preferred Default Time Setting is Static, you cannot use the date picker to quickly change the time range for a search. (OCTCR33I174128)

Workaround: In a Search, manually enter the date and time values. Alternatively, change your preferred Default Time Setting to a Dynamic or Preset value. For more information about configuring your user preferences, see the Help or User's Guide for Fusion 1.5 in the ArcSight Platform.

Scheduled Search Appends Erroneous Values to the Run Interval

Issue: When creating a scheduled search, if you select Every 2 hours in the Pattern section, the search runs every two hours, at every even hour, such as 0, 2, 4, 6, and so on, and appends the minutes setting from the Starting From value. The system ignores the hour setting in Starting From. (OCTCR33I179782)

For example, you might select Every 2 hours and choose Starting From at 01:15 am. Search will run every 2 hours at 2:15 am, 4:15 am, 6:15 am, and so on.

Workaround: To run the Search at a selected hour and minutes, specify a specific hour for the Starting From setting.

Search Join Fails when Lookup List has 'User' as a Value

Issue: Search displays an error and fails to apply a join if an associated lookup list includes the word “user” for a data value. (HERC-8283)

Workaround: Contact Support for help with this issue.

Cannot Change the Start or End Date While a Notification Banner is Present

Issue: If the application currently displays a notification banner, Search fails to accept a change to the Start time or End time for a custom date range. (OCTCR33I379056)

Workaround: Clear the notifications, then change the date range.

Cannot Use Search Operators in the Name of a Saved Query or Criteria

Issue: If you include a search operator in the name of a saved query or criteria, Search includes that part of the saved name in the query. For example, you save a query with the name Users and Devices. When you load that query, Search adds "and Devices" to the query field. This occurs because "and" is also a search operator. (OCTCR33I341227)

Workaround: Avoid the following terms in the name of a saved search query or criteria:

    Term to Avoid    Workaround
    &                No workaround
    |                No workaround
    and              Use without spaces before or after the term. For example: UsersAndDevices
    or               Use without spaces before or after the term. For example: UsersORdevices

Search Query Might Return Incorrect Results if the Query is not Explicitly Stated

Issue: The Search field should return the correct results from a search. If you do not get the results you expect, you might need to restate the query. For example, if your query is written with spaces, only the first word is shown in the results. (OCTCR33I324035)

Workaround: State the query using explicit phrasing without any spaces.