Email notifications fail after upgrading ESM Express 4.0 to ESM Version 6.9.1

  • KM02253822
  • 21-Apr-2016
  • 24-Jun-2016

Summary

Following an upgrade to ESM 6.9.1 from ArcSight Express 4.0 P1, email notifications fail with "Can't send command to SMTP host". A new email property is required in server.properties.

Error

Following an upgrade from ArcSight Express 4.0 Patch 1 to ESM Express 6.9.1, email notifications for reports, rules, etc. no longer work. These notifications worked before the upgrade, and no changes were made to the SMTP server.

The server.log shows messages similar to the following:


Sun Apr 10 09:11:51 AST 2016 ERROR class com.arcsight.server.reports.ReportServer mailReport 
com.arcsight.notification.NotificationException: Can't send command to SMTP host
at com.arcsight.notification.Email._sendMimeMessage(Email.java:673)
at com.arcsight.notification.Email.sendMimeMessage(Email.java:597)
at com.arcsight.server.reports.RepletUtils.mailReportAsAttachment(RepletUtils.java:1290)
at com.arcsight.server.reports.RepletUtils.mailReportAsAttachment(RepletUtils.java:1164)
at com.arcsight.server.reports.RepletUtils.mailReport(RepletUtils.java:902)
at com.arcsight.server.reports.ReportServer._archiveReportV4(ReportServer.java:2170)
at com.arcsight.server.reports.ReportServer.archiveReportV4(ReportServer.java:1811)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


...


Note: This could also affect new installs of 6.9.0 (Express) and 6.9.1, as well as ESM Software versions of 6.9.1.


Cause

A new property, email.tls.desired, was introduced in ArcSight 6.9.x. If this property is not set, it is assumed to be "true", which may not be correct for the environment.

Fix

To add the property whilst logged in as user 'arcsight':

1) cd /opt/arcsight/manager/config
2) cp server.properties /tmp/server.properties.bak   (this backs up the current file in case of problems).
3) Edit the file server.properties and add the following line to the bottom:


email.tls.desired=false


Please be careful not to accidentally add any special/hidden characters.


4) Save the file
5) Restart the manager service: 
 /etc/init.d/arcsight_services restart manager
6) Test notification by waiting for or running a report with email destination configured, or for a rule with notifications set as emails to fire.
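
Steps 2 and 3 can be scripted so that the property is written exactly once and checked for hidden characters. This is an added example, not part of the original article or any vendor tooling; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code): set one key in a .properties file without
# leaving duplicates or hidden characters, then verify the result.

# has_clean_property FILE KEY VALUE
# True only if FILE has exactly one definition of KEY and that line is
# byte-for-byte "KEY=VALUE" (no CR, BOM, trailing blank or other stray byte).
has_clean_property() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in KEY are literal
    n=$(LC_ALL=C grep -c "^[[:space:]]*$key_re[[:space:]]*[=:]" "$1") || true
    [ "$n" = 1 ] && LC_ALL=C grep -qxF "$2=$3" "$1"
}

# set_property FILE KEY VALUE BACKUP
# Copies FILE to BACKUP, removes every existing definition of KEY (including
# ones damaged by CRLF or stray blanks) and appends a clean "KEY=VALUE" line.
set_property() {
    cp -p "$1" "$4" || return 1
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    tmp=$(mktemp) || return 1
    # grep exits 1 when nothing is left to print; only 2 is a real error.
    # grep also newline-terminates the last line if the file lacked one.
    LC_ALL=C grep -v "^[[:space:]]*$key_re[[:space:]]*[=:]" "$1" > "$tmp" ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$1" && rm -f "$tmp" && has_clean_property "$1" "$2" "$3"
}

# Demo on a constructed sample: an earlier edit left a CRLF-terminated entry.
demo() {
    d=$(mktemp -d) || return 1
    printf 'sample.key=sample-value\nemail.tls.desired=true\r\n' \
        > "$d/server.properties"
    set_property "$d/server.properties" email.tls.desired false \
        "$d/server.properties.bak"
    rc=$?
    cat "$d/server.properties"
    rm -rf "$d"
    return $rc
}
demo
```

On the Manager host the equivalent call, run as user 'arcsight', would be `set_property /opt/arcsight/manager/config/server.properties email.tls.desired false /tmp/server.properties.bak`, followed by the restart in step 5.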