ArcSight ESM Archive Action Fails with Error “Archive Failed: (…) ArcSight_Metadata_csv_gz (No such file or directory)”

  • KM03780276
  • 15-Feb-2021
  • 16-Feb-2021

Summary

Archiving events in the Command Center fails.

Error

During the creation of event archives in ArcSight ESM, the operation can fail.

When you hover the mouse pointer over the failed archive in ArcSight Command Center (Administration > Storage and Archive > Archive Jobs), the popup shows an error message resembling the following:

/archives/064xxxxxxxxxx/202110215_tmp/ArcSight_Metadata_csv_gz (No such file or directory)

 


Cause

This problem occurs when the archive action is unable to create a temporary directory to store the daily archive files.

This can happen if:

  1. The disk where the archives are located is not mounted with correct permissions.
  2. The directory structure where archives are located does not have the correct ownership or permissions. 

Fix

 

Scenario 1. 

The disk where the archives are located is not mounted with correct permissions.

 

Identify the disk where the archives are stored by using the 'mount' command.

You can filter the output on the specific mount point name, for example if the archives are located on the disk/partition named /archives.

NOTE: Please consult your operating system administrator for assistance with the mount configuration.

Here is a possible example:

mount | grep archives
/dev/sdb on /archives type ext4 (rw,relatime,seclabel,data=ordered)
 

Check to see if the permissions are incorrectly set to Read Only 'ro'.

The permissions should be set to Read Write 'rw'.

If the permissions are set to anything other than 'rw', you will need to unmount the disk and mount it again with the correct permissions, for example:

umount /dev/sdb

mount -o rw /dev/sdb /archives

 

After correcting the mount permissions, you do not need to stop and start the ESM services.

Scenario 2. 

The directory structure where archives are located does not have the correct ownership or permissions. 

 

Below are the correct ownership and permissions of the folders for the default location of archives. If your archives are located on a separate disk or network share, you must ensure the Owner and Group are set to the 'arcsight' user and that the directories have the correct permissions.
 
 
ls -lhrt /opt/arcsight/logger/data
drwxrwxr-x.  arcsight arcsight   Feb  9 01:00 archives
 
ls -lhrt /opt/arcsight/logger/data/archives/
drwxr-xr-x.  arcsight arcsight    Feb 12 01:00 0648518346341351425
drwxr-xr-x.  arcsight arcsight    Feb  7 17:34 0648518346341351424
 
ls -lhrt /opt/arcsight/logger/data/archives/0648518346341351424
drwxr-xr-x. arcsight arcsight    Feb  2 01:00 20201201
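
The two checks from Scenario 1 and Scenario 2 can be combined into one diagnostic. The script below is an added example, not part of the original article or vendor tooling; the function names are hypothetical, and it assumes a Linux host with /proc/mounts and that "owner has rwx" is the minimum mode, as in the listings above.

```bash
#!/usr/bin/env bash
# Added example, not vendor code; all function names are hypothetical.

# Scenario 1: print the mount options of the filesystem that holds path $1,
# read from a mount table in /proc/mounts format ($2, default /proc/mounts).
mount_opts_for() {
    local path=$1 table=${2:-/proc/mounts} best="" opts="" dev mp fs o rest
    while read -r dev mp fs o rest; do
        case "$path/" in
            # longest matching mount point wins; a later equal entry shadows it
            "${mp%/}/"*) if [ "${#mp}" -ge "${#best}" ]; then best=$mp; opts=$o; fi ;;
        esac
    done < "$table"
    printf '%s\n' "$opts"
}

# True when the comma-separated option list contains the exact option 'rw'.
is_rw() {
    case ",$1," in *,rw,*) return 0 ;; *) return 1 ;; esac
}

# Scenario 2: list directories under $1 not owned by user $2 / group $3,
# or where the owner lacks rwx. No output means the tree is consistent.
bad_archive_dirs() {
    find "$1" -type d \( ! -user "${2:-arcsight}" -o ! -group "${3:-arcsight}" \
        -o ! -perm -700 \) -print
}

# Report for one archive root; returns non-zero if either check fails.
check_archives() {
    local root=$1 table=${2:-/proc/mounts} rc=0 opts bad
    opts=$(mount_opts_for "$root" "$table")
    if is_rw "$opts"; then echo "mount: OK ($opts)"
    else echo "mount: NOT read-write ($opts)"; rc=1; fi
    bad=$(bad_archive_dirs "$root" "${3:-arcsight}" "${4:-arcsight}" 2>/dev/null) || true
    if [ -n "$bad" ]; then echo "wrong owner/mode:"; echo "$bad"; rc=1; fi
    return "$rc"
}

# Constructed sample: the article's /archives mount, here mounted read-only.
sample=$(mktemp)
printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/sdb /archives ext4 ro,relatime,seclabel,data=ordered 0 0' > "$sample"
mount_opts_for /archives/0648518346341351424 "$sample"
rm -f "$sample"
```

On an ESM host, `check_archives /opt/arcsight/logger/data/archives` runs both checks against the default archive location using the live mount table.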