The error above shows you cannot log in, right? Do you want to fix it?
Or do you only want ePO to send events to the SQL DB?
Or do you want to parse old events from the SQL DB?
I am able to log in so that isn't an issue. I do want to send events to SQL database though. A lot of this was set up before I started this job, but I am the lucky one that gets to sort it all out. Right now I am looking at the epo PROPERTIES file and I see that orion.migrate.db.databse.name and orion.migrate.db.instance.name are blank.
I think we can only purge SQL events but cannot force ePO to pick up an event from a client and parse it into the DB; ePO does it automatically.
When a point product generates an event, it is first placed on the client in the Events folder > on ASCI, Apache picks it up and places it in the ePO events folder > the event parser checks for errors in the event, does other inspection, and parses it into the DB. So Tomcat shows the events on the ePO dashboard.
You can only decrease the ASCI time to force ePO to pick up events more frequently, but keep in mind the bandwidth of your network.
I just want all events that get to the ePO to go to a database. Then ArcSight can pull the events from the database.
Click Menu > Reporting > Threat event logs.
If you see events here, it means ePO is doing its job of parsing events into the SQL DB, because Tomcat shows the event details here, which are logged in the DB by the event parser component of ePO.
If your query is something else then wait for someone else to post here. Thank you.
It is not clear to me whether you want ePO events mirrored to a new database other than ePO's own (as there is no ePO without its own SQL database and events from clients are automatically transferred into it after processing) for use with external ArcSight reporting?
Is there any obstacle preventing ArcSight from working from ePO's own database? As far as I know ArcSight works with connectors to data sources so I assume there is an SQL connector that you could use.
My second question is: are you sure you can log in to ePO using the logon screen? There is a login error displayed in the picture you attached which very much resembles the "usual" login errors when users cannot log in to ePO... at least to me it does.
/I think you should not mess with configuration files directly even when names are telling unless instructed by support or by a KB Article./
Yes, I wanted to mirror to a new database. However, when I got access to the db I couldn't see any tables. One of our db guys added "grant select" to my account and then I could see everything. We checked the permissions on our service account and it didn't have the ability to select. Once we added that our events began flowing to ArcSight from the mirrored database.