multitail color profile for ESM server.std.log

March 1, 2012

Add this to the end of your multitail.conf file and multitail your server.std.log or webserver.std.log file for some pretty colors. It adds highlights for log levels, timestamps, errors, full GCs and the infamous “Ready.” line.

colorscheme:arc_std:ArcSight Wrapper Logs
# log-level prefixes at the start of the line
cs_re_s:blue,,bold:(^INFO).*
cs_re_s:yellow,,bold:(^WARN).*
cs_re_s:red,,bold:(^ERROR).*
cs_re_s:green,,bold:(^STATUS).*
# the pipe separators between fields
cs_re_s:white,,bold:.*(\|).*(\|).*(\|)
# timestamp (yyyy/mm/dd hh:mm:ss)
cs_re_s:magenta:^.+([0-9]{4}/[0-9]{2}/[0-9]{2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}).*
# WARN/ERROR following a three-digit field, on a blue background
cs_re_s:yellow,blue:[0-9]{3}\s(WARN\s+.*)
cs_re_s:red,blue:[0-9]{3}\s(ERROR\s+.*)
# banners, persisted-event counts, the "Ready." line and full GCs
cs_re_s:white,,bold:(=====>.+<=====)
cs_re_s:green:.*\| (.+Persisted.+events.*)
cs_re:white,green,bold:.*\| Ready\.
cs_re:white,red,bold:.*Full GC.*

# apply the scheme automatically to server.std.log and webserver.std.log
scheme:arc_std:.*(server|webserver)\.std\.log
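To check what the scheme will actually highlight before loading it into multitail, here is an added Python script (not part of the post, and not a multitail feature) that parses the cs_re/cs_re_s lines above, runs them against a few constructed lines shaped like the wrapper log, and reports which colour spec each line would get. Python's re module stands in for the POSIX regex engine multitail uses, so the results are indicative rather than an exact emulation of multitail's rendering; the function names and the sample log lines are my own.

```python
import re

# The multitail colour scheme from the post, embedded as constructed input
# so the script runs offline (same text as the multitail.conf snippet).
ARC_STD_SCHEME = r"""
colorscheme:arc_std:ArcSight Wrapper Logs
cs_re_s:blue,,bold:(^INFO).*
cs_re_s:yellow,,bold:(^WARN).*
cs_re_s:red,,bold:(^ERROR).*
cs_re_s:green,,bold:(^STATUS).*
cs_re_s:white,,bold:.*(\|).*(\|).*(\|)
cs_re_s:magenta:^.+([0-9]{4}/[0-9]{2}/[0-9]{2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}).*
cs_re_s:yellow,blue:[0-9]{3}\s(WARN\s+.*)
cs_re_s:red,blue:[0-9]{3}\s(ERROR\s+.*)
cs_re_s:white,,bold:(=====>.+<=====)
cs_re_s:green:.*\| (.+Persisted.+events.*)
cs_re:white,green,bold:.*\| Ready\.
cs_re:white,red,bold:.*Full GC.*
"""


def parse_scheme(text):
    """Return (kind, colours, compiled regex) for every cs_re/cs_re_s line.

    multitail's line format is kind:colours:regex.  The first two fields never
    contain ':', so splitting on the first two colons keeps the regex intact
    even when it contains ':' itself (as the timestamp rule does).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(":")
        if kind not in ("cs_re", "cs_re_s"):
            continue
        colours, _, pattern = rest.partition(":")
        rules.append((kind, colours, re.compile(pattern)))
    return rules


RULES = parse_scheme(ARC_STD_SCHEME)


def matching_colours(line, rules=RULES):
    """Colour specs of every rule whose regex matches the line, in config order.

    re.search mirrors multitail's behaviour: a rule is not anchored unless its
    regex uses ^ or $ itself.
    """
    return [colours for _kind, colours, rx in rules if rx.search(line)]


def highlighted_text(line, rules=RULES):
    """(colour, text) pairs that would be coloured for this line.

    cs_re_s colours only the capture groups; cs_re colours the whole match.
    """
    out = []
    for kind, colours, rx in rules:
        m = rx.search(line)
        if not m:
            continue
        if kind == "cs_re_s" and m.groups():
            out.extend((colours, g) for g in m.groups() if g)
        else:
            out.append((colours, m.group(0)))
    return out


# Constructed sample lines shaped to exercise the rules; not real ArcSight output.
SAMPLE_LOG = [
    "INFO  | 2012/03/01 09:15:02 | arcsight.manager | Persisted 3512 events in 2 seconds",
    "ERROR | 2012/03/01 09:15:04 | arcsight.jdbc | connection refused",
    "=====> Starting Manager <=====",
    "STATUS | 2012/03/01 09:15:05 | arcsight.manager | Ready.",
    "12345.678: [Full GC 512000K->256000K(1024000K), 4.2 secs]",
]

if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(f"{sample!r}\n    -> {matching_colours(sample)}")
```

Running it prints, for each sample line, the list of colour specs that fire; a line that collects more than one spec is painted by each in turn, which is why the scheme puts the whole-line cs_re rules for “Ready.” and “Full GC” last.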

Say What You Will About Shaw…

October 11, 2011

…internet speed is absolutely, undeniably, untouchable by local competition. Most people I talk to, when discussing broadband internet in North America, don’t actually believe that I can get this from my ISP. They think I must be stupid and mistaking 10Mb for 100. Anyway, despite whatever issues you have, Shaw, thanks for at least showing us that when ISPs whine, cry and make excuses about not having bandwidth, they’re full of sh**!

11.5 MB/s = 92Mbit/s

Given there should be around a 4-14% overhead for DOCSIS, Ethernet, and TCP, I think that’s pretty much getting advertised speed and that’s pretty swell.

Thanks to Sheena (6766) who helped me get one of Shaw’s new SMC home gateway devices to act as a bridge and not a wireless router!

FYI: If Shaw switches you to one of these routers, do not expect to use features of your existing router that rely on having a public IP. Also, they will simply plug it in and not tell you that it is a full-featured wireless router by default. You may not even realize that you now have another wireless network, and that your current network is now double-NATed. Luckily, you can call and (if you get the right person) they are able to switch it to behave like a “dumb modem” device. You may need to ask for “bridge mode” or tell them your home router is not working any more.

TextMate FlexConnector Bundle v0.00001

June 22, 2011

There may only be one or two people on the planet interested in this, but I think I can safely share this without fear of reprimand. :)

https://rapidshare.com/files/1601495267/ArcSight.tmbundle

Right now it is simply the file associations, slightly tweaked syntax highlighting, and an “insert tokens” and an “insert disclaimer” function.

More work TBD. Suggestions welcome.

1-10-100 and That Perfect Dashboard

June 8, 2011

This year at the Maker Faire in San Mateo, Fritz Grobe and Stephen Voltz gave a talk on their approach to innovation. It follows “a” 1-10-100 principle.

It takes one experiment to spark a concept. By experiment 10 one should have fleshed things out and have defined a direction. By experiment 100 one hopes to have found something that is sublime…

GE and Maker Faire: a match made in nerd heaven

This got me to thinking about ArcSight content development. Ever since I first started using ESM, I’ve always likened building content to programming/coding. Content development is a careful balancing act between creative and engineering disciplines that draws on understanding and experience with the underlying components. Is it that different from the world of experimentation?

A good security analyst pores through the events in their environment looking for opportunities to build content that brings value to their organization or effort. When they find something, they have a concept. By the time they’ve gone through the events 10 times there should be a clear focus and direction. By the time they’ve iterated through 100 times the content and output should be refined to a level where they see exactly what they’re looking for.

Think about it. How many times did you change the filter conditions and replay that active channel? If we think of each “experiment” in this concept as a change or refinement to content, it’s not hard to imagine that by (at least) 100 refinements you’re reaching something to be proud of.

More important are the four rules that Fritz and Stephen live by:

  • Seek variation – explore the possibilities.
  • Be obsessive – keep focused until one finds something special.
  • Be stubborn – don’t give up until you work through the problems.
  • Set limits and work within them – unconstrained innovation meanders and wanders; only by setting limits does it force one to dive into the depths of a concept.

I’ve never been able to elegantly lay out tenets for great content development, but I think that’s as close as it gets. So remember, when you’re in class learning about ESM, you’re learning the foundation: how to put content together, why it works that way and how to use the tool itself. When you get back to your production world, sit down in front of the console, and have to deliver something “sublime,” think hard about these rules, and the 1-10-100 concept.

Motorola DCT6416 Possessed Cooling Fan

May 27, 2011

The little speed controlled fan inside of my cable box (or more likely a temp sensor) decided to fizzle a few weeks ago. Everything else seems to be fine, but the fan speed goes from “jet-engine” to “whisper” and back randomly and for no reason. Some may call me fickle, but you try watching TV or sleeping in a room with this monster!

DIY Fan Speed Bypass Fix

Disassembly was a cinch, aside from the nasty “System Zero” security screws (yes, the same ones Nintendo used on the SNES!). To remove them, use the correct driver, slot them with a Dremel, or (carefully) use pliers. I replaced mine with some nice Phillips-head machine screws I had lying around.

NOTE TO MANUFACTURERS: Security screws are ridiculous. With tools for all of them available to everyone it’s like putting a lock on something that you can buy a key for at Wal-Mart. Not to mention, unscrewing a screw on something I own, in my home, doesn’t violate any laws anywhere. Warranty, debatable; laws, nope.

I digress. Now, aside from the fan, everything is working perfectly with this box. I debated trying to determine the root cause of the fan issues, but I’m too lazy to do the research necessary, learn new skills, etc. In the end I decided there has to be a way to simply force the fan to one “moderately quiet” speed. If I get a few more years out of this DCT I’ll be happy!

The DCT has all of the working components of your standard PC and, as I suspected, the fan is a variable-speed 12V brushless DC type just like you’d find in a laptop, or your PS3. Could be the controller built into the fan, could be a temp sensor, who knows. I know that if you avoid hooking up the third wire (yellow, sometimes blue) on the fan, it will run at full speed. I tested this to make sure it ran at full speed without hiccups and it was good.

Next step, speed. I could have worked out how to get the fan’s speed controller to force it to run at a set speed; instead I went the simple/lazy way again. I grabbed a 1KΩ pot I had in the junk pile and twisted it until the fan made no noise but was still moving a fair amount of air through the box. The meter said the pot was set to about 89Ω.

I had no 89Ω resistors so I just tied 3 320Ω resistors together. Close enough. A little solder and some fancy shrink tubing and I can finally watch TV a little more peacefully. I didn’t actually calculate this, but I estimate the efficiency lost by using resistors in this circuit will cost me around $0.00000001/day in electricity. Totally worth it.

ArcSight SmartConnector on Mac

May 24, 2011

A few releases ago (5.0.4) the Linux build of the ArcSight SmartConnector installed on OS X without much difficulty. It is not a supported platform of course, so the message relaying this detail is displayed prior to installation.

How could you attempt such a foul thing! Well since you can just click OK and everything works, I’ve been using it on a Mac, as my testing platform, and for building Flex Connectors for almost 2 years and never had any issues. I was frustrated when the latest version scoffed at me when attempting to install.

Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
ArcSight-5.1.1.5782.0-Connector-Linux.bin: line 2506: /tmp/install.dir.5400/Linux/resource/jre/bin/java: cannot execute binary file
ArcSight-5.1.1.5782.0-Connector-Linux.bin: line 2506: /tmp/install.dir.5400/Linux/resource/jre/bin/java: Unknown error: 0

Wait a minute, I’ll bet nothing substantial was changed; I believe the installer wrapper was updated recently. Let’s check it out.

Note that this is not magic or reverse engineering. The binary downloads are actually shell scripts with embedded/compressed Java-based installers and a stand-alone JVM (hence the need to have an installer for each system). If you look at the first few K of the file you can see how the installer is launched on your system.

Naturally, comparing the first few K of a known working installer to the new one revealed some interesting things.

  1. The installer used is InstallAnywhere, licensed to ArcSight by Flexera Software Inc. otherwise known as InstallShield. I believe it is a common system, but I’m no installation packaging expert.
  2. The version used did indeed change. The latest installers are using “InstallAnywhere ™ UNIX Self Extractor Version 11.5”.
  3. There are some minor changes in the logic used to detect the java vm that will be used for the installation. Normally, on a Linux box, it used the one inside the installer. Traditionally, it detected OS X and used Apple’s jvm instead. Clearly this is where it’s bombing out since it is trying to execute (above) the jvm built for Linux on Mac. For several reasons I’ll not get into here, that will not work.

Going through the shell script I see that there is an optional command line option “LAX_VM” that forces the installer to execute a user-defined jvm.

# when VM is specified using the lax.nl.current.vm property or the
# LAX_VM command-line option, just accept that VM, no validation is required
laxVMisValid="true"

Hmm. I wonder if directing the installer to use the local jvm will work?

sh ArcSight-5.1.1.5782.0-Connector-Linux.bin LAX_VM /usr/bin/java

Voila! Installation magic.

I’m guessing that it was Apple’s recent java update that caused the jvm to be “invalid” in the eyes of the installer. Perhaps the installer was changed to ignore OS X. Perhaps it was a combination of the two. Hell, maybe Apple wouldn’t give Flexera access to the jvm before being released, so Flexera said f’ Apple!

Tested with the Arcsight SmartConnector v 5.1.2 (for Linux) and OS X 10.6.7 with the latest updates.

tl;dr
Add “LAX_VM /usr/bin/java” to the command when installing to make it work on OS X.
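The post's approach boils down to two steps: read the shell wrapper at the head of the .bin before executing it, and only then hand it an explicit JVM. Here is an added shell script (mine, not ArcSight's or Flexera's) that does both. It assumes, as the post says, that the wrapper text sits in the first few K of the file (64 KB is used here as a generous bound), and the function names inspect_installer, supports_lax_vm and run_with_jvm are my own.

```sh
#!/bin/sh
# Added example, not from the post: look inside an InstallAnywhere-style
# self-extracting installer before running it, then run it with a chosen JVM.

# Print the self-extractor banner and any LAX_VM handling found in the first
# 64 KB of the wrapper script. Nothing is executed; this is read-only.
inspect_installer() {
    head -c 65536 "$1" | grep -n -E 'Self Extractor Version|LAX_VM|laxVMisValid'
}

# Succeed (exit 0) only when the wrapper mentions the LAX_VM option, so the
# caller does not pass an argument an older wrapper would silently ignore.
supports_lax_vm() {
    head -c 65536 "$1" | grep -q 'LAX_VM'
}

# Run the installer with the given JVM, after checking that the JVM exists and
# that the wrapper understands LAX_VM. Exit codes: 2 = no JVM, 3 = no LAX_VM.
run_with_jvm() {
    installer=$1
    jvm=$2
    if ! [ -x "$jvm" ]; then
        echo "no executable JVM at $jvm" >&2
        return 2
    fi
    if ! supports_lax_vm "$installer"; then
        echo "wrapper in $installer has no LAX_VM support" >&2
        return 3
    fi
    sh "$installer" LAX_VM "$jvm"
}

# Usage: sh check-installer.sh ArcSight-5.1.1.5782.0-Connector-Linux.bin
# (inspect only; call run_with_jvm "$1" /usr/bin/java to actually install)
if [ "$#" -ge 1 ]; then
    inspect_installer "$1"
fi
```

Inspecting first matters for the reason the post gives: the wrapper is a shell script that unpacks and launches a bundled JVM, so you want to know what it is about to run, and whether it will honour LAX_VM, before it runs anything.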

“Hi, I’m in charge of expanding my company.”

April 16, 2011

My wife took a call for me while I was in the shower today. She said somebody named Steve, in charge of expanding their company, called to discuss something with me. She didn’t remember the company name or anything like that but I took the number down. I get strange cold calls all the time from recruiters and companies and I like to see what people are looking for, so I called Steve back.

He didn’t give me any details and I still didn’t really understand why he was calling me, at home, on a Saturday. He claimed to represent a financial services company called Primerica. I said I’d never heard of it and didn’t understand what the opportunity was. He noted that usually happens on the phone (what?) so he took my e-mail so he could send me more details. OK, maybe he’s just bad on the phone?

I got an e-mail invite to a webinar called “Sunday Success Call” from some other person a while later and an email from Steve asking if I received the invite. I did my research and it turns out Primerica is a multi-level marketing operation, or “pyramid scheme,” in some people’s opinion. Oh well, other than getting a bit more spam, no harm done. I replied to Steve because I am a nice guy and respect his time and effort considering me for such a great opportunity:

Steve,

I was under the impression this was a professional opportunity, I usually get cold calls from recruiters. I didn't realize it was an MLM scheme. Sorry to have wasted your time, but I will not be attending your webinar, and I'm not interested in joining Primerica. I'm sorry you work for an MLM company that endorses cold calling strangers, you should look into switching to a more reputable outfit like Amway or perhaps Avon. Good luck.

Cheers,

EDIT: and the response..

Jay,

Thank you for the response, I'm sorry you feel that way. I do not know where you did your research, but Primerica is a professional opportunity, we deal in the financial services industry, with other people's money, highly regulated by the provincial and federal governments. Our office is located at 2750 22 St NE. I ask you where you may find an Amway or Avon office located in our city. You must be very intelligent to be working for the company that you do, but you have no common sense, based on the research you must have done. I thank you for your time, you have a wonderful day.

Sincerely,

Oh Primerica, your name is all over the web slathered in MLM controversy and dubious business practices, and you can’t take a joke?

Apple’s carpal tunnel (magic) mouse.

April 8, 2011

I travel a lot, my workstation setup changes on a daily basis. Hotel desk, abandoned cubicle, meeting room, whatever. I’ve come to accept this ergonomic adventure, although my physiotherapist has not. There is, however, one thing that I insist on being consistent and comfortable. My mouse.

In actual “lap” top circumstances (i.e. on the plane, in bed, etc.) the trackpad on my system is more than adequate, but for desktop operations I prefer the real deal. Enter Apple’s latest idea of a mouse. I hate this mouse! I tried, so desperately, to adapt to it. I gave it months of opportunity. I have finally come to the conclusion that it was either designed by a retarded dwarf, or Apple has some sort of vested interest in wrist injury treatment.

I’ve seriously racked my brain over the process that could have taken place while engineering this horrid little peripheral. No amount of multi-touch goodness could ever overcome this flat, awkward, cramp inducing, finger straining, sharp edged little beauty. In fact the true test of any Apple fan boi would be their willingness to continue to use this abomination. To the curb my little mouse friend, to the curb.

As frustrating as all this sounds, let’s move on to the even more angering portion, finding a replacement, or what I like to call “settling for slightly better.” In my quest to find a better mouse I discovered two things. Nobody stocks a great selection of mice, and bluetooth is a rare feature. All of the contenders were in these categories:

  • Overpriced “gaming mice.” The majority of which I’d have to pay extra for their weight in my luggage.
  • Teeny shrunken versions designed for portable use. These suffer the same “doesn’t fit adult hands” problem as the magic mouse.
  • Economy mice. Aptly named and suffering from lack of features like precision, quality and sometimes even a scroll wheel.

So what the hell? Are we on the verge of a mouse revolution or do people just not give a shit? To cut the story short, because I should go do some real work; you’ll never guess what I ended up settling on. Voila, the Microsoft Arc Mouse touch. It’s not perfect but it’s a far cry better than the magic mouse and except for the funny looks I get from Apple purists, I’m satisfied, for now…

UPDATE: Took the Arc Mouse back. Couldn’t handle the little fake scroll wheel with its uppity haptic feedback. The surface of the button and the scroll are too similar and it’s hard to tell when you’re scrolling or not. Picked up the Logitech G500; I am quite happy with this mouse except for the portability, but it will have to do.

Work ethics and values?

April 8, 2011

I totally forgot that google analytics was running on my old site. Here are some interesting stats:

Since Dec 2008:

1190 unique visitors
60% from google searches
40% direct or referral, half from LinkedIn

Top keywords:

values and work ethics
work ethics and values
dtr
jay heidecker
arcsight certified

It seems that through some quite unintentional SEO, I have linked my name to the phrase “work ethics and values”. I suppose, for now, this is a good thing. Unfortunately, if I’m ever gunning for upper management, I’ll have to hire someone to scrub this from the web. :)

One other interesting correlation I saw. It seems that the highest volume of searches arriving here with “arcsight” in the search terms is in the past 2 months. According to google trends, the keyword “arcsight” is quite a bit lower in volume over the past 2 months, but keywords like “cyberthreat” and “data breach” have spiked. It looks like I picked the perfect time to update the site with some new metadata.

I don’t want to disappoint anyone who may be arriving based on some old SE index. So…

  • If you’re looking for DTR Technology Solutions (the consulting company), we’re no longer doing business. Not that there was really any business being done in the first place. I’ll save the history of why I even started a company for some other time.
  • If you’re coming from LinkedIn or direct for “ArcSight” or “Jay Heidecker”, feel free to browse the resume. Note that I am not currently seeking a new position.
  • Finally, if you’re looking for some insight or information on work ethics, I feel somewhat sorry for you. If you need someone to teach you about ethical behaviour you likely have some deeper issues to explore. I have my ideas and my own personal set of values, but they are probably different from yours. Really, the only important thing is that we act as we expect others to. The rest should just fall into place.

Hello world.

April 6, 2011

DROP DATABASE wordpress;

Powered by Wordpress and MySQL. Theme by Shlomi Noach, openark.org