You can run ArcSight Logger searches from the Search feature. Logger data (including old events) can be searched using the same parameters as in Search. To do so, an administrator for the ArcSight Database must migrate the information using a Data reader tool to the database from Logger, a process that might require migrations from several loggers as needed.
For more information about migrating Logger data to the ArcSight Database, see Logger Search from Recon
in Appendix K of the Logger Administrator’s Guide.
Before running a search on the Logger data, review the following considerations:
Logger data includes live and archived events from local searches. However, it does not include content and configuration data.
Search supports only Recon’s specific set of operators.
Your searches can include data from Logger’s storage groups even if the Logger storage groups do not display as part of Recon’s configuration. Additional functionalities related to storage groups, like retention policy, is not supported for Logger events.
If Recon and Logger are set to the same timezone, there should be no discrepancy when searching the Logger data.
After you migrate data from Logger, select Search.
From the drop-down list next to the Search button, select Logger.
Add the required query details.
Recon searches for data in the Logger events table in the database.
Click Search.