Arcsight安装指引

The ArcSight™ ESM Service LayerIntroductionBeginning with ArcSight™ ESM v5.0, the ESM Service Layer is available and exposes ESMfunctionalities as Web Services. By consuming the exposed Web Services, you canintegrate ESM functionality in your own applications. ESM Service Layer uses a service-oriented architecture (SOA) that supports multiple Web Service clients written in differentlanguages.You will have the ability to create programs thatRun an ESM report and feed it back to your third-party home-grown system Execute full-text searches on ESM resourcesThe SOA approach enables ESM Service Layer to support multiple consumption options, forexample:Java developers can take advantage of the ESM Service Layer SDK to create SOAP orGoogle Web Toolkit (GWT) clients.See “ESM Service Layer SDK” on page 2.Developers applying Representational State Transfer (REST) principles write scripts toconsume the services. The developers can refer to the Web Services DescriptionLanguage (WSDL) files for a description of each ESM service.For more information about REST , refer to this link:/wiki/Representational_State_TransferThe ArcSight™ ESM Service Layer (1)Introduction (1)Setting Up Your Development Environment (3)Obtaining a List of Available ESM Services (3)Obtaining the Authentication Token (4)Finding Service Information in the WSDL (5)Consuming ESM Services (7)IntroductionDevelopers who prefer to create their own stubs in a language other than Java (forexample, in .NET or C++) can refer to the Web Services Description Language (WSDL)files for a description of each ESM service.ESM Resources as Web ServicesESM Service Layer provides access to the ESM resources listed below.ArcSight ESM has more resources than listed. If you are retrieving information on an ESMresource that is not yet supported, you can use ResourceService to get the Base Resourceattributes that are common to all resources (the ID, name, and description), but not thedetails unique to the unsupported resource.ESM Service ModulesESM Service Layer groups services in two service modules:Core Service module . This module provides login services (loginService ) byreturning the authentication token (authToken ) needed to begin consuming aservice. The services are designed to be stateless. You will therefore pass theauthentication token every time you consume a service.Manager Service module . This module provides the ESM functionality, for example,ArchiveReportService.ESM Service Layer SDKThe SDK provides a set of tools and libraries for Java applications that consume theservices in ESM Service Layer .SOAP clients use Simple Object Access Protocol (SOAP) XML messages to send requests to and get responses from the ESM Service Layer web server over HTTP . The Google Web Toolkit (GWT) provides the capability to create user interfaces, useRPC to pass Java objects between the client and the server over HTTP , and more.For more information about GWT , start with this link:/webtoolkit/doc/overview.htmlSDK Installation filesThe SDK is distributed as part of the ESM installation. Installation files are located at$ARCSIGHT_HOME/utilities/sdkThe SDK libaries are located atESM Resource NameService Name Archive Report ArchiveReportService DashboardDashboardService Data MonitorDataMonitorService FileFileResourceService ReportReportService Resource ResourceServiceSetting Up Your Development Environment$ARCSIGHT_HOME/utilities/sdk/libSetting Up Your Development EnvironmentFollowing are the requirements to set up your development environment:All exposed ESM services are TLS/SSL-secured, therefore, import the ArcSight ESMManager’s certificate into your development/runtime environment. The certificateoption was chosen during ArcSight ESM installation. It could be a temporary certificateauthority (CA), a self-signed certificate, or a signed certificate from a trusted CA. Askyour ArcSight administrator about which certificate option was chosen duringinstallation and import that certificate into your development JRE’sjre/lib/security/cacerts .The ESM Sevice Layer modules are core-ws-client.jar and manager-ws-client.jar , respectively. Include these jar files in your Java classpath.Install the Java API for XML Web Services (JAX-WS) libraries, for example, the toolkitfor Apache Axis2, from your preferred software provider .Obtaining a List of Available ESM ServicesAfter setting up your development environment, you will next want to know the servicesavailable for consumption. You do this by displaying the listServices file provided by theManager Service module.To view the listServices file1Open your browser and enter the URL with the following format:https://myhost :8443/www/manager-service/services/listServices2Replace myhostas appropriate.Under /lib , you will also find the Javadoc containing the API descriptions. The Javadoc is distributed in jar format.Obtaining the Authentication TokenThe browser displays the listServices page. Scroll down to view more services. Thefollowing example is the ArchiveReportService.The listServices file provides the information about a service, including:The service’s end point reference (EPR) URLA list of service names, for example, ArchiveReportServiceThe methods associated with each serviceThe parameters associated with each method are available in the resource’s WSDL file(described in “Finding Service Information in the WSDL” on page5). Obtaining the Authentication TokenAn authentication token is the first requirement for accessing ESM Service Layer to obtainservice information and then consume the services. Two examples on how to get this tokenare provided: REST and SOAP. As explained earlier, the Core Service module handlesauthentication token requests. You will then use the returned token to log in to theManager Services module and consume the desired service.REST ExampleThe following example shows how to enter the URL to the Core Service module and obtainthe authToken string. The first part of the URL address, https://host:8443/www/,constitutes the base URL. You will always start your URLs with this base URL.To log in and obtain an authentication token1In the browser, enter the URL in the following format:https://myhost:8443/www/core-service/rest/LoginService/login?login=admin&password=password2Replace myhost, admin, and password as appropriate.Finding Service Information in the WSDL The browser displays the response which is the authentication token string. You willpass that string every time you consume a service.Java ExampleThe following example shows how to invoke the login service of the Core Service moduleand obtain the authToken string. You will pass this string every time you consume aservice. You will also set the base URL in the format https://host:8443/www/.//=================================================// Invoke the Login Service//=================================================//construct LoginServiceFactory (loginService is part of Core Service module) LoginServiceClientFactory loginServiceClientFactory = new LoginServiceClientFactory();//set the service base url. ESM's service base URL is https://host:8443/www/ loginServiceClientFactory.setBaseURL("https://myhost:8443/www/");//create service client instance from factoryLoginService loginService = loginServiceClientFactory.createClient();//invoke login service and get authTokenString authToken = loginService.login(null, "admin", "password"); Finding Service Information in the WSDLThe ESM Service Layer’s Web Service Description Language (WSDL) files are XML-formatted documents describing ESM services, one WSDL file for each service. WSDLs areused to generate clients automatically. Programmers who are writing their own stubsinstead of using the SDK can refer to the WSDLs to get information about ESM services.This topic takes you through different parts of the WSDL file using theArchiveReportService’s findByUUID method as an example. The purpose of thefindByUUID method is to find a resource by its ID. Based on this ID, you will be able toobtain additional details about the resource.Using fragments taken from the WSDL, the example walks you through the followingprocess:Obtain the method parametersObtain the responseTo display the WSDL for a specific service1On your browser, enter the URL using the following format:https://myhost:8443/www/manager-service/services/servicename?wsdl2Replace myhost with the actual server and servicename with the service you want to consume, for example, ArchiveReportService. See “Obtaining a List of AvailableESM Services” on page3 for information about supported ESM services.Finding Service Information in the WSDLThe browser displays the WSDL file for the specified service.Finding the Service’s URLThe following WSDL fragment contains the URL to the service.<wsdl:service name="ArchiveReportService"><wsdl:port name="ArchiveReportServiceHttpport"binding="ns0:ArchiveReportServiceHttpBinding"><http:address location="http://localhost:9090/manager-service/services/ArchiveReportService"/></wsdl:port></wsdl:service>Finding the MethodThe following WSDL fragment provides the URL to the method of interest, findByUUID .<wsdl:operation name="findByUUID"><http:operation location="ArchiveReportService/findByUUID"/><wsdl:input><mime:content type="text/xml" part="findByUUID"/></wsdl:input><wsdl:output><mime:content type="text/xml" part="findByUUID"/></wsdl:output></wsdl:operation>Finding the ParametersThe following WSDL fragment contains the XML Schema description of findByUUID ’sparameters.<xs:element name="findByUUID"><xs:complexType><xs:sequence><xs:element minOccurs="0"name="authToken"MethodDescription authTokenThe parameter that takes the authentication token string idThe ID of the resource to findConsuming ESM Servicesnillable="true"type="xs:string"/><xs:element minOccurs="0"name="id"nillable="true"type="xs:string"/></xs:sequence></xs:complexType></xs:element>Obtaining the Output DescriptionThe following WSDL fragment describes the response to the findByUUID request. Theresponse indicates ArchiveReport to be a complex type.<xs:element name="findByUUIDResponse"><xs:complexType><xs:sequence><xs:element minOccurs="0" name="return"nillable="true" type="ns1:ArchiveReport"/></xs:sequence></xs:complexType></xs:element>Because ArchiveReport is a complex type, this means you will find additional details aboutthe output, as shown in the following WSDL fragment:<xs:complexType name="ArchiveReport"><xs:complexContent><xs:extension base="ax23:Resource"><xs:sequence><xs:element minOccurs="0" name="archiveType"nillable="true" type="xs:string"/><xs:element minOccurs="0" name="expireDate"nillable="true" type="xs:long"/><xs:element minOccurs="0" name="owner"nillable="true" type="xs:string"/><xs:element minOccurs="0" name="reportDefName"nillable="true" type="xs:string"/><xs:element minOccurs="0" name="reportFileName"nillable="true" type="xs:string"/><xs:element minOccurs="0" name="uploaded"nillable="true" type="xs:string"/><xs:element minOccurs="0" name="valid"type="xs:boolean"/></xs:sequence></xs:extension></xs:complexContent></xs:complexType>Consuming ESM ServicesThis topic provides two examples:In REST, how to perform a text search on a resourceFor SOAP clients, how to download a report given report file’s IDConsuming ESM ServicesPerforming a Text Search on a Resource (REST Example) The search is similar to the full text search performed on the ESM Console. It is assumedthat the authToken string is available. In the example, a full text search is performed onthe DataMonitor resource. The search results include the ID. Based on the returned ID, theResourceService is then used to retrieve DataMonitor details.To perform a text search:1In the browser, enter your query string to obtain the corresponding UUID. Enter the URL in the following format:https://myhost:8443/www/manager-service/rest/ManagerSearchService/search1?authToken=authtokenstring&queryStr=datamonitor querystring&pageSize=502Replace myhost as appropriate, authtokenstring with the actual string you obtained in “Obtaining the Authentication Token” on page4, and querystring with your actualstring. For example, you are searching for DataMonitor with the name eventthroughput.The browser displays the UUID string corresponding to the resource that matchesquerystring. For example:-<uri>/All_Data_Monitors/ArcSight_Administration/ESM/System_Health/Events/Event_Throughput/Event_Throughput</uri><uuid>someUUIDstring</uuid>Take note of the returned UUID string. You will use the findByUUID method inResourceService and pass the UUID string to get the data details about theDataMonitor resource with that UUID.3In the browser, enter the URL in the following format:https://myhost:8443/www/manager-service/rest/ResourceService/findByUUID?authToken=authtokenstring&id=UUIDstringThe first part of the URL that starts with https://myhost:8443/www/ is called the baseURL.4Replace myhost as appropriate, authtokenstring with the actual string you obtained in “Obtaining the Authentication Token” on page4, and UUIDstring with the actual UUIDstring returned by your query.The browser displays the resource information. A partial example is shown below:Consuming ESM ServicesDownloading an Archived Report (SOAP Example)The following Java example for SOAP clients shows how to invoke ArchiveReportService,set the base URL in the format https://host:port/www/, and obtain the report’s file ID. Youwill then pass this ID to download the archived report. The example assumes you haveinvoked the login service and passed the authToken string prior to invoking theArchiveReportService. See “Obtaining the Authentication Token” on page4.// Invoke Login Service here and pass the authToken//=================================================// Invoke Archive Report Service//=================================================//Construct ArchiveReportServiceFactory (ArchiveReportService is part of//the Manager Service module)ArchiveReportServiceFactory archiveReportServiceClientFactory = new ArchiveReportServiceFactory ();//Set the service base URL. ESM's service base URL is https://host:port/www/ archiveReportServiceClientFactory.setBaseURL("https://myhost:8443/www/");//Create service client instance from factoryarchiveReportService archiveReportService = archiveReportServiceClientFactory.createClient();//Invoke report service to create archiveReport by its ID. This returns//the archived report’s file ID. Use that ID to download report.String fileId =archiveReportService.initDefaultArchiveReportDownload(authToken," authtokenstring", "Manual");//Download report using the obtained fileId/*** Here is the example of using the fileId to download the report:* https://myhost:8443/www/manager-service* /fileservlet?mand=download&file.id* =2r2Yp5RYNQ2WSmVWa2V9_yAuNLSS4TdTQMV2T3upay4*/Consuming ESM ServicesCopyright © 2010 ArcSight, Inc. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners.Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: /company/copyright/The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.This document is ArcSight Confidential.Revision HistoryDate Product Version Description05/30/10First version Introductory content to the ArcSight ESM Service Layer.。

v1b – 12/11/2018Investigate 2.20 Build Guide PreSales Lab Build GuideContentsContents (2)Description (3)Versions (3)Physical Network (4)ArcSight Installer (4)Label the Nodes and Upload the Images (4)Deploy Investigate (4)CentOS install for Vertica nodes (5)Vertica Install (8)ArcSight Installer (11)Configure Investigate in the ArcSight Installer interface (11)Configure Investigate in the ArcSight Investigate interface (11)Micro Focus Trademark Information (12)Company Details (12)DescriptionThis guide shows how to install Investigate in a lab environment. This guide was created by the ArcSight PreSales Technical Enablement team as a resource for the ArcSight PreSales organization. This guide is not official documentation. Please read and refer to the official product documentation for additional information. Please see the ArcSight Event Broker 2.21 from the ground up build guide for instructions on installing the ArcSight Installer and Event Broker.1.Architecturea.Vertica on 3 nodesThis is an offline installation of Investigate. The CentOS install is a minimal install, adding the minimum number of required packages required for Vertica. The Vertica nodes are running CentOS 7.4.1708.Versions•ArcSight Installer 1.50.9o arcsight-installer-1.50.9.zip•Investigate 2.20o arcsight-investigate-2.20.9.taro arcsight-vertica-installer_2.20.0-1.tar.gz•Event Broker 2.21o arcsight-eventbroker-2.21.9.tar•SmartConnector 7.9.0.8084o ArcSight-7.9.0.8084.0-Connector-Win64.exePhysical NetworkAll nodes are on the same 1 GigE network segment. There are no firewalls between nodes and no Internet proxy.ArcSight InstallerLabel the Nodes and Upload the Images•Label the nodeso This can be done through the ArcSight Installer interface. Instructions on doing this by command line is shown below.▪The Master node will run Investigate. You need to use the node IP addresses in the command.•kubectl label --overwrite node 192.168.0.5 investigate=yes •Verify the labelso kubectl get nodes -L=investigate•Upload the offline images to o cd /opt/arcsight/kubernetes/scripts▪./uploadimages.sh -s investigate -d /root/investigateo If you specify the wrong directory for where the offline images have been extracted to you will see this message.Which suite do you want to upload? (ITSMA, DCA, OpsBridge or HCM)o You should see the following message indicating the upload was successful (6 images for Investigate).Upload completed in XXX seconds.Upload suite feature data completed.Upload-process successfully completed.Deploy Investigate•Deploy ArcSight Investigate in the ArcSight Installer interfaceo https://:5443/▪This is the HA Virtual IP (VIP) address DNS entryo Click Node Management▪Every node should be Ready and have a green check mark.o Click Deployment▪Click Deploy to the right of ArcSight Investigate and then select 2.20.o Verify deployment▪To verify deployment, check the ArcSight Installer interface. ArcSight Investigate should have a green check mark under Status.▪You can check the pod status with this command. The hercules-search pod will be in a CrashLoopBackOff or Error status; that is OK, it is in this status becausewe haven’t configured the Vertica host in the Installer interface.[root@eb1 ~]# watch kubectl get pods -n investigate1NAME READY STATUS RESTARTS AGEhercules-management-847cc7c7f8-fcprh 2/2 Running 0 5mhercules-rethinkdb-0 1/1 Running 0 5mhercules-search-869677c77d-pkqr6 2/3 CrashLoopBackOff 3 5mnginx-ingress-controller-gt589 1/1 Running 0 5msuite-reconf-pod-investigate-dnngw 2/2 Running 0 5m •Event Broker Transforming Stream Processoro With Investigate, you will need to go in to the ArcSight Installer interface and change the configuration of ArcSight Event Broker and enable the Transforming Stream Processor.▪Configuration -> ArcSight Event Broker -> Replicas•Change from 0 to 1o Once this has been changed, you will see the eb-c2av-processor pod.eventbroker1 eb-c2av-processor-0 1/1 Running 0 26mCentOS install for Vertica nodes•Install CentOSo Version▪CentOS 7.4•CentOS Linux release 7.4.1708 (Core)▪All nodes were a fresh Minimal Install.▪This guide assumes you have access to yum repositories.•Once the OS is installedo vi /etc/sysctl.conf## Increase number of incoming connectionsnet.core.somaxconn = 1024## Sets the send socket buffer maximum size in bytes.net.core.wmem_max = 16777216## Sets the receive socket buffer maximum size in bytes.net.core.rmem_max = 16777216## Sets the receive socket buffer default size in bytes.net.core.wmem_default = 262144## Sets the receive socket buffer maximum size in bytes.net.core.rmem_default = 262144## increase the length of the processor input queuedev_max_backlog = 100000net.ipv4.tcp_mem = 16777216 16777216 16777216net.ipv4.tcp_wmem = 8192 262144 8388608net.ipv4.tcp_rmem = 8192 262144 8388608net.ipv4.udp_mem = 16777216 16777216 16777216net.ipv4.udp_rmem_min = 16384net.ipv4.udp_wmem_min = 16384#### Increase the number of outstanding syn requests allowed.net.ipv4.tcp_max_syn_backlog = 4096#### Based on 128 GB of memorydirty_ratio = 8#### Resolve WARN (S0112)vm.swappiness = 1o vi /etc/rc.localecho deadline > /sys/block/sda/queue/scheduler/sbin/blockdev --setra 2048 /dev/sda/sbin/blockdev --setra 2048 /dev/sdbcpupower frequency-set --governor performanceo chmod +x /etc/rc.localo vi /etc/default/grub▪Append the GRUB_CMDLINE_LINUX line with the following:intel_idle.max_cstate=0 processor.max_cstate=1▪Here is an example from a fresh minimal install of CentOS 7.4:GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet intel_idle.max_cstate=0processor.max_cstate=1"o vi /etc/sysconfig/selinuxSELinux=permissiveo firewalld▪iptables -F▪iptables -t nat -F▪iptables -t mangle -F▪iptables -X▪systemctl mask firewalld▪systemctl stop firewalld▪systemctl disable firewalldo vi /etc/security/limits.d/20-nproc.conf▪You will need to comment out the default soft nproc entry and add these entries * soft nproc 10240* hard nproc 10240* soft nofile 65536* hard nofile 65536* soft core unlimited* hard core unlimitedo yum▪yum install -y bind-utils java-1.8.0-openjdk gdb mcelog sysstat dialog chrony tzdatao Rebooto Check that SELinux is permissive and firewalld is disabled▪sestatusSELinux status: enabledSELinuxfs mount: /sys/fs/selinuxSELinux root directory: /etc/selinuxLoaded policy name: targetedCurrent mode: permissiveMode from config file: permissivePolicy MLS status: enabledPolicy deny_unknown status: allowedMax kernel policy version: 28▪systemctl list-unit-files | grep firewallfirewalld.service masked▪systemctl status firewalldfirewalld.serviceLoaded: masked (/dev/null; bad)Active: inactive (dead)o Check that 20-nproc.conf was properly modified▪ulimit -acore file size (blocks, -c) unlimiteddata seg size (kbytes, -d) unlimitedscheduling priority (-e) 0file size (blocks, -f) unlimitedpending signals (-i) 31152max locked memory (kbytes, -l) 64max memory size (kbytes, -m) unlimitedopen files (-n) 65536pipe size (512 bytes, -p) 8POSIX message queues (bytes, -q) 819200real-time priority (-r) 0stack size (kbytes, -s) 8192cpu time (seconds, -t) unlimitedmax user processes (-u) 10240virtual memory (kbytes, -v) unlimitedfile locks (-x) unlimited•Below are the DNS names and IP addresses I will be using in the VMs.o 192.168.0.11o 192.168.0.12o 192.168.0.13•ssho Next, we need to generate an ssh key on the node we are running the install from (). Select the default file and no passphrase.▪ssh-keygen -q -t rsao Once the ssh key is generated, we need to copy it to each of the nodes in the cluster.This also needs to be copied to the local system you’re installing from. Below are thecommands to run on .▪ssh-copy-id-i~/.ssh/**********************.0.11▪ssh-copy-id-i~/.ssh/**********************.0.12▪ssh-copy-id-i~/.ssh/**********************.0.13o To verify this was setup properly, use the following commands on each node. You should be able to login with no password.▪***************.0.11▪***************.0.12▪***************.0.13o At this point the nodes are ready for the Vertica install.Vertica Install•Upload your Vertica license to /root on o/root/vertica_license.dat•On o mkdir /root/install-vertica•Copy the Vertica installer to /root/install-vertica on o arcsight-vertica-installer_2.20.0-1.tar.gz•Change to the /root/install-vertica directory and extract the tar fileo tar xvfz ./arcsight-vertica-installer_2.20.0-1.tar.gz•vi /root/install-vertica/config/vertica_user.propertieshosts=192.168.0.11,192.168.0.12,192.168.0.13license=/root/vertica_license.datdb_retention_days=30•vi /root/install-vertica/vertica.propertieso Set the timezone to the appropriate setting.timezone="MDT"o If you want to change any settings in vertica.properties after you’ve installed Vertica, just re-run the ./vertica_installer install command again. This will uninstall and reinstallVertica.•Run the Vertica install from /root/install-verticao./vertica_installer install▪DB Admin user•dbadmin▪DB Admin user password•dbadminpw▪Search user•search▪Search user password•searchpw•Create the Investigate schemao./vertica_installer create-schema▪If successful, you should see this:# ========================================# STEP 1: create schema: investigation.events# ========================================# STEP 2: grant privileges on schema: investigation.events# ========================================# STEP 3: create table: investigation.version_metadata# ========================================# STEP 4: inserted in investigation.version_metadata: schemaVersion=4.4.0,installerVersion=2.20.0•Create the Kafka Schedulero./kafka_scheduler create 192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092 ▪If successful, you should see this:Establishing a connection to kafka cluster ['192.168.0.4:9092', '192.168.0.5:9092', '192.168.0.6:9092'] ....Detected 6 partitions for topic 'eb-internal-avro'create scheduler under: investigation_schedulerscheduler: create target topicscheduler: create cluster for 192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092scheduler: create source topic (eb-internal-avro) for192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092scheduler: create microbatch (mbatch_192_168_0_4) for192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092scheduler instance(s) added for 192.168.0.11scheduler instance(s) added for 192.168.0.12scheduler instance(s) added for 192.168.0.13•Check the Kafka Scheduler statuso./kafka_scheduler status•Check the Kafka Scheduler event-copy progresso./kafka_scheduler eventsIf the Kafka Scheduler is consuming events from Event Broker, you will see the events count increase when you check and re-check the status.•Check the Kafka Scheduler messageso./kafka_scheduler messages•You can see Vertica listed as a Consumer in the Event Broker interface. You will not see this under Consumers if you have no events from Producers in Event Broker.ArcSight InstallerConfigure Investigate in the ArcSight Installer interface•https://:5443/o This is the HA Virtual IP (VIP) address DNS entry•Click Configuration -> ArcSight Investigateo Vertica host▪192.168.0.11 192.168.0.12 192.168.0.13o Vertica user name▪searcho Vertica database▪investigateo Vertica password▪searchpw•Click Test Connectiono You should see Connection was successfully established!•Click Saveo This will redeploy and restart Investigate hercules-search pod.•If you specify the wrong Vertica host, user name, database, or password, the hercules-search pod will get in a looping Error and CrashLoopBackOff status. When you open the Investigateinterface, you will receive a 502 Bad Gateway message.investigate1 hercules-search-2613439649-cn6nt 2/3 Error 1 5minvestigate1 hercules-search-2613439649-cn6nt 2/3 CrashLoopBackOff 5 17mConfigure Investigate in the ArcSight Investigate interface•https:///o This is the HA Virtual IP (VIP) address DNS entry▪If you see a 502 error, wait a couple of minutes. If this happens for longer than a couple of minutes, check your Vertica configuration settings in the Investigate configuration.502 Bad Gatewaynginx/1.11.10▪Create System Admin•Complete this information with your own information▪LoginClick Search•Search on Last 30 minutes to see events in Vertica (events that Vertica hasconsumed from Event Broker).Micro Focus Trademark InformationMICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.Company DetailsCompany name: Micro Focus International plcPlace of registration: England and WalesRegistered number: 5134647Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q。

Installation and Configuration Guide ArcSight Express 4.0 Virtual ApplianceMarch 31, 2014Copyright © 2014 Hewlett-Packard Development Company, L.P.Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.Follow this link to see a complete statement of copyrights and acknowledgements:/copyrightThe network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.This document is confidential.Contact InformationPhone A list of phone numbers is available on the HP ArcSight TechnicalSupport page: /us/en/software-solutions/software.html?compURI=1345981#.URitMaVwpWI. Support Web Site Protect 724 Community https://Revision HistoryDate Product Version Description03/31/2014 1.0First release of guide and virtual applianceContentsChapter 1: Overview (5)Chapter 2: Installing the ArcSight Express Virtual Appliance (7)Supported ESXi Version and Required Hardware (7)Operating System (7)FIPS Support (8)Browser Support (9)Downloading the ArcSight Express Virtual Appliance OVA Files (9)Upgrade Support (9)Deploying the ArcSight Express Virtual Appliance OVA File (9)Installing a License File (13)Confidential AE Virtual Appliance Installation and Configuration Guide 3Contents4 AE Virtual Appliance Installation and Configuration Guide ConfidentialChapter 1OverviewThe ArcSight Express Virtual Appliance is a Security Information and Event Management(SIEM) solution that collects and analyzes security data from heterogeneous devices onyour network and provides you a central, real-time view of the security status of all devicesthat are of interest to you.ArcSight Express components gather and store events generated by the devices youidentify. These events are filtered and correlated with events from other devices orcollection points to discover risks and assess vulnerabilities.ArcSight Express uses the Correlation Optimized Retention and Retrieval Engine Storage(CORR-Engine Storage), a proprietary data storage and retrieval framework that receivesand processes events at high rates, and performs high-speed searches. This provides anumber of benefits, including increased performance and more compact data storage.The ArcSight Express Virtual Appliance allows deployment of ArcSight Express on serversthat have VMware ESXi installed.Confidential AE Virtual Appliance Installation and Configuration Guide 51 Overview6AE Virtual Appliance Installation and Configuration Guide ConfidentialConfidential ArcSight Express Virtual Appliance Installation and Configuration Guide 7Chapter 2Installing the ArcSight Express Virtual ApplianceThe following topics are covered in this chapter:Supported ESXi Version and Required HardwareThe ArcSight Express Virtual Appliance is supported on VMware ESXi 5.5. The hardware requirements for installing the ArcSight Express Virtual Appliance OVA file are:⏹12 CPU cores ⏹36 GB of RAM ⏹ 1.8 TB disk availableOperating SystemThe ArcSight Express Virtual Appliance operating system is Centos 6.2 and the following security patches:⏹bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm ⏹bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm ⏹cups-1.4.2-50.el6_4.4.x86_64.rpm ⏹cups-libs-1.4.2-50.el6_4.4.x86_64.rpm ⏹cvs-1.11.23-15.el6.x86_64.rpm ⏹dbus-glib-0.86-6.el6.x86_64.rpm ⏹dhclient-4.1.1-34.P1.el6.centos.x86_64.rpm ⏹dhcp-common-4.1.1-34.P1.el6.centos.x86_64.rpm ⏹freetype-2.3.11-14.el6_3.1.x86_64.rpm ⏹ghostscript-8.70-15.el6_4.1.x86_64.rpm“Supported ESXi Version and Required Hardware” on page 7“Operating System” on page 7“Browser Support” on page 9“Downloading the ArcSight Express Virtual Appliance OVA Files” on page 9“Deploying the ArcSight Express Virtual Appliance OVA File” on page 9“Installing a License File” on page 132 Installing the ArcSight Express Virtual Appliance⏹krb5-appl-clients-1.0.1-7.el6_2.1.x86_64.rpm⏹krb5-libs-1.10.3-10.el6_4.2.x86_64.rpm⏹krb5-workstation-1.10.3-10.el6_4.2.x86_64.rpm⏹liberation-fonts-common-1.05.1.20090721-5.el6.noarch.rpm⏹liberation-sans-fonts-1.05.1.20090721-5.el6.noarch.rpm⏹libexif-0.6.21-5.el6_3.x86_64.rpm⏹libjpeg-turbo-1.2.1-1.el6.x86_64.rpm⏹libpng-1.2.49-1.el6_2.x86_64.rpm⏹libproxy-0.3.0-4.el6_3.x86_64.rpm⏹libproxy-bin-0.3.0-4.el6_3.x86_64.rpm⏹libproxy-python-0.3.0-4.el6_3.x86_64.rpm⏹libsmbclient-3.6.9-151.el6.x86_64.rpm⏹libtalloc-2.0.7-2.el6.x86_64.rpm⏹libtdb-1.2.10-1.el6.x86_64.rpm⏹libtiff-3.9.4-9.el6_3.x86_64.rpm⏹libvorbis-1.2.3-4.el6_2.1.x86_64.rpm⏹libxml2-2.7.6-12.el6_4.1.x86_64.rpm⏹libxml2-python-2.7.6-12.el6_4.1.x86_64.rpm⏹nspr-4.9.2-1.el6.x86_64.rpm⏹nss-3.14.0.0-12.el6.x86_64.rpm⏹nss-sysinit-3.14.0.0-12.el6.x86_64.rpm⏹nss-util-3.14.0.0-2.el6.x86_64.rpm⏹openjpeg-libs-1.3-9.el6_3.x86_64.rpm⏹openssl-1.0.0-27.el6_4.2.x86_64.rpm⏹perl-5.10.1-131.el6_4.x86_64.rpm⏹perl-libs-5.10.1-131.el6_4.x86_64.rpm⏹perl-Module-Pluggable-3.90-131.el6_4.x86_64.rpm⏹perl-Pod-Escapes-1.04-131.el6_4.x86_64.rpm⏹perl-Pod-Simple-3.13-131.el6_4.x86_64.rpm⏹perl-version-0.77-131.el6_4.x86_64.rpm⏹pixman-0.26.2-5.el6_4.x86_64.rpm⏹samba-client-3.6.9-151.el6.x86_64.rpm⏹samba-common-3.6.9-151.el6.x86_64.rpm⏹samba-winbind-3.6.9-151.el6.x86_64.rpm⏹samba-winbind-clients-3.6.9-151.el6.x86_64.rpm⏹sudo-1.8.6p3-7.el6.x86_64.rpm⏹xulrunner-17.0.6-2.el6.centos.x86_64.rpm⏹yelp-2.28.1-17.el6_3.x86_64.rpmFIPS SupportFIPS is not supported for this release of the virtual appliance.8ArcSight Express Virtual Appliance Installation and Configuration Guide Confidential2 Installing the ArcSight Express Virtual ApplianceConfidential ArcSight Express Virtual Appliance Installation and Configuration Guide 9Browser SupportSupported browsers for connecting to the ESM Manager are:⏹Internet Explorer 9 and 10⏹Firefox 24Downloading the ArcSight Express Virtual Appliance OVA FilesThe ArcSight Express Virtual Appliance OVA files are available for download from the HPSoftware Depot at: .If you use Internet Explorer to download the files, ensure that the files names remain asshown below.Download the 3 files and the MD5 checksum to a disk accessible by your vSphere client:⏹B7500_B1312_1800GB_V8.ova.part1 ⏹B7500_B1312_1800GB_V8.ova.part2 ⏹B7500_B1312_1800GB_V8.ova.part3Join the 3 files into one file by running one of the following commands:Windows - copy /bB7500_B1312_1800GB_V8.ova.part1+B7500_B1312_1800GB_V8.ova.part2+B7500_B1312_1800GB_V8.ova.part3 B7500_B1312_1800GB_V8.ovaLinux - cat B7500*.part* > B7500_B1312_1800GB_V8.ovaAfter joining the 3 files together , use the MD5 checksum to verify the file’s integrity.Upgrade SupportThe ArcSight Express 4.0 Virtual Appliance cannot be upgraded from any prior versions ofArcSight Express.Deploying the ArcSight Express Virtual Appliance OVA FileTo deploy the virtual appliance OVA file, use a vSphere client to perform the followingprocedure:2 Installing the ArcSight Express Virtual Appliance10 ArcSight Express Virtual Appliance Installation and Configuration Guide Confidential 1Select File > Deploy OVF Template . The Source screen displays: 2Click Browse and navigate to where you downloaded the OVA file.3Select the file and then click Next . The OVF Template Details screen displays:4Click Next. The Name and Location screen displays:5Enter a name for the virtual appliance or accept the default. You can change the name later. Click Next. The Storage screen displays:6Select a drive with 1.8 TB of disk space. The virtual appliance requires 1.8 TB of disk space. Click Next. The Disk Format screen displays:7Select the Thick Provisioned Lazy Zeroed Format. Click Next. The Ready to Complete screen displays.8If the deployment settings are correct, click Finish. A progress timer will appear showing the progress of the deployment. When the deployment completes, the virtualmachine created from the OVA file is added to the inventory (Virtual Machines tab) onyour vSphere client.9Right-click your VM and select Power > Power Off.10Before running the First Boot Wizard, configure your network settings and increase the memory from 12 GB to 36 GB. To configure the network settings and increase thememory for your virtual appliance, right-click your virtual machine in the VirtualMachines tab. Select Edit Settings.After configuring the network settings and increasing the memory for your virtual machine,select Power > Power On. The virtual machine performs an initial boot process thatdisplays in the console. After installing the license, refer to the Configuring the ArcSightExpress chapter of the ArcSight Express with CORR-Engine 4.0 Configuration Guide. Theguide is available at:https://Installing a License FileThe ArcSight Express Virtual Appliance requires that a license be installed.Perform the following procedure to install the license:1Download the license file from the Customer Support web site at to a computer from which you can connect to thevirtual appliance.2Follow the First Boot Wizard directions for license installation.3Click Browse and navigate to where you stored the license and select the license file.4Click Upload & Install.5Perform the rest of the First Boot Wizard steps.The base license includes:⏹ 4 onboard connectors⏹25 remote connectors⏹ 3 console users⏹25 web users⏹2500 IDView users⏹1500 devices⏹25000 assets⏹Threat detector enabledThe base license includes 250 sustained events-per-second (EPS). Additional EPS can beadded only in increments of 250 up to a maximum of 1250.Pattern Discovery jobs can be resource intensive. Under high EPS, Pattern Discovery jobscan cause a degradation in performance, and may fail to return a matching result set.ArcSight recommends that you reduce the number of events over which the PatternDiscovery search runs and/or frequency of Pattern Discovery jobs when running a systemwith high EPS.。

HP E nterprise S ecurity P roductsHP Enterprise Security Products GlobalServicesArcSight Activate Wiki Install GuideFebruary 12, 2015ContentsDelivery D ocument P urpose a nd S cope (3)Installation P re-­‐Requisites (4)Download W iki C ontent: (4)Download 64-­‐Bit C entOS 6.6 “Minimal” I SO I mage: (4)Configure S erver o r V irtual M achine f or C entOS (4)Virual M achine I nstallation a nd C onfiguration (5)Mount I nstallation I SO (5)Boot V irtual M achine (5)Install a nd C onfigure C entOS O perating S ystem (5)Foswiki I nstallation (13)Download R PMs (13)Create F oswiki Y UM R epository (13)Install M akecache (13)Install F oswiki a nd P lugins (14)Disable I PTables F irewall (14)Navigate t o F oswiki W eb I nterface (15)Activate C ontent I nstallation (17)Upload A ctivate W iki C ontent t o V M (17)Extract A ctivate W iki C ontent (17)Grant O wnership t o A ctivate W iki C ontent (17)Navigate t o A ctivate C ontent (18)Support I nformation (20)Delivery Document Purpose and ScopeThe p urpose o f t his d ocument i s t o p rovide g uidance o n i nstalling t he A rcSight A ctivate W iki.The A ctivate W iki i s a s et o f d ownloadable c ontent t hat c an b e d eployed o n t he o pen-­‐source “Foswiki” application.This c an b e p erformed o n a l ocal F oswiki i nstall, h osted o n a d edicated s erver w ith F oswiki, h osted within a v irtual m achine (VM), o r u sing a n a lternative m ethod s uch a s “Foswiki o n a U SB s tick”. These i nstructions d etail h ow t o i nstall t he A ctivate W iki c ontent o n F oswiki, w ithin a V M w ith C entOS 6.6 a s t he o perating s ystem.Installation Pre-­‐RequisitesDownload Wiki Content:The A ctivate W iki c ontent i s a vailable t hrough t he H P P rotect 7/24 c ustomer f orum (account registration r equired):https:///groups/activate-­‐frameworkSearch f or t he “Wiki C ontent” l ink, a nd d ownload t he “activate-­‐wiki.tar.gz” f ile.Download 64-­‐Bit CentOS 6.6 “Minimal” ISO Image:The A ctivate W iki i s s upported o n C entOS 6.6. T he I SO i mage c an b e d ownloaded t hrough t he following l ink:/centos/6/isos/x86_64/The I SO i mage f ile n ame i s “CentOS-­‐6.6-­‐x86_64-­‐minimal.iso”Configure Server or Virtual Machine for CentOSThe s ystem r equirements f or C entOS m inimal a re 1 G B o f R AM a nd 5 G B o f d isk s pace.The i nstallation h as b een t ested s uccessfully o n a V irtual M achine w ith t he f ollowing c onfiguration: •1024 M B o f R AM•1 C PU C ore•5 G B o f D isk S pace•Internet A ccess (configure n etwork s ettings a ccording t o y our e nvironment)Create a V irtual M achine i n t he V M a pplication o f y our c hoice, w ith t he r ecommended s ystem configuration a bove.Virual Machine Installation and ConfigurationMount Installation ISOConfigure t he V M t o m ount t he C entOS i nstallation I SO t hat w as d ownloaded i n a p revious s tep.Boot Virtual MachineStart u p t he V M w ith t he i nstallation m edia l oaded.Install and Configure CentOS Operating SystemFollow t hrough t he i nstallation s teps b elow.Select “Install o r u pgrade a n e xisting s ystem”Select “Skip”Select “Next”Select y our l anguage o f c hoice, t hen c lick “Next”.Select y our k eyboard o f c hoice, t hen c lick “Next”.Select “Basic S torage D evices”, t hen c lick “Next”.Select “Yes, d iscard a ny d ata”.Configure y our V M’s h ostname a s d esired, t hen c lick “Configure N etwork”.Select “System e th0” t hen c lick “Edit”. C heck “Connect A utomatically” a nd c onfigure y our n etwork settings f or y our e nvironment. T he c onfiguration i s u nique t o y our e nvironment, b ut c onfigure t he settings s o t hat y our V irtual M achine w ill b e a ble t o c onnect t o t he i nternet f or t he p urpose o f downloading R PMs a nd c ontent.Select y our d esired T ime Z one, t hen c lick “Next”Enter a p assword f or t he r oot u ser a ccount, t hen c lick “Next”.Select “Use A ll S pace” t hen c lick “Next”.Click “Format”Click “Write c hanges t o d isk”Leave t he d efault s ettings a s-­‐is, a nd c lick “Next”.The i nstallation w ill n ow c ommence.The i nstallation h as c ompleted. C lick “Reboot”.Foswiki InstallationOnce t he V M h as r ebooted, l og i n a s r oot v ia l ocal c onsole o r S SH a nd p erform t he f ollowing s teps.Download RPMsDownload t he E PEL R PMs w ith t he f ollowing c ommand:rpm -­‐Uvh /pub/epel/6/x86_64/epel-­‐release-­‐6-­‐8.noarch.rpmSample O utput:[root@activatewiki ~]# rpm -­‐Uvh /pub/epel/6/x86_64/epel-­‐release-­‐6-­‐8.noarch.rpm Retrieving /pub/epel/6/x86_64/epel-­‐release-­‐6-­‐8.noarch.rpmwarning: /var/tmp/rpm-­‐tmp.Y7H0d7: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEYPreparing... ########################################### [100%]1:epel-­‐release ########################################### [100%]Create Foswiki YUM RepositoryNavigate i nto t he /etc/yum.repos.d/ d irectory, a nd d ownload t he f oswiki r epositories l ist b y e xecuting the f ollowing c ommands:cd /etc/yum.repos.d/curl /Foswiki_rpms/foswiki.repo > foswiki.repoSample O utput:[root@activatewiki ~]# cd /etc/yum.repos.d/[root@activatewiki yum.repos.d]# curl /Foswiki_rpms/foswiki.repo > foswiki.repo% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed174 174 174 174 0 0 194 0 -­‐-­‐:-­‐-­‐:-­‐-­‐ -­‐-­‐:-­‐-­‐:-­‐-­‐ -­‐-­‐:-­‐-­‐:-­‐-­‐ 654Install MakecacheInstall “Makecache” w ith t he f ollowing c ommand:yum makecacheSample O utput:[root@activatewiki yum.repos.d]# yum makecacheLoaded plugins: fastestmirrorbase | 3.7 kB 00:00base/group_gz | 216 kB 00:01 base/filelists_db | 6.1 MB 00:54 base/primary_db | 4.6 MB 00:29 base/other_db | 2.8 MB 00:29 epel/metalink | 15 kB 00:00 epel | 4.4 kB 00:00 epel/group_gz | 237 kB 00:01 epel/filelists_db | 9.0 MB 01:08epel/primary_db | 6.3 MB 00:48 epel/other_db | 3.8 MB 00:37 epel/updateinfo | 943 kB 00:06 extras | 3.4 kB 00:00 extras/filelists_db | 31 kB 00:00 extras/prestodelta | 605 B 00:00 extras/primary_db | 30 kB 00:00 extras/other_db | 37 kB 00:00 foswiki | 2.7 kB 00:00 foswiki/filelists_db | 3.1 MB 00:25 foswiki/primary_db | 1.3 MB 00:08 foswiki/other_db | 334 kB 00:01 updates | 3.4 kB 00:00 updates/filelists_db | 1.5 MB 00:24 updates/prestodelta | 194 kB 00:12 updates/primary_db | 2.1 MB 00:14 updates/other_db | 19 MB 02:25 epel/pkgtags | 1.3 MB 00:10 Metadata Cache CreatedInstall Foswiki and PluginsInstall “Foswiki” a nd s everal p lugins w ith t he f ollowing c ommand. A nswer “Y” t o a ny p rompts.yum install foswiki foswiki-­‐workflowplugin foswiki-­‐jscalendarcontrib foswiki-­‐ldapcontribSample O utput (trimmed f or l ength):[root@activatewiki yum.repos.d]# yum install foswiki foswiki-­‐workflowplugin foswiki-­‐jscalendarcontrib foswiki-­‐ldapcontrib Loaded plugins: fastestmirrorSetting up Install ProcessLoading mirror speeds from cached hostfile* base: * epel: * extras: * updates: Resolving Dependencies-­‐-­‐> Running transaction check-­‐-­‐-­‐> Package foswiki.noarch 0:1.1.9-­‐291 will be installed-­‐-­‐> Processing Dependency: foswiki-­‐wysiwygplugin for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐twistyplugin for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐twikicompatibilityplugin for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐topicusermappingcontrib for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐tipscontrib for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐tinymceplugin for package: foswiki-­‐1.1.9-­‐291.noarch-­‐-­‐> Processing Dependency: foswiki-­‐tableplugin for package: foswiki-­‐1.1.9-­‐291.noarch...<REMOVED MANY LINES>...Complete!Disable IPTables FirewallDisable I PTables (or c onfigure i t) s o t hat y ou c an c onnect t o t he V M f rom y our l ocal m achine’s w eb browser, o ver p ort 80 a nd 443. T he e asiest m ethod i s t o j ust d isable i t u sing t he f ollowing c ommands:/etc/init.d/iptables stopchkconfig iptables offSample O utput:[root@activatewiki yum.repos.d]# /etc/init.d/iptables stopiptables: Setting chains to policy ACCEPT: filter [ OK ]iptables: Flushing firewall rules: [ OK ]iptables: Unloading modules: [ OK ][root@activatewiki yum.repos.d]# chkconfig iptables offNavigate to Foswiki Web InterfaceNow t hat F oswiki i s i nstalled, o pen a w eb b rowser o n y our l ocal m achine a nd c onnect t o: http://<IP_Address_of_VM>/foswiki/bin/configureOnce c onnected, y ou s hould s ee t he f ollowing F oswiki c onfiguration i nterface:You m ay w ish t o p erform i nitial c onfiguration t asks, b ut w e’ll a ssume t hat y our n etwork i s c onfigured so t hat o nly y our l ocal m achine c an a ccess t he V M, a nd t hat y ou d o n ot n eed t o l ock d own a ny security c onfiguration.Activate Content InstallationWith F oswiki u p a nd r unning o n y our V M, t he o nly s tep r emaining i s t o c opy t he A ctivate W iki c ontent onto y our V M, a nd i nstall i t i nto p lace.Upload Activate Wiki Content to VMTransfer t he A ctivate W iki c ontent t hat y ou d ownloaded e arlier (activate-­‐wiki.tar.gz) o nto y our V M i n “/var/lib/foswiki/”. A r ecommended m ethod w ould b e S CP’ing t he f ile o nto t he V M.Extract Activate Wiki ContentNavigate t o /var/lib/foswiki/:cd /var/lib/foswiki/Untar t he W iki C ontent:tar –zxvf activate-­‐wiki.tar.gzSample O utput (trimmed f or l ength):[root@activatewiki foswiki]# tar -­‐zxvf activate-­‐wiki.tar.gzdata/ArcSightActivate/data/ArcSightActivate/WebSenseProxyConfigurationGuide.txt,vdata/ArcSightActivate/BestPracticesRules.txt,vdata/ArcSightActivate/WebChanges.txt,vdata/ArcSightActivate/MicrosoftWindowsL1ConfigurationGuide.txtdata/ArcSightActivate/CiscoSecureAcsConfurationGuide.txt,vdata/ArcSightActivate/ActivateOperatingSystemMonitoring.txtdata/ArcSightActivate/CheckPointActivateInstallConfig.txt,vdata/ArcSightActivate/WebNotify.lock...<TRIMMED LINES FOR LENGTH>...pub/System/ProjectLogos/HP_Blue_RGB_72_LG.gifpub/System/ProjectLogos/HP_Blue_RGB_72_MD.gifpub/System/ProjectLogos/HP_Blue_RGB_72_MN.gifpub/System/ProjectLogos/HP_Blue_RGB_72_MX.gifpub/System/ProjectLogos/HP_Blue_RGB_72_SM.gifGrant Ownership to Activate Wiki ContentChange t he o wnership o f t he “data” a nd “pub” d irectories t o t he “apache” u ser a ccount a nd g roup, b y using t he f ollowing c ommands:chown -­‐R apache:apache /var/lib/foswiki/data/chown -­‐R apache:apache /var/lib/foswiki/pub/Navigate to Activate ContentNow t hat t he A ctivate W iki C ontent i s i n p lace, u se a w eb b rowser o n y our l ocal m achine t o n avigateto t he f ollowing a ddress:http://<IP_Address_of_VM>/foswiki/Click t he “ArcSightActivate” w ebs l ink i n t he l ower-­‐left c orner:The A rcSight A ctivate W iki i s n ow i nstalled a nd a vailable f or u se:Support InformationPlease n ote t hat t his p rocess i s N OT o fficially s upported b y H P.All A ctivate-­‐related i nformation c an b e a ccessed a t t he f ollowing l ocation:https:///groups/activate-­‐frameworkIf a ny s upported i ssues a rise, o r i f y ou h ave a ny q uestions, p lease v isit o ur S oftware S upport O nline website.HP S oftware S upport O nline (/go/hpsoftwaresupport) i s a vailable t o y ou around t he c lock, 24x7, e nabling y ou t o:•Search t he t echnical k nowledge b ase f or k nown p roblems, t echnical d ocuments, m anuals a nd patches•Log, t rack a nd u pdate s upport i ncidents e lectronically t hrough a s ecured e nvironment•Review, r evise, a nd r enew a n H P S oftware S upport C ontract•Register t o r eceive e-­‐mail n otifications a nd a ccess t o e lectronic d ownload o f m any H P s oftware products•Download t he l atest s oftware p atches f or H P s oftware p roducts。

ArcSight SmartConnectors Software Version:8.4.xInstallation Guide for Context and Content AUPDocument Release Date:2023Software Release Date:2023Legal NoticesOpen Text Corporation275Frank Tompa Drive,Waterloo,Ontario,Canada,N2L0A1Copyright NoticeCopyright2023Open Text.The only warranties for products and services of Open Text and its affiliates and licensors(“Open Text”)are as may be set forth in the express warranty statements accompanying such products and services.Nothing herein should be construed as constituting an additional warranty.Open Text shall not be liable for technical or editorial errors or omissions contained herein.The information contained herein is subject to change without notice. Trademark Notices“OpenText”and other Open Text trademarks and service marks are the property of Open Text or its affiliates.All other trademarks or service marks are the property of their respective owners.Documentation UpdatesThe title page of this document contains the following identifying information:l Software Version numberl Document Release Date,which changes each time the document is updatedl Software Release Date,which indicates the release date of this version of the softwareTo check for recent updates or to verify that you are using the most recent edition of a document,go to:https:///support-and-services/documentationInstallation Guide for Content AUP and Context UpdatesThis guide provides information to install the Content AUP and Context updates.Note:From May2023onwards,the ArcSight Context-GeoLocation&VulnerabilitySignature updates and ArcSight Content-Categorization updates will be a monthly release. Content AUP also known as ArcSight Content-Categorization Updates is delivered as Patch and is available through ArcSight SmartConnectors License SKU.Customers who are still on legacy ArcSight product structure who have not migrated to ArcSight Standard Edition license structure might obtain the AUP updates through most current version of core product downloads.There is a list of signatures within which the categorization gets modified which changes with every release.Context Update also known as ArcSight Context-GeoLocation&Vulnerability Signature Updates is delivered through ESM and Logger SKUs.Context updates are based on the following3factors which changes in every release:l Vulnerability Signatures:Every single ArcSight release provides additional context as part of the event enrichment process and lets ESM leverage this data as it analyzes the barrage of IDS and other security alerts available for popular products like Snort, Juniper,TippingPoint,etc.l Sensor Signatures:The term signature refers to signatures,rules,and filters.Customers use IPS systems to monitor networks for suspicious traffic.Mostly a set of filters or rules,which is commonly known as signatures,is designed to identify various types of network events.Signatures are often associated with vulnerabilities.ArcSight collects this information and stores it in the categorization database.Vulnerabilities are mapped to a signature.From a signature,one can find the associatedvulnerabilities.l ipdataV6:We have a redistribution license for Maxmind DB,which is a third-party geolocation database that is updated every week.The MaxMind and the geolocation information are distributed via a binary data file known as ipdataV6.mmdb.Important:Every information submitted to MaxMind is subjected to modifications as theyhave the final destination to introduce the modifications on DB's that they provide to buildthe Context Builds.Every correction is reviewed by MaxMind to ensure that is accurateand complies with their policies which might take2-3weeks.No requests are accepted forchanging anonymous proxy or VPN IP addresses.Intended AudienceThis guide provides information for IT administrators who are responsible for managing the ArcSight software and its environment.Additional DocumentationThe ArcSight SmartConnector documentation library includes the following resources:l Technical Requirements Guide for SmartConnector,which provides information about operating system,appliance,browser,and other support details for SmartConnector. l Installation and User Guide for SmartConnectors,which provides detailed information about installing SmartConnectors.l Configuration Guides for ArcSight SmartConnectors,which provides informationabout configuring SmartConnectors to collect events from different sources.l Configuration Guide for SmartConnector Load Balancer,which provides detailedinformation about installing Load Balancer.For the most recent version of this guide and other ArcSight SmartConnector documentation resources,visit the documentation site for ArcSight SmartConnectors8.4.Contact InformationWe want to hear your comments and suggestions about this book and the other documentation included with this product.You can use the comment on this topic link at the bottom of each page of the online documentation,or send an email to MFI-***********************************.For specific product issues,contact Open Text Support for Micro Focus products.Installing ArcSight Content-Categorization UpdatesImportant:Micro Focus recommends the customers to use this AUP Content version onthe latest release of SmartConnectors.Note:ArcSight Content Updates are packaged in the form of AUP files.To obtain theupdated files,navigate to https:///and log in using theuser ID and password.Applying on ESMTo apply a new Content AUP:1.Log in to an ESM machine.2.Copy the.aup file to ARCSIGHT_HOME\updates\directory.3.SmartConnectors registered to this ArcSight Enterprise Security Manager downloadsthe file,and generates an audit event once completed.The ArcSight Enterprise Security Manager finds the new content and pushes it to the SmartConnectors.When the updates occurs,each of the affected SmartConnectors triggers an audit event to ArcSight Enterprise Security Manager.Applying on ArcMCTo apply Content AUP:1.Copy the downloaded Content AUP file to the machine that is used to connect to thebrowser-based interface.2.Log in to the browser-based interface for ArcSight Management Center,from thecomputer where the AUP file is downloaded.3.Click Administration>Repositories.4.Click Content AUP from the left panel.5.Click Upload from the right panel.6.Click Browse and Select the file you downloaded.7.Click Submit to add the specified file to the repository and send it to all the applicableconnectors.Modified SignaturesThere is a list of signatures within which the categorization gets modified.Every Content AUP release might not contain any modified signatures and this changes with every release.The user can find these signatures in the Release Notes.Installing ArcSight Context-GeoLocation& Vulnerability Signature UpdatesApplying and Verifying Context Updates on ArcSight ESM1.Make a note of the md5checksum generated for the files,as the values change with everyrelease.The updated values are provided along with the mappings for every release.For detailed description,click Release Notes for2022Context Updates.2.Copy the.zip file over to the$ARCSIGHT_HOME/config/server directory on ESM.3.Unzip the file in$ARCSIGHT_HOME/config/server,and replace the existing files with theunzipped files.4.Remove the.new file extension.5.Verify the md5checksum values for the files.6.ESM renames files from previous releases with a timestamp appended to their names.These files are saved in the same directory as the unzipped files.7.To verify if the updates are successfully applied on the ArcSight Enterprise SecurityManager,check the timestamped files from the last release.8.Verify that the three new files are unzipped.The ArcSight Enterprise Security Manager willuse the new files until the next release update.These file names are present in the Release Notes.Note:Restarting the manager is not required with this version.Important:Make sure to check the Release Notes for the specified version of ArcSight EnterpriseSecurity Manager for the updates to work properly.For more information on this process,see ESM Administrator’s Guide.Applying on Logger1.Log in to ArcSight Logger.2.Navigate to Configuration>Import Content.3.Click Choose File.4.Locate the specific file name.Installation Guide for Context and Content AUPInstalling ArcSight Context-GeoLocation&Vulnerability Signature Updates5.Click Import.A message will be acknowledging the request.6.Verify that the new file named ipdataV6.mmdb was imported to<loggerInstalla-tion>/config/logger/server/.When new release files are imported to Logger,the old files are automatically renamed in the following format:ipdataV6_year-month.mmbd.Note:ArcSight Logger stores a maximum of4geolocation files by default.The Logger searchpanel uses the latest imported file.For more information on this process,see the Logger Administrator’s Guide.Send Documentation FeedbackIf you have comments about this document,you can contact the documentation team by email.If an email client is configured on this computer,click the link above and an email window opens with the following information in the subject line:Feedback on Installation Guide for Context and Content AUP(SmartConnectors8.4.x) Just add your feedback to the email and click send.If no email client is available,copy the information above to a new message in a web mail client,and send your feedback to***************************************.We appreciate your feedback!。

Getting Started with ArcSight™ ESM ApplianceESM v4.5 SP1August 28, 2009Getting Started with ArcSight™ ESM ApplianceAugust 28, 2009Copyright © 2009 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners.Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: /copyrightnotice.The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.This document is ArcSight Confidential.ContentsGetting Started with ArcSight™ ESM Appliance (1)Installation Instructions (1)Installing ArcSight ESM (1)Preparing for Oracle Database Installation (2)Oracle Installation (2)Restoring Factory Settings (3)Customer Support (11)Getting Started with ArcSight™ ESM ApplianceUse this document and the Rack Installation Guide , included in the ArcSight ESM Appliance, to install your appliance and connect to it the first time.The ArcSight ESM Administrator’s Guide explains in detail how to deploy, configure and use ArcSight ESM. The guide is available:From the ESM Console Browse Docs pageAs a download from https://On the Server in the /opt/arcsight/docs directoryInstallation Instructions 1. Follow the instructions in the Rack Installation Guide for unpacking the appliance and its accompanying accessories. 2. Securely mount the appliance in a rack and make the rear panel connections. 3. Attach a monitor, keyboard and mouse to the system.4. Power on the system, and wait for the system to boot.The ArcSight ESM Appliance comes with the Oracle Enterprise Linux operating system already installed. When setting preferences for Oracle Enterprise Linux, consider the following:• When you accept the License agreement, note that the license agreement is for Oracle Linux only. ArcSight ESM has a separate license agreementthat appears when ArcSight ESM component is installed.•If you choose to enable the firewall, you will need to open ports 8443 and 9443 for ArcSight Manager and ArcSight Web communication. You might also want to open port 22 for remote SSH access. For more information on Oracle Enterprise Linux, see /linux/.Installing ArcSight ESMThe installation files for ArcSight ESM components are available in the/opt/arcsight/installers directory. Navigate to this directory and install the ESM components according to the instructions found in the ArcSight ESM Installation and Configuration Guide .CAUTIONRead through the instructions, cautions, and warnings in the Rack Installation Guide carefully. Failing to do so can result in bodily injury or system malfunction.After installing the ArcSight Manager, download the Console installer file fromthe ArcSight Customer Support website and install the Console on one ormore systems.Note that the ‘arcsight’ user is pre-defined in the system. You do not need tocreate this user.Preparing to Install the Oracle DatabaseBefore you install the ArcSight Database, please note the following recommendations:•There are 6 physical disks set up in a RAID 10 group that appear as a single logical disk to the Operating System. This is partitioned so thatthere is approximately 1 TB on /opt/data and 100 GB on “/”. ArcSight recommends:a.Installing the ArcSight Database in the/usr/local/arcsight/db45sp1 directoryb.Setting the Oracle user home and installation directory as/home/oracle and Oracle Home as /home/oracle/OraHome10g.c.Storing Redo Logs and default Oracle data files (System, SysAux,etc.) under default /home/oracle/OraHome10g/oradata/arcsight.d.Storing data files for all arcsight tablespaces (ARC_*) in/opt/data.•Estimate your retention needs and whether you want to enable partition archiving or not. Contact ArcSight Support if you need help withenablement. You can completely fill the /opt/data directory with datafiles.•Review the “Preparing a Linux System” section, steps 5-7 in the ArcSight ESM Installation and Configuration Guide for details on how to configure and verify that the hostname is properly set and can be pinged. TheOracle installation will fail if your host system cannot be pinged.•When the Oracle database installation is complete, install the ArcSight Manager in the /home/arcsight/ directory, for example/home/arcsight/manager45sp1.Oracle InstallationFor more information about Oracle installation, see the ArcSight ESM Installation and Configuration Guide. Refer to the ArcSight ESM Administrator’s Guide for instructions on how to use ArcSight ESM and confirm that initialization was successful. Also, refer to the appropriate Release Notes, available on the ArcSight Customer Support site,https://.When you are prompted to set the ArcSight Database Template, ArcSight recommends choosing the Extra Large template. This template will dedicate 6 GB memory for Oracle, leaving enough memory for the ArcSight Manager, operating system, and any other ArcSight components you need.Restoring Factory SettingsArcSight ESM Appliance can be restored to its original factory settings usingbuilt-in Acronis True Image software.Restoring ArcSight ESM Appliance to factory settings will irrevocablydelete all event data and configuration settings.To restore ArcSight ESM Appliance to its original factory settings, perform these steps:1.Attach a keyboard, monitor, and mouse directly to the ArcSight ESMAppliance system.2.Reboot ArcSight ESM Appliance.3.When the system has started, use the mouse or arrow keys to selectSystem Restore and press Enter.4.On the Pick a Task list, choose Recovery.5.The Restore Data Wizard opens. Click Next to continue.6.Select the Acronis Secure Zone and click Next. You will have an opportunityto review the choices you make on this page and the wizard pages thatfollow before initiating the restore process.7.Select Restore disks or partitions, and then click Next. Only choose otheroptions if specifically directed to do so by ArcSight Customer Support.8.Select the entire drive, labeled ‘sda’ in the figure below. Click Next tocontinue.9. Select Generate new NT signature, and then click Next.10. Choose the drive to restore (‘sda’), and then click Next.11. Choose Yes, I want to delete all the partitions on the destination hard disk drive before restoring, and then click Next.12. Because there are no other partitions or disks to restore, choose No, I do not, and then click Next.13. Select Restart machine automatically if needed for recovery, and then click Next.14. Review the checklist of operations to be performed and click Proceed to begin the restore process, or click Back to revisit previous wizard pages.Do not interrupt or power-down ArcSight ESM Appliance duringthe restore process. Interrupting the restore process may forcethe system into a state from which it cannot be recovered.15. The progress bars shown in the figure below display the status of thecurrent and total operations. When the restoration is complete, an alert is displayed that says “Data was successfully restored.” Click OK.16. Close the Acronis True Image Server window to reboot ArcSight ESMAppliance.Customer SupportTo answer any questions, contact ArcSight Customer Support: Phone: 1-866-535-3285 (North America)+44 (0)870 141 7487 (EMEA)E-mail:********************Web: https://。

Elasticsearch ArcSight Module InstallationThis document is designed to be a how-to guide for the installation of Elasticsearch on CentOS 7 minimal, the necessary X-Packs, ArcSight Module, and configuration to receive events from Event Broker. Upon completion, your Elasticsearch deployment will receive ArcSight enriched data via the Event Broker and the ArcSight module will be deployed with additional content in order to make the most of your installation quickly.Version No. Version date Revised by Affected section and description of change1.0 9/12/17 Peter Titov Genesis1.1 9/25/17 Peter Titov Tweaking1.2 10/3/17 Peter Titov Added optional configuration change settings 1.3 10/17/17 Peter Titov Updated for incremental versionsTable of contents1 Introduction (4)1.1 Prerequisites (4)1.1.1 Operating System Configuration & Update (4)1.1.2 Elasticsearch YUM Repositories Configuration (5)2 Elasticsearch Configuration (7)2.1 Make a backup of the default Yaml file: (7)2.1.1 Modify elasticsearch.yml file (7)2.1.2 Install Elasticsearch X-Pack Plugin (7)3 Kibana Configuration (8)3.1 Make a backup of the default Yaml file (8)3.1.1 Modify kibana.yml file (8)3.1.2 Install Kibana X-Pack Plugin (8)4 Logstash Configuration (9)4.1 Logstash yml and conf File Modification / Creation (9)4.1.1 Modify logstash.yml file (10)4.1.2 Install Logstash X-Pack & Kafka Input Plugin (10)5 Optional Configuration Settings (12)5.1 Java Heap Memory Configuration (12)5.2 ArcSight Logstash Module Single Shard Configuration (12)6 Elasticsearch Ignition (15)6.1 Start Elasticsearch & Kibana Services (15)6.2Start Logstash with ArcSight Module Configured (15)1IntroductionThis how-to guide is designed for installing Elasticsearch on CentOS 7 minimal, with the ArcSight module, and configure events input via Event Broker. While there are different methods to installing Elasticsearch (e.g. Docker, build from source, etc…), this guide will leverage YUM Elastics earch repositories for easy installation and updates!1.1PrerequisitesThese items must be met, or at least addressed if modifying steps. This guide assumes an ArcSight Event Broker has already been installed and configured, along with SmartConnectors.1.1.1Operating System Configuration & UpdateCentOS minimal is installed and root access is enabled, commands will be run as ‘root’ unless otherwise specified.If changes to the system will be done remotely, these steps must be completed directly on the target system:systemctl enable sshd(modify or disable firewalld if necessary) systemctl disable firewalldAdd the ‘epel’ repository to YUM:yum install epel* -yInstall net-tools, bind, and java-1.8* ( htop is optional, but recommended )yum install net-tools* bind* java-1.8* htop nano -yUpdate the OS:yum update –y1.1.2Elasticsearch YUM Repositories ConfigurationCreate the following files and add the contents to each:nano /etc/yum.repos.d/elasticsearch.repo[elasticsearch-5.x]name=Elasticsearch repository for5.x packagesbaseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1autorefresh=1type=rpm-md∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enternano /etc/yum.repos.d/kibana.repo[kibana-5.x]name=Kibana repository for5.x packagesbaseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1autorefresh=1type=rpm-md∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enternano /etc/yum.repos.d/logstash.repo[logstash-5.x]name=Elastic repository for5.x packagesbaseurl=https://artifacts.elastic.co/packages/5.x/yum gpgcheck=1gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1autorefresh=1type=rpm-md∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: EnterDownload and install the public signing key:rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearchInstall Elasticsearch, Kibana, & Logstash via YUM:yum install elasticsearch kibana logstash -y2Elasticsearch ConfigurationThis section will cover changes made to the Elasticsearch Yaml file; modify as you see fit, but please modify corresponding sections in order to prevent errors.2.1Make a backup of the default Yaml file:cd /etc/elasticsearchcp elasticsearch.yml elasticsearch.yml.bak2.1.1Modify elasticsearch.yml filenano /etc/elasticsearch/elasticsearch.ymlThe following sections were uncommented (enabled via deleting the “#”) and modified: network.host: 10.0.100.5 (set this to the IP of your Elasticsearch system)http.port: 9200∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enter2.1.2Install Elasticsearch X-Pack Plugincd /usr/share/elasticsearch/bin./elasticsearch-plugin install x-pack∙PRESS: y (Continue with installation)∙PRESS: y (Continue with installation)3Kibana ConfigurationThis section will cover changes made to the Kibana Yaml file; modify as you see fit, but please modify corresponding sections in order to prevent errors.3.1Make a backup of the default Yaml filecd /etc/kibanacp kibana.yml kibana.yml.bak3.1.1Modify kibana.yml filenano /etc/kibana/kibana.ymlThe following sections were uncommented (enabled via deleting the “#”) and modified: server.port: 5601server.host: "10.0.100.5": "GRU"elasticsearch.url: http://10.0.100.5:9200∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enter3.1.2Install Kibana X-Pack Plugincd /usr/share/kibana/bin./kibana-plugin install x-pack4Logstash ConfigurationThis section will cover changes made to the Logstash Yaml & Conf file; modify as you see fit, but please modify corresponding sections in order to prevent errors.4.1Logstash yml and conf File Modification / CreationMake a backup of the default yml file, create a Logstash conf file, then create directories in /opt:cd /etc/logstashcp logstash.yml logstash.yml.baknano /etc/logstash/conf.d/logstash.confinput {kafka {topics => ["eb-cef"]bootstrap_servers => "10.0.100.4:39092"}}## FILTER#output {elasticsearch {hosts => ["10.0.100.5:9200"]user => elasticpassword => changeme}}∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enter4.1.1Modify logstash.yml filenano /etc/logstash/logstash.ymlThe following section was uncommented (enabled via deleting the “#”) and modified:path.config: /etc/logstash/conf.dThe following section was added to the top of the Yaml file:xpack.monitoring.enabled: truexpack.monitoring.elasticsearch.url: "10.0.100.5:9200"*The entry below may be added to the Yaml file, it is recommended to add it to the Module Settings section:modules:- name: arcsightvar.input.eventbroker.bootstrap_servers: "10.0.100.4:39092"var.input.eventbroker.topics: "eb-cef"var.elasticsearch.hosts: "10.0.100.5:9200"ername: "elastic"var.elasticsearch.password: "changeme"var.kibana.host: "10.0.100.5:5601"ername: "elastic"var.kibana.password: "changeme"∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)∙PRESS: Enter4.1.2Install Logstash X-Pack & Kafka Input Plugincd /usr/share/logstash/bin./logstash-plugin install x-pack./logstash-plugin install --version 6.2.7 logstash-input-kafka5Optional Configuration SettingsThis section will cover optional steps to fine tune Elasticsearch so that if it is configured as a single-node to make better use of the Java heap memory and shard creation. NOTE: This must be accomplished prior to proceeding to the next chapter. If you are NOT going to update the configuration, please skip this section.5.1Java Heap Memory ConfigurationThis setting will allow better use of memory allocation for Elasticsearch. Ideally this should be set to no more than 50% of the physical memory, and it is HIGHLY recommended to use the same memory allocation for both the initial and maximum entries. In the example below, I configured 16GB of RAM.nano /etc/elasticsearch/jvm.optionsLook for the following entries, this should be near the top of the file listed above:# Xms represents the initial size of total heap space# Xmx represents the maximum size of total heap space-Xms16g-Xmx16g∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)5.2ArcSight Logstash Module Single Shard ConfigurationThis setting will lower the number of shards created for the ArcSight index. If running in a single node configuration, this will lower the amount of disk space used to store events.First make a copy of the original file.cp /usr/share/logstash/vendor/bundle/jruby/1.9/gems/x-pack-5.6.* -java/modules/arcsight/configuration/elasticsearch/arcsight.json/usr/share/logstash/vendor/bundle/jruby/1.9/gems/x-pack-5.6.* -java/modules/arcsight/configuration/elasticsearch/arcsight.json.bakOpen the arcsight.json file:nano /usr/share/logstash/vendor/bundle/jruby/1.9/gems/x-pack-5.6.* -java/modules/arcsight/configuration/elasticsearch/arcsight.jsonOnly the top portion will be modified, here is what the arcsight.json file appears as prior to modification:After the modification, the arcsight.json file will appear as this:If you wish to simply copy & paste this configuration change:"settings" : {"number_of_shards": 1},∙PRESS: Crtl X (To exit nano)∙PRESS: Y (To save changes)Technical White Paper 6 Elasticsearch IgnitionThis section will cover the steps to fire up Elasticsearch configured to read events from the eb-cef topicof Event Broker.6.1 Start Elasticsearch & Kibana Servicesservice elasticsearch start && service kibana startIf you wish to enable Elasticsearch to start each time the system is powered on:systemctl enable elasticsearch && systemctl enable kibana6.2 Start Logstash with ArcSight Module ConfiguredModify the command below so that it reflects your environment.cd /usr/share/logstash/bin/./logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/logstash.conf --modules arcsight --setup -M "arcsight.var.input.eventbroker.bootstrap_servers=10.0.100.4:39092" -M"var.input.eventbroker.topics: "eb-cef"" -M "ername=elastic" -M"arcsight.var.elasticsearch.password=changeme" -M "ername=elastic" -M"arcsight.var.kibana.password=changeme" &。

ArcSight SmartConnectors Software Version:8.4.3Configuration Guide for Microsoft365 Defender SmartConnectorDocument Release Date:October2023Software Release Date:October2023Configuration Guide for Microsoft365Defender SmartConnectorLegal NoticesOpen Text Corporation275Frank Tompa Drive,Waterloo,Ontario,Canada,N2L0A1Copyright NoticeCopyright2023Open Text.The only warranties for products and services of Open Text and its affiliates and licensors(“Open Text”)are as may be set forth in the express warranty statements accompanying such products and services.Nothing herein should be construed as constituting an additional warranty.Open Text shall not be liable for technical or editorial errors or omissions contained herein.The information contained herein is subject to change without notice. Trademark Notices“OpenText”and other Open Text trademarks and service marks are the property of Open Text or its affiliates.All other trademarks or service marks are the property of their respective owners.Documentation UpdatesThe title page of this document contains the following identifying information:l Software Version numberl Document Release Date,which changes each time the document is updatedl Software Release Date,which indicates the release date of this version of the softwareTo check for recent updates or to verify that you are using the most recent edition of a document,go to:https:///support-and-services/documentationContentsConfiguration Guide for Microsoft365Defender SmartConnector4 Product Overview5 Understanding Event Collection5 Preparing to Install the SmartConnector6 Microsoft365Defender API in Microsoft Threat Protection(Security API)6 Registering an Azure Active Directory Application with appropriate Permissions forMicrosoft365Defender6 Adding Permissions for Microsoft365Defender Incidents7 Generating Client Secret for the Application7 Microsoft365Defender API in Microsoft Graph7 Registering an Azure Active Directory Application with appropriate Permissions forMicrosoft365Defender7 Adding Permissions for Microsoft365Defender Incidents8 Generating Client Secret for the Application8 Microsoft365Defender API in Certificate-based Authentication8 Creating Self-Signed Certificate9 Installing and Configuring the SmartConnector10 Device Event Mapping to ArcSight Fields13 Event Mapping for Alerts via Security API15 Incident15Alerts15Devices16Entities17 Event Mapping for Alert V2via Graph API-alert V218 Alerts18Device Evidence18Process Evidence19File Evidence19IP Evidence20Url Evidence20Registry Value Evidence21Cloud Application Evidence21Oauth Application Evidence21 Send Documentation Feedback23Configuration Guide for Microsoft365Defender SmartConnectorThe ArcSight Microsoft365Defender configuration guide provides information to install the SmartConnector for Microsoft365Defender and configure the connector for event collection.Intended AudienceThis guide provides information for IT administrators who are responsible for managing the ArcSight software and its environment.Additional DocumentationThe ArcSight SmartConnector documentation library includes the following resources:l Technical Requirements Guide for SmartConnector,which provides information about operating system,appliance,browser,and other support details for SmartConnector.l Installation and User Guide for SmartConnectors,which provides detailed information about installing SmartConnectors.l Configuration Guides for ArcSight SmartConnectors,which provides information about configuring SmartConnectors to collect events from different sources.l Configuration Guide for SmartConnector Load Balancer,which provides detailedinformation about installing Load Balancer.For the most recent version of this guide and other ArcSight SmartConnector documentation resources,visit the documentation site for ArcSight SmartConnectors8.4.Contact InformationWe want to hear your comments and suggestions about this book and the other documentation included with this product.You can use the comment on this topic link at the bottom of each page of the online documentation,or send an email to MFI-Documentation-*********************.For specific product issues,contact Open Text Support for Micro Focus products.Product OverviewThe SmartConnector for Microsoft365Defender retrieves incidents from Microsoft365 Defender,normalizes and sends these incidents to the configured destinations.For more information about Microsoft365Defender and its services,see the Microsoft365 Defender documentation.Understanding Event CollectionThe SmartConnector for Microsoft365Defender uses access tokens to authenticate and allow an application to access an API.The access token will be retrieved by using the client credentials-client ID and client secret.The following call details are used to access the retrieved tokens:Request type:PostToken URL:https:///<tenant_id provided in setup>/oauth2/token Parameters:grant_type=client_credentialsclient_id=<client_id provided in setup>client_secret=<client_secret provided in setup>resource=https://The retrieved access token will be valid for one hour by default.A new access token will be retrieved after the old access token expires.Microsoft365Defender incidents are retrieved by using the following Event URL:https:///api/incidents?$filter=lastUpdateTime+ge+<ST ART_AT_TIME><START_AT_TIME>is replaced with the current time in the following format:yyyy-MM-dd'T'HH:mm:ss.SSSSSSS'Z'Limitationsl Maximum page size is100incidentsl Maximum rate of requests is50calls per minute and1500calls per hourThe SmartConnector for Microsoft365Defender uses certificate-based authentication method to authenticate applications and services that need to access the Graph API.To authenticateusing certificate,an Application must be registered with Azure AD and certificate needs to be uploaded in the Azure AD portal to obtain the Application ID and Client Secret.The following call details are used to access the retrieved tokens:Request type:PostToken URL:https:///<tenant_id provided in setup>/oauth2/token Parameters:grant_type=client_credentialsclient_id=<client_id provided in setup>client_assertion_type=The value must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearerclient_assertion=An assertion(a JSON web token)is created.Log in with the certificate that you registered as credentials for your application.resource=https://The retrieved access token will be valid for one hour by default.A new access token will be retrieved after the old access token expires.Preparing to Install the SmartConnectorBefore Installing the SmartConnector,complete the following procedures:1.Microsoft365Defender API in Microsoft Threat Protection(Security API)2.Microsoft365Defender API in Microsoft Graph3.Microsoft365Defender API in Certificate-based AuthenticationMicrosoft365Defender API in Microsoft Threat Protection(Security API)Registering an Azure Active Directory Application with appropriate Permissions for Microsoft365Defender1.Log in to Azure as a Global Administrator User.2.Navigate to Azure Active Directory>App Registrations>New Registration.4.Click Register.Adding Permissions for Microsoft365Defender Incidents 1.On the Application Page,select API Permissions>Add a Permission>APIs myOrganization uses.2.Type Microsoft Threat Protection on the search panel,and select Microsoft ThreatProtection.Your application can now access Microsoft365Defender.3.Choose Application Permissions>Incident.Read.All and select Add Permissions.For more information regarding Azure Active Directory application with the appropriate permissions for Microsoft365Defender Incidents,see https:///en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide Generating Client Secret for the Application1.Click Certificates and Secrets.2.Click New Client Secret.3.Add Description to the secret and click Add.4.Note the generated Secret Value.Important:If you do not note down the Secret Value,you will not be able to retrieve itlater.5.On the application page,go to Overview and Copy the following:l Application(Client)IDl Directory(Tenant)IDMicrosoft365Defender API in Microsoft Graph Registering an Azure Active Directory Application with appropriate Permissions for Microsoft365Defender1.Log in to Azure as a Global Administrator User.2.Navigate to Azure Active Directory>App Registrations>New Registration.4.Click Register.Adding Permissions for Microsoft365Defender Incidents1.Navigate to the application page and select API Permissions>Microsoft Graph.2.Select Delegated permissions,and type security in the search bar.Then selectSecurityIncident.Read.All and click Add permission.3.Click admin consent for your tenant.Multiple permissions can be selected.You can thengrant admin consent for all.For more information regarding Azure Active Directory application with the appropriate permissions for Microsoft365Defender Incidents,see https:///t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099Generating Client Secret for the Application1.Click Certificates and Secrets.2.Click New Client Secret.3.Add Description to the secret and click Add.4.Note the generated Secret Value.Important:If you do not note down the Secret Value,you will not be able to retrieve itlater.5.On the application page,go to Overview and Copy the following:l Application(Client)IDl Directory(Tenant)IDMicrosoft365Defender API in Certificate-based AuthenticationCertificate-based authentication is used to authenticate applications and services that need to access the Graph API.To authenticate using certificate,an Application must be registered with Azure AD to obtain the Application ID and Client Secret.The Application must also generate a self-signed certificate or obtain a certificate from a Trusted Certificate Authority(CA).TheCertificate is then uploaded to the Azure AD Application Registration and is used to authenticate the application when it requests access to the Graph API.When an Application requests access to the Graph API using certificate-based authentication, Azure AD verifies the Certificate to ensure that it is valid and issued by a trusted CA.If the certificate is valid,Azure AD grants the Application an Access Token,which the Application can use to access the Graph API.Creating Self-Signed Certificate1.Create the self-signed certificate.Refer to the Microsoft documentation for moreinformation regarding the self-signed certificate and authenticating the Application.2.Register an Azure Active Directory Application with appropriate permissions for Microsoft365Defender as per the following steps:a.Log in to Azure as a Global Administrator User.b.Navigate to Azure Active Directory>App Registrations>New Registration.c.In the registration form,select your application.d.Click Register.3.Add the required permissions for Microsoft365Defender Incidents as per the followingsteps:a.On the Application Page,select API Permissions>Add a Permission>APIs myOrganization uses.b.Type Microsoft Threat Protection on the search panel,and select Microsoft ThreatProtection.Your application can now access Microsoft365Defender.c.Choose Application Permissions>Incident.Read.All and select Add Permissions.d.For more information regarding Azure Active Directory application with theappropriate permissions for Microsoft365Defender Incidents,seehttps:///en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide4.Generate the Client Secret for the Application as per the following steps:a.Click Certificates and Secrets.b.Click New Client Secret.c.Add Description to the secret and click Add.d.Note the generated Secret Value.Important:If you do not note down the Secret Value,you will not be able to retrieve itlater.e.On the application page,go to Overview and Copy the following:l Application(Client)IDl Directory(Tenant)ID5.Select Certificates&Secrets>Certificates.6.Click Upload Certificate and select the required certificate file to be uploaded.7.Click Add.After the certificate is uploaded,the Thumbprint,Start Date,and Expiration Values are displayed.Installing and Configuring the SmartConnectorThe installation steps described in this section are specific to the Microsoft365Defender Connector.For detailed installation steps or for manual installation steps,see SmartConnector Installation and User Guide.To install and configure the Microsoft365Defender Connector:Start the installation wizard.1.Start the installation wizard.2.Follow the instructions in the wizard to install the core software.3.Specify the relevant Global Parameters,when prompted.4.From the Type drop-down list,select Microsoft365Defender as the type of connector,then click Next.5.Enter the following parameters to configure the SmartConnector and then click Next.Note:If you want to fetch events of a specific period,use the startattime parameter in agent.properties.Do not remove"$START_ AT_TIME"in the URL.6.Select a destination and configure parameters.7.Specify a name for the connector.8.(Conditional)If you have selected ArcSight Manager as the destination,the certificateimport window for the ArcSight Manager is displayed.Select Import the certificate to the connector from destination,and then click Next.The certificate is imported and the Add connector Summary window is displayed.Note:If you select Do not import the certificate to connector from destination,theconnector installation will end.9.Select whether you want to run the connector as a service or in the standalone mode.plete the installation.11.Run the SmartConnector.12.For instructions about upgrading the connector or modifying parameters,seeSmartConnector Installation and User Guide.Device Event Mapping to ArcSight FieldsThe following section lists the mappings of ArcSight data fields to the device-specific event definitions.For more information about the ArcSight data fields,refer to the ArcSight Console User's Guide for ESM.Security APIEach incident retrieved from Microsoft365Defender is processed,split,and sent to the configured destinations in the following structure:l IncidentsOne top-level incident event is sent per incident.l Alertso One alert event is sent for each device present in the alert.o One alert event is sent for each entity present in the alert.Alert events can be correlated using the alertId(Device Custom String2)and theincidentId(External ID)fields.Graph API-alert V2Each alert retrieved from Microsoft365Defender is processed,split,and sent to the configured destinations in the following structure:Alertsl One alert event is sent for each evidence present in the alert.l One top-level alert event is sent per alert.Sample alert:ArcSight security event format expected by the connector:1.Alert1+Evidence1(+device evidence if applicable)2.Alert1+Evidence2(+device evidence if applicable)3.Alert1(top level alert event)Event Mapping for Alerts via Security API IncidentAlertsDevicesEntitiesEvent Mapping for Alert V2via Graph API-alert V2 AlertsDevice EvidenceProcess EvidenceFile EvidenceIP EvidenceUrl EvidenceRegistry Value EvidenceCloud Application EvidenceOauth Application EvidenceRegistry Value Evidence Page21of23Oauth Application Evidence Page22of23Send Documentation FeedbackIf you have comments about this document,you can contact the documentation team by email.If an email client is configured on this computer,click the link above and an email window opens with the following information in the subject line:Feedback on Configuration Guide for Microsoft365Defender SmartConnector (SmartConnectors8.4.3)Just add your feedback to the email and click send.If no email client is available,copy the information above to a new message in a web mail client,and send your feedback to***************************************.We appreciate your feedback!Send Documentation Feedback Page23of23。

ArcSight SmartConnectorsSoftware Version:8.4.3Configuration Guide for Cisco NX-OS Syslog SmartConnectorDocument Release Date:October2023Software Release Date:October2023Legal NoticesOpen Text Corporation275Frank Tompa Drive,Waterloo,Ontario,Canada,N2L0A1Copyright NoticeCopyright2023Open Text.The only warranties for products and services of Open Text and its affiliates and licensors(“Open Text”)are as may be set forth in the express warranty statements accompanying such products and services.Nothing herein should be construed as constituting an additional warranty.Open Text shall not be liable for technical or editorial errors or omissions contained herein.The information contained herein is subject to change without notice. Trademark Notices“OpenText”and other Open Text trademarks and service marks are the property of Open Text or its affiliates.All other trademarks or service marks are the property of their respective owners.Documentation UpdatesThe title page of this document contains the following identifying information:l Software Version numberl Document Release Date,which changes each time the document is updatedl Software Release Date,which indicates the release date of this version of the softwareTo check for recent updates or to verify that you are using the most recent edition of a document,go to:https:///support-and-services/documentationContentsConfiguration Guide for Cisco NX-OS Syslog SmartConnector4Product Overview5Configuration6 Configuring Syslog Servers6 Configuring for the Syslog SmartConnectors6Installing the SmartConnector10 Preparing to Install Connector10 Installing and Configuring the SmartConnector10Device Event Mapping to ArcSight Fields14 Cisco NX-OS Syslog Mappings to ArcSight ESM Fields14 Send Documentation Feedback15Configuration Guide for Cisco NX-OS Syslog SmartConnector Configuration Guide for Cisco NX-OS Syslog SmartConnectorThis guide provides information for installing the SmartConnector for Cisco NX-OS and for configuring the device for syslog event collection.Intended AudienceThis guide provides information for IT administrators who are responsible for managing the ArcSight software and its environment.Additional DocumentationThe ArcSight SmartConnector documentation library includes the following resources: l Technical Requirements Guide for SmartConnector,which provides information about operating system,appliance,browser,and other support details for SmartConnector.l Installation and User Guide for SmartConnectors,which provides detailed information about installing SmartConnectors.l Configuration Guides for ArcSight SmartConnectors,which provides informationabout configuring SmartConnectors to collect events from different sources.l Configuration Guide for SmartConnector Load Balancer,which provides detailedinformation about installing Load Balancer.For the most recent version of this guide and other ArcSight SmartConnectordocumentation resources,visit the documentation site for ArcSight SmartConnectors8.4.Contact InformationWe want to hear your comments and suggestions about this book and the otherdocumentation included with this product.You can use the comment on this topic link at the bottom of each page of the online documentation,or send an email to MFI-***********************************.For specific product issues,contact Open Text Support for Micro Focus products.Product OverviewProduct OverviewCisco NX-OS is a data center-class operating system and runs on Cisco Nexus Switches.It is designed to deliver continuous operation with failure detection,fault isolation,self-healing features,and small maintenance windows.Cisco NX-OS is highly scalable and can easily integrate with and adapt to ongoing innovation,technologies,and evolvingstandards.It provides operation tools that reduce complexity and offer consistentfeatures and operations without compromising capabilities.Cisco NX-OS enhances virtual machine portability and converges multiple services,platforms,and networks to simplify and reduce infrastructure sprawl and total cost of ownership(TCO).ConfigurationConfiguring Syslog ServersYou can configure up to eight syslog servers that reference remote systems where you want to log system messages.Before configuring a syslog server,ensure that you are in the correct VDC.To change the VDC,use the switchto vdc command.1.To go to the global configuration mode,specify the following command:config t-2.To configure a syslog server at the specified hostname or IPv4or IPv6address,specifythe following command:logging server host[severity-level[use-vrf<vrf-name>]]To limit logging of messages to a particular VRF,use the use-vrf keyword.3.To enable a source interface for the remote syslog server,specify the followingcommand:logging source-interface loopback<virtual-interface7>The range for the virtual-interface argument is from0to1023.4.(Optional)To display the syslog server configuration,specify the following command:show logging server5.(Optional)To copy the running configuration to the startup configuration,specify thefollowing command:copy running-config startup-configConfiguring for the Syslog SmartConnectorsThe syslog SmartConnectors use a sub-connector architecture that lets them receive and process syslog events from multiple devices.There is a unique regular expression that identifies the device.For example,the same SmartConnector can process events from a Cisco Router and a NetScreen Firewall simultaneously.The SmartConnector inspects all incoming messages and automatically detects the type of device that originated the message.You can install the syslog SmartConnector as a syslog daemon,pipe,or file connector.You can use the Syslog Deamon,Syslog Deamon NG,or Syslog File connector types depending on your requirement.The Syslog File type SmartConnectors also support Syslog Pipe.Syslog Daemon SmartConnectorThe Syslog Deamon SmartConnector is a syslogd-compatible daemon designed to work in operating systems that have no syslog daemon in their default configuration,such as Microsoft Windows.The SmartConnector for Syslog Daemon implements a UDP receiver on port514by default,or can be configured on another port to receive syslog events.You can also configure to use the TCP protocol.To use the SmartConnector for Syslog Daemon,add the following statement in the rsyslog.conf file:*.*@@(remote/local-host-IP):514Example:local1.warning@@10.0.0.1:514l To read all Syslog events,use*.*l To filter specific events,replace regex with the specific event name.l For example:*.*@@(remote/local-host-IP):514and local1.warning@@10.0.0.1:514. l To send events over a TCP connection,use@@and to send events over an UDPconnection,use@.If you are running SmartConnector for Syslog Daemon on the same machine as the server, you must provide the IP address of the local host.If you want to forward events to other machines,you must provide the IP address of the same.Messages longer than1024bytes might be split into multiple messages on syslog daemon.No such restriction exists on syslog file or pipe.Syslog Pipe and File SmartConnectorsWhen a syslog daemon is already in place and configured to receive syslog messages,an extra line in the syslog configuration file rsyslog.conf can be added to write the events to either a file or a system pipe and the ArcSight SmartConnector can be configured to read the events from it.In this scenario,the ArcSight SmartConnector runs on the same machine as the syslog daemon.The additional configurations for the ArcSight syslog file or syslog pipe SmartConnectors in the system where all Syslog Daemon SmartConnector configurations are done.The Syslog Pipe SmartConnector is designed to work with an existing syslog daemon.This SmartConnector is especially useful when storage is a factor.In this case,syslogd isconfigured to write to a named pipe,and the Syslog Pipe SmartConnector reads from it to receive events.The Syslog File SmartConnector is similar to the Pipe SmartConnector.However,this SmartConnector monitors events written to a syslog file such as messages.log rather than to a system pipe.Using the SmartConnector for Syslog Pipe or FileThis section provides information to set up your existing syslog infrastructure to send events to the ArcSight Syslog Pipe or File SmartConnector.The standard UNIX implementation of a syslog daemon reads the configuration parameters from the/etc/rsyslog.conf file,which contains specific details about which events to write to files,write to pipes,or send to another host.For Syslog Pipe:1.Execute the following command to create a pipe:mkfifo/var/tmp/syspipe2.Add one of the following lines depending on your OS to the/etc/rsyslog.conf file:*.debug/var/tmp/syspipeor*.debug|/var/tmp/syspipe3.Restart the syslog daemon in one of the following methods:Enter the following commands:/etc/init.d/syslogd stop/etc/init.d/syslogd startorExecute the following command to send a configuration restart signal:On RedHat Linux:service syslog restartOn Solaris:kill-HUP`cat/var/run/syslog.pid´For Syslog File:1.Create a file or use the default file into which log messages must be written.2.Modify the/etc/rsyslog.conf fileThe syslog daemon is forced to reload the configuration and start writing to the pipe.3.Restart the syslog daemon in one of the following methods:a.Restart the syslog daemon in one of the following methods:Enter the following commands:/etc/init.d/syslogd stop/etc/init.d/syslogd startorExecute the following command to send a configuration restart signal:On RedHat Linux:service syslog restartOn Solaris:kill-HUP`cat/var/run/syslog.pid´Installing the SmartConnectorInstalling the SmartConnectorThe following sections provide instructions for installing and configuring your selected SmartConnector.Preparing to Install ConnectorBefore you install any SmartConnectors,make sure that the OpenText ArcSight products with which the connectors will communicate have already been installed correctly(such as ArcSight ESM or ArcSight Logger).For complete product information,refer to the Administrator's Guide to ArcSightPlatform,available on ArcSight Documentation.If you are adding a connector to the ArcSight Management Center,see the ArcSight Management Center Administrator's Guide available on ArcSight Documentation for instructions.Before installing the SmartConnector,make sure that the following are available:l Local access to the machine where the SmartConnector is to be installedl Administrator passwordsInstalling and Configuring the SmartConnector Unless specified otherwise at the beginning of this guide,this SmartConnector can be installed on all ArcSight supported platforms.1.Start the installation wizard.2.Follow the instructions in the wizard to install the core software.3.Exit the installation wizard.4.Do one of the following depending on your requirement:l Select Syslog Daemon from the Type drop-down:a.Click Next,the specify the following paramenters:b.Click Next.l Select Syslog File from the Type drop-down:a.Click Next,the specify the following paramenters:b.Click Next.5.Select a destination and configure parameters.6.Specify a name for the connector.7.(Conditional)If you have selected ArcSight Manager as the destination,thecertificate import window for the ArcSight Manager is displayed.Select Import the certificate to the connector from destination,and then click Next.The certificate is imported and the Add connector Summary window is displayed.Note:If you select Do not import the certificate to connector from destination,theconnector installation will end.8.Select whether you want to install the connector as a service or in the standalonemode.plete the installation.10.Run the SmartConnector.For instructions about upgrading the connector or modifying parameters,seeInstallation and User Guide for SmartConnector.Device Event Mapping to ArcSight FieldsDevice Event Mapping to ArcSight Fields The following section lists the mappings of ArcSight data fields to the device's specific event definitions.See the ArcSight Console User's Guide for more information about the ArcSight data fields.Cisco NX-OS Syslog Mappings to ArcSight ESM Fieldsreceivee events.And the workaround is to apply older driver5.0.8,after that connector is able to received events.Send Documentation FeedbackIf you have comments about this document,you can contact the documentation team by email.If an email client is configured on this computer,click the link above and an email window opens with the following information in the subject line:Feedback on Configuration Guide for Cisco NX-OS Syslog SmartConnector(SmartConnectors 8.4.3)Just add your feedback to the email and click send.If no email client is available,copy the information above to a new message in a web mail client,and send your feedback to***************************************.We appreciate your feedback!。

ArcSight SmartConnectors Software Version:8.4.3Configuration Guide for Citrix NetScaler Syslog SmartConnectorDocument Release Date:October2023Software Release Date:October2023Legal NoticesOpen Text Corporation275Frank Tompa Drive,Waterloo,Ontario,Canada,N2L0A1Copyright NoticeCopyright2011–2023Open Text.The only warranties for products and services of Open Text and its affiliates and licensors(“Open Text”)are as may be set forth in the express warranty statements accompanying such products and services.Nothing herein should be construed as constituting an additional warranty.Open Text shall not be liable for technical or editorial errors or omissions contained herein.The information contained herein is subject to change without notice. Trademark Notices“OpenText”and other Open Text trademarks and service marks are the property of Open Text or its affiliates.All other trademarks or service marks are the property of their respective owners.Documentation UpdatesThe title page of this document contains the following identifying information:l Software Version numberl Document Release Date,which changes each time the document is updatedl Software Release Date,which indicates the release date of this version of the softwareTo check for recent updates or to verify that you are using the most recent edition of a document,go to:https:///support-and-services/documentationContentsConfiguration Guide for Citrix NetScaler Syslog SmartConnector4Product Overview5Configuration6 Configuring Citrix NetScaler6 Configuring for the Syslog SmartConnectors7Installing the SmartConnector11 Preparing to Install Connector11 Installing and Configuring the SmartConnector by Using the Wizard11Device Event Mapping to ArcSight Fields15 Citrix NetScaler Mappings to ArcSight Fields15 Send Documentation Feedback17Configuration Guide for Citrix NetScaler Syslog SmartConnector Configuration Guide for Citrix NetScaler Syslog SmartConnectorThis guide provides information for installing the SmartConnector for Citrix NetScaler Syslog and configuring the device for event collection.Intended AudienceThis guide provides information for IT administrators who are responsible for managing the ArcSight software and its environment.Additional DocumentationThe ArcSight SmartConnector documentation library includes the following resources: l Technical Requirements Guide for SmartConnector,which provides information about operating system,appliance,browser,and other support details for SmartConnector.l Installation and User Guide for SmartConnectors,which provides detailed information about installing SmartConnectors.l Configuration Guides for ArcSight SmartConnectors,which provides informationabout configuring SmartConnectors to collect events from different sources.l Configuration Guide for SmartConnector Load Balancer,which provides detailedinformation about installing Load Balancer.For the most recent version of this guide and other ArcSight SmartConnectordocumentation resources,visit the documentation site for ArcSight SmartConnectors8.4.Contact InformationWe want to hear your comments and suggestions about this book and the otherdocumentation included with this product.You can use the comment on this topic link at the bottom of each page of the online documentation,or send an email to MFI-***********************************.For specific product issues,contact Open Text Support for Micro Focus products.Product OverviewProduct OverviewCitrix NetScaler is a web application delivery appliance available as a separate hardware network device or as a virtualized Scaler optimizes application availability through L4-7load balancing and traffic management,accelerates performance,increases security with an integrated application firewall,and lowers costs by increasing web server efficiency.ConfigurationConfiguring Citrix NetScalerYou can customize logging of NetScaler for the needs of your site and direct these logs to an external syslog Scaler uses the Audit Server Logging feature for logging the states and status information collected by different modules in the kernel and by user-level daemons.For more information about the Audit Server Logging feature,see the "Audit Server Logging"chapter in the Citrix NetScaler Administration Guide.To configure NetScaler to collect syslog events:1.Login to Citrix NetScaler.2.From the left pane,select System and Auditing.Click Change global auditingsettings.3.Select SYSLOG as the Auditing Type and add the IP address and port number of thesyslog server under Server.Select ALL log levels or select specific log levels to beincluded.4.Select the appropriate Log Facility and other logging options as desired.Note:The date format must be MMDDYYYY to be parsed correctly.5.Click OK to save your configuration and close the Configure Auditing Parameterswindow.6.Click Save to save running configuration.Configuring for the Syslog SmartConnectorsThe syslog SmartConnectors use a sub-connector architecture that lets them receive and process syslog events from multiple devices.There is a unique regular expression that identifies the device.For example,the same SmartConnector can process events from a Cisco Router and a NetScreen Firewall simultaneously.The SmartConnector inspects all incoming messages and automatically detects the type of device that originated the message.You can install the syslog SmartConnector as a syslog daemon,pipe,or file connector.You can use the Syslog Deamon,Syslog Deamon NG,or Syslog File connector types depending on your requirement.The Syslog File type SmartConnectors also support Syslog Pipe.Syslog Daemon SmartConnectorThe Syslog Deamon SmartConnector is a syslogd-compatible daemon designed to work in operating systems that have no syslog daemon in their default configuration,such as Microsoft Windows.The SmartConnector for Syslog Daemon implements a UDP receiveron port514by default,or can be configured on another port to receive syslog events.You can also configure to use the TCP protocol.To use the SmartConnector for Syslog Daemon,add the following statement in the rsyslog.conf file:*.*@@(remote/local-host-IP):514Example:local1.warning@@10.0.0.1:514l To read all Syslog events,use*.*l To filter specific events,replace regex with the specific event name.l For example:*.*@@(remote/local-host-IP):514and local1.warning@@10.0.0.1:514. l To send events over a TCP connection,use@@and to send events over an UDPconnection,use@.If you are running SmartConnector for Syslog Daemon on the same machine as the server, you must provide the IP address of the local host.If you want to forward events to other machines,you must provide the IP address of the same.Messages longer than1024bytes might be split into multiple messages on syslog daemon.No such restriction exists on syslog file or pipe.Syslog Pipe and File SmartConnectorsWhen a syslog daemon is already in place and configured to receive syslog messages,an extra line in the syslog configuration file rsyslog.conf can be added to write the events to either a file or a system pipe and the ArcSight SmartConnector can be configured to read the events from it.In this scenario,the ArcSight SmartConnector runs on the same machine as the syslog daemon.The additional configurations for the ArcSight syslog file or syslog pipe SmartConnectors in the system where all Syslog Daemon SmartConnector configurations are done.The Syslog Pipe SmartConnector is designed to work with an existing syslog daemon.This SmartConnector is especially useful when storage is a factor.In this case,syslogd is configured to write to a named pipe,and the Syslog Pipe SmartConnector reads from it to receive events.The Syslog File SmartConnector is similar to the Pipe SmartConnector.However,this SmartConnector monitors events written to a syslog file such as messages.log rather than to a system pipe.Using the SmartConnector for Syslog Pipe or FileThis section provides information to set up your existing syslog infrastructure to send events to the ArcSight Syslog Pipe or File SmartConnector.The standard UNIX implementation of a syslog daemon reads the configuration parameters from the/etc/rsyslog.conf file,which contains specific details about which events to write to files,write to pipes,or send to another host.For Syslog Pipe:1.Execute the following command to create a pipe:mkfifo/var/tmp/syspipe2.Add one of the following lines depending on your OS to the/etc/rsyslog.conf file:*.debug/var/tmp/syspipeor*.debug|/var/tmp/syspipe3.Restart the syslog daemon in one of the following methods:Enter the following commands:/etc/init.d/syslogd stop/etc/init.d/syslogd startorExecute the following command to send a configuration restart signal:On RedHat Linux:service syslog restartOn Solaris:kill-HUP`cat/var/run/syslog.pid´For Syslog File:1.Create a file or use the default file into which log messages must be written.2.Modify the/etc/rsyslog.conf fileThe syslog daemon is forced to reload the configuration and start writing to the pipe.3.Restart the syslog daemon in one of the following methods:a.Restart the syslog daemon in one of the following methods:Enter the following commands:/etc/init.d/syslogd stop/etc/init.d/syslogd startorExecute the following command to send a configuration restart signal: On RedHat Linux:service syslog restartOn Solaris:kill-HUP`cat/var/run/syslog.pid´Installing the SmartConnectorThe following sections provide instructions for installing and configuring your selected SmartConnector.Preparing to Install ConnectorBefore you install any SmartConnectors,make sure that the OpenText ArcSight products with which the connectors will communicate have already been installed correctly(such as ArcSight ESM or ArcSight Logger).For complete product information,refer to the Administrator's Guide to ArcSight Platform,available on ArcSight Documentation.If you are adding a connector to the ArcSight Management Center,see the ArcSight Management Center Administrator's Guide available on ArcSight Documentation for instructions.Start the installation procedure from step3.Before installing the SmartConnector,make sure that the following are available:l Local access to the machine where the SmartConnector is to be installedl Administrator passwordsInstalling and Configuring the SmartConnector by Using the WizardThe installation steps described in this section are specific to the Citrix NetScaler Syslog Connector.For detailed installation steps or for manual installation steps,see SmartConnector Installation and User Guide.To install and configure the Citrix NetScaler Syslog Connector:1.Start the installation wizard.2.Follow the instructions in the wizard to install the core software.3.Specify the relevant Global Parameters,when prompted.4.Do one of the following depending on your requirement:l Select Syslog Daemon from the Type drop-down:a.Click Next,the specify the following paramenters:b.Click Next.l Select Syslog File from the Type drop-down:a.Click Next,the specify the following paramenters:b.Click Next.5.Select a destination and configure parameters.6.Specify a name for the connector.7.(Conditional)If you have selected ArcSight Manager as the destination,thecertificate import window for the ArcSight Manager is displayed.Select Import the certificate to the connector from destination,and then click Next.The certificate is imported and the Add connector Summary window is displayed.Note:If you select Do not import the certificate to connector from destination,theconnector installation will end.8.Select whether you want to install the connector as a service or in the standalonemode.plete the installation.10.Run the SmartConnector.For instructions about upgrading the connector or modifying parameters,seeInstallation and User Guide for SmartConnector.Device Event Mapping to ArcSight Fields The following section lists the mappings of ArcSight data fields to the device's specific event definitions.See the ArcSight Console User's Guide for more information about the ArcSight data fields.Note:If you use MySQL JDBC driver5.1.38,then the connector does not receive events.Therefore,use MySQL JDBC driver version5.0.8.Citrix NetScaler Mappings to ArcSight FieldsSend Documentation FeedbackIf you have comments about this document,you can contact the documentation team by email.If an email client is configured on this computer,click the link above and an email window opens with the following information in the subject line:Feedback on Configuration Guide for Citrix NetScaler Syslog SmartConnector (SmartConnectors8.4.3)Just add your feedback to the email and click send.If no email client is available,copy the information above to a new message in a web mail client,and send your feedback to***************************************.We appreciate your feedback!。