Tuesday, May 19, 2015

SIEM Deployment - HP Arcsight Logger Installation

HP Arcsight Logger product constitutes the log management part of HP's Security Event Management and Log Management product portfolio, ESM being the security event management part.

Before getting this much into SEM and Log Management, they both meant the same thing for me, as most of the products available on the market were trying to do. Architecture-wise, Arcsight managed to distinguish its offerings  for different needs and markets. This issue is the topic of another blog entry however if you are looking for a product which will allow you to store all your logs in a stable way and query specific patterns very quickly then Arcsight Logger is the solution you are looking for.

As of mid-2015, the latest version of HP Arcsight Logger is the 6.0 SP1 version with no known security bugs. Arcsight 6.0 SP1  :
  • Distributes latest version of OpenSSL, 0.9.8zc, which addresses multiple vulnerabilities including CVE-2014-0224.
  • Resolves the Bourne-Again Shell (Bash) Code Injection Vulnerability, including CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.
  • Disables support for SSL v3.0 encryption, to address the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability (CVE-2014-3566).
Version 6.0 SP1 also brings support for doubled local storage size. Each instance of logger now can support up to 8TB of logs before sending logs to archive.

In this article, I tried to resume how you can get your Logger up and running in a short amount of time. This is also the first time for me to include a video which obviously makes the article more interesting.

The installation of Arcsight Logger is a 2 step process, Preparation and Installation itself.

For the preparation you should of course have your server equipped with necessary resources (just like all other Log Management products, Logger also is greedy in resources), Logger software, license,user accounts (root privileges are required for the installation) and ports.
PREPARATION
Server Requirements
OS

  • Red Hat Enterprise Linux (RHEL) versions 6.2 and 6.5 (64-bit),
  • CentOS versions 5.5 and 6.5 (64-bit)

Hardware

For the Trial Logger and VM Instances:
CPU: 1 or 2 x Intel Xeon Quad Core or equivalent
Memory: 4 - 12 GB (12 GB recommended)
Disk Space: 10 GB (minimum) in the Logger installation directory (/opt/...)
Temp directory: 1 GB

For the Enterprise Version of Software Logger:
CPU: 2 x Intel Xeon Quad Core or equivalent
Memory: 12 - 24 GB (24 GB recommended)
Disk Space: 65 GB (minimum) in the Software Logger installation directory. (/opt/...)
Root partition: 400 GB
Temp directory: 1 GB

For performance reasons, it is preferable to use dedicated hardware for Logger rather than using virtual machines. For faster searchs archive connections should be over direct fiber channel rather over NFS.

Logger interface can be reached through all known browsers with recent versions.

Logger can be installed using root and non-root accounts but following points should be taken into consideration:

  • For root installs, allow access to port 443 as well as the ports for any protocol that thelogger receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver.
  • For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver.

INSTALLATION
You can follow instructions given below. The video also follows the same steps.


1. Install Linux Server (Minimal Server with GUI for trial installations). Do not "Easy Install" when using Vmware and manually set partitions

2. Adjust partitions as below as a minimum:

/ 10240 MB
/home 10240 MB
swap 4096  MB (Typically half of your RAM but do not exagerrate)
/opt 70000 MB (Give Minimum 65 GB, more is better)
/tmp 2048  MB

3. Create arcsight user

groupadd arcsight
useradd -c "arcsight_software_owner" -g arcsight -d /home/arcsight -m -s /bin/bash arcsight

4. Copy sources and license to /home/arcsight

5. Set hostname in /etc/hosts

#vim /etc/hosts

192.168.X.Y logger.mycompany.com

6. Make sure system time is correct

7. Create /opt/arcsight with arcsight user
chown arcsight:arcsight /opt/arcsight

8. Disable selinux and iptables for performance (Use Network Firewall instead !!)

Selinux can be an important performance drawback!

#chkconfig iptables off
#chkconfig ip6tables off
# vim cat /etc/sysconfig/selinux

SELINUX=disabled

9. Change release file if not using recommended versions
vim /etc/redhat-release
CentOS release 6.5 (Final)

10. Make OS changes specific to Logger
chmod +x /sbin
chmod +x /sbin/ifconfig
chmod +x /sbin/lspci
chmod +x /usr/sbin

#vim /etc/security/limits.d/90-nproc.conf
* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536

#reboot

11.Install Logger
#cd /home/arcsight

#./ArcSight-logger-6.0.0.7307.1.bin

2 comments:

  1. can logger setup with 1 IP Address on 2 eth port for port redundancy?

    ReplyDelete
  2. The question depends on over what platform you use Logger. I cannot comment on all ready VM images and appliances as my experience is limited to installations over RedHat Enterprise Linux OS.

    Using a port channel configuration however is on OS level and is possible of course. Please refer to your OS config guides for how to configure it.

    ReplyDelete