When deploying your SIEM infrastructure with HP ArcSight products, you may consider installing more than one Logger system for several reasons. Without going into too much detail, let's name the two major ones: first, reaching the capacity limits of your system (RAM, CPU or the 15000 EPS level indicated in HP ArcSight documents), and second, providing redundancy, for example by installing an ArcSight Logger appliance in each datacenter so that sending logs does not consume too much bandwidth.

Whatever the reason for using several ArcSight Loggers, the problem of looking up events across several databases appears.

The solution to this problem is establishing peering between your Logger appliances. Once peering is established, the pattern you are searching for is executed on all peer Loggers and the result is shown on the Logger from which you initiated the search.
For peering, two or more Loggers should first authenticate each other. For authentication, two methods exist:
- Authentication with a Logger user's credentials
- Authentication with Peer Authorization ID and Code
In this article, we will follow the second method to prevent any problems that may be caused by the user credentials in the first method.
Let's assume we will initiate the peering on Logger1. To do so, we should first log in to Logger2 and generate the Authorization ID and Code for Logger2.
Once the first step is done, the generated values must be entered on Logger1. After successfully saving the configuration, Logger peering is done and logs can be queried through either of the Loggers.
UPDATE 29/07/2015: There is something odd about the peering configuration for Loggers. The "Add Peer Logger" option must be configured on both Loggers; it is not enough to see one line for the peer Logger under the Peer Loggers menu. The Authorization ID and Code generated on Logger2 for Logger1 must be entered on Logger1 and vice versa. At the end of a successful configuration, you should see two identical lines for each Logger you established a peering relation with under the Peer Loggers menu.
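Because the peering relation is only complete when both Loggers list each other, it is easy to end up with a one-way entry that silently leaves part of your data out of distributed searches. The following script is an added example (not part of the original post and not an ArcSight tool): it takes the "Peer Loggers" list of each Logger, transcribed or exported into a dictionary, and reports every one-way relation together with the step still to be done. The hostnames and peer tables are constructed sample data.

```python
"""Check that ArcSight Logger peering is configured in both directions.

Added example, not part of the original post or of ArcSight's own tooling.
Assumes the "Peer Loggers" list of every Logger has been transcribed into
a dict: hostname -> set of peer hostnames that Logger lists.
"""
from typing import Dict, List, Set, Tuple, FrozenSet

# Constructed sample: Logger1 lists Logger2 and Logger3, Logger2 lists Logger1,
# Logger3 lists nobody. Logger1 <-> Logger3 is therefore only half configured.
PEER_TABLES: Dict[str, Set[str]] = {
    "logger1.example.local": {"logger2.example.local", "logger3.example.local"},
    "logger2.example.local": {"logger1.example.local"},
    "logger3.example.local": set(),
}


def find_one_way_peers(tables: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (a, b) pairs where a lists b as a peer but b does not list a."""
    problems = []
    for logger, peers in tables.items():
        for peer in sorted(peers):
            if logger not in tables.get(peer, set()):
                problems.append((logger, peer))
    return sorted(problems)


def complete_pairs(tables: Dict[str, Set[str]]) -> Set[FrozenSet[str]]:
    """Return the unordered pairs that are configured on both Loggers."""
    done: Set[FrozenSet[str]] = set()
    for logger, peers in tables.items():
        for peer in peers:
            if logger in tables.get(peer, set()):
                done.add(frozenset((logger, peer)))
    return done


def unknown_peers(tables: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (a, b) pairs where a lists a peer b that is not in the inventory.

    Usually a typo in the hostname or a decommissioned appliance; either way
    that peer will never answer a distributed search.
    """
    return sorted(
        (logger, peer)
        for logger, peers in tables.items()
        for peer in peers
        if peer not in tables
    )


def report(tables: Dict[str, Set[str]]) -> List[str]:
    """Produce one human-readable line per finding.

    For a one-way entry a -> b the missing step follows the procedure in the
    post: generate the Authorization ID and Code on a (the Logger that is
    already configured) and enter them on b via "Add Peer Logger".
    """
    lines: List[str] = []
    for a, b in unknown_peers(tables):
        lines.append(f"UNKNOWN: {a} lists {b}, which is not in the inventory")
    for a, b in find_one_way_peers(tables):
        if b in tables:
            lines.append(
                f"INCOMPLETE: {a} lists {b} but {b} does not list {a}; "
                f"generate an Authorization ID and Code on {a} and add it on {b}"
            )
    for pair in sorted(complete_pairs(tables), key=sorted):
        lines.append("OK: " + " <-> ".join(sorted(pair)))
    return lines


if __name__ == "__main__":
    for line in report(PEER_TABLES):
        print(line)
```

Run the script after finishing the "Add Peer Logger" steps on every appliance; an empty INCOMPLETE/UNKNOWN set and one OK line per intended relation is what the two identical lines under Peer Loggers should correspond to.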
I'm trying to install the HPE ArcSight SIEM tool, can somebody help me out with that?

Hello, what kind of help are you expecting? Have you already watched the videos?

Reach out to me using my LinkedIn profile, I'd be glad to help.
Thank you

How many peered connections can a Logger have?

Hello,
The infrastructure for ArcSight has greatly changed since my article and my suggested solution did as well. The best way these days would be using an Event Broker and sending logs to a system like Investigate, as Logger performance degraded over time.
Do not hesitate to reach out to me to discuss more.