Saturday, July 25, 2015

SIEM Deployment – Configuring Peering Between ArcSight Loggers


When deploying your SIEM Solution Infrastructure with HP ArcSight products, you may consider installing more than one Logger systems for several reasons.

Without going too much into detail for these reasons, let’s name the 2 major ones, first reaching the computation levels on your system (RAM, CPU or 15000 EPS level indicated in HP ArcSight documents) and second providing redundancy, installing an ArcSight Logger appliance for each datacenter for not consuming too much bandwidth to send logs.

Whatever the reason for using several ArcSight Loggers, the problem of lookup in several databases appears.

The solution for this problem is establishing peering between your Logger appliances. Once peering is established, the pattern you are searching for is executed on all peer Loggers and the result is shown on the Logger you initiated the search.

Below you can find the details on peer configuration between two Loggers.

For peering 2 or more loggers should first authenticate each other. For authentication, 2 methods exist:

  • Authentication with a logger user credentials
  • Authentication with Peer Authorization ID and Code

In this article, we will follow the second method to prevent any problems that may be caused by the user credentials in the first method.

Let's assume, we will initiate the peering on Logger1. To be able to realize it, we should first log in to the Logger2 and generate the Authorization ID and Code for Logger 2.





Once the first step is done, generated values must be entered on Logger1. After successfully saving the configuration Logger Peering is done and logs can be queried through either of the loggers.

UPDATE 29/07/2015: There is something odd about peering config for Loggers. "Add Peer Logger"
option must be configured on both loggers and it is not enough so see one line of peer Logger under Peer Loggers menu. Authorization ID and Code generated on Logger2 for Logger1 must be entered on Logger1 and vice versa. At the end of successfull configuration, you should see 2 identical lines for each Logger you established peering relation under Peer Loggers menu.




6 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. Im trying to install HPE Arcsight SIEM tool, can somebody help me out with that?

    ReplyDelete
  3. Hello, What kind of help are you expecting? Have you already watched the videos ??

    Reach out to me using my linkedin profile, I'd be glad to help.

    ReplyDelete
  4. How many Peered connections can a logger have ?

    ReplyDelete
  5. Hello,
    The infrastructure for Arcsight has greatly changed since my article and the my suggested solution did as well. The best way these days would be using an Event Broker and sending logs to a system like Investigate as Logger performance degraded over time.

    Do not hesitate to reach out to me to discuss more.

    ReplyDelete