In the HP ArcSight solution architecture, one of the most value-adding components is the Smart Connector. With the several functions they provide, Smart Connectors really help differentiate HP ArcSight's SIEM solution from others.
So what exactly are ArcSight Smart Connectors? In a three-layered SIEM architecture, ArcSight Smart Connectors constitute the second layer, between the log processing systems (ArcSight Logger or ArcSight ESM) and the source systems generating logs according to defined audit policies.
From a technical SIEM perspective, ArcSight Smart Connectors are Java applications that receive or fetch logs from one defined log source, which can be several devices sending their logs in syslog format over the same protocol and port number (e.g. UDP 514) or an application writing its logs to a flat file. ArcSight Smart Connectors come with a 256 MB minimum memory size, and that memory is adjustable up to 1024 MB by configuring the agent.properties file, among other connector properties to be changed according to your specific needs.
One physical server can host up to 8 connector processes, meaning that you can collect logs from 8 different source groups as long as your server supports that much capacity.
Below you can find details about the basic installation of an HP ArcSight Smart Connector on a CentOS Linux server for collecting syslog messages.
REQUIREMENTS / PREREQUISITES
1. A RHEL or CentOS Linux 6.X server installed.
2. Root or sudo rights for the connector user.
3. Connector binaries downloaded. (Download the correct version for your OS, x86 or x64!)
4. Connector destinations (Logger and/or ESM) installed and working.
5. Define the protocol and port on which you will listen for the incoming logs. Choose port numbers above 1024 if you are installing with a non-root user, as non-root users are not allowed to listen on ports below 1024.
INSTALLATION
1. Create the installation directory under the /opt path. In this example it is /opt/arcsight/connectors.
2. Create a receiver on the Logger for the connector to connect to.
3. Run the connector binary you previously downloaded (from the /home/arcsight directory in my installation).
# ./ArcSight-7.1.1.7348.0-Connector-Linux64.bin -i console
4. Install the connector to run standalone or as a service.
INSTALLATION_PATH/current/bin/arcsight connectors → run standalone
INSTALLATION_PATH/current/bin/arcsight agentsvc -i -u arcsight -sn syslog_unix → run as a service with the arcsight user, with the service name arc_syslog_unix
5. Check events on the Logger.
6. Set agent.properties parameters (optional).
7. Set agent.wrapper.conf parameters (optional).
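A pre-flight script for the procedure above, added here as an example that is not part of the original post or of the ArcSight product: it checks the listener port against the non-root rule from prerequisite 5, checks the 8-connectors-per-host limit, and sends one constructed syslog event so that step 5 (checking events on the Logger) has something to find. The connector home, the UDP listener, the nc fallback and the local0/info facility and severity are assumptions.

```shell
#!/bin/sh
# Added pre-flight helper for a syslog SmartConnector install (example code, not ArcSight's).
# Assumptions: connector home /opt/arcsight/connectors as in the post, a UDP listener,
# and the post's limit of 8 connector processes per host.
CONNECTOR_HOME=/opt/arcsight/connectors
MAX_CONNECTORS=8

# Non-root installs cannot bind ports below 1024: reject that combination before installing.
# Usage: port_allowed <port> <uid>; returns 0 when the port is usable by that uid.
port_allowed() {
  port=$1 uid=$2
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  [ "$uid" -eq 0 ] || [ "$port" -ge 1024 ]
}

# A host should run fewer than MAX_CONNECTORS connectors before another one is added.
capacity_ok() {
  [ "$1" -lt "$MAX_CONNECTORS" ]
}

# Count connector JVMs already started from CONNECTOR_HOME (the grep itself is excluded).
count_connectors() {
  ps -eo args 2>/dev/null | grep -F "$CONNECTOR_HOME" | grep -vc grep
}

# Build an RFC 3164 syslog line; PRI = facility*8 + severity (local0=16, info=6 gives <134>).
# Usage: syslog_line <facility> <severity> <timestamp> <host> <tag> <message>
syslog_line() {
  printf '<%d>%s %s %s: %s' "$(($1 * 8 + $2))" "$3" "$4" "$5" "$6"
}

# Send one constructed test event so step 5 (check events on the Logger) has something to find.
send_test_event() {
  line=$(syslog_line 16 6 "$(date '+%b %e %H:%M:%S')" "$(hostname)" arcsight-test "install check")
  if command -v nc >/dev/null 2>&1; then
    printf '%s\n' "$line" | nc -u -w1 "$1" "$2"
  else
    printf '%s\n' "$line" > "/dev/udp/$1/$2"   # bash-only fallback
  fi
}

# Run the checks for the port chosen in prerequisite 5, as the user performing the install.
preflight() {
  port=$1 uid=$(id -u) n=$(count_connectors)
  port_allowed "$port" "$uid" || { echo "port $port is not usable for uid $uid"; return 1; }
  capacity_ok "$n" || { echo "host already runs $n connector(s)"; return 1; }
  echo "ok: port $port usable, $n connector(s) running"
}
```

Source the file, run `preflight 1514` as the install user, and after the connector is started run `send_test_event 127.0.0.1 1514` and look for the event on the Logger receiver.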
Excellent blog, thank you for writing this and putting it up there.
Just what I was looking for! Clear, concise, and right on point.
Excellent blog, really love it!
Great blog!! I'm new to ArcSight and needed it broken down what I had to do.
Hi, I'm trying to install the HPE ArcSight SIEM tool. Can somebody please tell me how to do that?
I have 2 SmartConnectors on 1 server: 1 is syslog_daemon, 1 is snort_multiple_file, but I only receive logs for Snort. Any advice?