Saturday, July 11, 2015

SIEM Deployment - Installing HP Arcsight SmartConnector on Windows Servers

SIEM system administrators mostly come from the Linux world and prefer Linux for HP ArcSight component installations. I agree with that choice, as the performance and security a hardened Linux host provides are superior compared with a Windows Server.

However, there are some situations where you have to use Windows Servers for SmartConnector installations, for example when you want to use WinRM (Windows Remote Management) for Windows log collection. Your company may also lack experienced Linux admins, which is a second reason to use Windows-based SmartConnectors. Last but not least, as you can see from the installation video, it is much easier to install a Windows-based SmartConnector than a Linux-based one.


Below, you can find details about the basic installation of an HP ArcSight SmartConnector on a Windows Server for collecting log messages.

REQUIREMENTS / PREREQUISITES
  1. Windows Server 2008 installed.
  2. A user with sufficient rights to install the software.
  3. A user added to the "Event Log Readers" group to read the logs on the server. (OPTIONAL: only needed when the connector's service account is not a local administrator; membership in this group is what grants a non-admin account read access to the Security log.)
  4. Connector binaries downloaded. (Download the correct version for your OS, x86 or x64!)
  5. Connector destinations (ArcSight Logger and/or ArcSight ESM) installed and working.
  6. A receiver created on the Logger for the connector to send events to.
  7. A subscription created in Event Viewer (Windows Event Forwarding) so that the logs to be collected arrive on this server.
  8. The size of the event logs that receive forwarded events (for example Forwarded Events) checked and increased, so events are not overwritten before the connector reads them.
  9. The protocol and port on which the connector will listen for incoming logs defined.
  10. Firewall permissions granted for incoming log collection (only the listener port, and ideally only from the log sources).
INSTALLATION
  1. Create the installation directory, preferably on your second partition, e.g. E:\SmartConnectors\Microsoft.
  2. Run the setup file.
  3. Install the connector to run standalone or as a service (a service is the normal choice for a production collector).
  4. Start the connector service from services.msc.
  5. Check that events arrive on the Logger.
  6. Set agent.properties parameters. (OPTIONAL)
  7. Set agent.wrapper.conf parameters. (OPTIONAL)
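The host-preparation prerequisites (3, 7, 8, 9 and 10) and the post-install checks (installation steps 4 and 5) are the parts of the procedure that can be scripted. The following is an added example, not code from the original post or from HP ArcSight, showing how to do them from an elevated PowerShell prompt on the collector server; the installer itself (steps 1 to 3) stays an interactive run of the setup file. The service account name, the subscription name, the syslog port, the source subnet and the connector's Windows service name are assumptions for illustration and must be replaced with your own values.

```powershell
# Added example (not from the original post): prepare a Windows Server host for an
# ArcSight SmartConnector and verify the install. Run from an elevated PowerShell.
# Assumed values (not from the page): service account, subscription name, syslog
# port/protocol, source subnet and connector service name. Adjust to your site.
$ServiceAccount       = 'DOMAIN\svc_arcsight'          # assumed account name
$SubscriptionName     = 'ArcSight-Security'            # assumed subscription name
$SyslogPort           = 514                            # assumed listener port
$SyslogProto          = 'UDP'                          # assumed listener protocol
$SourceSubnet         = '10.10.0.0/16'                 # assumed subnet of the log sources
$ConnectorService     = 'arc_winlog'                   # assumed Windows service name
$ForwardedLogMaxBytes = 1GB                            # raise from the 20 MB default

function Assert-Admin {
    # Everything below changes machine-wide state, so fail early if not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell session.'
    }
}
Assert-Admin

# Prerequisite 3: let a non-administrator service account read the event logs
# (including Security) instead of running the connector as an admin.
# 'net localgroup' works on Server 2008; on 2016+ Add-LocalGroupMember also works.
net localgroup "Event Log Readers" $ServiceAccount /add

# Prerequisite 7: enable WinRM and the Windows Event Collector service, then create
# a source-initiated subscription that writes Security events to Forwarded Events.
# Source hosts still need the SubscriptionManager GPO pointing at this collector.
winrm quickconfig -q
wecutil qc /q

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log forwarding for the ArcSight SmartConnector</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath
wecutil gr $SubscriptionName      # runtime status: which sources are active

# Prerequisite 8: Forwarded Events defaults to 20 MB; size it for the expected
# volume so events are not overwritten before the connector has read them.
wevtutil sl ForwardedEvents "/ms:$ForwardedLogMaxBytes"
wevtutil gl ForwardedEvents | Select-String 'maxSize'

# Prerequisites 9-10: open only the connector's listener port, and only from the
# subnet the log sources live on (least privilege on the firewall rule).
$ruleName = "ArcSight-syslog-$SyslogProto-$SyslogPort"
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow protocol=$SyslogProto localport=$SyslogPort remoteip=$SourceSubnet

# Installation step 4: start the connector service and confirm the listener is up.
Start-Service -Name $ConnectorService
Get-Service -Name $ConnectorService | Format-Table Name, Status
netstat -ano | Select-String ":$SyslogPort\s"

# Installation step 5: a quick local check that forwarded events are arriving,
# before confirming on the Logger that the receiver shows them.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 | Format-Table TimeCreated, Id, MachineName
```

Two caveats worth keeping in mind. The SDDL in AllowedSourceDomainComputers admits any domain computer; tighten it to a group of the hosts you actually expect to forward. And on each source host the NETWORK SERVICE account must itself be in Event Log Readers, otherwise the forwarder cannot read the Security log and `wecutil gr` will show the source as inactive.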

1 comment:

  1. Very descriptive blog, I loved that bit.
    Will there be a part 2?