SIEM system administrators mostly come from the Linux world and prefer using a Linux OS for HP ArcSight component installations. I also agree with that decision, as the performance and security they provide are superior compared to Windows Servers. However, there are some situations where you have to use Windows Servers for SmartConnector installations, such as when you want to use WinRM for Windows log collection. Your company may be lacking experienced Linux admins, and that could be a second reason to use Windows-based SmartConnectors. Last but not least, as you can see from the installation video, it is much easier to install Windows-based SmartConnectors than Linux-based ones.
Below, you can find details about the basic installation of an HP ArcSight SmartConnector on a Windows Server for collecting log messages.
REQUIREMENTS / PREREQUISITES
- A Windows 2008 Server installed.
- A user with sufficient rights to install the software.
- A user added to the "Event Log Readers" group to read the logs on the server. (OPTIONAL)
- Connector binaries downloaded. (Download the correct version for your OS, x86 or x64!)
- Connector destinations (ArcSight Logger and/or ArcSight ESM) installed and working.
- Create a receiver on the Logger for the connector to connect to.
- Create a subscription in Event Viewer to get the logs.
- Check the configuration of the log-receiving folders and increase their size.
- Define the protocol and port on which you will listen for the incoming logs.
- Firewall permissions given for incoming log collection.
INSTALLATION
- Create installation directory preferably under your second partition E:\SmartConnectors\Microsoft.
- Run the setup file.
- Install the connector to run standalone or as a service.
- Start the connector service from services.msc.
- Check events on the logger.
- Set agent.properties parameters. (OPTIONAL)
- Set agent.wrapper.conf parameters. (OPTIONAL)
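As an added pre-flight check (not part of the original post or of ArcSight itself), the PowerShell script below verifies the prerequisites and installation steps listed above on the collector server: "Event Log Readers" membership, WinRM, the Event Viewer subscription, Security log size, the inbound firewall rule, and the connector service. The connector service name, listener port and subscription name are placeholders, not values from the post, so adjust them to your installation.

```powershell
# Added pre-flight check for the SmartConnector prerequisites listed in the post.
# The three defaults below are placeholders (assumptions), not values from the post.
param(
    [string]$ConnectorServiceName = 'ArcSightConnector_PLACEHOLDER',  # placeholder, set to your service name
    [int]$ListenPort = 514,                                            # placeholder listener port
    [string]$SubscriptionName = 'ArcSightForwarding_PLACEHOLDER',     # placeholder Event Viewer subscription
    [long]$MinSecurityLogBytes = 512MB
)
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

# 1. Is the current user a member of "Event Log Readers"? (net localgroup also works on Server 2008)
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$userOnly = $me.Split('\')[-1]
$members  = @(net localgroup "Event Log Readers" 2>$null)
$inGroup  = @($members | Where-Object { $_ -match [regex]::Escape($userOnly) }).Count -gt 0
Add-Check 'EventLogReaders' $inGroup "current user: $me"

# 2. WinRM answers locally (needed when the connector collects Windows logs over WinRM)
$winrmOk = $null -ne (Test-WSMan -ErrorAction SilentlyContinue)
Add-Check 'WinRM' $winrmOk 'Test-WSMan on localhost'

# 3. Windows Event Collector service running and the subscription present
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
Add-Check 'Wecsvc' ($null -ne $wec -and $wec.Status -eq 'Running') "status: $($wec.Status)"
$subs = @(wecutil es 2>$null)
Add-Check 'Subscription' ($subs -contains $SubscriptionName) "looking for '$SubscriptionName'"

# 4. Security log large enough that events are not overwritten before the connector reads them
$sec = Get-WinEvent -ListLog Security
Add-Check 'SecurityLogSize' ($sec.MaximumSizeInBytes -ge $MinSecurityLogBytes) "max size: $($sec.MaximumSizeInBytes) bytes"

# 5. An inbound firewall rule names the listener port (netsh exists on 2008; Get-NetFirewallRule is 2012+)
$fwRules = netsh advfirewall firewall show rule name=all dir=in
$fwHit   = $fwRules | Select-String -Pattern "LocalPort:\s+$ListenPort\b"
Add-Check 'FirewallRule' ($null -ne $fwHit) "inbound rule for port $ListenPort"

# 6. Connector service installed and running (after the INSTALLATION steps)
$svc = Get-Service -Name $ConnectorServiceName -ErrorAction SilentlyContinue
Add-Check 'ConnectorService' ($null -ne $svc -and $svc.Status -eq 'Running') "service: $ConnectorServiceName"

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Run it from an elevated PowerShell prompt on the collector; a non-zero exit code means at least one prerequisite is still missing.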
Very descriptive blog, I loved that bit.
Will there be a part 2?