
SmartConnector™ Users Guide
Topics Applicable to All ArcSight™ SmartConnectors

February 13, 2009


Copyright 2003-2009 ArcSight, Inc. All rights reserved.
ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight
Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger,
FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other
brands, products and company names used herein may be trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements:
http://www.arcsight.com/company/copyright/
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is ArcSight Confidential.

Revision History

Date        Description
02/13/2009  Added Overview of SmartConnector Types section.
11/17/2008  Added AUP and Connector Appliance sections. Updated for latest changes
            within ESM. SmartConnector build #5177.
08/13/2008  Added CSV Import/export feature, and notation on using multiple connectors
            within a single JVM.
07/01/2008  Update to SmartConnector installation procedure and updates to NSP
            information.
02/14/2008  Update to SmartConnector installation procedure, and to syslog connector
            installation parameters in "Using SmartConnectors with NCM."
12/18/2007  Two new parameters for the HTTP (ESM) destination type have been added to
            allow non-ESM destinations to use the automatic updates (AUPs) pushed by
            an ESM Manager. See revised installation chapter. Some organizational
            changes for usability.
09/20/2007  Added Using SmartConnectors with NCM.
06/26/2007  Updated to comply with v4.0 ESM updates.
09/30/2006  First edition of this users guide. The former SmartConnector Installation
            Guide has been revised and updated to become part of this new book.

Document template version: 1.0.2.4

ArcSight Customer Support

Phone:            1-866-535-3285 (North America)
                  +44 (0)870 141 7487 (EMEA)
E-mail:           support@arcsight.com
Support Web Site: https://support.arcsight.com
Customer Forum:   https://forum.arcsight.com

Contents
About This Book ..................................................................................................................................... vii
Who Should Read this Book .............................................................................................vii
Related Documentation .................................................................................................. viii
ArcSight Customer Support ............................................................................................ viii
Chapter 1: Introduction to ArcSight Components ................................................................ 1
ArcSight Components ...................................................................................................... 2
ArcSight ESM ............................................................................................................ 2
SmartConnectors ................................................................................................ 3
Supported Data Sources ...................................................................................... 3
FlexConnectors ................................................................................................... 4
ESM Manager ..................................................................................................... 4
ESM Database .................................................................................................... 4
ESM Console ...................................................................................................... 4
ArcSight Web ..................................................................................................... 5
ArcSight NSP ............................................................................................................ 5
ArcSight Logger ........................................................................................................ 5
Connector Appliance .................................................................................................. 5
Event Severity ................................................................................................................ 6
Filter and Aggregate Events .............................................................................................. 6
Configurable Attributes .................................................................................................... 7
Chapter 2: SmartConnector Overview ................................................................................. 9
Understanding ArcSight SmartConnectors ........................................................................... 9
Features ...................................................................................................................... 10
Data Collection Methods ................................................................................................. 12
ArcSight Database Mapping to Vendor Events ................................................................... 12
Chapter 3: Planning for Deployment ................................................................................. 13
Overview ..................................................................................................................... 13
Supported Platforms ...................................................................................................... 14
Deployment Scenarios ................................................................................................... 14
Deployment Scenario One ........................................................................................ 15
Deployment Scenario Two ........................................................................................ 16
Deployment Scenario Three ...................................................................................... 16
Estimating Storage Requirements .................................................................................... 17
Understanding ArcSight Turbo Modes ............................................................................... 17
Chapter 4: Installing and Configuring SmartConnectors ................................................... 19
Installing ArcSight ESM .................................................................................................. 19
Installing the SmartConnector ........................................................................................ 20
Using Table Parameters ........................................................................................... 29
Manually Entering Parameter Values .................................................................... 30
Importing and Exporting CSV Files ...................................................................... 30
Installing SmartConnectors from the Command Line .................................................... 31
Installing SmartConnectors in Silent Mode .................................................................. 31
Remotely Upgrading SmartConnectors ............................................................................ 34
Overview of the Upgrade Process .............................................................................. 34
Rolling Back to a Previous Version ............................................................................. 35
Troubleshooting ............................................................................................................ 35
Uninstalling a SmartConnector ........................................................................................ 35
Modifying SmartConnector Parameters after Installation ..................................................... 36
Running SmartConnectors .............................................................................................. 36
Standalone ............................................................................................................ 36
As a Windows Service .............................................................................................. 37
As a UNIX Daemon .................................................................................................. 37
Chapter 5: Using SmartConnectors with Connector Appliance .......................................... 39
Using SmartConnectors on the Connector Appliance ........................................................... 41
Local (on-board) SmartConnectors ............................................................................ 41
Remote Connector Appliance SmartConnectors ........................................................... 42
Software-Based SmartConnectors ............................................................................. 42
Supported SmartConnectors ..................................................................................... 42
Choosing an Event Destination ........................................................................................ 42
Manager ................................................................................................................ 42
Logger ................................................................................................................... 42
CEF Syslog ............................................................................................................. 42
Failover Destination ................................................................................................. 43
Alternate Configurations .......................................................................................... 43
Choosing a Deployment Scenario .................................................................................... 43
ArcSight Logger ...................................................................................................... 43
ArcSight ESM ......................................................................................................... 43
ESM and Logger ...................................................................................................... 43
Chapter 6: Using SmartConnectors with ArcSight Logger ...................................................... 45
Sending Events from Logger to an ArcSight ESM Manager ................................................... 45
Logger and SmartMessage ....................................................................................... 45
Sending Events to Logger ............................................................................................... 46
Sending Events to Both Logger and an ESM Manager ......................................................... 48
Sending Events from ArcSight ESM to Logger .................................................................... 50
Configuring the Forwarding Connector to Send Events to Logger ................................... 50
Defining SmartConnector Settings in Logger ..................................................................... 52
Chapter 6: Using SmartConnectors with NSP .................................................................... 57
Deploying a Syslog SmartConnector with NCM/TRM ........................................................... 58
Configuring the Syslog SmartConnectors .......................................................................... 59
The Syslog Daemon SmartConnector ......................................................................... 60
The Syslog Pipe and File SmartConnectors .................................................................. 60
Configuring the Syslog Pipe or File SmartConnector ............................................... 60
Installing the SmartConnector ......................................................................................... 61
Chapter 7: Configuring SmartConnectors through the Console ......................................... 65
Overview ..................................................................................................................... 65
Obtaining SmartConnector Status .................................................................................... 66
Selecting and Setting SmartConnector Parameters ............................................................ 66
Connector Editor Option Tabs ................................................................................... 67
Configuration Fields ................................................................................................. 67
Default Content Tab Configuration Fields .................................................................... 69
SmartConnector Processing Categories ...................................................................... 81
Using Filters in the SmartConnector Configuration Wizard ................................................... 83
SmartConnector Time Interval Options ............................................................................. 85
Managing SmartConnector Filter Conditions ................................................................ 85
Setting Special Severity Levels ........................................................................................ 86
Sending Control Commands to SmartConnectors ............................................................... 87
Disabling Event Compression .......................................................................................... 89
Managing SmartConnector Groups ............................................................................ 90
Creating a SmartConnector Group ....................................................................... 90
Renaming a SmartConnector Group ..................................................................... 90
Editing a SmartConnector Group ......................................................................... 91
Moving or Linking a SmartConnector Group ......................................................... 91
Deleting a SmartConnector Group ....................................................................... 91
Chapter 8: Configuring Multiple Destinations .................................................................... 93
Additional Destinations .................................................................................................. 93
Failover Destinations ..................................................................................................... 93
Configuring Multiple Destinations ..................................................................................... 94
Adding a Failover Destination .......................................................................................... 96
Re-Registering a SmartConnector .................................................................................... 98
Chapter 9: Overview of SmartConnector Types ............................................................... 101
File Connectors ............................................................................................................101
Database Connectors ....................................................................................................103
Scanner Connectors .....................................................................................................105
API Connectors ............................................................................................................105
SNMP Connectors .........................................................................................................106
Microsoft Windows Event Log Connectors ........................................................................107
Syslog Connectors ........................................................................................................108
Flex Connectors ...........................................................................................................109
Other Connectors .........................................................................................................110
Appendix A: Payload Support .......................................................................................... 111
Introduction ................................................................................................................111
Working with Payload Data ............................................................................................111
Appendix B: Capturing Events from SmartConnectors ..................................................... 113
Summary ....................................................................................................................113
Installation ..................................................................................................................113
Event Data Rotation .....................................................................................................114
Appendix C: ArcSight Update Packs (AUP) ...................................................................... 115
Defining an AUP ...........................................................................................................115
ArcSight Content AUPs .................................................................................................115
ArcSight ESM ..................................................................................................116
ESM/Logger ....................................................................................................116
Logger ...........................................................................................................116
Connector Appliance .........................................................................................116
ArcSight Connector Upgrade AUP ...................................................................................116
ArcSight ESM ........................................................................................................116
Connector Appliance ...............................................................................................117
ESM Generated AUPs ....................................................................................................118
User Categorization Updates ....................................................................................118
System Zones Updates ...........................................................................................118
User Zones Updates ...............................................................................................118
Appendix D: SmartConnector Frequently Asked Questions .................................................. 119
About This Book


ArcSight Enterprise Security Management (ESM) is a comprehensive software solution that
combines traditional security event monitoring with network intelligence, context
correlation, anomaly detection, historical analysis tools, and automated remediation.
ArcSight ESM is a multi-level solution that provides powerful tools for business users,
system administrators, and network security specialists.
The following topics are discussed in this chapter:

- Who Should Read this Book on page vii
- Related Documentation on page viii
- ArcSight Customer Support on page viii

Who Should Read this Book


This book contains information that applies to all SmartConnectors, including installation,
deployment, and management of SmartConnectors. Information about installing and
configuring individual SmartConnectors is provided in the ArcSight SmartConnector
Configuration Guides.
The audience for this book is primarily security administrators who install SmartConnectors
and ensure their connectivity to ArcSight ESM. This can include administrators for:

- Networks
- Security
- Systems
- Databases

If this is the first time you are installing an ArcSight component, ArcSight recommends that
you first read the latest ArcSight ESM Administrators Guide.


Related Documentation

ArcSight makes available the following ESM and SmartConnector product documentation.
Many of these documents are available for download from the ArcSight ESM Console by
choosing the menu option Help > Browse Documentation. The latest and most
complete set of documentation is always offered on the ArcSight Customer Support site
(https://support.arcsight.com) through the Product Documentation link in the Knowledge
Center section.

Document Title: Description

Release Notes, ArcSight SmartConnectors
    Describes new product features, latest updates, known product issues and
    work-arounds, and technical support information.

ArcSight ESM Installation and Configuration Guide
    Explains how to install and configure ArcSight Enterprise Security Management
    (ESM) components and tools including the ArcSight Database, Manager, Console,
    and Web applications. Also provides general information about how to plan for,
    install, and deploy ArcSight SmartConnectors.

ArcSight ESM Administrator's Guide
    Describes how to configure ArcSight and its network interfaces, and maintain
    ArcSight for ongoing operations.

ArcSight ESM Reviewers Guide
    Introduces major new features in the current version of ArcSight ESM, including
    task walk-throughs and usage guidance. The same information is highlighted in
    the What's New Console Help topics.

ArcSight ESM Users Guide
    Describes how to use the ArcSight Console. These are printable versions of the
    online Help topics and glossary.

ArcSight ESM Reference Guide
ArcSight ESM Web Users Guide
    Provides user and reference information from the ArcSight Web online Help
    system.

ArcSight SmartConnector Configuration Guides
    Provides vendor-specific instructions for how to install individual
    SmartConnectors and configure their associated devices.

ArcSight FlexConnector Configuration Guide
    Describes how to design, create, and install custom SmartConnectors.

ArcSight Customer Support

You can obtain a log-in user name and password from your ArcSight Customer Support
representative. You can reach ArcSight Customer Support through the following resources:

Resource: Description

Support website
    https://support.arcsight.com, which provides access to ArcSight incident
    reporting, knowledge base, software downloads, help, and the new Customer Forum.

Customer Forum
    https://forum.arcsight.com, which offers a place for customers to share ArcSight
    tips and tricks.

Chapter 1

Introduction to ArcSight Components


ArcSight ESM collects, normalizes, aggregates, and filters millions of events from
thousands of assets across your network into a manageable stream prioritized according to
risk, exposed vulnerabilities, and the criticality of the assets involved.
ESM provides ready-made security solutions you can implement as-is, as well as powerful
tools you can use to build customized solutions.
The following topics are discussed in this chapter:

- ArcSight Components on page 2
- Event Severity on page 6
- Filter and Aggregate Events on page 6
- Configurable Attributes on page 7

As detailed below, prioritized events are correlated, investigated, analyzed, and
remediated using ESM tools, providing you with situational awareness and real-time
incident response.
After collection, prioritized events are run through:

- Correlation. Often, interesting activities are represented by more than one event.
  Correlation is a process that discovers the relationships between events, infers the
  significance of those relationships, prioritizes them, and provides a framework for
  taking action.

- Monitoring. Once events have been processed and correlated to pinpoint the most
  critical or potentially dangerous, ArcSight provides a variety of monitoring tools to
  assist you in investigating and remediating potential threats before they can damage
  your network.

- Workflow. The workflow framework provides a customizable structure of escalation
  levels to ensure that events of interest are escalated to the right people in the right
  timeframe. This lets members of your team investigate immediately to make informed
  decisions and take appropriate and timely action.

- Analysis. When events occur that require investigation, ArcSight provides an array of
  investigative tools that let your team members drill down into an event to discover its
  details and connections, and to perform functions (such as nslookup, ping, portinfo,
  traceroute, WebSearch, and whois).

- Reporting. Briefing others on the status of your network security is vital to all who
  have a stake in the health of your network, including IT and Security Managers,
  executive management, and regulatory auditors. You can use ArcSight's reporting
  tools to manually or automatically create versatile reports on a regular schedule,
  allowing you to focus on narrow topics or report general system status.

ArcSight Components
ArcSight products comprise several separately installable components working together to
process event data from your network. These components connect to your network
through sensors that report to ArcSight SmartConnectors.
SmartConnectors translate device output into a normalized event schema that becomes the
starting point for ArcSight ESM correlation.
The following graphic illustrates ArcSight's basic components. For complete descriptions of
these components, see ESM 101, Concepts for ArcSight ESM v4.0.

[Figure 1-1: ArcSight Components]

- ArcSight SmartConnectors gather and process event data from network devices and
  pass it to the ArcSight ESM Manager to be processed and stored in the database.

- Users interact with ArcSight ESM using the ArcSight ESM Console or ArcSight Web.

- ArcSight NSP uses NCM/TRM software to provide network device inventory,
  configuration settings, and additional analysis features.

- ArcSight Logger is a hardware storage solution optimized for extremely high event
  throughput.

ArcSight ESM
ArcSight ESM consists of several separately installable components that work together to
process event data from your network. These components connect to your network via
sensors that report to ESM SmartConnectors. SmartConnectors translate a multitude of
device output into a normalized ESM schema that becomes the starting point for ESM
correlation capabilities. ArcSight ESM components are described in the following pages.

SmartConnectors
SmartConnectors are the interface between the ArcSight ESM Manager and the network
devices that generate ESM-relevant data on your network.
SmartConnectors collect event data from network devices, then normalize it in two ways.
First, they normalize values (such as severity, priority, and time zone) into a common
format. Then they normalize the data structure into a common schema. SmartConnectors
can filter and aggregate the events to reduce the volume sent to the Manager, which
increases ArcSight's efficiency and reduces event processing time.
In brief, SmartConnectors:

- Parse individual events and normalize them into a common schema (format) for use by
  ArcSight ESM.

- Collect all the data you need from a source device, which eliminates the need to return
  to the device during an investigation or audit.

- Filter out data you know is not needed for analysis, thus saving network bandwidth
  and storage space.

- Aggregate events to reduce the quantity of events sent to the Manager.

- Pass processed events to the Manager.

- Categorize events using a common, human-readable format, saving you time and
  making it easier to use those event categories to build filters, rules, reports, and data
  monitors.

- Depending upon the network device, some SmartConnectors can also instruct the
  device to issue commands to devices. These actions can be executed manually or
  through automated actions from rules and some data monitors.

ArcSight releases new and updated SmartConnectors approximately every six weeks.
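The normalize, filter and aggregate steps listed above, as an added example written for this guide's reader rather than ArcSight's own SmartConnector code: two constructed vendor record formats (a firewall that reports severity words and local-offset timestamps, and an IDS that reports a numeric priority and epoch seconds) are mapped onto one schema, Low-severity events are filtered out, and identical events are collapsed into a single event that carries a count and a time span. The field names, the four-level severity scale, the filter rule and both vendor formats are assumptions of this example.

```python
from datetime import datetime, timezone


def normalize_severity(raw):
    """Map a vendor severity onto the common four-level scale (assumed scale)."""
    if isinstance(raw, int):
        # The constructed IDS format uses a numeric priority from 1 to 10.
        if raw >= 9:
            return "Very-High"
        if raw >= 7:
            return "High"
        if raw >= 4:
            return "Medium"
        return "Low"
    # The constructed firewall format uses severity words.
    words = {"info": "Low", "low": "Low", "warn": "Medium", "medium": "Medium",
             "high": "High", "critical": "Very-High"}
    return words[str(raw).lower()]


def normalize_time(raw):
    """Convert an epoch number or an ISO-8601 timestamp with offset to UTC."""
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    return datetime.fromisoformat(raw).astimezone(timezone.utc)


def normalize(record):
    """Normalize one vendor record into the common schema (field names assumed)."""
    if record["vendor"] == "FwCo":
        return {"deviceVendor": "FwCo", "deviceProduct": record["product"],
                "name": record["msg"], "sourceAddress": record["src"],
                "destinationAddress": record["dst"],
                "agentSeverity": normalize_severity(record["sev"]),
                "endTime": normalize_time(record["ts"])}
    if record["vendor"] == "IdsCo":
        return {"deviceVendor": "IdsCo", "deviceProduct": record["product"],
                "name": record["signature"], "sourceAddress": record["source_ip"],
                "destinationAddress": record["dest_ip"],
                "agentSeverity": normalize_severity(record["priority"]),
                "endTime": normalize_time(record["epoch"])}
    raise ValueError("unknown vendor format: %r" % record.get("vendor"))


def keep(event):
    """Filter rule (assumed): Low-severity events are not needed for analysis."""
    return event["agentSeverity"] != "Low"


def aggregate(events):
    """Collapse events sharing vendor, name, addresses and severity into one
    event with baseCount, startTime and endTime, the way an aggregating
    connector reduces the volume sent to the Manager."""
    groups = {}
    for ev in events:
        key = (ev["deviceVendor"], ev["name"], ev["sourceAddress"],
               ev["destinationAddress"], ev["agentSeverity"])
        if key not in groups:
            groups[key] = dict(ev, baseCount=0, startTime=ev["endTime"])
        g = groups[key]
        g["baseCount"] += 1
        g["startTime"] = min(g["startTime"], ev["endTime"])
        g["endTime"] = max(g["endTime"], ev["endTime"])
    return list(groups.values())


def process(records):
    """The connector's event path: normalize, filter, then aggregate."""
    return aggregate([e for e in map(normalize, records) if keep(e)])


# Constructed sample input: two vendor formats, local offsets and epoch times.
RAW_RECORDS = [
    {"vendor": "FwCo", "product": "EdgeFW", "msg": "Deny TCP", "src": "10.0.0.5",
     "dst": "192.0.2.10", "sev": "high", "ts": "2009-02-13T10:00:00-05:00"},
    {"vendor": "FwCo", "product": "EdgeFW", "msg": "Deny TCP", "src": "10.0.0.5",
     "dst": "192.0.2.10", "sev": "high", "ts": "2009-02-13T10:00:01-05:00"},
    {"vendor": "FwCo", "product": "EdgeFW", "msg": "Session opened", "src": "10.0.0.7",
     "dst": "192.0.2.20", "sev": "info", "ts": "2009-02-13T10:00:02-05:00"},
    {"vendor": "IdsCo", "product": "NetIDS", "signature": "Port scan",
     "source_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "priority": 9,
     "epoch": 1234537200},
]

if __name__ == "__main__":
    for ev in process(RAW_RECORDS):
        print(ev["deviceVendor"], ev["name"], ev["agentSeverity"], ev["baseCount"],
              ev["startTime"].isoformat(), ev["endTime"].isoformat())
```

Running the script shows the two "Deny TCP" records merged into one event with baseCount 2 spanning one second, the Low-severity session event dropped, and both remaining events carrying UTC timestamps even though one source reported in UTC-5 and the other in epoch seconds. Because aggregation keys on the normalized fields, it works across vendors without the vendor-specific logic in `normalize` knowing anything about it.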

Supported Data Sources

ArcSight collects output from network data sources, such as intrusion detection and
prevention systems, vulnerability assessment tools, firewalls, anti-virus and anti-spam
tools, encryption tools, application audit logs, and physical security logs.
SmartConnectors can be installed either directly on devices or separately on dedicated
servers, depending upon the network device reporting to them. The SmartConnector can
be co-hosted on the device if the device is a standard PC and its function is entirely
software-based, such as ISS RealSecure devices, Snort devices, and so on. For embedded
data sources (such as most Cisco devices and Check Point Firewall appliances), co-hosting
on the device is not an option.
During SmartConnector configuration, a SmartConnector is registered to your ArcSight ESM
Manager and configured with characteristics unique to the devices it reports on and the
business needs of your network.
By default, SmartConnectors maintain a heartbeat with the ESM Manager every 10
seconds. The Manager sends any Console commands or configuration updates to the
SmartConnector. The SmartConnector sends new event data to the Manager in batches of
100 events or once every second, whichever comes first. You can configure both the time
interval and the event count.
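The batching rule just described (100 events or one second, whichever comes first) as an added example, not SmartConnector code: a small Python batcher in which both thresholds are configurable, mirroring the defaults above. The clock is injected so the timer path can be exercised without sleeping; the `EventBatcher` class, its parameter names, the `poll` method and the simulated `sent` list are assumptions of this example.

```python
import time


class EventBatcher:
    """Buffer events and flush when either threshold is reached, whichever is
    first. Defaults follow the guide's stated behaviour: 100 events or 1 second.
    `clock` is injected (assumption of this example) so tests can control time."""

    def __init__(self, max_events=100, max_interval=1.0, clock=time.monotonic):
        self.max_events = max_events
        self.max_interval = max_interval
        self.clock = clock
        self.buffer = []
        self.first_at = None   # arrival time of the oldest buffered event
        self.sent = []         # batches handed to the (simulated) Manager

    def _flush(self):
        batch = self.buffer
        self.buffer = []
        self.first_at = None
        if batch:
            self.sent.append(batch)
        return batch

    def add(self, event):
        """Queue one event; return the batch if this event filled it, else None."""
        # An overdue batch goes out before the new event is queued behind it.
        self.poll()
        if self.first_at is None:
            self.first_at = self.clock()
        self.buffer.append(event)
        if len(self.buffer) >= self.max_events:
            return self._flush()
        return None

    def poll(self):
        """Timer path: flush if the oldest event has waited max_interval seconds."""
        if (self.first_at is not None
                and self.clock() - self.first_at >= self.max_interval):
            return self._flush()
        return None


class FakeClock:
    """Deterministic stand-in for time.monotonic (constructed for the example)."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def demo():
    """Exercise both paths: a count-triggered flush, then a time-triggered one.
    Returns (size of count flush, early poll result, size of timed flush,
    number of batches sent)."""
    clock = FakeClock()
    batcher = EventBatcher(clock=clock)
    count_flush = None
    for i in range(100):
        result = batcher.add({"id": i})
        if result is not None:
            count_flush = len(result)          # the 100th event triggers it
    for i in range(100, 105):
        batcher.add({"id": i})                 # five stragglers at t=0
    clock.advance(0.5)
    early = batcher.poll()                     # None: only 0.5 s elapsed
    clock.advance(0.5)
    timed = batcher.poll()                     # 1.0 s elapsed: flush the five
    return count_flush, early, len(timed), len(batcher.sent)


if __name__ == "__main__":
    print(demo())
```

The point of the second threshold is latency: a quiet source that emits only a few events must not wait until it accumulates 100 of them before the Manager sees anything, so the timer flushes a partial batch after one second. Lowering `max_interval` reduces latency at the cost of more, smaller batches; raising `max_events` does the reverse on busy sources.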

ArcSight Confidential

SmartConnector Users Guide 3

1 Introduction to ArcSight Components

FlexConnectors
ArcSight's FlexConnector framework is a software development kit (SDK) that lets you
create a SmartConnector tailored to the devices on your network and their specific event
data. The following ArcSight FlexConnector types are available:

- File
- Regular Expression File
- Time-Based Database
- Key-Value File
- SNMP
- Multiple Database
- ID-Based Database
- Regular Expression Folder File
- XML File
- CounterACT
- Regular Expression Multiple File
- Multi-Folder File
- Syslog

In addition, beta support is currently available for the following FlexConnectors:

- Scanner Database
- Scanner XML Reports
- Scanner Text Reports

For complete information about these FlexConnectors and how to use them, contact your
ArcSight Customer Support representative or see the ArcSight FlexConnector Developer's
Guide.

ESM Manager
As events stream into the system, the ESM Manager writes them to the ArcSight database.
It simultaneously processes the events through the correlation engine, which evaluates
each event against network model and vulnerability information to develop real-time threat
summaries.

ESM Database
As events stream into the ESM Manager from the SmartConnectors, they are written to the
ESM Database with a normalized schema. This lets ESM collect all events generated by the
devices on your network, which you can analyze and refer to at any time.
The ESM Database is based upon Oracle 9i. A typical installation retains active data online
from weeks to months.

ESM Console
The ArcSight ESM Console is a workstation-based interface intended for use by your
full-time security staff in a Security Operations Center (SOC) or similar security-monitoring
environment. The Console is the authoring tool for building ArcSight ESM filters, rules,
reports, Pattern Discovery, dashboards, and data monitors. It also is the interface for
administering users and resources.
The ArcSight ESM Console version should match the ArcSight ESM Manager
version to ensure that resources and schemas match.

ArcSight Web
ArcSight Web is an independent and remotely installable Web server that provides a secure
interface with the ArcSight ESM Manager for browser clients. ArcSight Web is intended for
use as a streamlined interface for customers of Managed Service Security Providers
(MSSPs), SOC operators, and business users who require access to ArcSight ESM to
investigate events from outside the protected network.

ArcSight NSP
ArcSight NSP is an appliance that consists of these two licensed software components:

Network Configuration Manager (NCM)

Threat Response Manager (TRM)

These components build and maintain a detailed understanding of your network's topology,
letting you centrally manage your network infrastructure and rapidly respond to security
incidents.
The NCM/TRM solution lets you:

Locate and quarantine any device connected to the network instantly

Apply protocol filters to curb an intrusion attempt

Block specific IP ranges from communicating or block specific protocols

Disable individual user accounts

Manage configuration changes centrally on a single device or a group of devices

Audit the change control process at a fine granularity

Build wizards that let you delegate routine network administration tasks to
lower-level administrators.

ArcSight Logger
ArcSight Logger is an event data storage appliance optimized for extremely high event
throughput. Logger stores security events onboard in compressed form, but can always
retrieve unmodified events on demand for forensics-quality litigation data.
Logger can be deployed stand-alone to receive events from syslog messages or log files, or
to receive events in Common Event Format from SmartConnectors. Logger can forward
selected events as syslog messages to ESM.
Multiple Loggers work together to support high sustained input rates. Event queries are
distributed across a peer network of Loggers.
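The Common Event Format (CEF) that Logger accepts from SmartConnectors is a single text line: a pipe-delimited header followed by space-separated key=value extensions. The following encoder and parser are an added example written for this guide (not ArcSight's own implementation) showing the escaping that keeps the line unambiguous: in the header, backslash and the pipe delimiter are escaped; in extension values, backslash, the equals sign and line breaks are escaped. The extension keys src, dst, msg and cs1 are standard CEF names; the sample values are constructed here.

```python
import re
from typing import Dict, Tuple

# Constructed sample, not a captured ArcSight event.
SAMPLE_EXTENSION = {
    "src": "10.0.0.5",
    "dst": "192.0.2.10",
    "msg": "user=root failed\nfrom C:\\tools",   # contains '=', a newline and a backslash
    "cs1": "rule|7",                              # '|' needs no escaping in extensions
}

def _escape_header(value: object) -> str:
    # Header fields: escape the backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _escape_extension(value: object) -> str:
    # Extension values: backslash, '=' and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(vendor: object, product: object, version: object, signature_id: object,
           name: object, severity: object, extension: Dict[str, object]) -> str:
    """Build one CEF:0 line. severity is the 0-10 CEF header severity."""
    sev = int(severity)
    if not 0 <= sev <= 10:
        raise ValueError(f"CEF severity must be 0-10, got {severity}")
    header = "|".join(_escape_header(v)
                      for v in (vendor, product, version, signature_id, name, sev))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"

def _split_header(line: str) -> Tuple[list, str]:
    """Return the 7 unescaped header fields and the raw extension remainder."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # escaped character: take it literally
            buf.append(line[i + 1])
            i += 2
        elif c == "|":                            # unescaped delimiter ends a field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return fields, line[i:]

def _unescape_extension(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

# A key starts at the beginning of the extension or after whitespace; keys never
# contain '\', so an escaped '\=' inside a value can never look like a key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Parse a CEF line back into (header dict, extension dict)."""
    fields, raw_ext = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF line")
    header = dict(zip(("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                       "signatureId", "name", "severity"), fields))
    header["cefVersion"] = fields[0][len("CEF:"):]
    starts = list(_KEY_RE.finditer(raw_ext))
    extension: Dict[str, str] = {}
    for m, nxt in zip(starts, starts[1:] + [None]):
        end = nxt.start() if nxt else len(raw_ext)
        extension[m.group(1)] = _unescape_extension(raw_ext[m.end():end])
    return header, extension

if __name__ == "__main__":
    line = to_cef("Acme", "Fire|wall", "1.0", "100", "Login=ok", 7, SAMPLE_EXTENSION)
    print(line)
    print(parse_cef(line))
```

A round trip through to_cef and parse_cef is the check worth running: the product name containing a pipe and the message containing an equals sign, a newline and a backslash all survive unchanged, and a severity outside 0-10 is rejected before a malformed line reaches Logger.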

Connector Appliance
ArcSight Connector Appliance is a hardware solution that incorporates a number of
onboard ArcSight SmartConnectors and a web-based user interface that provides
centralized management for SmartConnectors across a potentially large number of hosts.

The Connector Appliance centralizes SmartConnector management and offers unified
control of SmartConnectors on:

The Connector Appliance itself

Remote Connector Appliances

Software-based SmartConnectors (installed on remote hosts)

ArcSight Connector Appliance includes on-board SmartConnectors that connect event
sources to destinations such as ArcSight Logger and ArcSight ESM.
The Connector Appliance delivers the following features and benefits:

Supports bulk operations across all SmartConnectors and is particularly desirable in
ArcSight ESM deployments with a large number of SmartConnectors, such as a
Managed Security Services Provider (MSSP).

Provides an ArcSight ESM-like SmartConnector management facility in Logger-only
environments.

Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors. The Connector Appliance does not receive events from the
SmartConnectors it manages, and this allows for management of many connectors at
one time. The Connector Appliance does not affect working SmartConnectors unless it
is used to change their configuration. In some cases, the SmartConnector is
commanded to restart.

Event Severity
During the normalization process, the SmartConnector collects data about the level of
danger associated with a particular event, as interpreted by the data source that reported
the event to the SmartConnector. These data points, device severity and
SmartConnector severity, become factors in calculating the event's overall priority.
Device severity captures the language used by the data source to describe its
interpretation of the danger posed by a particular event. For example, if a network IDS
detects a DHCP packet that does not contain enough data to conform to the DHCP format,
the device flags this as a high-priority exploit.
SmartConnector severity is the translation of the device severity into
ArcSight-normalized values. For example, Snort uses a device severity scale of 1-10,
whereas Check Point uses a scale of high, medium, and low. ArcSight normalizes these
values into a single severity scale. The default ArcSight scale is Low, Medium, High, and
Very High.
For example, routine file access and successful authentications by authorized users would
be translated into the ArcSight-normalized values as very low severity, whereas a short
DHCP packet would be translated as very high severity.

Filter and Aggregate Events


During SmartConnector installation and configuration, you can configure the
SmartConnector to use filter conditions to focus the events passed to the ESM Manager
according to specific criteria. For example, you can use filters to sort out events with
certain characteristics, from specific network devices, or generated by vulnerability
scanners. Events that do not meet the SmartConnector filtering criteria are not forwarded
to the ESM Manager.


You can configure the SmartConnector to aggregate (summarize and merge) events that
have the same values in a specified set of fields, either for a specified number of times or
within a specified time limit.
SmartConnector aggregation compiles events with matching values into a single event. The
aggregated event contains only the values the events have in common plus the earliest
start time and latest end time. This reduces the number of individual events the Manager
must evaluate.
For example, suppose the SmartConnector is configured to aggregate events with a certain
Source IP and Port, Destination IP and Port, and Device Action whenever the events occur
10 times in 30 seconds. If ten events with these matching values are received by the
SmartConnector within that timeframe, they are grouped together into a single event with
an aggregated event count of 10.
If the 30-second timeframe expires and the SmartConnector has received only two
matching events, the SmartConnector creates a single aggregated event with an
aggregated event count of two. If 900 matching events were to come in during the 30
seconds, the SmartConnector would create 90 aggregated events, each with an
aggregated event count of 10.
Firewalls are a good candidate for aggregation because of the volume of events with
similar data coming in from multiple devices.
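The filtering and aggregation behaviour described in the two passages above, as an added Python example (not ArcSight's code): the filter is an AND/OR condition tree over normalized fields, and the aggregator groups events on Source IP and Port, Destination IP and Port, and Device Action, releasing one aggregated event after 10 matches or when the 30-second window that opened with the group's first event expires. The aggregated event keeps only the values the merged events have in common, plus the earliest start time, the latest end time and the count. Field names such as sourceAddress, deviceAction and aggregatedEventCount follow ArcSight naming as an assumption, the event timestamps (integer milliseconds) serve as the clock, and all events are constructed inline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]
Condition = Callable[[Event], bool]

# ---- Filtering: AND/OR Boolean conditions over normalized event fields ----
def field_equals(name: str, value: object) -> Condition:
    return lambda e: e.get(name) == value

def all_of(*conds: Condition) -> Condition:   # AND
    return lambda e: all(c(e) for c in conds)

def any_of(*conds: Condition) -> Condition:   # OR
    return lambda e: any(c(e) for c in conds)

def negate(cond: Condition) -> Condition:     # NOT
    return lambda e: not cond(e)

def apply_filter(events: Iterable[Event], keep: Condition) -> List[Event]:
    """Events that fail the condition are dropped and never reach the Manager."""
    return [e for e in events if keep(e)]

# ---- Aggregation: merge events that share the key fields ----
@dataclass
class _Group:
    common: Event   # field values shared by every event merged so far
    start: int      # earliest startTime (ms)
    end: int        # latest endTime (ms)
    count: int
    opened: int     # time the group was opened; the window runs from here

class Aggregator:
    def __init__(self, key_fields: Iterable[str], max_count: int = 10,
                 window_ms: int = 30_000) -> None:
        self.key_fields = tuple(key_fields)
        self.max_count = max_count
        self.window_ms = window_ms
        self._groups: Dict[Tuple, _Group] = {}

    def _release(self, key: Tuple) -> Event:
        g = self._groups.pop(key)
        agg = dict(g.common)   # only the values the merged events have in common
        agg.update(startTime=g.start, endTime=g.end, aggregatedEventCount=g.count)
        return agg

    def expire(self, now_ms: int) -> List[Event]:
        """Release every group whose window elapsed, however few events it holds."""
        due = [k for k, g in self._groups.items() if now_ms - g.opened >= self.window_ms]
        return [self._release(k) for k in due]

    def offer(self, e: Event) -> List[Event]:
        """Feed one event; returns the aggregated events released by doing so."""
        now = int(e["endTime"])
        out = self.expire(now)
        key = tuple(e.get(f) for f in self.key_fields)
        g = self._groups.get(key)
        if g is None:
            self._groups[key] = _Group(dict(e), int(e["startTime"]), now, 1, now)
        else:
            g.common = {f: v for f, v in g.common.items() if e.get(f) == v}
            g.start = min(g.start, int(e["startTime"]))
            g.end = max(g.end, now)
            g.count += 1
            if g.count >= self.max_count:
                out.append(self._release(key))
        return out

# ---- Constructed sample data and the two scenarios from the text ----
KEY_FIELDS = ("sourceAddress", "sourcePort", "destinationAddress",
              "destinationPort", "deviceAction")

def make_event(t_ms: int, product: str = "Firewall", **extra: object) -> Event:
    e: Event = {"startTime": t_ms, "endTime": t_ms, "deviceProduct": product,
                "sourceAddress": "10.0.0.5", "sourcePort": 51234,
                "destinationAddress": "192.0.2.10", "destinationPort": 445,
                "deviceAction": "Deny"}
    e.update(extra)
    return e

def run_pipeline(events: Iterable[Event], keep: Condition,
                 agg: Aggregator, flush_at_ms: int) -> List[Event]:
    out: List[Event] = []
    for e in apply_filter(events, keep):
        out.extend(agg.offer(e))
    out.extend(agg.expire(flush_at_ms))   # close whatever is still open
    return out

# Forward firewall denies only; drop anything a vulnerability scanner reported.
KEEP = all_of(field_equals("deviceAction", "Deny"),
              negate(field_equals("deviceProduct", "VulnerabilityScanner")))

def demo_burst() -> List[Event]:
    """900 matching denies within 30 s -> 90 aggregated events of count 10."""
    events = [make_event(i * 33, bytesIn=i) for i in range(900)]
    events.append(make_event(29_700, product="VulnerabilityScanner"))   # filtered out
    return run_pipeline(events, KEEP, Aggregator(KEY_FIELDS), flush_at_ms=60_000)

def demo_expiry() -> List[Event]:
    """Only two matching denies in the window -> one aggregated event of count 2."""
    events = [make_event(0, bytesIn=10), make_event(5_000, bytesIn=20)]
    return run_pipeline(events, KEEP, Aggregator(KEY_FIELDS), flush_at_ms=31_000)
```

Because bytesIn differs between the merged events, it is absent from the aggregated event; the Manager sees the shared five-tuple and action, the time span, and the count, which is exactly the reduction the text describes.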

Configurable Attributes
All SmartConnector configurable attributes are set during the installation and configuration
process. The following attributes can be edited after installation by the ArcSight ESM
Administrator.

Connector name, location, owner, creation, and update information

The ArcSight network with which the SmartConnector is associated

The default behavior of the SmartConnector, such as batching, time correction, cache
size, Manager connection attributes, aggregation parameters, or filters

The SmartConnector's alternative behavior, which can be initiated to send events
based upon time requirements

For complete instructions about which SmartConnector attributes to configure and how,
see the ArcSight ESM v4.0 Installation and Configuration Guide.


Chapter 2

SmartConnector Overview
This chapter provides an overview of ArcSight SmartConnectors and how they collect and
send events (generated by various vendor devices) to the ArcSight ESM Manager.
The following topics are included in this chapter:
Understanding ArcSight SmartConnectors on page 9
Features on page 10
Data Collection Methods on page 12
ArcSight Database Mapping to Vendor Events on page 12
Once SmartConnectors normalize and send events to the ArcSight Manager, the events are
stored in the centralized ESM Database. ArcSight ESM then filters and cross-correlates
these events with rules to generate meta-events. The meta-events then are automatically
sent to administrators with corresponding Knowledge Base articles which contain
information supporting their enterprise's policies and procedures.

Understanding ArcSight SmartConnectors


SmartConnectors process raw data generated by various vendor devices throughout an
enterprise. Devices consist of routers, e-mail servers, anti-virus products, firewalls,
intrusion detection systems (IDS), access control servers, VPN systems, anti-DoS
appliances, operating system logs, and other sources that detect and report security or
audit information.
ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.
Due to this variety of information, SmartConnectors format each event into a consistent,
normalized ArcSight message, letting you find, sort, compare, and analyze all events using
the same event fields.
Specific SmartConnector Configuration Guides document device-to-ArcSight ESM event
mapping information for individual vendor devices, as well as specific installation
parameters and configuration information.


Features
For complete information about how the following features work, see the ArcSight ESM
v4.0 Administrator's Guide and ArcSight ESM Console Help.

Feature                       Description
Filtering and Data Reduction  Uses AND/OR based Boolean logic to determine what data
                              is to be included from the device and what data is
                              filtered out when the event is sent to the ESM Manager.
Aggregation                   Compiles events with matching values into a single event,
                              reducing the number of individual events the ESM Manager
                              must evaluate.
Batching                      Improves ESM Manager performance by sending a
                              collection of events at one time (rather than after each
                              occurrence).
Time Error Correction         Synchronizes the time between the device and the
                              SmartConnector, and between the SmartConnector and the
                              ESM Manager.
Time Zone Correction          Corrects the local time zone, as necessary, to support
                              device-time queries, correlation, and filters.
Categorizer                   Assigns ArcSight ESM categories to an event.
Resolver                      Attempts to resolve and reverse-resolve host names and
                              addresses reported by a device.
Data Normalization            Converts each event produced by devices to an ArcSight
                              ESM common event format message (or ArcSight
                              message).

The following illustration shows the communication between network devices and ArcSight
SmartConnectors, and between ArcSight SmartConnectors and ArcSight ESM Manager.

Figure 2-1 ArcSight SmartConnector Event Collection and Processing

You can deploy SmartConnectors on a device, on a separate host machine,
or on the host machine where the ArcSight ESM Manager system resides.

SmartConnectors both receive and retrieve information from network devices. If the device
sends information, the SmartConnector becomes a receiver; if the device does not send
information, the SmartConnector retrieves it.
An ArcSight message is created for each event the devices collect. Once an event is
received, the SmartConnector adds device and event information to the event to complete
the message, which is then sent to the ESM Manager.


Data Collection Methods


ArcSight SmartConnectors are specifically developed to interoperate with network and
security products using multiple techniques, including simple log forwarding and parsing,
direct installation on native devices, SNMP, and syslog.
Data collection and event reporting formats for various SmartConnectors include:

Log File Readers (including text and log file)

Syslog

SNMP

Database

XML

Proprietary protocols, such as OPSEC or Cisco PostOffice

The ArcSight Console, Manager, and SmartConnectors communicate using HTTP
(HyperText Transfer Protocol) over SSL (Secure Sockets Layer; also referred to as HTTPS).
Vendor device types for which SmartConnectors are available include:

Network and host-based IDS and IPS

VPN, Firewall, router, and switch devices

Vulnerability management and reporting systems

Access and identity management

Operating systems, Web servers, content delivery, log consolidators, and aggregators

For more information about the latest ArcSight SmartConnectors available, visit our website
at http://www.arcsight.com and click the Support link.

ArcSight Database Mapping to Vendor Events


ArcSight SmartConnectors collect the vendor-specific event definitions contained within a
network device. This information is mapped to the data fields within the SmartConnector,
then sent to the ArcSight ESM Manager.
For specific mappings between the SmartConnector data fields and supported
vendor-specific event definitions, see the configuration guide for the device-specific
SmartConnector. For example, for mappings for the SmartConnector for Cisco PIX Syslog,
refer to the SmartConnector for Cisco PIX Syslog Configuration Guide.
For additional information about mappings and parsing information from third-party
devices, see Advanced Topics in the FlexConnector Developer's Guide.


Chapter 3

Planning for Deployment


Deployment of an ArcSight SmartConnector is based upon the requirements of your
network security enterprise. This section outlines possible ArcSight deployments based
upon different scenarios.
The following topics are discussed in this chapter:
Overview on page 13
Supported Platforms on page 14
Deployment Scenarios on page 14
Estimating Storage Requirements on page 17
Understanding ArcSight Turbo Modes on page 17
The scenarios and deployments shown here are only examples of how you might introduce
ArcSight ESM into your enterprise. ArcSight ESM is not limited to just these scenarios and
deployments.

Overview
ArcSight components install consistently across UNIX, Windows, and Macintosh platforms.
Whether a host is dedicated to the ArcSight ESM Database, Manager, Console, or other
component, ArcSight ESM software is installed in a directory tree under a single root
directory on each host (DBMS and other third-party software is not necessarily installed
under this directory, however.) The path to this root directory is called $ARCSIGHT_HOME.
In SmartConnector documentation, the 'current' directory is specified rather than presumed
to be part of the $ARCSIGHT_HOME location, and the path separator is a backslash (\) (for
example, $ARCSIGHT_HOME\current). This is consistent with SmartConnector
configuration guide information, and also underscores the fact that ArcSight
SmartConnectors are not installed on the same machine as the remaining ArcSight ESM
components. Rather, they are typically installed on the same machine as the device whose
activity will be monitored.
The directory structure below $ARCSIGHT_HOME is standardized across components and
platforms. ArcSight software is generally available in the
$ARCSIGHT_HOME\current\bin directory, and documentation is found in
$ARCSIGHT_HOME\current\doc. Properties files, which control the ArcSight
configuration, are found in $ARCSIGHT_HOME\config, and log files are written to
$ARCSIGHT_HOME\logs.


ArcSight SmartConnectors collect and process the data generated by various vendor
devices throughout your enterprise. Devices consist of routers, email logs, anti-virus
products, firewalls, intrusion prevention systems (IPS), access control servers, VPN
systems, anti-DoS appliances, operating system logs, and other sources where information
about security threats is detected and reported.
ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.
SmartConnectors format every raw security event into a consistent, normalized ArcSight
event. By creating a consistent message format, you can find, sort, compare, and analyze
all events using the same event fields.
When a SmartConnector receives an event, it completes the message by adding device
information, then forwarding the event to various components throughout ArcSight ESM.

Supported Platforms
For information about supported platforms, see the ArcSight SmartConnector Product and
Platform Support document that is shipped with each SmartConnector release. Only
differences to the support detailed in that document are specified in the device's
SmartConnector Configuration Guide.

Deployment Scenarios
You can install SmartConnectors on the ArcSight ESM Manager, a host machine, or a
device. Based upon configuration, they also can receive events over the network using
SNMP, HTTP, syslog, proprietary protocols (such as OPSEC), or direct database connections
to the device's repository (such as ODBC or proprietary database connections).
The best deployment scenario for your system depends upon the SmartConnector type,
your network architecture, and your operating system.

Scenarios for syslog deployment are documented in the SmartConnector for UNIX OS
Syslog Configuration Guide.

Scenarios for deploying Windows Event Log connectors are documented in the
SmartConnector for Microsoft Windows Event Log Configuration Guide.


Deployment Scenario One


In this scenario, there are three ArcSight SmartConnectors residing on three different
devices: a firewall, an IPS, and a UNIX operating system. These SmartConnectors receive
information from the devices or their logs, and send captured events to the ESM Manager
based upon the SmartConnector configuration.
Once events are received by the Manager, it cross-correlates the events using rules and
sends meta-events to the ESM Database and to any ESM Consoles that access the
Database.
The ESM Manager also can perform preset actions. Events and meta-events within the ESM
Database can be played back using the Replay channel to investigate, analyze, or create a
report about event history.

Figure 3-1 Three ArcSight SmartConnectors Residing on Three Devices

Deployment Scenario Two


This scenario is the same as the first, except that the three SmartConnectors reside on a
host machine rather than the device itself. The ArcSight SmartConnector need not reside
on the device in order to retrieve information from that device. The SmartConnector
functions as before, and the ArcSight ESM Manager and Database perform the same
functions.

Figure 3-2 Three ArcSight SmartConnectors Residing on a Host Machine

Deployment Scenario Three


In this scenario, the ArcSight SmartConnectors reside on the ESM Manager itself, not on a
host machine, but still retrieve events from devices in the network. The processing
performed by the ArcSight SmartConnector, Manager, and Consoles is identical to the
other scenarios.

Figure 3-3 Three ArcSight SmartConnectors Residing on an ESM Manager

Estimating Storage Requirements


Understanding the range of devices and SmartConnectors you want to deploy helps in
estimating your daily event volume. Log file size is not accurate enough; you need to know
how many events are generated during an average day. This varies by the type of device
(firewall, IDS, vulnerability management, and so on). Not only do different devices generate
different event volumes, they also respond differently to various event aggregation policies.
The average size of the data stored for each event depends upon the turbo mode
(Fastest, Faster, or Complete) specified for a particular SmartConnector. For detailed
information on turbo modes, see the following section, Understanding ArcSight Turbo
Modes.
SmartConnectors can aggregate events to reduce event traffic. An event that repeats every
500 ms, for example, can be represented by a single event that fires every ten seconds,
producing a 20:1 event compression. Individual SmartConnectors can be configured to
aggregate events in this manner, reducing event traffic to the ESM Manager and the
storage requirements in the Database.
In a distributed environment with multiple ESM Managers, the event volume metric must
consider both the SmartConnector feeds to the Manager and the event forwarding from
other Managers.

Understanding ArcSight Turbo Modes


You can accelerate the transfer of sensor information through SmartConnectors by
choosing one of three turbo modes (Fastest, Faster, or Complete).
The Fastest mode requires the fewest bytes and is most suited to devices such as
firewalls, which have relatively little event data. The Faster mode is the Manager default,
and requires less storage space. Rich event data sources, such as a network operating
system, might use Complete mode, the SmartConnector default. The Complete mode
passes all the data arriving from the device, including any custom or vendor-specific (for
example, "additional") data.
You can configure SmartConnectors to send more or less event data on a
per-SmartConnector basis, and the ESM Manager can be set to read and maintain more or
less event data, independent of the SmartConnector setting.
Some events require more data than others. For example, operating system syslogs often
capture a considerable amount of environmental data that may not be relevant to a
particular security event. Firewalls, on the other hand, typically report only basic
information.
ArcSight defines turbo modes as follows:

Mode               Description
Fastest (Mode 1)   Recommended for simpler devices, such as firewalls.
Faster (Mode 2)    ESM Manager default. Eliminates all but a core set of event
                   attributes to achieve the best throughput. Because the
                   event data is smaller, it requires less storage space and
                   provides the best performance.
Complete (Mode 3)  SmartConnector default. All event data arriving at the
                   SmartConnector, including additional data, is maintained.


When a turbo mode is not specified, Mode 3, Complete, is the default. Versions of ArcSight
ESM prior to v3.0 run in turbo mode Complete.
The ESM Manager uses its own turbo mode setting when processing event data. If a
SmartConnector is set at a higher turbo mode than the Manager, it reports more event data
than the Manager requires. The Manager ignores these extra fields.
However, if a Manager is set at a higher turbo mode than the SmartConnector, the
SmartConnector has less event data to report to the Manager. The Manager maintains
fields that remain empty of event data.
Both situations are normal in real-world scenarios because the Manager configuration must
reflect the requirements of a diverse set of SmartConnectors.
Possible Manager-SmartConnector configurations (Manager mode-SmartConnector mode) are as follows:
1-1 Manager and SmartConnector in Fastest Mode.
1-2 SmartConnector sending more sensor data than Manager requires.
1-3 SmartConnector sending more sensor data than Manager requires.
2-1 SmartConnector not sending all data that Manager is storing.
2-2 Manager and SmartConnector in Faster mode.
2-3 Default: Manager does not process additional data sent by SmartConnector.
3-1 Manager maintains Complete data; SmartConnector sends minimum.
3-2 Manager maintains additional data, but SmartConnector does not send it.
3-3 Manager and SmartConnector in Complete mode.
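The Manager/SmartConnector turbo-mode interplay listed above, as an added Python example (not ArcSight's code). Each configuration is labelled Manager mode-SmartConnector mode exactly as in the list; the connector sends only the fields its mode allows, the Manager keeps only its own mode's columns, extra fields are ignored and unsent fields stay empty. The field sets assigned to each mode are an assumption made for illustration (ArcSight's real mode definitions are in the Administrator's Guide), and the sample event is constructed here.

```python
from typing import Dict, List

FASTEST, FASTER, COMPLETE = 1, 2, 3
MODE_NAME = {FASTEST: "Fastest", FASTER: "Faster", COMPLETE: "Complete"}

# Assumed field sets for illustration: each mode keeps what the lower modes keep
# and adds more. ArcSight's real per-mode field lists differ.
CORE_FIELDS = ("startTime", "endTime", "deviceVendor", "deviceProduct", "name",
               "sourceAddress", "destinationAddress", "deviceAction")
FASTER_EXTRA = ("sourcePort", "destinationPort", "transportProtocol",
                "bytesIn", "bytesOut")
COMPLETE_EXTRA = ("deviceCustomString1", "additionalData")

def fields_for(mode: int) -> tuple:
    fields = CORE_FIELDS
    if mode >= FASTER:
        fields += FASTER_EXTRA
    if mode >= COMPLETE:
        fields += COMPLETE_EXTRA
    return fields

def connector_send(raw_event: Dict, connector_mode: int) -> Dict:
    """The connector passes only what its mode allows; Complete passes everything,
    including vendor-specific data that has no fixed column."""
    if connector_mode == COMPLETE:
        return dict(raw_event)
    allowed = set(fields_for(connector_mode))
    return {k: v for k, v in raw_event.items() if k in allowed}

def manager_store(sent: Dict, manager_mode: int) -> Dict:
    """The Manager keeps its own mode's columns: columns it did not receive stay
    empty (None) and fields beyond its mode are ignored. A Complete-mode Manager
    also keeps any vendor-specific extras the connector sent."""
    stored = {k: sent.get(k) for k in fields_for(manager_mode)}
    if manager_mode == COMPLETE:
        stored.update({k: v for k, v in sent.items() if k not in stored})
    return stored

def describe(manager_mode: int, connector_mode: int, raw_event: Dict) -> Dict:
    """Summarize one configuration, labelled 'ManagerMode-ConnectorMode'."""
    sent = connector_send(raw_event, connector_mode)
    stored = manager_store(sent, manager_mode)
    return {
        "label": f"{manager_mode}-{connector_mode}",
        "ignored": sorted(set(sent) - set(stored)),                  # sent, not kept
        "empty": sorted(k for k, v in stored.items() if v is None),  # kept, never sent
    }

# Constructed sample: a rich operating-system event with vendor-specific data.
SAMPLE_RAW = {
    "startTime": 1234567890000, "endTime": 1234567890000,
    "deviceVendor": "ExampleCo", "deviceProduct": "ExampleOS",
    "name": "Login succeeded", "sourceAddress": "10.0.0.5",
    "destinationAddress": "10.0.0.9", "deviceAction": "accept",
    "sourcePort": 51000, "destinationPort": 22, "transportProtocol": "TCP",
    "bytesIn": 320, "bytesOut": 1800,
    "deviceCustomString1": "tty1", "additionalData": {"shell": "/bin/sh"},
    "vendorOnlyField": "xyz",   # only a Complete-mode connector carries this
}

def configuration_matrix(raw_event: Dict = SAMPLE_RAW) -> List[Dict]:
    """All nine Manager-SmartConnector combinations, in the order of the list above."""
    return [describe(m, c, raw_event)
            for m in (FASTEST, FASTER, COMPLETE)
            for c in (FASTEST, FASTER, COMPLETE)]

if __name__ == "__main__":
    for r in configuration_matrix():
        print(f'{r["label"]}: {len(r["ignored"])} field(s) ignored by the Manager, '
              f'{len(r["empty"])} column(s) left empty')
```

Running it shows the two asymmetries the text describes: in 1-3 the Manager discards everything beyond its core columns, while in 3-1 it keeps columns that never receive data; 2-3, the default pairing, drops only the additional and vendor-specific data.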

Chapter 4

Installing and Configuring SmartConnectors
When you have purchased and are ready to install an ArcSight SmartConnector, see the
configuration guide of the individual connector for customized information for the device
the connector is monitoring. (For example, when installing a SmartConnector for Windows
Event Log, refer to the SmartConnector for Microsoft Windows Event Log Configuration
Guide.)
The following topics are discussed in this chapter:
Installing ArcSight ESM on page 19
Installing the SmartConnector on page 20
Remotely Upgrading SmartConnectors on page 34
Troubleshooting on page 35
Uninstalling a SmartConnector on page 35
Modifying SmartConnector Parameters after Installation on page 36
Running SmartConnectors on page 36
Individual configuration guides contain installation parameters to enter, how to configure
the particular device to enable SmartConnector event collection, and customized device
event mappings to ArcSight ESM fields.

Installing ArcSight ESM


Before you install any ArcSight SmartConnectors, make sure that ArcSight ESM has already
been installed correctly. Also, ArcSight recommends reading the ArcSight Installation and
Configuration Guide before attempting to install a new ArcSight SmartConnector. For a
successful installation of ArcSight ESM, follow this order:
1 Ensure that the ArcSight ESM Manager, Database, and Console are installed correctly.

2 Run the ArcSight ESM Manager. The command prompt window or terminal box
displays a "Ready" message when the ESM Manager has started successfully. If the
ArcSight ESM Manager is running as a Windows NT/2000 Service, monitor the
server.std.log file located in ARCSIGHT_HOME\current\logs\default.

3 Run the ArcSight ESM Console. Although not required, it is helpful to have the Console
running when installing the SmartConnector to verify successful installation.


Before installing the SmartConnector, be sure the following are available:

Local access to the machine where the SmartConnector is to be installed

Administrator privilege
At a minimum, SmartConnectors must be running version 4021 to
communicate with a version 4.0 Manager.

Installing the SmartConnector


For information regarding operating systems and platforms supported, refer to the
SmartConnector Product and Platform Support. For complete installation instructions for a
particular SmartConnector, see the configuration guide for that connector. The
product-specific configuration guide provides device configuration information, installation
parameters, and device event mappings to ArcSight ESM fields.
1 Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location
of the ArcSight SmartConnector Installer directory.

2 Start the ArcSight SmartConnector Installer by double-clicking on the executable file
for your operating system. Installation files follow the format:

Linux     ArcSight-4.0.x.nnnn.y-Connector-Linux.bin
Solaris   ArcSight-4.0.x.nnnn.y-Connector-Solaris.bin
Windows   ArcSight-4.0.x.nnnn.y-Connector-Windows.exe

A window such as the following is displayed; once you have verified that the ESM
Database, Manager, and Console are installed and operating, click Next.

3 When the Introduction window is displayed, read the information and click Next when
ready.

4 Next, accept the default location for "Where Would You Like to Install?," or click
Choose to select another folder for installation. Click Next when ready.

It is a good practice to develop and use a standard naming convention to specify
directory locations, file names, and menu option names for the SmartConnectors you
install. Typically, if you install multiple connectors on a particular machine, you should
install each SmartConnector in a separate directory.

5 Choose from the following types of installation; for most connectors, Typical is the
appropriate selection. Click Next.

6 On the following window, accept the default shortcut folder location or select a new or
existing Program Group. (You can also create icons for all users accessing ArcSight
SmartConnector by selecting the Create Icons for All Users check box.) Click Next
when you have finished making your selections.

7 Verify your selections on the Pre-Installation Summary window; click Install to
begin installation of the SmartConnector core component software.
If the summary is incorrect, click Previous to make changes.

8 An installation process window is displayed during installation of core connector
software (click Cancel if you want to cancel the installation).

9 When the installation of ArcSight SmartConnector core component software is
finished, the following window is displayed:

10 Make sure ArcSight Manager (encrypted) is selected and click Next.


For information about the ArcSight Logger SmartMessage (encrypted)
destination, see Chapter 6 Using SmartConnectors with ArcSight Logger on page 45.
For information about NSP Device Poll Listener, see Chapter 6 Deploying a Syslog
SmartConnector with NCM/TRM on page 58. The SmartConnector Configuration
Wizard prompts you to specify whether the ArcSight ESM Manager to which you are
going to connect uses a demo certificate to authenticate SmartConnector requests.
11 The Wizard first prompts you for Manager certificate information. The default selection
is No, the ArcSight Manager is not using a demo certificate. Choose Yes if ArcSight
Manager is using a demo certificate. (Before selecting this option, make sure the
Manager is, in fact, using a demo SSL certificate. If you are not certain, select No or
consult your system administrator.). If your ArcSight Manager is using a self-signed or
CA-signed SSL certificate, select No, the ArcSight Manager is not using a demo
certificate and click Next.
After completing the SmartConnector installation wizard, remember to
manually configure the connector for the type of SSL certificate your Manager
is using. Refer to the ArcSight ESM v4.0 Administrator's Guide for instructions
about configuring your SmartConnector when the Manager is using a self-signed
or CA-signed certificate and for instructions about enabling SSL client
authentication on SmartConnectors so that the Connectors and the Manager
authenticate each other before sending data.

12 On the next window, replace localhost with the host name of the Manager with
which the SmartConnector is to communicate (localhost is appropriate only when
the SmartConnector is installed on the same host as the Manager, which is not
recommended in a production environment). This name must match the host name in
the Manager's certificate, which is usually the fully-qualified name. For example,
instead of gabriel, specify gabriel.sales.mycompany.com.

For Manager Port, leave the default value of 8443.

For AUP Master Destination, generally leave this false. If, however, you will have
one or more non-ESM destinations, and you want to share this ESM destination's AUP
configuration (such as zones) with those destinations, select true. Only do so for one
primary destination; if you select true for more than one primary destination or any
failover destination, the setting is ignored for all but the first such primary destination.
For Filter Out All Events, select true if you want all events filtered out. This means
the connector sends no events to this destination. This is useful when an ESM
destination is added solely for the purpose of being the AUP master; this value is
usually false unless the AUP Master Destination parameter is set to true.


13 Enter a valid ArcSight user name and password for the ArcSight ESM Manager. This is
the same user name and password you created during ESM Manager installation.

14 Select one of the possible SmartConnectors from the window displayed. Scroll down to
find the appropriate SmartConnector. If you are installing a syslog SmartConnector,
select the Syslog Pipe, File, or Daemon SmartConnector.
The SmartConnectors that appear in the list are those that can be installed on the
same platform from which you are running the installation program. For example, if
you are running on Windows, the list contains a list of those SmartConnectors that are
supported on Windows. Similarly, if you are running the installer on a Linux or
Solaris-based system, the installer displays a list of SmartConnectors supported on
those platforms.
15 After selecting the connector you want to install from the list of SmartConnectors, in
this example, Symantec Gateway Security/Enterprise Firewall NG File, click
Next.

16 The next window requests specific parameters for the particular SmartConnector you
selected. These parameters vary depending upon the device and are described and
explained in the SmartConnector Configuration Guide for the selected SmartConnector.
There are some SmartConnector types (such as Symantec Gateway
Security/Enterprise Firewall NG, shown in the following example) that require
parameter values to be entered into a table format. You can add this information
manually or import multiple hosts. See Using Table Parameters on page 29 for
detailed information.
To manually enter parameter values, click the Add button. See Manually Entering
Parameter Values on page 30 for details.
Click the Import button to locate the .csv file you want to import. Click the Export
button to create a .csv file containing the values you have entered in the parameter
table. See Importing and Exporting CSV Files on page 30 for details.

If there are no Import and Export buttons on the parameter entry window
for the connector you've selected, the parameters are not entered into a table
format and this feature does not apply.

17 Click Next when you have completed entering data.

18 Give your new SmartConnector a descriptive name to identify it for ArcSight Console
users. You also can specify optional location information and add any appropriate
comments.

In this context, SmartConnector Location refers to the host where you are
installing the SmartConnector and Device Location describes the host on which the
IDS, syslog, or other software is running. If the device is physical hardware, the
Device Location is particularly useful for specifying, for example, a certain position
within a specific rack.
19 Click Next when you have finished entering data.
20 Review the summary of data and click Next.

21 Most SmartConnectors can be installed as a Windows service (or Linux/UNIX daemon)
so that the SmartConnector runs automatically when the host is restarted. If the
SmartConnector is not configured as a service, it must be started manually whenever
it is not running. (For more information about running a SmartConnector as a service,
see As a Windows Service on page 37.) Select Yes or No and click Next.

If you choose to configure the SmartConnector to run as a service, the wizard prompts
you for the service's internal and display names.
If you choose not to run the SmartConnector as a service, a window such as the
following is displayed.

22 Click Finish to complete connector configuration.


For some SmartConnectors, a system restart is required before the configuration settings
you made can take effect. If a System Restart window is displayed, read the information
and initiate the system restart operation.
Save any work on your computer or desktop and shut down any other running applications,
including the ArcSight Console, if it is running; then shut down the system.

Using Table Parameters


During SmartConnector installation, a connector using table parameters will show the
following type of window for entering parameter data.

The parameters for this type of SmartConnector can be entered manually for a few lines of
data, or, for a larger number of entries, you can import a .csv file. You can also create a
.csv file by exporting data you've already entered. See Importing and Exporting CSV Files
on page 30 for specific steps.
Please note the following when using this feature:

Columns that contain private data (shown as asterisks), such as passwords, will not
appear in exported files after using the Export button.

After importing a .csv file (using the Import button), data in private columns remain
hidden (shown as asterisks).

While you can manually enter a private column (either by adding the column to your
CSV within a spreadsheet program or by filling it in through the Configuration Wizard),
it still will not appear in any exported files. This is a precautionary measure.

Importing data from a .csv file (using the Import button) causes all existing data in
the table to be removed and replaced by the incoming data.

Manually Entering Parameter Values


To enter parameters manually, use the Add button to create fields and enter the data, as
shown below.

If needed, use the Export button to export your parameter table data into an external .csv
file to save for later use.

Importing and Exporting CSV Files


An easy way to quickly populate many lines of parameter data is to create a .csv file, then
use the Import button to fill the parameter entry table of the SmartConnector
Configuration Wizard.
To use the Import feature:

1 Using a spreadsheet program (such as Microsoft Excel), enter the parameter data into
a table and save it as a .csv file.

2 During SmartConnector installation, click the Import button to locate the .csv file you
created. The window provides a preview of the CSV's contents.

3 Click the Import button on the Import window. This populates the SmartConnector
parameters fields, as shown below.

If you wish, you can add more rows manually (using the Add button) and then export
the resulting table (using the Export button) to an external .csv file for later use.

The example above shows a Password column within the Configuration
Wizard that does not appear in the original .csv file. This private column
does not contain actual password data and will not be included in an
exported file.

4 Click Next if you are finished entering data.
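The following is an added illustration, a constructed model rather than the Configuration Wizard's own code, of the table-parameter behaviour described in Using Table Parameters and in the import/export steps above: private columns are masked in the display, omitted on export, and an import replaces the whole table, so an export followed by an import comes back with every password blank. The column names and sample rows are made up.

```python
"""Model of the wizard's table-parameter CSV handling.

Constructed example, not ArcSight code: private columns (such as Password)
are masked in the display, dropped on export, and a CSV import replaces the
whole table. Column names and sample rows are made up."""
import csv
import io

MASK = "********"


class ParameterTable:
    def __init__(self, columns, private=()):
        self.columns = list(columns)
        self.private = set(private)
        self.rows = []

    def add_row(self, **values):
        """The Add button: one row, every column supplied (blank allowed)."""
        missing = set(self.columns) - set(values)
        if missing:
            raise ValueError(f"missing columns: {sorted(missing)}")
        self.rows.append({c: values[c] for c in self.columns})

    def import_csv(self, text):
        """The Import button: incoming rows replace, never merge with, the
        existing table. A private column present in the CSV is accepted;
        one that is absent is left blank."""
        reader = csv.DictReader(io.StringIO(text))
        self.rows = [{c: (rec.get(c) or "") for c in self.columns}
                     for rec in reader]
        return len(self.rows)

    def export_csv(self):
        """The Export button: private columns never reach the file, even if
        they were filled in manually or came from an imported CSV."""
        public = [c for c in self.columns if c not in self.private]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=public, lineterminator="\n")
        writer.writeheader()
        for row in self.rows:
            writer.writerow({c: row[c] for c in public})
        return buf.getvalue()

    def display(self):
        """What the wizard shows: private values rendered as asterisks."""
        return [[MASK if c in self.private and row[c] else row[c]
                 for c in self.columns] for row in self.rows]


# Constructed sample CSV as a spreadsheet program might save it.
SAMPLE_CSV = "Host,Port,User,Password\nfw2,22,svc,p4ss\nfw3,2222,svc,\n"


def round_trip_loses_secrets():
    """Export then import: hosts survive, every password comes back blank."""
    table = ParameterTable(["Host", "Port", "User", "Password"],
                           private=["Password"])
    table.import_csv(SAMPLE_CSV)
    table.import_csv(table.export_csv())
    return [row["Password"] for row in table.rows]


if __name__ == "__main__":
    print(round_trip_loses_secrets())  # ['', '']
```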

Installing SmartConnectors from the Command Line


To install ArcSight SmartConnectors without using the graphical user interface wizard,
enter -i console on the command line when you invoke the self-extracting archive.
Follow the instructions in the command window.
When the installation has successfully completed, manually run the configuration program
by executing runagentsetup.

Installing SmartConnectors in Silent Mode


You can run the ArcSight SmartConnector installation program in silent mode, in which
answers to wizard questions are provided by a Properties file. This feature is useful for
deploying a large number of identical SmartConnectors.
To use this feature, first install and configure one SmartConnector using the graphical user
interface or the command line. While configuring the first SmartConnector, record its
configuration parameters in a Properties file. To install all other SmartConnectors in silent
mode, use the Properties file you created to provide configuration information.
ArcSight recommends creating and testing the properties file on a system
other than your in-service, production environment. Recording from such a
SmartConnector requires removal.

To record the configuration of a SmartConnector to a Properties file:

1 Run the SmartConnector Configuration Wizard to extract and install the
SmartConnector files. When the wizard asks you to click Done to run the wizard, click
Cancel. Confirm your choice to run the SmartConnector Configuration Wizard
manually.

2 From a command prompt window (from the ARCSIGHT_HOME\current\bin
directory), enter the following command to launch the SmartConnector
Configuration Wizard in record mode:
On Unix and Linux: ./runagentsetup.sh -i recorderui
On Windows: runagentsetup.bat -i recorderui

3 On the window displayed, enter the Silent Properties File Name to select an
existing file. Enter the name of the Installation Target Folder to select a location.

4 Continue through all SmartConnector Configuration Wizard windows. The wizard
creates a Properties file using the name and location you specified.

Perform the remaining steps on the system on which you want to install the
SmartConnector in silent mode:

5 Copy the Properties file from the other system to your current system, preferably to
the same directory where you downloaded the installation file.

6 Open the Properties file in an editor of your choice.

7 Find the ARCSIGHT_AGENTSETUP_PROPERTIES property in the file and make sure
that the path value is the absolute path to the location where you copied the
properties file on this system.
For example, if you copied the properties file to C:\Program
Files\ArcSightSmartConnectors, the path value should be as follows:
ARCSIGHT_AGENTSETUP_PROPERTIES=C\:\\Program
Files\\ArcSightSmartConnectors\\silent_properties
The equal (=) and backslash (\) characters must be preceded by a backslash
(\).

8 Find the AgentDetailsPanel.smartConnectorname property in the file and
change its value to the name of the SmartConnector you are going to install in silent
mode, as shown in the following example:

#======================================================
# Panel 'AgentDetailsPanel'
#======================================================
# Select a name for your SmartConnector and specify location
# parameters.
#
# SmartConnector Name
AgentDetailsPanel.smartConnectorname=SF_SmartConnector1
# Agent Location
AgentDetailsPanel.agentlocation=San Francisco
# Device Location
AgentDetailsPanel.devicelocation=Site_2.2.223
# Comment
AgentDetailsPanel.comment=
#===============================================

9 If appropriate, edit the following properties:
AgentDetailsPanel.agentlocation
AgentDetailsPanel.devicelocation
AgentDetailsPanel.comment

You can edit any property (Manager Information, user credentials) in the properties file to
suit your needs.

10 Save the properties file.

11 Download the SmartConnector installation file appropriate for your platform.

12 Run the following command to install the new SmartConnector in silent mode:
ArcSight_Agent_install_file -i silent -f properties_filename
The command launches the InstallShield program and installs the SmartConnector silently.
Example: To install a SmartConnector on a Windows platform with the property file name
silent_properties, enter:
ArcSight-3.5.x.nnnn.y-Agent-Win.exe -i silent -f silent_properties
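Added example, not ArcSight's code: a script that performs the two edits the procedure above calls for on a recorded properties file, setting ARCSIGHT_AGENTSETUP_PROPERTIES to the file's absolute path on the new host and renaming the connector, with the backslash escaping the guide requires applied automatically. The two key names are the ones the guide refers to; the sample file content, the retarget/set_property/get_property helpers and the one key=value-per-line layout are assumptions.

```python
"""Retarget a recorded SmartConnector silent_properties file for another host.

Constructed example, not ArcSight code. The two key names are those the
guide refers to; the sample file content is made up, and the parser assumes
the recorder's one-property-per-line 'key=value' layout (no continuations)."""
import re

PROPS_PATH_KEY = "ARCSIGHT_AGENTSETUP_PROPERTIES"
NAME_KEY = "AgentDetailsPanel.smartConnectorname"

# Characters that get a leading backslash in a Java .properties value.
# The guide calls out '=' and '\'; ':' is escaped as well, matching the
# recorder's own output (C\:\\Program Files\\...).
_SPECIAL = set("\\=:#!")


def escape_value(value: str) -> str:
    """Escape a raw value (for example a Windows path) for a .properties file."""
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def unescape_value(value: str) -> str:
    """Undo escape_value: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", value)


def _split(line: str):
    """Return (key, raw_value) for a 'key=value' line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    key, sep, value = stripped.partition("=")
    if not sep:
        return None
    return key.strip(), value.strip()


def get_property(text: str, key: str):
    """Return the unescaped value of key, or None if the key is absent."""
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] == key:
            return unescape_value(kv[1])
    return None


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key set to the escaped value (appended if missing)."""
    lines = text.splitlines()
    new_line = f"{key}={escape_value(value)}"
    for i, line in enumerate(lines):
        kv = _split(line)
        if kv and kv[0] == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def retarget(text: str, props_path: str, connector_name: str) -> str:
    """Point the file at its own absolute location on the new host and
    give the connector the name it should carry on that host."""
    text = set_property(text, PROPS_PATH_KEY, props_path)
    return set_property(text, NAME_KEY, connector_name)


# Constructed sample of what the recorder might have written on the first host.
SAMPLE = """\
# Panel 'AgentDetailsPanel'
ARCSIGHT_AGENTSETUP_PROPERTIES=/opt/arcsight/connectors/silent_properties
AgentDetailsPanel.smartConnectorname=SF_SmartConnector1
AgentDetailsPanel.agentlocation=San Francisco
AgentDetailsPanel.comment=
"""

if __name__ == "__main__":
    print(retarget(SAMPLE,
                   r"C:\Program Files\ArcSightSmartConnectors\silent_properties",
                   "NY_SmartConnector2"))
```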
After installing ArcSight SmartConnectors, configure your system's default
file permissions so that files created by ArcSight (events, log files, and so on)
are reasonably secure.

On UNIX systems, file permissions typically are set by adding the umask
command to your shell profile. An umask setting of 077, for example, would
deny read or write file access to any but the current user. An umask setting of
000 creates an unnecessary security hole.

Remotely Upgrading SmartConnectors


Only Windows, Linux, and Solaris platforms are supported for
SmartConnector remote upgrade from the ArcSight ESM Console.

ArcSight ESM now provides the ability to not only centrally manage and configure
SmartConnectors, but also to update them remotely. You can use the Upgrade command
on the ArcSight ESM Console to upgrade to newer versions of ArcSight SmartConnector
software for managed devices. (You also can use the Rollback command to revert to a
previous version of an upgraded SmartConnector.)
The Upgrade command lets you launch, manage, and review the status of upgrades for all
SmartConnectors. A failover mechanism launches SmartConnectors with previous versions
if upgrades fail. All communication and upgrade processes between components (Console,
Manager, and SmartConnectors) take place over secure connections.
The ArcSight ESM Console reflects current version information for all of your ArcSight
SmartConnectors.

Overview of the Upgrade Process

1 You will receive an e-mail notification about new SmartConnector releases from
ArcSight Customer Support.

2 Download the latest releases to the ArcSight ESM Manager available for
SmartConnector upgrades. Upgrade version files are delivered as .aup files (a
compressed file set).

3 Copy the .aup file to ARCSIGHT_HOME\updates\ onto a running ArcSight ESM
Manager. The Manager automatically unzips the .aup file and copies its content to
ARCSIGHT_HOME\repository\.

4 From the ArcSight ESM Console, select SmartConnectors to be upgraded (one at a
time) and launch the upgrade command for each of them.

If you have installed multiple SmartConnectors in a single JVM, select the
first connector installed in the JVM (if you select any other connector the
upgrade fails) and launch the upgrade command; this action upgrades all
connectors in the JVM.

If your SmartConnector has multiple ESM Manager destinations, you must
perform this process from the primary ESM Console. Any attempt to
upgrade from a secondary or non-primary ESM Console destination will
fail.

5 Upon receipt of the upgrade command, the selected SmartConnectors upgrade
themselves, restart, and send upgrade results (success or failure) back to the ArcSight
ESM Console through the ESM Manager.

If the upgrade is successful, the new SmartConnector starts and reports successful
upgrade status.

If the upgraded SmartConnector fails to start, the original SmartConnector restarts
automatically as a failover measure.

For details about how to upgrade SmartConnectors from the Console, refer to the ArcSight
Console Help.
SmartConnectors automatically determine their upgrade status when they start.


When upgrading SmartConnectors, be sure to download current versions of the
SmartConnector Configuration Guides from the ArcSight Customer Support website.
These are the most current configuration guides available and contain information
specific to the connector device.

Administrative permission is required to upgrade Connectors.

Versions of the Connectors you want to upgrade must be available on the Manager to
which you are connected.

The option for remote upgrade is available only in ArcSight ESM v4.0 Console and only
for version 4.0.2.xxxx.0 or newer SmartConnectors. Earlier versions of connectors
(formerly known as SmartAgents) must be upgraded manually per the original process
by installing a newer version of the SmartConnector.

As a prerequisite to upgrading Connectors, both the ArcSight ESM Manager and the
SmartConnector you want to upgrade must be running.

Rolling Back to a Previous Version


You can roll back an upgraded SmartConnector to the previous version with the Rollback
command. Refer to the ArcSight Console online Help for details on how to use the Rollback
command.
Administrative permission is required to roll back SmartConnectors.

The option for SmartConnector rollback is available only in ArcSight Console v4.0 and only
on previously upgraded SmartConnector versions 4.0.2.xxxx.0 or newer.
Rollback automatically reinstates the most recent version prior to the currently installed
version. You cannot do a remote rollback on a SmartConnector other than the previously
installed version.
For example, if you start with a SmartConnector of version 4.0.2.4793, upgrade to
4.0.2.4794, then upgrade again to 4.0.2.4795, a remote rollback at this point
re-installs/starts SmartConnector version 4.0.2.4794. You can only roll back to an earlier
version manually.

Troubleshooting
If an upgrade or rollback fails, you can review the related logs. Choose Send Command
-> Tech Support -> Get Upgrade Logs from the ArcSight Console menus.
You can also use the Send Logs Wizard to collect and send logs, including upgrade logs, to
ArcSight for support help.

Uninstalling a SmartConnector
Before uninstalling a SmartConnector that is running as a service or daemon, first stop the
service or daemon.
To uninstall on Windows platforms, open the Start menu. Run the Uninstall
SmartConnectors program found under All Programs -> ArcSight
SmartConnectors. If SmartConnectors were not installed on the Start menu, locate the
ARCSIGHT_HOME\current\UninstallerData folder and run:
Uninstall_ArcSight_Agents.exe

To uninstall on UNIX platforms, open a command window on the
ARCSIGHT_HOME/current/UninstallerData directory and run the command:
./Uninstall_ArcSight_Agents
The UninstallerData directory contains a file .com.zerog.registry.xml with
Read, Write, and Execute permissions for everyone. On Windows platforms,
these permissions are required for the uninstaller to work. However, on UNIX
platforms, you can change the permissions to Read and Write for everyone
(that is, 666).
The Uninstaller does not remove all the files and directories under the
ArcSight SmartConnector home folder. After completing the uninstall
procedure, manually delete these folders.

Modifying SmartConnector Parameters after Installation
If you want to modify any of the ArcSight SmartConnector parameters after installation,
including configuring the SmartConnector to run as a service or standalone application, you
can run the SmartConnector Configuration Wizard again after completing the initial
installation and configuration.
The SmartConnector must be installed on the computer, server, or
workstation on which it was originally installed.

Stop the ArcSight SmartConnector and execute the following command from the
$ARCSIGHT_HOME\current\bin directory:
For UNIX platforms:
./runagentsetup.sh
For Windows platforms:
runagentsetup

Running SmartConnectors
SmartConnectors can be installed and run in standalone mode, as a Windows service, or
as a UNIX daemon. If installed standalone, the SmartConnector must be started manually,
and is not automatically active when a host is re-started. If installed as a Windows service
or UNIX daemon, the SmartConnector runs automatically when the host is re-started.
Some SmartConnectors require that you restart your system before
configuration changes take effect.
SmartConnectors for scanners present a special case. To run a scanner
SmartConnector in interactive mode, run in standalone and not as a Windows
service or Linux/UNIX daemon.

Standalone
To run all installed SmartConnectors on a particular host, open a command window, go to
ARCSIGHT_HOME\current\bin and run:
arcsight connectors
To view the SmartConnector log, read the file:
ARCSIGHT_HOME\current\logs\agent.log
To stop all SmartConnectors, enter Ctrl+C in the command window.
On Windows platforms, SmartConnectors also can be run using shortcuts and
optional Start Menu entries.

As a Windows Service
SmartConnectors installed as a service can be started and stopped manually using
platform-specific procedures.
To start or stop SmartConnectors installed as services on Windows platforms:

1 Right-click on My Computer, then select Manage from the Context menu.

2 Expand the Services and Applications folder and select Services.

3 Right-click on the ArcSight SmartConnector service name and select Start to begin
running the SmartConnector or Stop to stop running the service.

To verify that a SmartConnector service has started, view the file:
ARCSIGHT_HOME\logs\agent.out.wrapper.log
To reconfigure a SmartConnector as a service, run the SmartConnector Configuration
Wizard again. Open a command window on $ARCSIGHT_HOME\current\bin and run:
runagentsetup

As a UNIX Daemon
SmartConnectors installed as a daemon can be started and stopped manually using
platform-specific procedures.
On UNIX systems, when you configure a SmartConnector to run automatically, ArcSight
creates a control script in the /etc/init.d directory. To start or stop a particular
SmartConnector, find the control script and run it with either a start or stop command
parameter.
For example:
/etc/init.d/arc_serviceName {start|stop}
To verify that a SmartConnector service has started, view the file:
ARCSIGHT_HOME/logs/agent.out.wrapper.log
To reconfigure SmartConnectors as a daemon, run the SmartConnector Configuration
Wizard again. Open a command window on $ARCSIGHT_HOME/current/bin and enter:
runagentsetup

Chapter 5
Using SmartConnectors with Connector Appliance
The following topics are covered in this chapter:
Using SmartConnectors on the Connector Appliance on page 41
Choosing an Event Destination on page 42
Choosing a Deployment Scenario on page 43
ArcSight Connector Appliance is a hardware solution that incorporates a number of
onboard ArcSight SmartConnectors and a web-based user interface that provides
centralized management for SmartConnectors across a potentially large number of hosts.
The Connector Appliance centralizes SmartConnector management and offers unified
control of SmartConnectors on

The Connector Appliance

Remote Connector Appliances

Software-based SmartConnectors (installed on remote hosts)

Figure 5-1
ArcSight Connector Appliance includes on-board SmartConnectors that connect
event sources to destinations such as ArcSight Logger and ArcSight ESM.
The benefits of Connector Appliance include the following:

Supports bulk operations across all SmartConnectors and is particularly desirable in
ArcSight ESM deployments with a large number of SmartConnectors, such as a
Managed Security Services Provider (MSSP).

Provides an ArcSight ESM-like SmartConnector management facility in Logger-only
environments.

Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors. The Connector Appliance does not receive events from the
SmartConnectors it manages, and this allows for management of many connectors at
one time. The Connector Appliance does not affect working SmartConnectors unless it
is used to change their configuration. In some cases, the SmartConnector is
commanded to restart.

Figure 5-2

Connector Appliance manages all your SmartConnectors

SmartConnectors that forward events to ArcSight ESM can be managed using the ESM
Console, so the Connector Appliance is not required if all SmartConnectors have ESM as
their only destination. However, the Connector Appliance is very useful when connectors
target multiple heterogeneous destinations (for example, when ArcSight Logger is
deployed along with ESM), in a Logger-only environment, or when a large number of
SmartConnectors are involved, such as in a MSSP deployment.
Connector Appliance SmartConnectors operate within Containers. Each Container runs its
own Java Virtual Machine (JVM). Containers contain one or more SmartConnectors.

Using SmartConnectors on the Connector Appliance


The Connector Appliance manages three types of SmartConnector:

Local (on-board) SmartConnectors

Remote Connector Appliance SmartConnectors

Software-based SmartConnectors

Local (on-board) SmartConnectors


The Connector Appliance includes multiple Containers and on-board SmartConnectors. The
manager interface can be used to manage these local SmartConnectors as well as remote
connectors.
High load on on-board connectors may impact performance of the Connector
Appliance's web-based interface.

Remote Connector Appliance SmartConnectors


The Connector Appliance can manage SmartConnectors on remote Connector Appliances,
as well as other ArcSight hardware solutions such as ArcSight Logger.

Software-Based SmartConnectors
The Connector Appliance can remotely manage SmartConnectors running on any
network-accessible host. These SmartConnectors must be configured for remote management.
Only fifth-generation SmartConnectors support remote management, so
you'll need connector build 4855 (4.0.5.4878.0) or higher to use this
feature.
If you install software SmartConnectors on your own hardware, you will need
to edit the agent.properties file to allow for remote management.
Remote management is turned off by default.

Multiple software-based SmartConnectors installed on the same host require
a separate port assignment. The default port for ArcSight SmartConnectors is
9001, so the second SmartConnector installed on the same host should use
an alternate port. ArcSight recommends using port 9002, 9003, 9004, and so
on.

Supported SmartConnectors
For a complete list of all SmartConnectors supported by the Connector Appliance, see the
Connector Appliance Release Notes or visit the ArcSight Customer Support website. New
SmartConnectors are added on a regular basis.

Choosing an Event Destination


Event destinations may include ArcSight ESM (or ArcSight Manager), ArcSight Logger,
CEF syslog, or a log file.

Manager
When SmartConnectors send events to an ArcSight ESM Manager, the Manager stores the
events in a relational database, processes them using its correlation engine, and makes
them visible to the ArcSight Console or ArcSight Web interfaces.

Logger
SmartConnectors can send CEF events to ArcSight Logger using an encrypted, optionally
compressed, channel called SmartMessage. Logger can also receive CEF Syslog events
from SmartConnectors.
For more detailed information about Logger, see Chapter 6 Using SmartConnectors with
ArcSight Logger on page 45.

CEF Syslog
SmartConnectors can forward events as syslog messages. In this case, the normalized
event is sent using Common Event Format (CEF) which uses name/value pairs. The
Connector Appliance can send syslog over UDP or TCP.

Failover Destination
Each SmartConnector destination can have a failover destination. When communication
with the primary destination fails, the SmartConnector automatically begins sending events
to the designated failover. Failover only works with communication protocols that can
detect transmission failure, such as TCP.
For steps to create a failover destination, see Chapter 8 Failover Destinations on page 93.

Alternate Configurations
You can define alternate configurations for SmartConnectors and specify when the
alternate should be active. For example, aggregation might be specified during peak times
to reduce the number of events moving on the network, and disabled during other times.

Choosing a Deployment Scenario


The Connector Appliance can be deployed wherever ArcSight SmartConnectors are needed
and provides the following benefits:

SmartConnector management without ArcSight ESM (that is, Logger-only


environments)

Remote control of runtime parameters, such as bandwidth control

Centralized SmartConnector upgrade management and control

Central troubleshooting of specific SmartConnectors

ArcSight Logger
ArcSight Logger receives and sends events from and to ArcSight SmartConnectors, but
lacks the depth of SmartConnector management found in ArcSight ESM.
A Logger-only deployment benefits from the Connector Appliance in many capacities, and
provides most of ESM's management functionality, but not all (it does not contain the filter
designer, for example). The Connector Appliance also offers new features, such as bulk
operations (enabling control of many SmartConnectors at one time), that ESM does not.
Connector Appliance can also configure SmartConnectors with failover destinations,
providing central failover control when redundant Loggers are deployed for this purpose.
All or some SmartConnectors can be configured to send events to a second Logger or to an
event file in the case of communication failure with the primary destination.
For more detailed information about Logger, see Chapter 6 Using SmartConnectors with
ArcSight Logger on page 45.

ArcSight ESM
Deploying the Connector Appliance in an ArcSight ESM environment centralizes
SmartConnector upgrade, log management, and other configuration issues. For more
information, see Chapter 7 Configuring SmartConnectors through the Console on page 65.

ESM and Logger


Connector Appliance centralizes control when events are sent to ESM and Logger
simultaneously. In one scenario, all events are sent to Logger while only high-value events
are sent to ESM (for further analysis, for example). In another scenario, all events are sent
to both, but Logger implements a longer retention policy.
Although each SmartConnector has specific destination parameters, the Connector
Appliance allows for bulk management, removing the need to manually access each
remote SmartConnector host to add or change destinations.
For more detailed information and instructions for using Connector Appliance, refer to the
Connector Appliance Administrator's Guide.

Chapter 6
Using SmartConnectors with ArcSight Logger
The following topics are covered in this chapter:
Sending Events from Logger to an ArcSight ESM Manager on page 45
Logger and SmartMessage on page 45
Sending Events to Logger on page 46
Sending Events to Both Logger and an ESM Manager on page 48
Sending Events from ArcSight ESM to Logger on page 50
Defining SmartConnector Settings in Logger on page 52
ArcSight Logger is a hardware storage solution optimized for extremely high event
throughput. Logger logs (or stores) time-stamped text messages, called events, at high
sustained input rates. Events consist of a receipt time, a source (host name or IP address),
and an un-parsed message portion. Logger compresses raw data, but also can retrieve it in
an unmodified form for forensics-quality litigation reporting. Unlike ArcSight ESM, Logger
does not "normalize" events.
Multiple Loggers can work together to support an extremely high event volume. Logger can
be configured as a peer network with queries distributed across all peer Loggers.

Sending Events from Logger to an ArcSight ESM Manager
Logger's most basic function is to store a large volume of security events. Logger can send
a subset of these events to an ArcSight ESM Manager. It sends syslog and/or common
event format (CEF) events directly to ArcSight ESM through a built-in SmartConnector
called an ESM Destination. An ESM Destination appears as a SmartConnector to an ESM
Console. For more information about ESM Destinations, refer to the ArcSight Logger
Administrator's Guide.

Logger and SmartMessage

SmartMessage is ArcSight technology used by Logger to provide a secure channel between
SmartConnectors and ArcSight Logger. SmartMessage provides an end-to-end encrypted
secure channel. At one end is an ArcSight SmartConnector, receiving events from the many
devices it supports; on the other end is the SmartMessage Receiver on Logger.
The SmartMessage secure channel uses HTTPS (secure sockets layer
protocol) to send encrypted events to Logger. This is similar to, but different
from, the encrypted binary protocol used between SmartConnectors and
ArcSight ESM Manager.
Use port 443 (rather than ArcSight's traditional port 8443) because the
secure channel uses HTTPS.

Figure 6-1 Logger Receivers (R) and Forwarders (F)

Sending Events to Logger

1  Set up the SmartMessage Receiver on Logger (refer to the ArcSight Logger
   Administrator's Guide for detailed instructions).
2  Install the SmartConnector component as previously shown (see Chapter 4 Installing
   and Configuring SmartConnectors on page 19 for detailed instructions).
3  Navigate through the panels to the one that states Please select the destination
   type: and select ArcSight Logger SmartMessage (encrypted). Click Next.
4  Enter the Logger Host Name/IP, leave the port number at the default (443), and enter
   the Receiver Name. This setting should match the Receiver name you created in
   step 1 so that Logger can listen to events from this SmartConnector. Click Next.
5  Navigate through the subsequent panels until you receive a message confirming that the
   configuration was successful. Click Finish to complete the process and exit the wizard.

Sending Events to Both Logger and an ESM Manager

1  Set up the SmartMessage Receiver on Logger (refer to the ArcSight Logger
   Administrator's Guide for detailed instructions).
2  Install the SmartConnector component as previously shown (see Chapter 4 Installing
   and Configuring SmartConnectors on page 19 for detailed instructions).
3  Register the SmartConnector with a running ArcSight ESM Manager and test that the
   SmartConnector is up and running.
4  Using the $ARCSIGHT_HOME\current\bin\runagentsetup script (or arcsight
   agentsetup -w), restart the SmartConnector configuration program.
5  When the SmartConnector Configuration Wizard is displayed, select I want to
   add/remove/modify ArcSight Manager destinations and click Next.
6  Select Add new destination and click Next.
7  Select ArcSight Logger SmartMessage (encrypted).
8  Specify the Host Name/IP, the desired Port, and select either Disabled (the default
   value) or Enabled data compression. Click Next.
9  A message confirms that the configuration was successful. Click Finish to complete
   the process and exit the wizard.
10 Restart the SmartConnector for changes to take effect.

Sending Events from ArcSight ESM to Logger


The ArcSight Forwarding SmartConnector can read events from an ESM Manager and
forward them to Logger using CEF format.

Configuring the Forwarding Connector to Send Events to Logger

The Forwarding SmartConnector is a separate installable file, named similarly
to this: ArcSight-4.x.x.<build>.x-SuperConnector-<platform>.exe.
Use ArcSight Forwarding Connector build 4810 or later for compatibility with
Logger v1.5 or later.

1  Install the SmartConnector component normally, but click Cancel to exit the
   installation when the Configuration Wizard asks whether the target Manager uses a
   demo certificate, as shown below.
2  Confirm that you want to exit, then click Done to close the wizard. This installs the
   SmartConnector core software.
3  Create a file called agent.properties in the directory
   $ARCSIGHT_HOME\current\user\agent. This file should contain a single line:
   transport.default.type=cefsyslog
4  Return to the SmartConnector Configuration Wizard using the
   $ARCSIGHT_HOME\current\bin\runagentsetup script (or arcsight agentsetup -w).
5  Specify the required parameters for CEF output. Enter the desired port for UDP or TCP
   output. These settings should match the Receiver you created in Logger to listen for
   events from ArcSight ESM.
Parameter                            Description
Ip/Host                              IP or host name of the Logger
Port                                 514 or another port that matches the Receiver
Protocol                             UDP or Raw TCP
ArcSight Source Manager Host Name    IP or host name of the source ArcSight ESM Manager
ArcSight Source Manager Port         8443 (default)
ArcSight Source Manager User Name    A user account on the source Manager with the user type set
                                     to Super Agent. This user must have privileges that allow
                                     event reading.
ArcSight Source Manager Password     Password for the specified ESM Manager user account
SmartConnector Name                  A name for the ESM-to-Logger connector (visible in the Manager)
SmartConnector Location              Notation of where this SmartConnector is installed
Device Location                      Notation of where the source ESM Manager is installed
Comment                              Optional comments

To configure the ArcSight Forwarding SmartConnector to send CEF output to Logger and
send events to another ArcSight ESM Manager at the same time, see Sending Events to
Both Logger and an ESM Manager on page 48.
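The Forwarding SmartConnector delivers events to Logger as CEF over syslog (UDP or raw TCP, port 514 by default). The parser below is an added example, not code from ArcSight or from this guide; it shows what a Logger-side receiver or a troubleshooting script has to handle in such a line: the syslog prefix, the seven pipe-delimited header fields with their \| and \\ escapes, and the key=value extension whose values may contain spaces and the \=, \\, \n and \r escapes. The sample event, including its vendor, version, signature ID and addresses, is constructed for this example.

```python
"""Parse ArcSight Common Event Format (CEF) events as the Forwarding Connector
sends them to a Logger syslog receiver.

Added example, not code from the ArcSight guide. The sample line below is
constructed for illustration (vendor, version and signature ID included).
"""
import re
from typing import Dict, Tuple

# Header layout: CEF:Version|Device Vendor|Device Product|Device Version|
#                Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys start at the beginning of the extension or right after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")

# Constructed sample: syslog priority/timestamp/host prefix, then the CEF body.
# '\|' inside the Name field and '\=' inside msg are CEF escape sequences.
SAMPLE_LINE = (
    "<134>Feb 13 09:15:02 esm-host CEF:0|ArcSight|ArcSight|4.0.0.5177.0|agent:030|"
    "Agent [test] type [syslog] started\\|running|3|"
    "src=10.0.111.4 dst=10.0.111.9 spt=514 dpt=443 "
    "msg=config\\=changed by operator rt=1234567890000"
)


def _split_header(cef: str) -> Tuple[list, str]:
    """Consume the seven header fields; '\\|' and '\\\\' are escapes, a bare '|'
    is a delimiter. Pipes inside the extension need no escaping, so scanning
    stops after the seventh delimiter. Returns (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def _unescape_value(value: str) -> str:
    """Undo extension escapes: \\= \\\\ \\n \\r."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value with spaces' into a dict. A value runs up to
    the next unescaped 'key=' token, so embedded spaces survive."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog-framed CEF line into header fields plus extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    # Severity is 0-10 numerically, or Low/Medium/High/Very-High textually.
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["syslog_prefix"] = line[:start].rstrip()
    event["extension"] = parse_extension(ext)
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run it directly to print the parsed sample. A receiver that splits on every pipe, or on every "=" character, mis-handles the escaped Name and msg values shown here; that is the case a parser sitting in front of Logger or ESM has to get right.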

Defining SmartConnector Settings in Logger

After installing the SmartConnectors to communicate with Logger, you can set up their
properties through the SmartConnector Configuration Wizard. Assuming you have installed
the SmartConnector component as previously shown (see Chapter 4 Installing and
Configuring SmartConnectors on page 19 for detailed instructions), complete these steps:
1  Using the $ARCSIGHT_HOME\current\bin\runagentsetup script (or
   arcsight agentsetup -w), restart the SmartConnector configuration program.
2  After the SmartConnector Configuration Wizard is displayed, select I want to
   add/remove/modify ArcSight Manager destinations and click Next.
3  Select ArcSight Logger SmartMessage (encrypted) and click Next.
4  Select Modify destination settings and click Next.
5  The following window provides a choice of destination settings to modify. For this
   example, select Time Correction and click Next.
   For detailed descriptions of each configurable setting, see Chapter 7 Configuring
   SmartConnectors through the Console on page 65. For detailed instructions on using
   the Filter option, see Chapter 7 Using Filters in the SmartConnector Configuration
   Wizard on page 83.
6  Each choice opens a unique set of windows to configure. Modify the appropriate
   settings and click Next.
7  The next window asks whether you want to end the session or select new destination
   settings to modify. To make additional modifications, select No; to end the session,
   select Yes.
8  When No is selected, the list of destination settings is redisplayed. When Yes is
   selected, click Finish to end the session.

Chapter 6 Using SmartConnectors with NSP

The following topics are covered in this chapter:
Deploying a Syslog SmartConnector with NCM/TRM on page 58
Configuring the Syslog SmartConnectors on page 59
Installing the SmartConnector on page 61
ArcSight NSP is an appliance that consists of these two licensed software components, also
known as managers:
  Network Configuration Manager (NCM)
  Threat Response Manager (TRM)
These two components build and maintain a detailed understanding of your network's
topology, enabling you to centrally manage your network infrastructure and rapidly respond
to security incidents.
The NCM/TRM solution enables you to automate network configuration changes across
heterogeneous networks, manage and audit configuration changes on the network from a
central console, and obtain quick and easy web-based reports for network device inventory
and configuration settings.
The ArcSight Syslog SmartConnector increases NCM/TRM's visibility into the network. It
detects network configuration changes in syslog format using SNMP traps, which can then
trigger NCM/TRM to launch an action to poll the network devices for the complete, new
configuration.
The benefits of the NCM/TRM solution include:
  Complete visibility into all changes being made to network devices, even if the
  changes are made directly to the network devices.
  Real-time detection and notification for any non-compliant or unauthorized changes.
  Ensured compliance with internal standard operating procedures as well as external
  regulations.
The following instructions apply to SmartConnector version 4.0.6 and
later, which supports SmartMessage communication with NCM/TRM. If you
do not have this or a later SmartConnector build, download the latest from
the ArcSight Customer Support Site.

Deploying a Syslog SmartConnector with NCM/TRM

Deploying NCM/TRM with an ArcSight Syslog Connector also connects NCM/TRM to
ArcSight ESM, enabling you to use ESM's correlation, trending, reporting, and monitoring
tools to track network configuration activity in conjunction with other activity on your
network. An ArcSight Syslog Connector can also connect NCM/TRM with ArcSight Logger,
which provides a clearer picture of network configuration changes happening on your
network.
Other uses for deploying syslog SmartConnectors in conjunction with NCM/TRM include:
  Enabling a hybrid configuration and change control model that permits certain
  changes to be made directly to network devices, while still maintaining control,
  visibility, auditing, and compliance for all changes in a central repository (NCM/TRM).
  Providing a closed-loop solution for capturing network configuration related event
  information from all sources from which the change can be made (NCM/TRM directly,
  proxied through NCM/TRM, or directly to the device) and forwarding this information
  to ESM in an integrated manner.

The SmartConnector installation wizard contains an NSP Device Poll Listener
destination. The Device Poll Listener detects when changes are made to network devices
outside of NCM/TRM. The SmartConnector captures these changes by collecting syslog
output from modified network devices and categorizes the events for ESM.
The SmartConnector then initiates an action through NCM/TRM to poll the specific modified
network devices to determine the precise changes made to the configuration.
At the same time, NCM/TRM can run audits automatically to determine whether the
particular change caused the configuration to fall into a non-compliant state. NCM/TRM
determines this by comparing the current device configuration parameters against the
pre-defined policy or benchmark. If there is a deviation from the policy, the audit fails and
an alert is sent to the appropriate personnel within the organization, notifying them of the
audit failure so they can take immediate action.
You also have the option of forwarding all categorized events to ArcSight ESM or Logger in
a normalized format through ArcSight Common Event Format (CEF) for further analysis or
storage.
By capturing these changes and immediately prompting NCM/TRM to run a device poll or
audit at the precise time of the configuration change, this solution provides an automatic,
real-time, closed-feedback loop for all configuration changes, even if they are made directly
to network devices outside the scope of NCM/TRM.

The following diagram depicts the Syslog SmartConnector solution deployed with
NCM/TRM and ESM.

Figure 6-1 The Syslog SmartConnector solution deployed with ArcSight NSP


The NCM/TRM solution can also be used to remediate the non-compliant
device by rolling back to the previous configuration, or by making the specific
configuration changes required to return the device into a state that is
compliant with the policy or benchmark.

Please keep the following in mind when configuring and deploying NCM/TRM:
  It is optional to run NCM/TRM as an audit while the device is polled; however, it does
  require that audits be currently subscribed to that particular network device or device
  group.
  Alert options include syslog, SNMP, and e-mail.
  Remediation is an optional step, as some administrators may simply want to be alerted
  of the change so they can take their own actions; however, remediation requires that
  the appropriate remediation links be built in advance.
  It is optional to forward events to ESM or Logger. Neither appliance is required for this
  solution to be fully functional.
  For NCM/TRM to poll a network device, it must be previously known within the
  network.

Configuring the Syslog SmartConnectors


This section describes the Syslog SmartConnectors in more detail, and provides instructions
for how to configure them once the SmartConnector appropriate for your operating system
is installed.

The Syslog Daemon SmartConnector

The Syslog Daemon SmartConnector is a syslogd-compatible daemon designed to work in
operating systems that have no syslog daemon in their default configuration, such as
Microsoft Windows. The ArcSight syslog daemon connector implements a UDP receiver on
port 514 (configurable) that can be used to receive syslog events.
If you are using the syslog daemon connector, simply start the connector, either as a
service or as a standalone application, to start receiving events; no further configuration is
needed.
Messages longer than 1024K are split into multiple messages on syslog
daemon; no such restriction exists on syslog file or pipe.

The Syslog Pipe and File SmartConnectors


When a syslog daemon is already in place and configured to receive syslog messages, an
extra line in the syslog configuration file (syslog.conf) can be added to write the events to
either a file or a system pipe. ArcSight SmartConnector can then be configured to read
the events from this file or pipe. In this scenario, the ArcSight SmartConnector runs on the
same machine as the syslog daemon.
The Syslog Pipe SmartConnector is designed to work with an existing syslog daemon.
This SmartConnector is especially useful when storage space is a factor. In this case,
syslogd is configured to write to a named pipe, and the Syslog Pipe SmartConnector reads
from it to receive events.
The Syslog File SmartConnector is similar to the Syslog Pipe SmartConnector; however,
this SmartConnector monitors events written to a syslog file (such as messages.log) rather
than to a system pipe.

Configuring the Syslog Pipe or File SmartConnector


Once the SmartConnector is installed (see Chapter 4 Installing and Configuring
SmartConnectors on page 19), configuration is required to set up your existing syslog
infrastructure to send events to the ArcSight Syslog Pipe or File SmartConnector.
The standard UNIX implementation of a syslog daemon reads the configuration parameters
from the /etc/syslog.conf file, which contains specific details about which events to
write to files, write to pipes, or send to another host. First, create a pipe or a file; then
modify the /etc/syslog.conf file to send events to it.
For syslog pipe:
1  Create a pipe by executing the following command:
   mkfifo /var/tmp/syspipe
2  Add the following line to your /etc/syslog.conf file:
   *.debug /var/tmp/syspipe
   For syslog pipe on Linux, use:
   *.debug |/var/tmp/syspipe
3  After you have modified the file, restart the syslog daemon either by executing the
   scripts /etc/init.d/syslogd stop and /etc/init.d/syslogd start, or by
   sending a `configuration restart` signal.
   On RedHat Linux, execute:
   service syslog restart
   On Solaris and other types of Unix, execute:
   kill -HUP `cat /var/run/syslog.pid`
   This command forces the syslog daemon to reload the configuration and start writing
   to the pipe you just created.
For syslog file:
1  Create a file or use the default for the file into which log messages are to be written.
   For Solaris, the default is /var/adm/messages
   For Linux, the default is /var/log/messages
2  After editing the /etc/syslog.conf file, restart the syslog daemon as described
   above.

The SmartConnector Installation Wizard then prompts you for the absolute path to the
syslog file or pipe you created.
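The pipe set-up above (mkfifo, the selector line, the HUP to syslogd) as a script. This is an added example rather than anything shipped with the SmartConnector: it takes the FIFO, syslog.conf and pidfile paths as parameters, so it can be rehearsed on scratch files before touching /etc/syslog.conf, and it writes either the Linux form of the rule (leading |) or the bare-path form used by Solaris and other traditional syslogds.

```python
"""Prepare the syslogd-to-Syslog Pipe SmartConnector hand-off.

Added example, not from the ArcSight guide: creates the FIFO (mkfifo), appends
the selector line to a syslog.conf (Linux syslogd wants a leading '|' before
a pipe target; Solaris and other traditional syslogds take the bare path) and
signals the daemon named in a pidfile to reload. All paths are parameters so
the functions can be exercised against scratch files.
"""
import os
import signal
import stat
from pathlib import Path

DEFAULT_PIPE = "/var/tmp/syspipe"         # default offered by the connector wizard
DEFAULT_PIDFILE = "/var/run/syslog.pid"   # as in: kill -HUP `cat /var/run/syslog.pid`


def ensure_pipe(pipe: str = DEFAULT_PIPE, mode: int = 0o640) -> bool:
    """Create the named pipe if it does not exist. Refuses to reuse a regular
    file at that path, since syslogd would then fill a file nobody rotates.
    Returns True when a FIFO exists at `pipe` afterwards."""
    path = Path(pipe)
    if path.exists():
        if not stat.S_ISFIFO(path.stat().st_mode):
            raise FileExistsError(f"{pipe} exists and is not a FIFO")
        return True
    # syslogd writes as root; the group read bit is what lets a non-root
    # connector service account read the stream once it owns or shares the group.
    os.mkfifo(pipe, mode)
    return True


def pipe_rule(pipe: str, flavor: str = "linux") -> str:
    """The /etc/syslog.conf line that routes all messages (*.debug) to the pipe."""
    target = f"|{pipe}" if flavor == "linux" else pipe
    return f"*.debug\t{target}"


def add_pipe_rule(conf: str, pipe: str = DEFAULT_PIPE, flavor: str = "linux") -> bool:
    """Append the rule once (idempotent). Returns True when the file changed."""
    rule = pipe_rule(pipe, flavor)
    path = Path(conf)
    existing = path.read_text().splitlines() if path.exists() else []
    if rule in existing:
        return False
    with path.open("a") as fh:
        fh.write(rule + "\n")
    return True


def reload_syslogd(pidfile: str = DEFAULT_PIDFILE) -> int:
    """Python equivalent of kill -HUP `cat pidfile`: make syslogd re-read its
    configuration and open the pipe. Returns the pid that was signalled."""
    pid = int(Path(pidfile).read_text().strip())
    os.kill(pid, signal.SIGHUP)
    return pid


if __name__ == "__main__":
    ensure_pipe(DEFAULT_PIPE)
    if add_pipe_rule("/etc/syslog.conf", DEFAULT_PIPE, "linux"):
        print("rule added to /etc/syslog.conf")
    print("signalled syslogd pid", reload_syslogd(DEFAULT_PIDFILE))
```

Start the Syslog Pipe SmartConnector before calling reload_syslogd(): a FIFO with no reader cannot be written to, and how the daemon copes with that (retrying, dropping or blocking) differs between syslogd implementations.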

Installing the SmartConnector


Install the daemon, syslog pipe or syslog file SmartConnector appropriate for your operating
system using the SmartConnector Installation Wizard. The wizard will guide you through
the installation process. When prompted, select one of the following Syslog
SmartConnectors (see Configuring the Syslog Pipe or File SmartConnector on page 60
for more information):
  Syslog Daemon
  Syslog Pipe
  Syslog File
The Syslog Daemon SmartConnector is supported on Windows, Linux, Solaris, and AIX
platforms. The Syslog Pipe and File SmartConnectors are supported on Linux, Solaris, AIX,
and HP UNIX.
Because all syslog SmartConnectors are sub-connectors of the main syslog
SmartConnector, the name of the specific syslog SmartConnector you are
installing is not required during installation.

The syslog daemon listens on port 514 (configurable) for UDP syslog events; the syslog
pipe and syslog file read events from a system pipe or file, respectively. Select the one that
best fits your syslog infrastructure setup.
Before installing the SmartConnector, be sure the following are available:
  Local access to the machine where the SmartConnector is to be installed
  Administrator passwords

To install a syslog SmartConnector to send events to the NSP Device Poll Listener:
1  Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location
   of the ArcSight SmartConnector Installer directory.
2  Start the ArcSight SmartConnector Installer by running the executable for your
   operating system.
   When installing a syslog daemon SmartConnector in a UNIX environment, run
   the executable as 'root' user.
3  Follow the installation wizard through the following folder selection tasks and
   installation of the core connector software:
     Introduction
     Choose Install Folder
     Choose Install Set
     Choose Shortcut Folder
     Pre-Installation Summary
     Installing...
   When the installation of ArcSight SmartConnector core component software is
   finished, the following window is displayed:
4  Select NSP Device Poll Listener from the selections and click Next.

5  Enter the NCM Host name or IP address, the NCM/TRM User, and the NCM/TRM
   Password. The NCM/TRM Host is the IP address or hostname of the NCM/TRM
   system that will interact with the syslog connector. The NCM/TRM User and
   NCM/TRM Password are the user name and password credentials you use to log
   into the NCM/TRM system.
6  Click Next.
7  The Configuration Wizard displays a list of available SmartConnectors you can
   configure. Select Syslog Daemon, Syslog Pipe, or Syslog File and click Next.
8  Enter the required SmartConnector parameters to configure the SmartConnector, then
   click Next.
Parameter                  Field                     Description
Syslog Daemon Parameters   Network port              The SmartConnector for Syslog Daemon listens for
                                                     syslog events on this port.
                           IP Address                The SmartConnector for Syslog Daemon listens for
                                                     syslog events only on this IP address (accept the
                                                     default (ALL) to bind to all available IP
                                                     addresses).
                           Protocol                  The SmartConnector for Syslog Daemon uses the
                                                     selected protocol (UDP or Raw TCP) to receive
                                                     incoming messages.
Syslog Pipe Parameters     Pipe Absolute Path Name   Absolute path to the pipe, or accept the default:
                                                     /var/tmp/syspipe
                           Protocol                  The SmartConnector for Syslog Pipe uses the
                                                     selected protocol (UDP or Raw TCP) to receive
                                                     incoming messages.
Syslog File Parameters     File Absolute Path Name   Absolute path to the file, or accept the default:
                                                     /var/adm/messages (Solaris) or
                                                     /var/log/messages (Linux)
                           Protocol                  The SmartConnector for Syslog File uses the
                                                     selected protocol (UDP or Raw TCP) to receive
                                                     incoming messages.

9  Enter a name for the SmartConnector and provide any other information that identifies
   how the connector is used in your environment. Click Next.

10 Read the SmartConnector summary and click Next. If the summary is incorrect, click
Back to make changes.
11 When the SmartConnector completes its configuration, click Next. The Wizard now
prompts you to choose whether you want to run the SmartConnector stand-alone or
as a service. If you choose to run the SmartConnector as a service, the Wizard
prompts you to define service parameters for the SmartConnector.
When running any SmartConnector as a service on Windows, specify the
file path in UNC (for example, \\10.0.111.4\xyz) and not as a network
mapped drive (Z:\xyz). Also, you will most likely need to change the
user who runs the service (by default SYSTEM), because the user running
the service must have access to the UNC path.

12 After making your selections, click Next. The Wizard displays a dialog confirming the
SmartConnector's setup and service configuration.
13 Click Finish.
For some SmartConnectors, a system restart is required before the configuration
settings you made take effect. If a System Restart window is displayed, read the
information and initiate the system restart operation.
Save any work on your computer or desktop and shut down any other
running applications (including the ArcSight Console, if it is running),
then shut down the system.

Chapter 7 Configuring SmartConnectors through the Console
Using the ArcSight ESM Console, you can configure and send control commands to
ArcSight SmartConnectors, set conditions that filter out events, and set ArcSight severity
levels. This chapter presents the basic information; for more detailed information about
managing ArcSight SmartConnectors, refer to the ArcSight ESM v4.0 Administrator's Guide
and the ArcSight ESM Console Help.
The following topics are discussed in this chapter:
Overview on page 65
Obtaining SmartConnector Status on page 66
Selecting and Setting SmartConnector Parameters on page 66
SmartConnector Time Interval Options on page 85
Setting Special Severity Levels on page 86
Sending Control Commands to SmartConnectors on page 87
Disabling Event Compression on page 89

Overview
ArcSight SmartConnectors can be configured to optimize their performance and increase
their function. You can configure them to enable aggregation, batching, and time
correction as well as to send control commands from the ArcSight Console to ArcSight
SmartConnectors to manage the flow of events.
Based upon filtering conditions, ArcSight SmartConnectors can filter events sent to the
ArcSight ESM Manager. Filtering conditions are set with a combination of AND or OR
statements and data field values. Extraneous events can be filtered out to minimize the
number of events sent to the ESM Manager and displayed in the Console.
Events filtered out by ArcSight SmartConnectors are not reported to the
ArcSight ESM Manager, so they will not be stored or be available later from
the ArcSight Database.

You can configure SmartConnectors to set a specific severity level for events that match
specific criteria. One typical application is to change the default severity mapping. By
default, SmartConnectors map the device severity (which can contain multiple levels) to
the standard ArcSight severity levels: Very High, High, Medium, and Low.
For example, if a device has eight severity levels (0-7), where 0 is the highest severity,
most likely 0 and 1 are mapped to Very High, 2 and 3 to High, 4 and 5 to Medium, and
6 and 7 to Low. You can change this behavior and make the SmartConnector set the
severity based upon different parameters.
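The Default: Content tab described later in this chapter defines batching by two triggers, a block size (5 to 100 events) and a time window (1 to 60 seconds), plus a Batch By choice between Time Based and Severity Based ordering. The model below is an added example, not ArcSight's implementation, that makes the consequences of those settings visible: which events share a block, when a block leaves the connector, and how Severity Based ordering reorders delivery. Keeping one open block per severity level in Severity Based mode is an assumption of the model; the events and timestamps are constructed.

```python
"""Model of SmartConnector event batching: a block is released when it reaches
`batch_size` events or when `window_seconds` have passed since it was opened,
whichever comes first; in severity mode, released blocks are handed to the
transport highest severity first.

Added example, not ArcSight's implementation. Keeping one open block per
severity level in severity mode is an assumption made for this model; the
sample events and timestamps used with it are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# ArcSight severity levels, ranked for ordering (0 = sent first).
SEVERITY_RANK = {"Very High": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Event:
    name: str
    severity: str       # key of SEVERITY_RANK
    received_at: float  # connector receipt time, seconds


@dataclass
class Batch:
    group: str           # severity in severity mode, "*" in time mode
    opened_at: float
    events: List[Event] = field(default_factory=list)


class EventBatcher:
    def __init__(self, batch_size: int = 10, window_seconds: float = 5.0,
                 batch_by: str = "time"):
        if batch_by not in ("time", "severity"):
            raise ValueError("batch_by must be 'time' or 'severity'")
        self.batch_size = batch_size
        self.window = window_seconds
        self.batch_by = batch_by
        self._open: Dict[str, Batch] = {}   # blocks still being filled
        self._ready: List[Batch] = []       # blocks waiting for the transport

    def add(self, ev: Event) -> None:
        """Queue an event; trigger (1): the block reached batch_size."""
        key = ev.severity if self.batch_by == "severity" else "*"
        block = self._open.get(key)
        if block is None:
            block = self._open[key] = Batch(key, ev.received_at)
        block.events.append(ev)
        if len(block.events) >= self.batch_size:
            self._ready.append(self._open.pop(key))

    def tick(self, now: float) -> None:
        """Trigger (2): release open blocks whose time window has expired."""
        for key in list(self._open):
            if now - self._open[key].opened_at >= self.window:
                self._ready.append(self._open.pop(key))

    def drain(self) -> List[Batch]:
        """Hand ready blocks to the transport. Severity Based: highest first;
        the sort is stable, so equal-severity blocks keep arrival order."""
        ready, self._ready = self._ready, []
        if self.batch_by == "severity":
            ready.sort(key=lambda b: SEVERITY_RANK[b.group])
        return ready


if __name__ == "__main__":
    # Constructed timeline: three Low events fill a block of 3 at t=1.5;
    # one High and two Very High events wait for the 5 s window instead.
    b = EventBatcher(batch_size=3, window_seconds=5, batch_by="severity")
    for t, sev in [(0.0, "Low"), (0.5, "High"), (1.0, "Low"), (1.5, "Low"),
                   (2.0, "Very High"), (2.5, "Very High")]:
        b.add(Event("constructed", sev, t))
    for now in (1.5, 4.0, 7.5):
        b.tick(now)
        print(now, [(x.group, len(x.events)) for x in b.drain()])
```

In Severity Based mode a Low block that has not filled waits for the full window while later Very High blocks overtake it, which an analyst sees as out-of-order arrival in the Console; with a long window and a large block size, a single low-rate event can sit in the connector for the whole window before it is sent.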

Obtaining SmartConnector Status


ArcSight SmartConnectors display their status on the Connectors tab in the Navigator
window of the ArcSight ESM Console. One of the following messages is displayed next to
the SmartConnector name:
down
The SmartConnector is not connected to the ESM Manager; therefore, no events are
received.
running
The SmartConnector is connected to the ESM Manager; therefore, any events sent are
received.
stopped
The SmartConnector is responding to the ESM Manager, but no events are sent from
the SmartConnector to the Console. When the SmartConnector is stopped, events are
lost.
paused
The SmartConnector is responding to the ESM Manager, but events are being cached
in the SmartConnector. When the SmartConnector is paused, events are cached and
eventually sent to the Manager when the SmartConnector is again active.
For current operational status at any time, in the Connectors resource tree, right-click the
SmartConnector and select Send Command -> Status -> Get Status. The
SmartConnector's current parameters are displayed in the SmartConnector Status
window.

Selecting and Setting SmartConnector Parameters


From the Console, the SmartConnector Configuration Editor is your way to control
SmartConnectors.
1  In the Navigator panel, select the Connectors resource tree.
2  In the Connectors resource tree, right-click the ArcSight SmartConnector you want to
   manage and select Configure. The Inspect/Edit panel for the Connector Editor is
   displayed. On the Connector tab, the Name field is automatically populated with the
   name assigned during SmartConnector Installation, as well as the creation date and
   other information.
3  On the Default tab, change any additional Batching, Time Correction, or other
   parameters as desired, using the configuration field explanations provided in the
   following "Connector Editor Option Tabs" and "Configuration Fields" sections.
4  Click Apply to add your changes and to keep the Connector Editor open. To apply
   your changes and close the Connector Editor, click OK, or, if applicable, click Add
   Alternate to save your changes as an alternate configuration you can select and
   apply later.

These parameters are not localized because they come directly from the SmartConnector
and the SmartConnector may contain new resources (it could be a newer version).
The framework for SmartConnector commands operates in a similar way. Configuration of
the connector command menu is achieved by sending the list of commands that are
supported on the SmartConnector at registration time.
There are several controls you can adjust in the Connector Editor. The variety of options
are best summarized by briefly describing what is available at each of the editor's tabs and
subtabs.

Connector Editor Option Tabs

Connector Tabs       Options
Connector            Basic identification, ownership, and date/time parameters.
Networks             The ArcSight network(s) to which the SmartConnector is or can be assigned.
Default: Content     Includes options for report batching, aggregation, and time corrections.
Default: Filters     A filter condition editor for constraining what the SmartConnector reports.
Alternate: Content   A set of options identical to those under Default, which you can use to
                     create alternate configurations.
Alternate: Filters   A filter condition editor for constraining what the SmartConnector reports,
                     in an alternate configuration.
Notes: Table         A text editor for, and tabular list of, configuration notes.
Notes: List          A text editor for, and text presentation of, configuration notes.

Configuration Fields
You can perform basic configuration tasks through the Connector and Default: Content
tabs. Find their names and values in the tables below.
Name Field               Value Field
Name                     The Name text field is automatically populated with the name assigned
                         during SmartConnector installation.
ID                       The identification string assigned during SmartConnector installation.
Status                   The SmartConnector's current mode of operation.
Connector Location       A description of the (usually) physical location of the SmartConnector.
Device Location          A description of the (usually) physical location of the device the
                         SmartConnector is monitoring.
Version                  The SmartConnector's software version number.
External ID              An identification string suitable for, and which can be referenced by,
                         systems outside ArcSight. Common applications of External IDs include
                         appropriate naming for Case and Asset resources that are tracked in
                         common with defect reporting or vulnerability-management systems. Your
                         ArcSight administrator can advise you on the correct values for this
                         field, if applicable.
Alias                    An identification string suitable for referencing resources within
                         ArcSight. A given alias appears in place of the resource's name
                         everywhere it may be seen. Your ArcSight administrator can advise you
                         on the correct values for this field, if applicable.
Description              A text description of the configuration or other related information.
Owner                    An ArcSight user (selected from the Users resource tree) who should be
                         notified about this SmartConnector.
Notification Groups      The ArcSight user groups (selected from the Users resource tree) who
                         should be notified about this SmartConnector.
Created By               A user identity provided at SmartConnector installation.
Creation Time            The time of SmartConnector installation.
Time Since Creation      A value calculated from Creation Time.
Last Updated By          The time of the last configuration change.
Last Update Time         The time of the last configuration change.
Time Since Last Update   A value calculated from Last Update Time.

Default Content Tab Configuration Fields

Name Field                        Value Field
Batching                          SmartConnectors can batch events to increase performance and
                                  optimize network bandwidth. When activated, SmartConnectors
                                  create blocks of events and send them when they either (1) reach
                                  a certain size or (2) the time window expires. You can also
                                  prioritize batches by severity, forcing the SmartConnector to
                                  send the highest-severity event batches first and the
                                  lowest-severity event batches later.
  Enable Batching (per event)     Create batches of events of this specified size (5, 10, 20, 50,
                                  100 events).
  Enable Batching (in seconds)    The SmartConnector sends the events if this time window expires
                                  (1, 5, 10, 15, 30, 60).
  Batch By                        This is Time Based should the SmartConnector send batches as
                                  they arrive (the default) or Severity Based should the
                                  SmartConnector send batches based on severity (batches of
                                  Highest Severity events are sent first).
Time Correction
  Use Connector Time as           Yes/No, default is No. Override the time the device reports and
  Device Time                     instead use the time at which the SmartConnector received the
                                  event. This option assumes that the SmartConnector is more likely
                                  to report the correct time.
  Enable Device Time              The SmartConnector can adjust the time reported by the device
  Correction (in seconds)         (Detect Time), using this setting. This is useful when a remote
                                  device's clock is not synchronized with the ArcSight Manager.
                                  This should be a temporary setting. The recommended way to
                                  synchronize clocks between Manager and devices is the NTP
                                  protocol.
  Enable Connector Time           The SmartConnector can also adjust the time it reports for
  Correction (in seconds)         itself (Connector Time), using this setting. This is for
                                  informational purposes only and does not modify the local time
                                  on the SmartConnector. This should be a temporary setting. The
                                  recommended way to synchronize clocks between Manager and
                                  SmartConnectors is the NTP protocol.

ArcSight Confidential

SmartConnector Users Guide 69

7 Configuring SmartConnectors through the Console

Name Field

Value Field
Set Device Time Zone
To

Device Time
Auto-correction

Disabled/Enabled, default is disabled.


Ordinarily, it is presumed that the original
device is reporting its time zone along with its
time. And if not, it is then presumed that the
SmartConnector is doing so. If this is not true,
or the device isn't reporting correctly, you can
switch this option from Disabled to GMT or to
a particular world time zone. That zone is
applied to the reported time.
The values you set for these fields establish
forward and backward time limits that, if
exceeded, cause the SmartConnector to
automatically correct the time reported by the
device.

Future Threshold

Default is -1. Value must be set to a positive


number to activate auto correction.
The SmartConnector sends the internal alert if
the detect time is later than the
SmartConnector time by Future Threshold
seconds.

Past Threshold

Default is -1. Value must be set to a positive


number to activate auto correction.
The SmartConnector sends the internal alert if
the detect time is earlier than the
SmartConnector time by Past Threshold
seconds.

Device List

Time Checking

A comma-separated list of the devices to


which the thresholds apply. The default, (ALL)
means all devices.
These are the time span and frequency
factors for doing device-time checking.

Future Threshold

Default is 5 minutes (300 seconds). The


number of seconds by which to extend the
connector's forward threshold for time
checking.

Past Threshold

Default is 1 hour (3,600 seconds). The


number of seconds by which to extend the
connector's rear threshold for time checking.

Frequency

The SmartConnector checks its future and


past thresholds at intervals specified by this
number of seconds. The default time is 1
minute (60 seconds).
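As an added example that is not ArcSight code, the following Python models how the Time Correction, Device Time Auto-correction and Device List settings above combine for one event: a device time that carries no zone gets the configured zone, the device and connector offsets are added, the connector's receipt time can replace the device time, and a positive Future or Past Threshold raises an internal alert. The page does not say what value the corrected time takes, so falling back to the connector clock is an assumption, as are all attribute and function names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class TimeSettings:
    """Subset of the Time Correction settings above; attribute names are this example's own."""
    use_connector_time_as_device_time: bool = False   # Use Connector Time as Device Time (Yes/No)
    device_time_correction_s: int = 0                 # Enable Device Time Correction (in seconds)
    connector_time_correction_s: int = 0              # Enable Connector Time Correction (in seconds)
    device_time_zone: Optional[timezone] = None       # Set Device Time Zone To; None means Disabled
    future_threshold_s: int = -1                      # Future Threshold; -1 leaves auto correction off
    past_threshold_s: int = -1                        # Past Threshold; -1 leaves auto correction off
    device_list: str = "(ALL)"                        # Device List; comma-separated names or (ALL)


@dataclass
class Event:
    device: str
    detect_time: datetime                  # time reported by the device; may carry no zone
    receipt_time: datetime                 # time the connector received the event (zone-aware)
    original_detect_time: Optional[datetime] = None   # kept when a correction alters Detect Time
    alerts: List[str] = field(default_factory=list)   # internal alerts raised by the thresholds


def threshold_applies(settings: TimeSettings, device: str) -> bool:
    """Device List: '(ALL)' or a comma-separated list of device names the thresholds apply to."""
    if settings.device_list.strip() == "(ALL)":
        return True
    return device in [name.strip() for name in settings.device_list.split(",")]


def correct_time(ev: Event, settings: TimeSettings) -> Event:
    """Apply the time settings to one event and run the Future/Past Threshold checks."""
    # Set Device Time Zone To: a device time without a zone gets the configured one; with the
    # option Disabled we presume the connector supplies its own zone (UTC in this example).
    if ev.detect_time.tzinfo is None:
        ev.detect_time = ev.detect_time.replace(tzinfo=settings.device_time_zone or timezone.utc)

    # Device Time Correction: a fixed offset while a remote clock is skewed (temporary; use NTP).
    if settings.device_time_correction_s:
        ev.original_detect_time = ev.detect_time
        ev.detect_time += timedelta(seconds=settings.device_time_correction_s)

    # Use Connector Time as Device Time: the device's clock is discarded altogether.
    if settings.use_connector_time_as_device_time:
        ev.original_detect_time = ev.original_detect_time or ev.detect_time
        ev.detect_time = ev.receipt_time

    # Connector Time Correction changes only the connector time that is reported, not the host clock.
    connector_time = ev.receipt_time + timedelta(seconds=settings.connector_time_correction_s)

    # Auto-correction: a threshold is active only when positive and only for listed devices.
    if threshold_applies(settings, ev.device):
        skew_s = (ev.detect_time - connector_time).total_seconds()
        if settings.future_threshold_s > 0 and skew_s > settings.future_threshold_s:
            ev.alerts.append("future")
        elif settings.past_threshold_s > 0 and -skew_s > settings.past_threshold_s:
            ev.alerts.append("past")
        if ev.alerts:
            # Assumed correction: fall back to the connector's clock and keep the original value.
            ev.original_detect_time = ev.original_detect_time or ev.detect_time
            ev.detect_time = connector_time
    return ev
```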

Cache
Changing these settings does not affect the events already cached, only new events.

  Cache Size: SmartConnectors use a compressed disk cache to hold large volumes of events when the ArcSight Manager is down or when the SmartConnector receives bursts of events. This parameter specifies the disk space to use. The default is 1 GB which, depending on the SmartConnector, can hold about 15 million events, but it also can go down to 5 MB. When this disk space is full, the SmartConnector drops the oldest events to free up disk cache space. (5 MB, 50 MB, 100 MB, 200 MB, 250 MB, 500 MB, 1 GB, 2.5 GB, 5 GB, 10 GB, 50 GB.)

  Notification Threshold: The size of the cache's event content at which a trigger notification occurs. The default is 10,000.

  Notification Frequency: How often to send notifications once the Notification Threshold is reached. (1 min, 5 min, 10 min, 30 min, 60 min.)

Network

  Heartbeat Frequency: Default is 10 seconds. Range is 5 seconds to 10 minutes. This setting controls how often the SmartConnector sends a heartbeat message to the ArcSight Manager. Note that the heartbeat is also used to communicate with the SmartConnector; therefore, if its frequency is set to 10 minutes, it could take as much as 10 minutes to send any configuration information or commands back to the SmartConnector.

  Enable Name Resolution: Enabled/disabled, default is enabled. The SmartConnector tries to resolve IP addresses to host names, and host names to IP addresses, if the event rate allows it and if required. This setting controls this functionality. The Source, Target and Device IP addresses and Hostnames may also be affected by this setting.

  Name Resolution Host Name Only: Yes/No, default is yes. If set to yes, for reverse resolution (IP Address to Host name), only the host name field is set. If set to no, the host name is split up and put into both the DNS domain and the host name fields. This affects the source, destination, device and SmartConnector name fields.

  Name Resolution Domain from Email: Yes/No, default is yes. If set to yes, and the host name and DNS domain fields are empty, and the corresponding user name field appears as an email address, then the domain from the email address is put in the DNS domain field. This only affects the source and destination fields.

  Clear Host Names Same as IP Address: Yes/No, default is yes. If set to yes and the host name field is set to an IP Address that matches the corresponding IP Address field, then the host name field is cleared. This affects the source, destination, and device fields.

  Don't Resolve Host Names Matching: Default is empty. Takes a regular expression as a value and skips resolution for host names matching the regular expression, for example, .*arcsight.com.

  Don't Reverse-Resolve IP Ranges: Default is empty. Takes a list of IP address ranges as a value and skips reverse resolution for all the IP addresses that fall in any given range. For example, 10.0.111.1-10.0.111.255,192.168.21.1-192.168.21.255
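Added Python example (not ArcSight's implementation) of the name-resolution options just listed: the exclusion regular expression and the reverse-resolution IP ranges decide whether a lookup happens at all, and the remaining Yes/No options shape the host name, DNS domain and user name fields afterwards. No DNS is queried; the lookup is an injected table, and the field names and the order in which the options are applied are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed settings, written the way the Console fields take them.
DONT_RESOLVE_HOSTS = ".*arcsight.com"      # Don't Resolve Host Names Matching (regular expression)
DONT_REVERSE_RANGES = "10.0.111.1-10.0.111.255,192.168.21.1-192.168.21.255"  # Don't Reverse-Resolve IP Ranges


def parse_ip_ranges(setting: str) -> list:
    """'first-last,first-last' -> list of (first, last) addresses; an empty setting yields no ranges."""
    ranges = []
    for item in (s.strip() for s in setting.split(",")):
        if not item:
            continue
        first, _, last = item.partition("-")
        lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address((last or first).strip())
        ranges.append((lo, hi))
    return ranges


def should_reverse_resolve(ip: str, setting: str = DONT_REVERSE_RANGES) -> bool:
    """False when the address falls inside any excluded range (bounds are inclusive)."""
    addr = ipaddress.ip_address(ip)
    return not any(lo <= addr <= hi for lo, hi in parse_ip_ranges(setting))


def should_forward_resolve(host: str, pattern: str = DONT_RESOLVE_HOSTS) -> bool:
    """False when the host name matches the exclusion regular expression."""
    return not (pattern and re.fullmatch(pattern, host))


@dataclass
class Endpoint:
    """Address-related fields of one side of an event (source or destination)."""
    address: Optional[str] = None
    host_name: Optional[str] = None
    dns_domain: Optional[str] = None
    user_name: Optional[str] = None


def resolve_endpoint(ep: Endpoint, reverse_lookup: Callable[[str], Optional[str]],
                     host_name_only: bool = True, domain_from_email: bool = True,
                     clear_same_as_ip: bool = True) -> Endpoint:
    """Apply the Yes/No name-resolution options to one endpoint (the ordering is this example's)."""
    # Clear Host Names Same as IP Address: a host name that merely repeats the address is dropped.
    if clear_same_as_ip and ep.host_name and ep.address and ep.host_name == ep.address:
        ep.host_name = None
    # Reverse resolution (IP -> name) only when the name is missing and the ranges allow it.
    if ep.address and not ep.host_name and should_reverse_resolve(ep.address):
        fqdn = reverse_lookup(ep.address)
        if fqdn and (host_name_only or "." not in fqdn):
            ep.host_name = fqdn                                  # Name Resolution Host Name Only = yes
        elif fqdn:
            ep.host_name, ep.dns_domain = fqdn.split(".", 1)    # = no: split into host and DNS domain
    # Name Resolution Domain from Email: still no host or domain, but the user name is an address.
    if (domain_from_email and not ep.host_name and not ep.dns_domain
            and ep.user_name and "@" in ep.user_name):
        ep.dns_domain = ep.user_name.rsplit("@", 1)[1]
    return ep
```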

  Limit Bandwidth To: Enabled/disabled, default is disabled. Range is 1 kbit/sec to 100 Mbits/sec. A list of bandwidth options you can use to constrain the SmartConnector's output over the network.

  Transport Mode: You can configure the SmartConnector to cache to disk all the processed events it receives. This is equivalent to pausing the SmartConnector. However, you can use this setting to delay event-sending during particular time periods. For example, you could use this setting to cache events during the day and send them at night. You can also set the SmartConnector to cache all events, except for those marked with a very-high severity, during business hours, and send the rest at night. (Normal | Cache | Cache (but send Very High severity events).)

  Address-based Zone Population Defaults Enabled: This field applies to ESM version 3.0 ArcSight Managers, and is not relevant for v3.5 or v4.0 (these versions have integral zone mapping).

  Address-based Zone Population: This field applies to ESM version 3.0 ArcSight Managers, and is not relevant for v3.5 or v4.0 (these versions have integral zone mapping). For version 3.0, this table allows you to define ranges of IP addresses to map to specific zones. Each row of the table defines a range to map to one zone. The system chooses the first matching range, and ranges may overlap, so enter the smaller ranges first. Assuming the default zones are enabled (Address-based Zone Population Defaults Enabled = yes), the zones entered here take precedence over the default zones, so the default zones are only used if none of these ranges match.

  Zone Population Mode: Default is Normal. Values are:
    Normal: Zones are computed and assigned if they are not already set.
    Rezone (override): Re-compute and reassign if the zones are already populated.
    No Zoning (clear): Clear the zones if they are populated.

  Customer URI: Applies the given customer URI to events emanating from the SmartConnector. Provided the customer resource exists, all customer fields are populated on the ArcSight Manager. If this particular SmartConnector is reporting data that might apply to more than one customer, you can use Velocity templates in this field to conditionally identify those customers.

  Source Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's source address. How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Source Translated Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's translated source address. The translation is presumed to be NAT (network address translation). How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Destination Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's destination address. How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Destination Translated Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's translated destination address. The translation is presumed to be NAT (network address translation). How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Connector Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's address. How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Connector Translated Zone URI: When populated, this field shows the URI of the zone associated with the SmartConnector's translated address. The translation is presumed to be NAT (network address translation). How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Device Zone URI: When populated, this field shows the URI of the zone associated with the device's address. How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

  Device Translated Zone URI: When populated, this field shows the URI of the zone associated with the device's translated address. The translation is presumed to be NAT (network address translation). How this field gets populated is discussed in the Zones section of the SmartConnectors topic. This field is present for v3.0 compatibility. It is not relevant in v3.5 or v4.0 because of integral zone mapping.

Field Based Aggregation
This feature is an extension of basic connector aggregation. Basic aggregation aggregates two events if, and only if, the fields of the two events are the same per the fields listed in the description of Enable Aggregation (in seconds) on page 78. Field-based aggregation implements a more flexible aggregation mechanism: two events are aggregated if only the selected fields are the same for both events. (Note: Field-based aggregation creates a new alert that contains only the fields that were specified, so the rest of the fields are ignored, unless Preserve Common Fields is set to Yes.)
Field-based aggregation offers several advantages over basic aggregation, including:
  - Control over what fields to aggregate on
  - Start and end time set to the earliest start time and latest end time, respectively (instead of taking the values from the first event in the group, like basic aggregation)
  - Option to preserve common fields
  - Option to sum one or more numeric fields
SmartConnector aggregation significantly reduces the amount of data received, and should be applied only when you use less than the total amount of information the event offers. For example, you could enable field-based aggregation to aggregate "accepts" and "rejects" in a firewall, but you should use it only if you are interested in the count of these events, instead of all the information provided by the firewall.
Note: The legacy, basic aggregation feature is described in the field description for Enable Aggregation (in seconds) on page 78.

  Time Interval: Choose a time interval, if applicable, to use as a basis for aggregating the events the SmartConnector collects. It is exclusive of Event Threshold. (Disabled, 1 sec, 5 sec, and so on, up to 1 hour.)

  Event Threshold: Choose a number of events, if applicable, to use as a basis for aggregating the events the SmartConnector collects. This is the maximum count of events that can be grouped; for example, if 150 events were found to be the same within the time interval selected (i.e., contained the same selected fields) and you select an event threshold of 100, you will then receive two events, one of count 100 and another of count 50. This option is exclusive of Time Interval. (Disabled, 10 events, 50 events, and so on, up to 10,000 events.)

  Field Names: Choose one or more fields, if applicable, to use as the basis for aggregating the events the SmartConnector collects. Use Ctrl+click to select multiple fields. The result is a comma-separated list of fields to monitor. For example, "eventName,deviceHostName" would aggregate events if they have the same event name and device host name. You can use any of the event fields displayed in the event inspector; the name can contain no spaces and the first letter should not be capitalized.

  Fields to Sum: If specified, this set of numeric fields is summed rather than aggregated, preserved, or discarded. The most common fields to sum are bytesIn and bytesOut. Note that if any of the fields listed here are also in the list of field names to aggregate, they are aggregated and not summed.

  Preserve Common Fields: Yes/No, default is no. Choosing yes adds fields to the aggregated event if they have the same values for each event. Choosing no ignores non-aggregated fields in aggregated events.

Filter Aggregation
Filter Aggregation is a way of capturing aggregated event data from events that would otherwise be discarded due to a SmartConnector filter. Only events that would be filtered out are considered for filter aggregation (unlike Field-based aggregation, which looks at all events).

  Time Interval: Choose a time interval, if applicable, to use as a basis for aggregating the events the SmartConnector collects. It is exclusive of Event Threshold. (Disabled, 1 sec, 5 sec, and so on, up to 1 hour.)

  Event Threshold: Choose a number of events, if applicable, to use as a basis for aggregating the events the SmartConnector collects. This is the maximum count of events that can be aggregated; for example, if 150 events were found to be the same within the time interval selected (i.e., contained the same selected fields) and you select an event threshold of 100, you will then receive two events, one of count 100 and another of count 50. This option is exclusive of Time Interval. (Disabled, 10 events, 50 events, and so on, up to 10,000 events.)

  Fields to Sum: If specified, this set of numeric fields is summed rather than aggregated, preserved, or discarded. The most common fields to sum are bytesIn and bytesOut.
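The field-based aggregation described above, and filter aggregation (which applies the same grouping only to events the connector filter would drop), as one added Python example that is not ArcSight code: events are grouped on the selected Field Names within a Time Interval or up to the Event Threshold (the 150-event case yields blocks of 100 and 50), Fields to Sum are added up unless they are also grouping fields, start and end times take the earliest and latest values, and Preserve Common Fields keeps fields on which every event agrees. The flat event representation and the field names are assumptions.

```python
from typing import Callable, Dict, Iterable, List, Sequence

Event = Dict[str, object]   # constructed flat event: field name -> value, as the event inspector shows them


def aggregate(events: Iterable[Event], field_names: Sequence[str], fields_to_sum: Sequence[str] = (),
              event_threshold: int = 0, time_interval_s: int = 0,
              preserve_common_fields: bool = False) -> List[Event]:
    """Field-based aggregation. event_threshold / time_interval_s of 0 mean Disabled; the
    Console offers one or the other, but this function accepts either or both."""
    groups: Dict[tuple, List[List[Event]]] = {}      # key -> blocks of events sharing that key
    for ev in sorted(events, key=lambda e: e["startTime"]):
        key = tuple(ev.get(f) for f in field_names)
        blocks = groups.setdefault(key, [])
        current = blocks[-1] if blocks else None
        # Open a new block when none exists, the threshold is reached, or the interval has elapsed.
        if (current is None
                or (event_threshold and len(current) >= event_threshold)
                or (time_interval_s and ev["startTime"] - current[0]["startTime"] >= time_interval_s)):
            current = []
            blocks.append(current)
        current.append(ev)

    out: List[Event] = []
    for key, blocks in groups.items():
        for block in blocks:
            agg: Event = dict(zip(field_names, key))             # only the selected fields survive
            agg["baseEventCount"] = len(block)
            agg["startTime"] = min(e["startTime"] for e in block)   # earliest start ...
            agg["endTime"] = max(e["endTime"] for e in block)       # ... and latest end
            for f in fields_to_sum:
                if f not in field_names:                   # a field in both lists is aggregated, not summed
                    agg[f] = sum(e.get(f, 0) for e in block)
            if preserve_common_fields:                     # keep fields whose value every event agrees on
                for f in set().union(*(e.keys() for e in block)):
                    values = {e.get(f) for e in block}     # assumes hashable field values
                    if f not in agg and len(values) == 1:
                        agg[f] = values.pop()
            out.append(agg)
    return out


def filter_aggregate(events: Iterable[Event], filter_out: Callable[[Event], bool], **settings) -> List[Event]:
    """Filter Aggregation: only events the connector filter would discard are aggregated."""
    return aggregate([e for e in events if filter_out(e)], **settings)
```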

Processing

  Preserve Raw Event: Yes/No, default is no. Some devices contain a raw event that can be captured as part of the generated event. If that is not the case, most SmartConnectors can also produce a serialized version of the data stream that was parsed/processed to generate the ArcSight event. This feature allows the SmartConnector to preserve this serialized "raw event" as a field in the event inspector. This feature is disabled, by default, since using raw data increases the event size and therefore requires more database storage space. You can enable this by changing the Preserve Raw Event setting. If you choose yes, the serialized representation of the "Raw Event" is sent to the ArcSight Manager and preserved in the Raw Event field.

  Turbo Mode: If your configuration, reporting, and analytic usage permits, you can greatly accelerate the transfer of a sensor's event information through SmartConnectors by choosing one of three "turbo" (narrower data bandwidth) modes. ArcSight defines turbo modes as follows:
    Fastest (Mode 1): Recommended for simpler devices, such as firewalls.
    Faster (Mode 2): Manager default. Eliminates all but a core set of event attributes in order to achieve the best throughput. Because the event data is smaller, it requires less storage space and provides the best performance.
    Complete (Mode 3): SmartConnector default. All event data arriving at the SmartConnector, including additional data, is maintained.
    When a turbo mode is not specified, Mode 3, Complete, is used. Versions of ArcSight ESM prior to 3.0 ran in turbo mode 3. Only scanner SmartConnectors must run in Complete mode, to capture the additional data.
    Note: In processing events, the ArcSight Manager's turbo mode trumps that of a SmartConnector.

  Enable Aggregation (in seconds): Note: If you have already used this feature for setting up previous SmartConnectors, you can continue to do so. However, ArcSight recommends that you use the new Field Based Aggregation feature as a more flexible option. (Please see Field Based Aggregation on page 75.) Here is the description of the legacy Enable Aggregation feature, for those of you who are still using it: when enabled, Enable Aggregation (in seconds) aggregates two or more events on the basis of the selected time value (Disabled, 1, 2, 3, 4, 5, 10, 30, 60). The aggregation is performed on one or more matches for a fixed subset of fields:
    - Agent ID
    - Name
    - Device event category
    - Agent severity
    - Destination address
    - Destination user ID
    - Destination port
    - Request URL
    - Source address
    - Source user ID
    - Source port
    - Destination process name
    - Transport protocol
    - Application protocol
    - Device inbound interface
    - Device outbound interface
    - Additional data (if any)
    - Base event IDs (if any)
    The aggregated event shows the event count (how many events were aggregated into the displayed event) and event type. The rest of the fields in the aggregated event take the values of the first event in the set of aggregated events.

  Limit Event Processing Rate: You can moderate the SmartConnector's burden on the CPU by reducing its processing rate. This can also be a means of dealing with the effects of event bursts. The choices range from -1 (no limitation on CPU demand) to 1 eps (pass just one event per second, making the smallest demand on the CPU). Be sure to note that this option's effect varies with the category of SmartConnector in use, as described in the SmartConnector Processing Categories table that follows.

  Fields to Obfuscate: Using MD5 hashing, this option allows you to specify a list of fields for obfuscation in a security event.

  Store Original Time In: This parameter allows you to move the original device receipt time to a specified field if altered by the time correction.

  Enable Port-Service Mapping: Disabled/Enabled, default is Disabled. If enabled and one of the two fields destination port and application protocol is set, and the other is not, the one that is set is used to set the other. For example, if the destination port is 22 and application protocol is not set, then the application protocol is set to ssh.

  Enable User Name Splitting: Yes/No, default is no. If this is set to yes and the destination user name contains commas in the event, this parameter duplicates that event. Each user name in the list is placed in one of the events. For example, if the destination user name in an event is User 123, User 456, then that event is sent twice, with the destination user name set to User 123 in the first and User 456 in the second.

  Split File Name into Path Name: Yes/No, default is no. If this is set to yes and an event's file name field is set but its file path field is not, this parameter splits the file name into a path and a name, placing each part into the appropriate fields. For example, if the file name field is set to C:\dir\file.ext and the file path is not set, then the file path is set to C:\dir and the file name to file.ext. The separator character can be either \ or /, as the system looks to the SmartConnector to determine its platform.
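Added Python example, not ArcSight code, of the three field-rewriting options just described (Enable Port-Service Mapping, Enable User Name Splitting, Split File Name into Path Name), including the platform-dependent separator and the cases each option must leave alone. The port-to-service table, the order in which the options run and the field names are assumptions.

```python
from typing import Dict, List, Optional

Event = Dict[str, Optional[str]]    # constructed flat event: field name -> string value

# Constructed port-to-service table; the connector's own mapping table is not given on the page.
PORT_SERVICES = {"22": "ssh", "25": "smtp", "53": "dns", "80": "http", "443": "https"}
SERVICE_PORTS = {service: port for port, service in PORT_SERVICES.items()}


def map_port_service(ev: Event) -> Event:
    """Enable Port-Service Mapping: when exactly one of destinationPort / applicationProtocol
    is set, the known one fills in the other (unknown values are left alone)."""
    port, proto = ev.get("destinationPort"), ev.get("applicationProtocol")
    if port and not proto and port in PORT_SERVICES:
        ev["applicationProtocol"] = PORT_SERVICES[port]
    elif proto and not port and proto in SERVICE_PORTS:
        ev["destinationPort"] = SERVICE_PORTS[proto]
    return ev


def split_file_name(ev: Event, platform: str = "windows") -> Event:
    """Split File Name into Path Name: only when fileName is set and filePath is not; the
    separator follows the connector's platform ('\\' on Windows, '/' elsewhere)."""
    name, path = ev.get("fileName"), ev.get("filePath")
    sep = "\\" if platform == "windows" else "/"
    if not name or path or sep not in name:
        return ev
    head, _, tail = name.rpartition(sep)
    ev["filePath"], ev["fileName"] = head or sep, tail     # "/file" keeps "/" as its path
    return ev


def split_user_names(ev: Event) -> List[Event]:
    """Enable User Name Splitting: a comma-separated destinationUserName duplicates the event,
    one copy per name; a single name passes through untouched."""
    names = [n.strip() for n in (ev.get("destinationUserName") or "").split(",") if n.strip()]
    if len(names) < 2:
        return [ev]
    return [dict(ev, destinationUserName=name) for name in names]


def process(ev: Event, port_service_mapping: bool = False, split_file: bool = False,
            user_name_splitting: bool = False, platform: str = "windows") -> List[Event]:
    """Run the enabled options in a fixed (assumed) order and return the resulting event(s)."""
    ev = dict(ev)                       # never mutate the caller's event
    if port_service_mapping:
        map_port_service(ev)
    if split_file:
        split_file_name(ev, platform)
    return split_user_names(ev) if user_name_splitting else [ev]
```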

  Event Integrity Algorithm: (Disabled | SHA-256 | SHA-1 | MD5 | SHA-512) If this is set to one of the algorithms (such as SHA-256), and the Preserve Raw Event parameter is Enabled, then additional event integrity internal events are generated, normally at a rate of about 1 per 50 normal events. The crypto signature field is also set in each event in the format "#seq(alg):digest", where seq is a persistent event sequence number, alg is the message digest algorithm, and digest is the hexadecimal message digest. These extra events and the crypto signature field values can be used to verify that no events were tampered with after generation. Supported algorithms are SHA-256, SHA-1, MD5, and SHA-512. Default is Disabled (i.e., no algorithm is applied).
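Added Python example (not ArcSight's implementation) of the "#seq(alg):digest" crypto signature format above and the check a receiver can run over preserved raw events: each digest is recomputed and the persistent sequence numbers are checked for gaps, so a modified, dropped or injected event stands out. The page does not say exactly what the connector feeds into the digest; here it is assumed to be the sequence number and the raw event text, and the sample log lines are constructed.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

ALGORITHMS = {"SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5", "SHA-512": "sha512"}
SIGNATURE_RE = re.compile(r"^#(\d+)\(([^()]+)\):([0-9A-Fa-f]+)$")   # "#seq(alg):digest"


def sign(seq: int, raw_event: str, alg: str = "SHA-256") -> str:
    """Build the crypto signature value for one event. Assumption of this example: the
    digest covers the decimal sequence number, a NUL separator, and the raw event text."""
    h = hashlib.new(ALGORITHMS[alg])
    h.update(f"{seq}\0".encode("utf-8"))
    h.update(raw_event.encode("utf-8"))
    return f"#{seq}({alg}):{h.hexdigest()}"


def parse_signature(sig: str) -> Tuple[int, str, str]:
    """Split "#seq(alg):digest" into its parts; rejects unknown algorithms and malformed values."""
    m = SIGNATURE_RE.match(sig)
    if not m or m.group(2) not in ALGORITHMS:
        raise ValueError(f"malformed crypto signature: {sig!r}")
    return int(m.group(1)), m.group(2), m.group(3).lower()


def verify_stream(events: Iterable[Tuple[str, str]], expected_first_seq: Optional[int] = None) -> List[str]:
    """Check (signature, raw_event) pairs in the order they were stored. Returns the problems
    found; an empty list means every digest matched and no sequence number was skipped."""
    problems, expected = [], expected_first_seq
    for sig, raw in events:
        try:
            seq, alg, digest = parse_signature(sig)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if expected is not None and seq != expected:        # a dropped or injected event breaks the run
            problems.append(f"sequence gap: expected {expected}, got {seq}")
        expected = seq + 1
        if sign(seq, raw, alg).rsplit(":", 1)[1] != digest:   # the raw event no longer matches its digest
            problems.append(f"digest mismatch for seq {seq}")
    return problems
```

The digest is unkeyed, so this check catches corruption and edits that did not recompute the signature field; keep the periodically generated integrity internal events somewhere the event store cannot alter, so there is a second record to compare against.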

  Generate Unparsed Events: Yes/No, default is no. If set to yes and some incoming event data cannot be parsed (perhaps because a device has been upgraded since the SmartConnector parser was written), then a special event named Unparsed Event is generated. The raw event appears in the event message field. If set to no, the SmartConnector log files indicate the unparsed events.

  Preserve System Health Events: Yes/No, default is no. If enabled, sends system health events periodically to the ArcSight Manager. Events are named Connector System Health Event and are generated for several different types of statistics that are collected. Examples include disk usage, memory usage, and CPU usage.

  Enable Device Status Monitoring (in mins): Enabled/Disabled, default is disabled. Minimum is 1 min (60000 ms). If enabled, sends an internal event named Connector Device Status for each device tracked by the connector containing the following types of information:
    - Last timestamp when the connector received an event from the device
    - Total number of events from this device since the connector started
    - Number of events sent by this device since the last event of this type

Payload Sampling
Payload sampling is used by some SmartConnectors to send a portion of packet payload (as opposed to the complete packet payload) along with the original event. This portion is retrieved using the on-demand payload retrieval in the event inspector.

  Maximum Length: This feature allows you to configure the maximum length of the payload sample using the following values: Discard, 128 bytes, 256 bytes, 512 bytes, and 1 Kbyte. When the discard option is chosen, no payload sample is sent inside the original event.

  Mask Non-printable Characters: This feature allows you to mask the non-printable characters in the payload sample.

Filters
Enables you to modify the filtering done for a destination without access to an ArcSight ESM Console. See Using Filters in the SmartConnector Configuration Wizard on page 83.

SmartConnector Processing Categories

SmartConnector Tabs / Effects of Limited Usage

Syslog connectors: Due to the nature of UDP (the transport protocol used by syslog), these SmartConnectors can potentially lose events if the configurable event rate is exceeded. This is because the SmartConnector delays processing to match the event rate configured, and while in this state, the UDP cache may fill up, causing the operating system to drop UDP messages. Note that ArcSight does not recommend using the Limit CPU Usage option with these SmartConnectors because of this possibility of event loss.

SNMP connectors: Similar to Syslog SmartConnectors, when the event rate is limited on SNMP connectors, they potentially lose events. SNMP is also UDP-based and has the same issues as syslog.

Database connectors: Since SmartConnectors "follow" the database tables, limiting the event rate for database connectors can slow the operation of other SmartConnectors. The result can be an event backlog sufficient to delay the reporting of alerts by as much as minutes or hours. On the other hand, note that no events are lost, unless the database tables are truncated. After the event burst is over, the SmartConnector may eventually catch up with the database if the event rate does not exceed the configured limit.

File connectors: Similar to database connectors, file-based SmartConnectors "follow" files, so limiting their event rates also causes an event backlog. This can eventually force the SmartConnector to fall behind by as much as minutes or hours, depending on the actual event rate. Similarly, the SmartConnectors may catch up if the event rate does not exceed the configured rate.

Proprietary API connectors: These SmartConnectors' behavior depends on the particular API (e.g., OPSEC behaves differently than PostOffice and RDEP). But in most cases, there is no event loss unless the internal buffers and queues of the API implementation fill up. Therefore, these SmartConnectors work much like database or file SmartConnectors.

Using Filters in the SmartConnector Configuration Wizard

If you would like to modify a destination without accessing an ArcSight ESM Manager, you can use the SmartConnector Configuration Wizard provided as part of the SmartConnector setup.
Once you have a SmartConnector installed (if not, see Chapter 4 Installing and Configuring SmartConnectors on page 19):

1  Proceed through the SmartConnector Configuration Wizard until you reach the destination setting window, as shown below.

2  Choose the Filters option.

3  Click Next.

4  Within the Filter Out field of the following screen, enter the string that represents your setting modification.
While it's not possible to use the graphical modifiers used within the ArcSight ESM Console, you can write strings such as the following examples:

  name EQ Agent

  (name Contains Super) Or (name EQ Agent)

  attackerAddress Between (10.0.0.1, 10.0.0.10)

The first example would be written as shown below:

See the table below for a list of usable operators. For additional information regarding data fields, event mappings, and CEF fields, see the Data Fields, Audit Events, Cases, and Events sections in the ESM Users Reference.

Usable Operators / Description

EQ: equals
NE: not equals
LT: less than
LE: less than or equal to
GE: greater than or equal to
GT: greater than
Between: compares any specified range
ContainsBits: equals, for bitmap fields
In: standard CCE operator for membership test
Contains: contains the specified substring
StartsWith: starts with specified substring
EndsWith: ends with specified substring
Like: standard CCE operator for simple pattern matching for string type: _ is the wildcard for a single character, % is the wildcard for any number of characters
InSubnet: for IP address that is in the specified subnet
InGroup: for asset in the specified asset category or zone in the specified zone group.
Is: tests true for the selected state, null or not null
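The Filter Out strings shown above, evaluated by an added Python example that is not ArcSight's parser: it tokenises the expression, parses And/Or with parentheses, and applies most operators from the table (EQ through GT, Between, In, Contains, StartsWith, EndsWith, Like, InSubnet). The grammar beyond the three examples on the page and the field names in the constructed sample events are assumptions; Is, ContainsBits and InGroup are not modelled.

```python
import ipaddress
import operator
import re

TOKEN_RE = re.compile(r'\(|\)|,|"[^"]*"|[^\s(),]+')      # parens, commas, "quoted", bare words
ORDER_OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
             "le": operator.le, "gt": operator.gt, "ge": operator.ge}
STRING_OPS = {"contains": lambda s, a: a in s,
              "startswith": str.startswith, "endswith": str.endswith}


def coerce(v):
    # IP addresses compare as addresses, numerals as numbers, everything else as strings.
    for conv in (ipaddress.ip_address, int, float):
        try:
            return conv(str(v))
        except ValueError:
            continue
    return str(v)


def pair(a, b):
    a, b = coerce(a), coerce(b)       # on a type clash (IP vs word) fall back to string comparison
    alike = type(a) is type(b) or (isinstance(a, (int, float)) and isinstance(b, (int, float)))
    return (a, b) if alike else (str(a), str(b))


def compare(value, op, args):
    """Evaluate one 'field OP value' comparison with the operators from the table above."""
    op = op.lower()
    if value is None:                                  # an unset field matches nothing
        return False
    if op == "between":
        (v1, lo), (v2, hi) = pair(value, args[0]), pair(value, args[1])
        return lo <= v1 and v2 <= hi
    if op == "in":
        return any(operator.eq(*pair(value, a)) for a in args)
    if op == "insubnet":
        return ipaddress.ip_address(str(value)) in ipaddress.ip_network(args[0], strict=False)
    if op in ORDER_OPS:
        return ORDER_OPS[op](*pair(value, args[0]))
    if op == "like":                                   # _ = one character, % = any run of characters
        regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in args[0])
        return re.fullmatch(regex, str(value)) is not None
    if op not in STRING_OPS:
        raise ValueError(f"unsupported operator {op!r} (Is, ContainsBits and InGroup not modelled)")
    return STRING_OPS[op](str(value), args[0])


def parse(text):
    """Parse a Filter Out string into ('or'|'and', left, right) / ('cmp', field, op, args) nodes.
    The grammar is this example's assumption: Or binds loosest, then And, then parentheses."""
    toks, pos = [t.strip('"') for t in TOKEN_RE.findall(text)], [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        if pos[0] >= len(toks):
            raise ValueError("filter ends unexpectedly")
        pos[0] += 1
        return toks[pos[0] - 1]

    def atom():
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op = take(), take()
        if peek() == "(":                              # list operand: Between (a, b), In (a, b, c)
            take()
            args = []
            while peek() != ")":
                args.append(take())
                if peek() == ",":
                    take()
            take()
        else:
            args = [take()]
        return ("cmp", field, op, args)

    def chain(keyword, operand):
        node = operand()
        while (peek() or "").lower() == keyword:
            take()
            node = (keyword, node, operand())
        return node

    expr = lambda: chain("or", lambda: chain("and", atom))
    tree = expr()
    if pos[0] != len(toks):
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def matches(tree, event):
    """True when the event satisfies the expression; a Filter Out string drops such events."""
    if tree[0] == "or":
        return matches(tree[1], event) or matches(tree[2], event)
    if tree[0] == "and":
        return matches(tree[1], event) and matches(tree[2], event)
    return compare(event.get(tree[1]), tree[2], tree[3])
```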

SmartConnector Time Interval Options

These options are the Alternate tab's Time Interval options, which specify when the alternate settings are to be used by the SmartConnector. For example, if you want to cache the events during the day and send everything at night, you can configure the Transport Mode to cache in the default configuration, then configure the Transport Mode to normal in the Alternate Settings, and set the time interval from 8PM to 8AM (next day).

From: Specifies the starting time to apply the Alternate settings.

To: Specifies the ending time at which the Alternate settings no longer apply (and revert to the default settings). If this is less than the From setting, the value is interpreted as "next day." For example, a setting from 8PM to 8AM is interpreted as starting at 8PM and ending at 8AM the following day.

Managing SmartConnector Filter Conditions


Based upon filtering conditions, SmartConnectors can filter events between devices and
the ArcSight ESM Manager. Filtering conditions are set with a combination of AND or OR
statements and data field values. Extraneous events are filtered out to minimize the
number of events sent to the Manager and analyzed in the ArcSight Console.
To create SmartConnector filters:
1

In the Navigator panel, select the Connectors resource tree.

In the Connectors resource tree, select an ArcSight SmartConnector, right-click and


select Configure from the drop-down menu.

In the SmartConnector Configuration Editor, click the following tabs: Connector:


Name -> Default -> Filters.

Select logic operators from the available buttons.

In the Common Conditions Editor, select the relevant conditions from the data fields.
Logic Operator   Description
=                equals
!=               not equals
<                less than
<=               less than or equal to
>=               greater than or equal to
>                greater than
Between          event occurs between the specified date/time period
ContainsBits     equals, for bitmap fields
In               standard CCE operator for membership test
Contains         contains the specified substring
StartsWith       starts with the specified substring
EndsWith         ends with the specified substring
Like             standard CCE operator for simple pattern matching on string types:
                 _ is a wildcard for a single character
                 % is a wildcard for any number of characters
InSubnet         true for an IP address that is in the specified subnet
InGroup          true for an asset in the specified asset category, or for a zone in the
                 specified zone group
Is               tests true for the selected state, null or not null

ArcSight Confidential

SmartConnector Users Guide 85

7 Configuring SmartConnectors through the Console

6 Enter a value in the last text field.

7 Click OK.

To add SmartConnector filter conditions:

1 In the Navigator panel, select the Connectors resource tree.

2 In the Connectors resource tree, select an ArcSight SmartConnector, right-click and
select Configure.

3 In the SmartConnector Configuration Editor, click the following tabs: Connector:
Name -> Default -> Filters.

4 Select logic operators from the available buttons.

5 Enter conditions into the Common Conditions Editor text fields.

6 Click OK.

To delete SmartConnector filter conditions:

1 In the Navigator panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click the ArcSight SmartConnector and select
Configure.

3 In the Filtering section on the Advanced tab, right-click a condition and select Delete.

Setting Special Severity Levels


You can customize or add conditions to the event-severity levels reported by
SmartConnectors. Customizing means pre-setting a given SmartConnector's filter to one
specific severity level; adding conditions is essentially the same, but with the addition of a
filter condition to determine when the preset severity level is reported.


To set a custom severity level and configure a conditional severity:

1 Select the Connectors resource tree in the Navigator panel.

2 In the Connectors resource tree, right-click the appropriate SmartConnector and
select Configure.

3 In the Connector Configuration Editor, click the following tabs: Connector: Name ->
Default -> Filters.

4 Under the Filters tab, select a severity level event definition from the Filter group:
Filter Out (to drop the event), Very-High, High, Medium, Low, or Unknown.

5 Select logic operators from the available buttons.

6 Select the conditions for the severity level from the Common Conditions Editor.

7 Click OK in the Common Conditions Editor.
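Both the filter procedure and the conditional-severity procedure above come down to evaluating Common Conditions Editor expressions against event fields. The following added Python example, written for this guide and not ArcSight connector code, implements the operators from the table (the comparisons, Between, In, Contains, StartsWith, EndsWith, Like with its _ and % wildcards, InSubnet and Is), combines them with AND/OR, and walks the Filter group in order so that Filter Out drops an event before any severity is assigned. The field names such as deviceEventClassId, the sample events, and the 203.0.113.0/24 "scanner" range used in the Filter Out rule are all constructed assumptions for the illustration.

```python
import operator as op
import re
from ipaddress import ip_address, ip_network


def like(value, pattern):
    """CCE 'Like': '_' matches exactly one character, '%' any run of characters."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, str(value), re.DOTALL) is not None


# Operator name as shown in the Console -> test(field_value, operand)
OPERATORS = {
    "=": op.eq, "!=": op.ne, "<": op.lt, "<=": op.le, ">": op.gt, ">=": op.ge,
    "Between": lambda v, rng: rng[0] <= v <= rng[1],
    "In": lambda v, members: v in members,
    "Contains": lambda v, s: s in v,
    "StartsWith": lambda v, s: v.startswith(s),
    "EndsWith": lambda v, s: v.endswith(s),
    "Like": like,
    "InSubnet": lambda v, cidr: ip_address(v) in ip_network(cidr),
    "Is": lambda v, state: (v is None) if state == "NULL" else (v is not None),
}


def cond(field, operator, operand):
    """Build one condition: event[field] <operator> operand."""
    def test(event):
        value = event.get(field)
        if value is None and operator != "Is":
            return False                 # an absent field never satisfies a comparison
        return OPERATORS[operator](value, operand)
    return test


def AND(*conds):
    return lambda event: all(c(event) for c in conds)


def OR(*conds):
    return lambda event: any(c(event) for c in conds)


# The Filter group, checked in order: the first matching level wins, and
# "Filter Out" drops the event before it is ever sent to the Manager.
SEVERITY_RULES = [
    ("Filter Out", OR(cond("deviceEventClassId", "Like", "keepalive%"),
                      cond("sourceAddress", "InSubnet", "203.0.113.0/24"))),  # assumed scanner range
    ("Very-High", AND(cond("name", "Contains", "Exploit"),
                      cond("destinationPort", "In", {22, 3389}))),
    ("High", cond("deviceSeverity", "=", "critical")),
    ("Medium", cond("agentSeverity", "Between", (4, 6))),
    ("Low", cond("name", "StartsWith", "Info")),
]


def classify(event):
    """Severity level the connector would report for the event, or 'Filter Out'."""
    for level, rule in SEVERITY_RULES:
        if rule(event):
            return level
    return "Unknown"


# Constructed sample events (not real device output).
SAMPLE_EVENTS = [
    {"name": "Heartbeat", "deviceEventClassId": "keepalive-1", "sourceAddress": "192.0.2.10"},
    {"name": "Exploit attempt against SSH", "deviceEventClassId": "ids-4711",
     "sourceAddress": "198.51.100.7", "destinationPort": 22, "deviceSeverity": "critical"},
    {"name": "Port probe", "deviceEventClassId": "ids-2", "sourceAddress": "203.0.113.9",
     "deviceSeverity": "critical"},
    {"name": "Disk full", "deviceEventClassId": "sys-1", "sourceAddress": "192.0.2.55",
     "deviceSeverity": "critical"},
    {"name": "Login", "deviceEventClassId": "auth-1", "sourceAddress": "192.0.2.55",
     "agentSeverity": 5},
    {"name": "Informational: config sync", "deviceEventClassId": "sys-7",
     "sourceAddress": "192.0.2.55"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{classify(event):<10} {event['name']}")
```

Note the order dependence: the "Port probe" event would rate High on its device severity, but the Filter Out rule is evaluated first and drops it, which is exactly the kind of interaction to check before deploying a Filter Out condition on a production connector.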

Sending Control Commands to SmartConnectors


From the ESM Console, you can issue basic event-flow-control commands to
SmartConnectors, get the operational status of a SmartConnector, or issue control
commands to network devices through their SmartConnectors. This topic discusses the first
two points.
To send flow-control commands:

1 Select the Connectors resource tree in the Navigator panel.

2 In the Connectors resource tree, right-click the ArcSight SmartConnector, select Send
Command, and then one of the Status, Connector Process, Event Flow, Network, or
Upgrade menu options described below.

3 The Console's status bar shows a confirmation message when the flow control option
takes effect.

Commands available on this menu vary depending on which SmartConnectors you are
using. The following commands are the standard set.

Status

Get Status: Provides a full report on the selected SmartConnector's current operational
state.

Get Device Status: Provides the status of the device that reports to the SmartConnector.
Currently only available for the Cisco IDS/IPS SmartConnector.

Connector Process

Restart: Restarts a running SmartConnector. Sending a restart command to a running
SmartConnector terminates and restarts it. Once a SmartConnector is terminated,
Console commands cannot reach it, so a restart works only on a SmartConnector that is
currently running.

Terminate: Shuts down the SmartConnector and all the processes the SmartConnector
started. Once a SmartConnector is terminated, Console commands (including Connector
Process -> Restart) cannot reach it; you must restart the SmartConnector manually on
the machine on which it is installed. Use the Terminate command only in very special
circumstances, because it kills all SmartConnector processes.

Event Flow

Pause: Stops the SmartConnector from sending events to the ArcSight Manager. Events
received from the target device are saved in the SmartConnector cache while the
SmartConnector is in the Pause state and are sent once it is started again.

Stop: Stops the SmartConnector from sending events to the ArcSight Manager. A Stop
command causes the SmartConnector to drop all events, including events already stored
in the SmartConnector cache; those events are lost.

Start: Prompts a SmartConnector previously in the Stop or Pause state to start sending
events to the ArcSight Manager.

Network

Name Resolver Cache: Clears the cache of the network name resolver.

Upgrade

Upgrade: Launches a Command Parameters dialog for remote upgrade to a newer version
of the ArcSight SmartConnector for managed assets. Provide the version number of the
SmartConnector to which you want to upgrade and a wait time to verify that the upgrade
completed successfully. (If the upgrade is not successful, the system performs an
automatic rollback to the previous version of the SmartConnector.) Click OK to start the
upgrade. See Overview of the Upgrade Process on page 34 for prerequisites for the
upgrade process and detailed information on how to upgrade Connectors.

Rollback Upgrade: Launches a Command Parameters dialog for remote rollback of the
SmartConnector version to a specified previous version. See Overview of the Upgrade
Process on page 34 for complete information.

Disabling Event Compression


ArcSight SmartConnectors can send event information to the ESM Manager in a
compressed format using HTTP compression. The compression technique used achieves
compression ratios of roughly 10:1 or better, depending upon the input data (in this case,
the events sent by the ArcSight SmartConnector). Using compression dramatically lowers
the overall network bandwidth used by ArcSight SmartConnectors without affecting their
overall performance.
By default, all SmartConnectors have compression enabled. To turn it off, add the following
line to the ARCSIGHT_HOME\current\user\agent\agent.properties file and restart the
SmartConnector so that the new setting is read:
http.transport.compressed = false


Managing SmartConnector Groups


You can better manage ArcSight SmartConnectors by organizing them into groups.
Ungrouped SmartConnectors are listed in the Site Connectors group.

Groups and SmartConnectors can be managed by dragging and dropping groups and
SmartConnectors into other groups from the Administration window. If a group is
deleted, the SmartConnectors within that group are also deleted.
Do not delete a SmartConnector resource at the ESM Console unless you first stop the
corresponding SmartConnector. If the SmartConnector on the device is still running when
you delete its resource, it can no longer send events to the Manager; it starts caching
events and, once the cache fills, drops them.
For more detailed information about managing ArcSight SmartConnectors in general, refer
to the ArcSight ESM v4.0 Administrators Guide and the ArcSight ESM Console Help.

Creating a SmartConnector Group


1 In the Navigator Panel, select the Connectors resource tree. If the Navigator panel is
hidden, display it by selecting Navigator Panel from the Window menu.

2 In the Connectors resource tree, right-click a group and choose New Group. A Name
text field appears under the group you selected.

3 In the Name text field, enter a name.

4 Press Enter.

Renaming a SmartConnector Group


1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and select Rename.

3 In the name text field, enter the new name.

4 Press Enter.


Editing a SmartConnector Group


1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and select Edit Group.

3 In the Group Editor, edit the Name and Description text fields.

4 Click OK.

Moving or Linking a SmartConnector Group


1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, navigate to a group and drag-and-drop it into
another group.

3 Select Move to move the group, or Link to create a copy of the group that is linked to
the original group.

If you select Link, you create a copy of the group that is linked to the original group.
Therefore, if you edit a linked group, whether the original or the copy, all linked copies
are edited as well. When deleting linked groups, you can delete either the selected group
or all linked groups.

Deleting a SmartConnector Group


1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and choose Delete Group.

3 In the dialog box, click Yes.

For more detailed information about managing ArcSight SmartConnectors, refer to the
ArcSight ESM v4.0 Administrators Guide and the ArcSight ESM Console Help.


Chapter 8

Configuring Multiple Destinations


This chapter provides information about configuring a SmartConnector to send events to
multiple destinations, as well as how to re-register connectors. A destination is an ArcSight
ESM Manager or ArcSight device that can receive events from a particular SmartConnector.
Destinations can be either additional destinations (additional to the original ESM
destination) or failover destinations.
The following topics are discussed in this chapter:
Additional Destinations on page 93
Failover Destinations on page 93
Configuring Multiple Destinations on page 94
Adding a Failover Destination on page 96
Re-Registering a SmartConnector on page 98

Additional Destinations
ArcSight SmartConnectors send a copy of events to each additional destination for which it
is configured. Additional destinations can be useful, for example, when you have a
development ArcSight environment working in parallel with your production environment
and you want to test rules and reports.
In such cases, you can configure the SmartConnector to send alerts to both your
production Manager and your development Manager to be able to view real-time event
flows on both systems. Because the destinations are independent, you do not compromise
the events sent to the production Manager.

Failover Destinations
A failover destination receives security events from the SmartConnector for which it is
configured only while the primary destination (such as the primary ArcSight ESM Manager)
is unavailable or a network problem prevents delivery. The SmartConnector also caches
the events it sends to the failover destination and resends them to the primary
destination once it is reachable again.
Because a failover destination is active only when the primary destination is unavailable,
the reports and replay features within the secondary Manager can contain incomplete
information. This feature is a real-time alternative for severe problems with the primary
ArcSight ESM Manager, not a second copy of the event stream; for that, configure an
additional destination.
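The Event Flow commands in Chapter 7 (Pause retains events in the cache, Stop discards them, Start resumes delivery) and the additional and failover destination behaviour described above all revolve around the same thing: a cache of events the primary Manager has not yet accepted. The following added Python model, written for this guide and not ArcSight connector code, makes those rules concrete so they can be checked. The Destination class is a stand-in for a Manager that can be taken offline, and the walk-through in scenario() is constructed.

```python
from collections import deque


class Destination:
    """Stand-in for an ESM Manager (or other destination) that records what it receives."""

    def __init__(self, name):
        self.name = name
        self.received = []
        self.available = True        # flip to False to simulate an outage

    def send(self, events):
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        self.received.extend(events)


class Connector:
    """Models the Event Flow commands and primary/additional/failover delivery."""

    def __init__(self, primary, failover=None, additional=()):
        self.primary = primary
        self.failover = failover
        self.additional = list(additional)
        self.held = []               # events received while Paused
        self.cache = deque()         # events not yet accepted by the primary
        self.state = "RUNNING"

    def receive(self, event):
        """Called for each event read from the device."""
        if self.state == "STOPPED":
            return                              # Stop: events are dropped
        if self.state == "PAUSED":
            self.held.append(event)             # Pause: retained until Start
            return
        self._deliver([event])

    def _deliver(self, events):
        for dest in self.additional:            # each additional destination gets its own copy
            dest.send(events)
        self.cache.extend(events)               # cached until the primary has accepted them
        if not self.flush() and self.failover is not None:
            try:
                self.failover.send(events)      # failover sees events only while primary is down
            except ConnectionError:
                pass                            # still cached for the primary

    def flush(self):
        """Resend cached events to the primary; True if the cache is empty afterwards."""
        if not self.cache:
            return True
        try:
            self.primary.send(list(self.cache))
        except ConnectionError:
            return False
        self.cache.clear()
        return True

    # Console "Event Flow" commands
    def pause(self):
        self.state = "PAUSED"

    def stop(self):
        self.state = "STOPPED"
        self.held.clear()
        self.cache.clear()                      # Stop discards cached events as well

    def start(self):
        self.state = "RUNNING"
        pending, self.held = self.held, []
        self._deliver(pending)


def scenario():
    """Constructed walk-through; returns what each destination ended up with."""
    prod, dev, backup = Destination("prod"), Destination("dev"), Destination("backup")
    c = Connector(primary=prod, failover=backup, additional=[dev])
    c.receive("e1")                     # normal delivery to prod and dev
    c.pause()
    c.receive("e2")                     # held during Pause ...
    c.start()                           # ... and delivered on Start
    c.stop()
    c.receive("e3")                     # dropped by Stop
    c.start()
    prod.available = False
    c.receive("e4")                     # prod down: cached for prod, sent to backup
    prod.available = True
    c.receive("e5")                     # prod back: cache (e4) drained first, then e5
    return prod.received, dev.received, backup.received


if __name__ == "__main__":
    print(scenario())   # (['e1', 'e2', 'e4', 'e5'], ['e1', 'e2', 'e4', 'e5'], ['e4'])
```

Two points the model makes visible: the backup Manager only ever sees e4, which is why reports on a failover Manager are incomplete, and e3 is gone for good, which is why Stop, unlike Pause, should be used deliberately.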


Configuring Multiple Destinations


To configure multiple destinations, use the ArcSight SmartConnector Configuration Wizard
after installing the ArcSight SmartConnectors.
To start the wizard, execute the following command:
$ARCSIGHT_HOME\current\bin\runagentsetup
To add, remove, or modify a destination:

1 Select the option I want to add/remove/modify ArcSight Manager destinations and
click Next.
In this example, the SmartConnector currently installed is ActiveCard AAA Server
Accounting Log DB, but the message at the top of the window will be specific to the
connector you previously installed.

2 You can either modify the existing destination or add a new destination. For this
example, select Add new destination and click Next.

3 Select the destination type. For this example, select ArcSight Manager (encrypted)
and click Next.

4 Click Add new destination to add a new SmartConnector destination and click Next.

5 Fill in the parameters for the destination you want to add and click Next to finish.
For information about the AUP Master Destination and Filter Out All Events fields, see
related information on page 24.

6 To apply your changes, restart the SmartConnector.


Adding a Failover Destination


To add a failover destination:

1 Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations.

2 Select your current destination (Host), as shown below.

3 Select Add fail over destination and click Next.

4 Select a failover destination type. For this example, select ArcSight Manager
(encrypted) to set up an alternative Manager in case the production Manager fails.

5 Enter the settings for the failover destination and click Next to continue to the next
window.

6 To apply your changes, restart the SmartConnector.

For information about the AUP Master Destination and Filter Out All Events fields,
see related information on page 24.

Re-Registering a SmartConnector
When the ArcSight Manager recognizes a SmartConnector, it generates an ID token the
SmartConnector uses to identify its security events. If the Manager stops accepting events
from a SmartConnector for an unknown reason, or if you have upgraded a SmartConnector
but its resource was removed from the database, you may need to re-register the
SmartConnector.
To re-register a SmartConnector:

1 Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations. In the example above, the
SmartConnector currently installed is "ActiveCard AAA Server Accounting Log DB," but
you can use the same procedure for any SmartConnector.

2 Click Next.

3 Select your current (Host) destination. Click Next.

4 Select the Re-register option.

5 Log in with a valid User Name on the ArcSight Manager where you are attempting to
re-register the SmartConnector. Click Next.

6 Restart the SmartConnector to apply the new ID token.


Chapter 9

Overview of SmartConnector Types


SmartConnectors are the interface between the ArcSight ESM Manager and the network
devices that generate ESM-relevant data on your network.
ArcSight SmartConnectors are generally one of the following types:
File Connectors on page 101
Database Connectors on page 103
Scanner Connectors on page 105
API Connectors on page 105
SNMP Connectors on page 106
Microsoft Windows Event Log Connectors on page 107
Syslog Connectors on page 108
Flex Connectors on page 109
Other Connectors on page 110
SmartConnectors collect event data from network devices, then normalize this data in two
ways. First, they normalize values (such as severity, priority, and time zone) into a common
format. They then normalize the data structure into a common schema. SmartConnectors
can filter and aggregate events to reduce the volume sent to the
ESM Manager, which increases ArcSight's efficiency and reduces event processing time.
For general information about ArcSight SmartConnectors, see Chapter 1 Introduction to
ArcSight Components on page 1.
For installation information and device-specific configuration and mapping information, see
the SmartConnector Configuration Guide for the specific device.

File Connectors
There are two primary types of log file connector, Real Time and Folder Follower:

Real Time
These connectors can continue to follow a log file that retains its name or changes its
name based upon the current date and other factors. The type of real time file
connector is based upon the number of files monitored by the connector. There are
connectors that monitor a single log file, such as the Snort File connector and
connectors that monitor multiple log files, such as the Cisco Secure ACS and SAP Real
Time Audit connectors.


Real Time log file connectors can read normal log files in which lines are separated by
a new line character as well as fixed length records in which a file consists of only one
line but multiple records of fixed length (such as the SAP Real Time Audit connector).

Folder Follower
Folder follower connectors follow files deposited into a single folder. There are
connectors that monitor a single log file (such as HP-UX or IBM AIX) and connectors
that monitor log files recursively (such as F-Secure AntiVirus).
.txt and .xml file types are supported by ArcSight SmartConnectors; which type is used
depends upon the particular device. Text log files are the most common; however,
Tripwire and most of the scanner file connectors, such as Nessus, nCircle, and
NeXpose, use XML format.
The type of log file connector is not usually part of the connector name unless both types
of connector exist for a particular device (such as SAP Audit and SAP Real-Time Audit).
Connectors are normally installed on the device machine, but when the monitored files are
accessible through network shares or NFS mounts, the connectors can be installed on
remote machines.
Processed files are renamed by default with increments such as .processed,
.processed.1, and so on, so that they are not read a second time.
For some connectors, a trigger file is required to tell the connector when the file is
complete and ready for processing. Typically, this is the same file name with a different
extension.
Generally, the only parameter required at installation is the location of the log file or files
(the absolute path). When default file paths are known, they appear in the installation
wizard.
The account the connector runs as needs permission on the folder to rename or delete
the files, as configured in the connector.properties file.
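As an added example (not ArcSight's folder-follower implementation), the following Python models the behaviour just described: only data files whose trigger file is present are read, each file is renamed to .processed, .processed.1, and so on after it has been consumed, and a pass fails with a clear error when the folder is not writable. The .log and .done extensions, file names and contents used in demo() are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


def next_processed_name(path):
    """name.log -> name.log.processed, then .processed.1, .processed.2, ... if taken."""
    candidate = path.with_name(path.name + ".processed")
    n = 0
    while candidate.exists():
        n += 1
        candidate = path.with_name(f"{path.name}.processed.{n}")
    return candidate


def ready_files(folder, data_suffix=".log", trigger_suffix=".done"):
    """Data files whose trigger file (same name, different extension) exists."""
    for data in sorted(Path(folder).glob(f"*{data_suffix}")):
        if data.with_suffix(trigger_suffix).exists():
            yield data


def process_folder(folder, handler, trigger_suffix=".done"):
    """One folder-follower pass: read each complete file once, then rename it."""
    folder = Path(folder)
    if not os.access(folder, os.W_OK):          # the rename below needs write access
        raise PermissionError(f"no permission to rename files in {folder}")
    handled = []
    for data in ready_files(folder, trigger_suffix=trigger_suffix):
        with data.open() as fh:
            for line in fh:
                handler(line.rstrip("\n"))
        data.rename(next_processed_name(data))  # never re-read on the next pass
        data.with_suffix(trigger_suffix).unlink()
        handled.append(data.name)
    return handled


def demo():
    """Constructed folder: one complete file, one still being written, then a re-used name."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "audit-1.log").write_text("line a\nline b\n")
        (folder / "audit-1.done").touch()
        (folder / "audit-2.log").write_text("partial\n")   # no trigger file yet
        seen = []
        first = process_folder(folder, seen.append)
        (folder / "audit-1.log").write_text("line c\n")     # same name delivered again
        (folder / "audit-1.done").touch()
        second = process_folder(folder, seen.append)
        return first, second, seen, sorted(p.name for p in folder.iterdir())


if __name__ == "__main__":
    print(demo())
```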
ArcSight has dozens of log file connectors, including connectors for:

Aladdin eSafe Gateway

Apache HTTP Server

BEA WebLogic

Blue Coat Proxy SG

Bro IDS

CA eTrust and Top Secret

Cisco IronPort, NetFlow, Secure ACS, and CSA

Enterasys Dragon IDS

F-Secure Anti-Virus

HP-UX Audit and HP OpenVMS

IBM AIX Audit, AS/400 Audit Journal, and DB2 Audit

IBM Lotus Domino Server, Tivoli Access Manager, and WebSphere

IBM OS/390, OS/390 NVAS, RACF and SDSF

Juniper Steel-Belted Radius

Lumeta IPsonar and Brick Managed Services


McAfee VirusScan

Microsoft DHCP

Microsoft Exchange Message Tracking Log

Microsoft IIS, IAS, ISA, and SQL Servers

Symantec NetRecon

Network Appliance NetCache

NFR Central Management and Sentivist Servers

Nmap

Oblix NetPoint

OVAL

Rapid7 NeXpose

SAP Security Audit

Secure Computing SafeWord and Webwasher

Snort

Squid Web Proxy Server

Sun ONE Directory and Web Servers

Symantec AntiVirus Corporate Edition

Symantec Gateway Security/Enterprise Firewall

Symantec Intruder Alert

Tenable Nessus

Tripwire Manager

Database Connectors
Database connectors use SQL queries to periodically poll for events. ArcSight
SmartConnectors support major database types, including MS SQL, MS Access, MySQL,
Oracle, DB2, Postgres, and Sybase.
In addition to the native JDBC driver for each database type, database connectors allow
the use of a JDBC-ODBC driver for databases that support it, such as MS SQL, Postgres,
and MS Access. To use a JDBC-ODBC driver, a JDBC-ODBC data source is required.
During installation, the installation wizard asks for at least the following parameters:

JDBC ODBC Driver

JDBC ODBC Data Source

Database User

Database Password

The database user must have adequate permission to access and read the database;
grant it only the read access its queries need. For Audit database connectors, such as
SQL Server Audit DB and Oracle Audit DB, system administrator permissions are required.
In addition to connectors supporting event collection from a single database, some
database connectors, such as the Microsoft SQL Server Multiple DB connector, collect
events from multiple databases. Others collect events from scanner databases, such as
the SmartConnectors for McAfee FoundScan DB and Mazu Profiler.


There are three major types of database connector:

Time-Based
Queries use a time field to retrieve events with a timestamp later than the most recent
query time and up to the current time. Rows committed late with an older timestamp
(for example, because of clock skew or a delayed write) fall behind the window and are
missed.

ID-Based
Queries use a numerically increasing ID field to retrieve events from the last checked
ID up to the maximum ID.

Job ID-Based
Queries use Job IDs that are not required to increase numerically. Processed Job IDs
are recorded so that only new Job IDs are added. Unlike the other two types of
database connector, Job ID-based connectors can run in GUI (Interactive) mode as well
as in Automatic mode.
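As an added illustration, not ArcSight connector code, the following Python uses an in-memory SQLite database to show the three polling strategies side by side. The audit_log and scan_jobs tables and every row in them are constructed for the example. It also exercises the failure mode of time-based polling: a row committed after the window has moved on, carrying an older timestamp, is never picked up, whereas the ID-based poller catches it.

```python
import sqlite3
from datetime import datetime, timedelta


def make_audit_db():
    """Constructed stand-in for a device's audit tables (not a real product schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, event_time TEXT, message TEXT)")
    db.execute("CREATE TABLE scan_jobs (job_id TEXT PRIMARY KEY, report TEXT)")
    return db


class IdBasedPoller:
    """Checkpoint = last ID seen; every row with a higher ID is new."""

    def __init__(self, db, last_id=0):
        self.db, self.last_id = db, last_id

    def poll(self):
        rows = self.db.execute(
            "SELECT id, event_time, message FROM audit_log WHERE id > ? ORDER BY id",
            (self.last_id,)).fetchall()
        if rows:
            self.last_id = rows[-1][0]
        return [r[2] for r in rows]


class TimeBasedPoller:
    """Checkpoint = end of the last query window; each query covers (since, now]."""

    def __init__(self, db, since):
        self.db, self.since = db, since

    def poll(self, now):
        rows = self.db.execute(
            "SELECT id, event_time, message FROM audit_log "
            "WHERE event_time > ? AND event_time <= ? ORDER BY event_time, id",
            (self.since.isoformat(), now.isoformat())).fetchall()
        self.since = now
        return [r[2] for r in rows]


class JobIdPoller:
    """Job IDs need not increase; remember every ID already processed."""

    def __init__(self, db):
        self.db, self.processed = db, set()

    def poll(self):
        rows = self.db.execute("SELECT job_id, report FROM scan_jobs ORDER BY job_id").fetchall()
        new = [r for r in rows if r[0] not in self.processed]
        self.processed.update(r[0] for r in new)
        return [r[1] for r in new]


def demo():
    """Constructed walk-through comparing the three checkpoint strategies."""
    db = make_audit_db()
    t0 = datetime(2009, 2, 13, 8, 0, 0)

    def stamp(minutes):
        return (t0 + timedelta(minutes=minutes)).isoformat()

    db.executemany("INSERT INTO audit_log (event_time, message) VALUES (?, ?)",
                   [(stamp(m), f"event {m}") for m in (1, 2, 3)])
    by_id, by_time, by_job = IdBasedPoller(db), TimeBasedPoller(db, since=t0), JobIdPoller(db)
    result = {"id_1": by_id.poll(),
              "time_1": by_time.poll(now=t0 + timedelta(minutes=5))}

    # A row committed late with an old timestamp (clock skew or a delayed write),
    # plus a normal new row. The time window has already moved past minute 4.
    db.executemany("INSERT INTO audit_log (event_time, message) VALUES (?, ?)",
                   [(stamp(4), "late event 4"), (stamp(7), "event 7")])
    result["id_2"] = by_id.poll()
    result["time_2"] = by_time.poll(now=t0 + timedelta(minutes=10))

    # Scan jobs arrive with non-monotonic IDs.
    db.executemany("INSERT INTO scan_jobs VALUES (?, ?)", [("job-b7", "scan B"), ("job-a1", "scan A")])
    result["job_1"] = by_job.poll()
    db.execute("INSERT INTO scan_jobs VALUES (?, ?)", ("job-0c", "scan C"))  # sorts before the others
    result["job_2"] = by_job.poll()
    return result


if __name__ == "__main__":
    for name, messages in demo().items():
        print(f"{name:7} {messages}")
```

For real deployments this is the reason to prefer an ID-based checkpoint when the schema offers one, and, with time-based polling, to keep database and connector clocks synchronized and allow some overlap in the window if duplicates can be tolerated downstream.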
Some of the database products currently supported by ArcSight SmartConnectors include:

ActivCard AAA Server

Application security AppDetective

eEye REM Security Management Console

eEye Retina Network Security Scanner

Harris STAT Scanner (now Lumension Security)

IBM Lotus Domino

IBM SiteProtector

Intrusion SecureNet Provider

Mazu Profiler

McAfee Desktop Firewall

McAfee Entercept

McAfee ePolicy Orchestrator

McAfee ePO Asset Scanner

McAfee FoundScan

McAfee Host Intrusion Detection

McAfee IntruShield

Microsoft Operations Manager

Microsoft SQL Server Audit

NetIQ Security manager

NFR Host Intrusion Detection

Novell Nsure Audit

Oracle Audit

Oracle SYSDBA Audit

PureSight Content Filter

Qualys Vulnerability Scanner

Quest InTrust

Snort

Symantec Critical System Protection


Symantec Endpoint Protection

Symantec Enterprise Security Manager

Symantec ManHunt

Symantec SESA

Trend Micro Asset Scanner

Trend Micro Control Manager

Visionael ESP


Scanner Connectors
Two types of scanner connector read results that are retained in a file, which makes them
log file connectors:

XML files (such as Tenable Nessus, nCircle Audit, Qualys Scanner, and Rapid7
NeXpose)

Text files (such as Tenable Nessus NSR, NetRecon NRD)

Other scanners deposit their results in a database per scan and are treated as database
connectors, requiring the same installation parameters as database connectors.
Scan reports or jobs are converted into base events that can be viewed on the ESM
Console, and into aggregated meta events that are not shown on the console. Meta events
create assets, asset categories, open ports, and vulnerabilities on the ESM Console.
Scanner SmartConnectors run in either of two modes, automatic or interactive.

Interactive mode
Displays the scan reports or scan jobs, which can be individually selected to be sent to
the connector. This mode is not supported for a connector running as a service.

Automatic mode
Checks periodically for any new reports deposited into the folder or any new jobs
inserted into the database, then processes them. This mode is supported for both
stand-alone applications and services.
Other than the operating mode, the parameters required for scanner installation depend
upon whether a file or database connector has been implemented. For file connectors, the
absolute path to and name of the log file is required. For database connectors, see
Database Connectors on page 103.

API Connectors
API connectors use a standard or proprietary API to pull events from devices. In most
cases, a certificate must be imported from the device to authenticate connector access to
the device. There are also a number of configuration steps required on the device side. For
example, Check Point devices require connection type configuration and importing a
certificate, Sourcefire eStreamer devices require adding a client, configuring a certificate,
configuring event types to be sent, and so on.

During installation, the installation wizard will ask for the following types of
parameters, although each device's parameters are specific to its API:

Device IP

Service Port


Event types to be pulled

Certificate information

Information specific to the particular API

Some of the product APIs currently supported by ArcSight SmartConnectors include:

CA eTrust SiteMinder

Check Point Firewall and VPN OPSEC NG

Cisco Secure IDS and IPS devices

HP OpenView Operations MSI

McAfee Entercept

Microsoft Auditing Collection System

QoSient ARGUS

Solaris Basic Security Module (BSM)

Solsoft Policy Server

Sourcefire Defense Center eStreamer

SNMP Connectors
SNMP Traps contain variable bindings, each of which holds a different piece of information
for the event. They are usually sent over UDP to port 162, but the port can be changed.
SNMP connectors listen on port 162 (or any other configured port) and process the
received traps. A connector can process traps only from one device type, identified by its
unique Enterprise OID, but can receive multiple trap types from that device.
As with syslog connectors (because SNMP traps are carried over UDP), there is a slight
chance of events being lost over the network.
Parsers use knowledge of the MIB to map the event fields, but, unlike some other
SNMP-based applications, the connector itself does not need the MIB to be loaded.
No parameters are required during connector installation for SNMP devices.
SNMP devices supported by ArcSight SmartConnectors include:

Check Point Firewall-1

Cisco PIX

Enterasys Dragon

HP ProCurve Ethernet Switch

IBM Lotus Domino

Intrusion SecureNet Provider

nCircle IP360 Threat Monitor

SANA Primary Response

Securify SecurVantage

Symantec Enterprise Firewall

Symantec Intruder Alert

Websense Web Security


Microsoft Windows Event Log Connectors


System administrators use the Windows Event Log for troubleshooting errors. Each entry in
the event log has a severity of Error, Warning, Information, Success Audit, or Failure
Audit.
There are three default Windows Event Logs:

Application log (tracks events that occur in a registered application)

Security log (tracks security changes and possible breaches in security)

System log (tracks system events)

There are three SmartConnectors for Microsoft Windows Event Log:

SmartConnector for Microsoft Windows Event Log Unified, which can connect to local
or remote machines, inside a single domain or across multiple domains, to retrieve and
process security and system events.

SmartConnector for Microsoft Windows Event Log Local, which collects events from the
Windows Event Log on the local machine.

SmartConnector for Microsoft Windows Event Log Domain, which lets you collect
Microsoft Windows Event Log events from multiple remote machines and forward them
into the ArcSight system (for example, multiple occurrences of the same application
installed on different machines in one domain).

For details about the local and domain connectors deployment, installation, and
configuration, see the SmartConnector Configuration Guide for Microsoft Windows Event
Log. For mappings, see ArcSight SmartConnector Mappings to Windows Security Events.
For details about the new Unified connector, see the SmartConnector Configuration Guide
for Microsoft Windows Event Log Unified. Mappings for this connector are incorporated
into its configuration guide.
The SmartConnector for Microsoft Windows Event Log Unified supports event collection
from Microsoft Windows XP, Server 2000, and Server 2003, with beta support for Microsoft
Vista and Server 2008. It also offers beta support for partial event parsing based upon
the Windows event header for all System and Application events, and a FlexConnector-like
framework that enables users to create and deploy their own parsers for the event
description of System and Application events.
Some individual Windows Event Log applications are supported by the SmartConnector for
Microsoft Windows Event Log Domain, for which Windows Event Log sub-connectors
have been developed. These sub-connectors have individual configuration guides that
provide setup information and mappings for the particular application. These
sub-connectors include:

CA eTrust AntiVirus

Microsoft Active Directory Service

Microsoft WINS

Oracle Audit

RSA ACE Server

Symantec Mail Security


Syslog Connectors
Syslog messages are free-form log messages prefixed with a syslog header consisting of a
numerical priority code (facility * 8 + severity), a timestamp, and a host name. Syslog
connectors can be installed as a syslog daemon, pipe, or file connector. Unlike file
connectors, a syslog connector can receive and process events from multiple devices; a
unique regular expression identifies each device.

Syslog Daemon connectors listen for syslog messages on a configurable port, using
port 514 as the default. This is the only syslog option supported on Windows platforms.
On UNIX, binding to a port below 1024 requires root privileges, so a connector running
as a non-root user must listen on a higher port and the sending devices must be
configured to use it.

Syslog Pipe connectors require syslog configuration to send messages with a certain
syslog facility and severity. Solaris under-performs when using Syslog Pipe connectors.
The operating system requires that the connector (reader) open the pipe file before the
syslog daemon (writer) writes messages to it.
Using a Syslog Pipe connector on Solaris with the connector running as a non-root user
is not recommended, because a non-root user does not have permission to send a HUP
signal to the syslog daemon.

Syslog File connectors require syslog configuration to send messages with a certain
syslog facility and severity. For high-throughput connectors, Syslog File connectors
perform better than Syslog Pipe connectors because of operating system buffer
limitations.

UNIX supports all three types of syslog connector. If a syslogd process is already running
on port 514, you can stop it or run the daemon connector on a different port; stopping
syslogd also stops local system logging, so a different port is usually the better choice.
Because UDP is not a reliable protocol, there is a slight chance of missing syslog messages
over the network. TCP is now a supported protocol for syslog connectors.
There is a basic syslog connector, the SmartConnector for UNIX OS Syslog, which provides
the base parser for all syslog sub-connectors.

For syslog connector deployment information, see the configuration guide for this
SmartConnector.

For device-specific configuration information and field mappings, see the
SmartConnector Configuration Guide for the specific device. Each syslog sub-connector
has its own configuration guide.

During connector installation, for all syslog connectors, choose Syslog Daemon, Syslog
Pipe, or Syslog File from the installer selections rather than the name of the syslog
sub-connector.
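As an added example, not code from ArcSight, here is a small Python parser for the syslog header described above. It decodes the priority into facility and severity, splits out the timestamp and host, and then tries a few regular expressions against the message body to identify the sending device, which is the job the per-device sub-connector patterns do in a real deployment. The device patterns and the sample messages are constructed for this example, and serve() shows the Syslog Daemon form bound to an unprivileged UDP port.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host message   (traditional BSD / RFC 3164 style header)
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<message>.*)$", re.DOTALL)

# Illustrative device-identification patterns (assumed for this example; the
# real sub-connectors ship their own expressions).
DEVICE_PATTERNS = {
    "Cisco PIX/ASA": re.compile(r"^%(?:ASA|PIX)-\d-\d+:"),
    "Snort": re.compile(r"^snort\[\d+\]: \[\d+:\d+:\d+\]"),
    "UNIX sshd": re.compile(r"^sshd\[\d+\]:"),
}


def parse_syslog(line):
    """Split the header, decode PRI into facility/severity, and identify the device."""
    m = HEADER.match(line)
    if not m or int(m["pri"]) > 191:      # 191 = local7 (23) * 8 + debug (7)
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    message = m["message"]
    device = next((name for name, pat in DEVICE_PATTERNS.items() if pat.search(message)),
                  "unknown (base UNIX OS Syslog parser)")
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m["timestamp"], "host": m["host"],
            "device": device, "message": message}


def serve(port=5514, handler=print):
    """Minimal Syslog Daemon loop on an unprivileged UDP port (not run by the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            datagram, (addr, _) = sock.recvfrom(65535)
            handler(addr, parse_syslog(datagram.decode("utf-8", errors="replace")))


# Constructed sample messages, not captured device output.
SAMPLE_LINES = [
    '<34>Feb 13 08:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4410 '
    'dst inside:10.1.1.5/22 by access-group "outside_in"',
    '<13>Feb 13 08:15:03 ids01 snort[2187]: [1:2001219:20] ET SCAN Potential SSH Scan '
    '{TCP} 198.51.100.7:4411 -> 10.1.1.5:22',
    '<38>Feb 13 08:15:04 srv07 sshd[4021]: Failed password for invalid user admin '
    'from 198.51.100.7 port 4412 ssh2',
    'not a syslog message at all',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Note that the host name in the header is whatever the sender put there; nothing in the protocol authenticates it, so detection content should also record the UDP source address that serve() hands to the handler.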
Syslog connectors include, but are not limited to, the following devices:

AirDefense Enterprise

AirMagnet Enterprise

Alcatel

Apache HTTP Server

Arbor Peakflow

Aruba

Barracuda Spam Firewall

Blue Coat Proxy SG

BroadWeb NetKeeper


Cisco AIRONET, CatOS, PIX/ASA/FWSM, Router, Secure ACS, VPN, and


CiscoWorks

CyberGuard

F5 BIG-IP

Fortinet FortiGate

Foundry BigIron

HoneyD

iPolicy Intrusion Prevention Firewall

InterSect Alliance SNARE

Juniper M Series, NetScreen IDP, NetScreen Firewall, NetScreen VPN

Lancope Stealthwatch

McAfee IntruShield and Secure Internet Gateway

Microsoft IIS

Mirage CounterPoint Appliance

MessageGate

Nagios

NetContinuum

Newbury WiFi Watchdog

NitroSecurity

Nortel VPN

Oracle Audit

Packet Alarm

Radware DefensePro

RSA ACE Server

SaberNet NTsyslog

Secure Computing Gauntlet, IronMail, and Sidewinder

Sendmail

SonicWall

Sourcefire/Snort

Stonesoft StoneGate

Symantec Endpoint Protection, Mail Security, ManHunt, and Network Security

TippingPoint

TopLayer Attack Mitigator NG

Tripwire Enterprise

Type80

Vormetric CoreGuard

Flex Connectors
ArcSight FlexConnectors allow you to create custom SmartConnectors that can read and
parse information from third-party devices and map that information to ArcSight's event
schema. When creating a custom SmartConnector, you define a set of properties (a
configuration file) that identify the format of the log file or other source that will be
imported into the ArcSight Manager or ArcSight Logger.
Use of this SmartConnector option requires the FlexConnector Developer's Kit.

The following FlexConnectors are available:
Log file FlexConnector for reading fixed-format log files
Regular expression FlexConnector for reading variable-format log files
Regular expression FlexConnector for recursively reading variable-format log files in a folder
Time-based and ID-based database FlexConnectors for reading the latest security events from a database
Multi-database FlexConnector for reading events from multiple databases
Simple Network Management Protocol (SNMP) FlexConnector for gathering events from SNMP traps
Syslog FlexConnector for reading events from Syslog messages
Extensible Markup Language (XML) FlexConnector for recursively reading events from XML-based files in a folder
Scanner FlexConnector to import the scan results from a scanner device

Other Connectors
Some connectors use multiple mechanisms. For example, the SmartConnector for Oracle
Audit monitors both the database tables and audit files. Other examples of connectors with
multiple mechanisms include:

NetFlow
Receives NetFlow records exported by Cisco devices. NetFlow is a Cisco-defined binary
format, and exporters send it over UDP.

ArcSight Streaming Connector
Retrieves data over TCP from ArcSight Logger in an ArcSight-proprietary format.

Appendix A

Payload Support
Payload support is available with current SmartConnector versions. Payload refers to the
information carried in the body of an event's network packet, as distinct from the packet's
header data.
The following topics are discussed in this appendix:
Introduction on page 111
Working with Payload Data on page 111

Introduction
Extra information can be retrieved by using the on-demand payload feature on the ArcSight
ESM Console. Click on any of the vulnerability events sent by the SmartConnector and you
will see in the Event Inspector that Payload data is available; click on the Payload tab and
you can see additional information including Description and Recommendation. For
services events, you will receive Description and Detail.
You can retrieve, preserve, view, or discard payloads using the ArcSight Console. Because
event payloads are relatively large, ArcSight does not store them by default. Instead, you
can request payloads from devices for selected events through the Console. If the payload
is still held on the device, the ArcSight SmartConnector retrieves it and sends it to the
Console.
Payloads are downloaded and stored only on demand; you must configure ArcSight ESM to
log these packets. By default, 256 bytes of payload are retrieved.
Whether an event has a payload to store is visible in event grids. Unless you specifically
request to do so, only the event's "payload ID" (information required to retrieve the
payload from the event source) is stored. Payload retention periods are controlled by the
configuration of each source device.

Working with Payload Data


The first step in handling event payloads is to be able to locate payload-bearing events
among the general flow of events in a grid view. In an ArcSight Console Viewer panel grid
view, right-click a column header and select Add Column <Device> Payload ID. Look
for events showing a Payload ID in that column.
To retrieve payloads, in a Viewer panel grid view, double-click an event with an associated
payload. In the Event Inspector, click the Payload tab, then click Retrieve Payload.

To preserve payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Preserve. Alternatively, in the Event Inspector, click the Payload tab, then
the Preserve Payload icon.
To discard payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Discard Preserved. You also can use the Event Inspector: In a grid view,
double-click an event with an associated payload. In the Event Inspector, click the Payload
tab, then click the Discard Preserved Payload icon.
To save payloads to files, in a grid view, double-click an event with an associated payload.
In the Event Inspector, click the Payload tab. Click the Save Payload icon. In the Save
dialog box, navigate to a directory and enter a name in the File name text field. Click
Save.

Appendix B

Capturing Events from SmartConnectors
The information in this appendix applies only to SmartConnectors used with ArcSight ESM
v4.0. The following topics are discussed:
Summary on page 113
Installation on page 113
Event Data Rotation on page 114

Summary
This appendix explains how to capture events a SmartConnector normally would send to
the ArcSight ESM Manager into a file. This is an advanced topic; typical ArcSight
configurations do not require the use of external files to communicate events to the
ArcSight ESM Manager.
Event data is written to a file in Excel-compatible comma-separated values (CSV) format,
with comments prefixed by #. A SmartConnector can be configured to preface the data
with a comment line that describes the fields found on a subsequent line. A typical event
file might look like this:
#event.eventName,event.attackerAddress,event.targetAddress
"Port scan detected","1.1.1.1","2.2.2.2"
"Worm ""Code red"" detected","1.1.1.1","2.2.2.2"
"SQL Slammer detected","1.1.1.1","2.2.2.2"
"Email virus detected","1.1.1.1","2.2.2.2"
Event data is written to files in the specified folder and can be configured to rotate
periodically.

Installation
To create a SmartConnector that logs security events in a CSV file rather than forwarding
them to an ArcSight ESM Manager:
1  Run the SmartConnector Installation Wizard.
2  When the wizard asks whether the Manager is using a demo certificate, click the
   Cancel button.
3  When asked for confirmation that you are exiting early, click Yes.
4  Use a text editor to create a new file named agent.properties in the directory
   $ARCSIGHT_HOME\current\user\agent\. This file need contain only the following line:
   transport.default.type=file
5  Return to the SmartConnector Installation Wizard by opening a command window in
   the $ARCSIGHT_HOME\current\bin directory and entering arcsight connectorsetup.
   When queried whether to use Wizard mode, click Yes.
6  At the point where the SmartConnector Configuration Wizard ordinarily asks about the
   Manager certificate, a new window is displayed that contains parameters for the CSV
   file transport. Enter the following values for these parameters:

   Parameter                What to enter or select
   CSV Path                 The path to the output folder. If it does not exist, the
                            folder is created.
   Fields                   A comma-delimited list of field names to be sent to the CSV
                            file. Field names are in the form event.targetPort.
   File rotation interval   The desired file rotation interval, in seconds. The default
                            is 3,600 (one hour).
   Write format header      Select true to send a header row with labels for each
                            column, as described above.

After you enter the file transport parameters and click Continue, the SmartConnector
Configuration Wizard proceeds as usual.

Event Data Rotation


Events are appended to the current file until the rotation time interval expires, at which
time a new current file is created and the previous current file is renamed. One hour is a
typical rotation time interval.
Event files are named using the timestamp of their creation, and all files, with the
exception of the current file, have the text '.done' appended. For example, a typical CSV
file set configured to rotate every hour might consist of files named in this manner:
2007-01-28-10-55-33.csv
2007-01-28-09-55-33.csv.done
2007-01-28-08-55-33.csv.done
Using the properties file, you can customize the configuration of your CSV SmartConnector
to filter and aggregate events as desired.
You also can configure a SmartConnector to send events to a CSV file and an ESM Manager
at the same time.
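As an added example (not part of the original guide and not ArcSight's own code), the following Python reads the files this CSV transport writes: it takes the field names from the '#' header line, handles the doubled-quote escaping shown in the sample, and, when given a directory listing, consumes only rotated files carrying the '.done' suffix so that the file still being appended to is never read half-written. The sample rows and file names are constructed for the example; the parser otherwise assumes only what the appendix states about the format.

```python
import csv
import io
import re
from pathlib import Path

# Constructed sample of the transport's output: a '#'-prefixed field header
# followed by quoted rows; a literal double quote inside a value is doubled.
SAMPLE_CSV = (
    '#event.eventName,event.attackerAddress,event.targetAddress\n'
    '"Port scan detected","1.1.1.1","2.2.2.2"\n'
    '"Worm ""Code red"" detected","1.1.1.1","2.2.2.2"\n'
    '"SQL Slammer detected","1.1.1.1","2.2.2.2"\n'
    '"Email virus detected","1.1.1.1","2.2.2.2"\n'
)

# Rotated files are named <creation timestamp>.csv; finished ones end in '.done'.
ROTATED_NAME = re.compile(r'^(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.csv(\.done)?$')


def parse_event_csv(text, fields=None):
    """Return one dict per event row, keyed by the event.* field names.

    The '#' comment line names the columns when 'Write format header' is
    true; if it is absent, the caller passes 'fields' in the same order as
    the connector's Fields parameter.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#'):
            fields = line[1:].split(',')   # a later header line replaces the list
            continue
        if fields is None:
            raise ValueError('no field header and no fields supplied')
        row = next(csv.reader(io.StringIO(line)))   # csv module undoes "" escaping
        if len(row) != len(fields):
            raise ValueError(f'expected {len(fields)} columns, got {len(row)}: {line!r}')
        events.append(dict(zip(fields, row)))
    return events


def finished_files(names):
    """Pick the rotated (.done) files out of a directory listing, oldest first.

    The file without '.done' is the current file and is still growing, so it
    is skipped; anything not matching the rotation naming is ignored.
    """
    done = []
    for name in names:
        m = ROTATED_NAME.match(name)
        if m and m.group(2):
            done.append((m.group(1), name))
    return [name for _, name in sorted(done)]


def load_directory(csv_dir):
    """Parse every finished file under csv_dir (the CSV Path folder), oldest first."""
    csv_dir = Path(csv_dir)
    events = []
    for name in finished_files(p.name for p in csv_dir.iterdir()):
        events.extend(parse_event_csv((csv_dir / name).read_text()))
    return events


if __name__ == '__main__':
    for ev in parse_event_csv(SAMPLE_CSV):
        print(ev['event.eventName'], ev['event.attackerAddress'], '->', ev['event.targetAddress'])
```

Because the header is a comment rather than a CSV row, a generic CSV library would either treat it as data or need to be told to skip it; reading it explicitly also lets the same reader cope with files written with Write format header set to false, as long as the Fields list is supplied.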

Appendix C

ArcSight Update Packs (AUP)


This appendix details the different ArcSight Update Packs (AUPs) used in updating content
to and from the ArcSight Manager and ArcSight SmartConnectors. AUP files may contain
information that applies to SmartConnectors or ESM related updates.
The following topics are discussed in this appendix:
Defining an AUP on page 115
ArcSight Content AUPs on page 115
ArcSight Connector Upgrade AUP on page 116
ESM Generated AUPs on page 118

Defining an AUP
AUP files provide a way to collect a set of files together and update ArcSight resources as
well as distribute parsers to ArcSight SmartConnectors.
For some AUPs, ArcSight provides downloadable packages of new content available to
subscribing customers. You can obtain a content subscription through ArcSight Sales or
Customer Support. Subscribers also have access to related articles in the ArcSight
Customer Support Center's Knowledge Base.
The download files are offered through a special subdirectory on the ArcSight software
server. The directory is visible only to subscribers, who receive a notification e-mail from
ArcSight Customer Support when files are posted.

ArcSight Content AUPs


ArcSight continuously develops new SmartConnector event categorization mappings, often
called "content." This content is packaged in ArcSight Update Packs (AUP) files.
All existing content is included with major product releases, but it is possible to stay
completely current by receiving up-to-date, regular content updates via ArcSight
announcements and the Customer Support website
(https://software.arcsight.com). Under "Content Subscription Downloads", the
files are located in "RELEASE3.X".
Content updates (ArcSight-xxxx-ConnectorContent.aup) are provided by ArcSight
and contain data that is then transferred to registered connectors. An AUP can provide
updates for:
1  Event categorizations (Category Behavior, Category Object, etc.)
2  Default zone mappings (what IP maps to which zone by default)
3  OS mappings (when a network is scanned, where the asset is created)

As shown below, the method of uploading an AUP varies depending on the ArcSight
product.

ArcSight ESM
As an ArcSight customer, you will receive an e-mail notification about content updates from
ArcSight support. To update:
1  Download the latest AUP release from the Customer Support website
   (https://software.arcsight.com).
2  Copy the .aup file to ARCSIGHT_HOME\updates\ on a running ArcSight ESM
   Manager. SmartConnectors registered to this ESM automatically download the .aup
   and, once completed, an audit event is generated.

ESM/Logger
A SmartConnector can send events to ArcSight ESM and Logger simultaneously. In this
configuration, it is helpful to use the AUP Master Destination feature. AUP Master
Destination allows ESM to push AUP content to the SmartConnector for use with its Logger
destination(s). Logger is not capable of storing or pushing its own AUP content.
1  Using the SmartConnector Configuration Wizard, add the ESM destination and set the
   AUP Master Destination parameter to true (the default is false).
2  If you have not already done so, add the Logger destination.
3  Copy the .aup file to ARCSIGHT_HOME\updates\ on the running ArcSight ESM
   Manager you added in step 1.
The AUP content is pushed from ESM to the SmartConnector, which then sends an internal
event to confirm. Because the AUP Master Destination flag was set for the ESM destination,
that AUP content is used by the SmartConnector for Logger or any other non-ESM
destinations.
Set the AUP Master Destination flag to true for only one ESM destination at a time. If the
flag is true for more than one ESM destination, only the first is treated as master.
Failover ESM destinations cannot be AUP Masters.

Logger
Logger has no facility to store or forward AUPs to SmartConnectors.

Connector Appliance
Connector Appliance does not support automatic deployment of an AUP. This feature will
be included in future releases. Please call customer support for assistance.

ArcSight Connector Upgrade AUP


ArcSight ESM
1  Download the latest AUP release from the Customer Support website (at
   https://software.arcsight.com).
2  Copy the .aup file to ARCSIGHT_HOME\updates\ on a running ArcSight ESM
   Manager. SmartConnectors registered to this ESM automatically download the .aup
   and, once completed, an audit event is generated.
3  From the ArcSight Console, select the connectors to be upgraded (one at a time) and
   launch the upgrade command for each of them.
4  Upon receipt of the upgrade command, the selected connectors upgrade themselves,
   restart, and send upgrade results (success or failure) back to the ArcSight Console
   through the ArcSight Manager.
   a  If the upgrade is successful, the new connector starts and reports a successful
      upgrade status. (The upgraded connector runs in the same home directory as the
      old one.)
   b  If the upgraded connector fails to start, the original connector restarts
      automatically as a fail-over measure (essentially an automatic rollback and
      restart).

Connector Appliance
Uploading an AUP through Connector Appliance is performed through its web-based user
interface. From the Advanced Operations tab, the Connector Upgrade Repository
displays upgrades that have been uploaded using the Connector Upgrade command.
To upload .aup updates:
1  Download the latest AUP release from the Customer Support website (at
   https://software.arcsight.com).
2  From the Advanced Operations tab, click Upgrade, and then click the Upgrade
   Repositories sub-tab.
3  Click Upload and browse to the downloaded .aup file.
4  Click the Submit button.

The next step is to push this upgrade to one or more containers. To push the upgrade
.aup to one or more containers:
1  Click the Upgrade Connectors sub-tab.
2  Select the check box for each container that you wish to upgrade.
3  Click the Upgrade button.
4  From the drop-down menu, select the appropriate upgrade.
5  Click Save.

The upgrade you uploaded should now appear in the list.


For more detailed information about Connector Appliance, see the Connector Appliance
Administrator's Guide.

ESM Generated AUPs


Some AUPs are generated by ESM itself for internal maintenance and operation.

User Categorization Updates


User Categorization Updates (usercategorizations_user_supplied_00000000001300014581.aup) are generated
by ESM when a user modifies the way an event is categorized through the ArcSight Console
tools. These updates are then transferred to the registered connectors to update the way
the newly sent events will be categorized. This is generally used for categorizing custom
signatures for which ArcSight does not provide categorization.

System Zones Updates


System Zones updates (system-zone-mappings_00000000000000000001.aup) are
generated by ESM when a change to the ArcSight System zones is detected, then
transported to the necessary connectors. It contains the new System-Zone mappings so
incoming events are attached to the correct zones or assets in ESM.
As System Zones are always present, all SmartConnectors connected to ESM routinely
receive them as an AUP.

User Zones Updates


User Zones updates (user-zonemappings_3RxkkOxYBABDRZlZyr6nrWg==_00000000001700001895.aup) are
generated by ESM when a change to a user-created zone configuration is detected, then
transported to the necessary connector. It contains the new zone mappings so that
incoming events are attached to the correct zones or assets in ESM.

Appendix D

SmartConnector Frequently Asked Questions
What if my device is not one of the listed SmartConnectors?

ArcSight offers an optional feature called the FlexConnector Development Kit (SDK),
which can assist you in creating a custom SmartConnector for your device.

ArcSight can create a custom SmartConnector; contact ArcSight Customer Support for
more information.

My device is on the list of supported products; why doesn't it appear in the
SmartConnector Configuration Wizard?
SmartConnectors are installable based upon the operating system you are using. If your
device is not listed, either it is not supported by the operating system on which you are
attempting to install, or your device is served by a Syslog server and is, therefore, a syslog
sub-connector. To install a Syslog SmartConnector, select Syslog Daemon, Syslog Pipe,
or Syslog File during the installation process.
Why isn't the SmartConnector reporting all events?
Check that event filtering and aggregation setup is appropriate for your needs.
Why are some event fields not showing up in the Console?
Check that the two separate turbo modes for the SmartConnector and the ArcSight ESM
Manager are compatible for the specific SmartConnector resource. If the Manager is set for
a faster turbo mode than the SmartConnector, some event details will be lost. See
"Understanding ArcSight Turbo Modes" on page 17 for detailed information.
Why isn't the SmartConnector reporting events?
Check the SmartConnector log for errors. Also, if the SmartConnector cannot communicate
with the Manager, it caches events until its cache is full. A full cache can result in the
permanent loss of events.
How can I get my database SmartConnector to start reading events from the
beginning?
If it is a FlexConnector for Time-Based DB, set the following parameter in agent.properties:
agents[0].startatdate=01/01/1970 00:00:00
If it is a FlexConnector for ID-Based DB, set the following parameter in agent.properties:
agents[0].startatid=0

When events are cached and the connection to the Manager is re-established,
which events are sent?
Events are sent with a 70% live and 30% cached events ratio. If live events are not arriving
quickly, the percentage of cached events can be higher. This can reach 100% if there are
no live events.
Also, if the settings dictate that certain event severities are not sent at the time connection
is restored, those events are never sent. This is true even if they were originally generated
(and cached) at a time when they would ordinarily go out.
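The following Python is an added illustration of the reconnect behaviour the two answers above describe; it is a model written for this page, not ArcSight's own implementation, and the event records and severity names it uses are constructed. Each cycle offers seven live slots and three cached slots (the documented 70/30 split); an empty queue hands its slots to the other, so with no live traffic the cache drains at 100%; and the severity filter in force at send time is applied to cached events too, which is why an event cached under a more permissive setting can still be discarded.

```python
from collections import deque

# Constructed severity ordering used by the filter in this model.
SEVERITY_RANK = {'Low': 0, 'Medium': 1, 'High': 2, 'Very-High': 3}


def make_events(prefix, n, severity='Medium', origin='live'):
    """Constructed sample events; only id, severity and origin matter here."""
    return [{'id': f'{prefix}{i}', 'severity': severity, 'origin': origin}
            for i in range(1, n + 1)]


def drain(live, cached, live_slots=7, cached_slots=3, min_severity='Low'):
    """Model of the reconnect behaviour: returns (sent, dropped) in send order.

    Each cycle offers live_slots live events and cached_slots cached ones.
    When one queue is empty the other fills its slots, so the cached share
    rises above 30% and reaches 100% once no live events remain. The
    min_severity in force *now* is applied to every event as it is sent, so
    a cached event below it is dropped even though it was cached when it
    would ordinarily have gone out.
    """
    live, cached = deque(live), deque(cached)
    pattern = ['live'] * live_slots + ['cached'] * cached_slots
    threshold = SEVERITY_RANK[min_severity]
    sent, dropped = [], []
    while live or cached:
        for wanted in pattern:
            if wanted == 'live' and live:
                queue = live
            elif wanted == 'cached' and cached:
                queue = cached
            else:
                queue = live or cached   # whichever queue still holds events
            if not queue:
                break
            event = queue.popleft()
            if SEVERITY_RANK[event['severity']] < threshold:
                dropped.append(event)    # filtered at send time, never delivered
            else:
                sent.append(event)
    return sent, dropped


def mix(sent, first_n):
    """(live, cached) counts among the first_n events actually sent."""
    head = sent[:first_n]
    return (sum(e['origin'] == 'live' for e in head),
            sum(e['origin'] == 'cached' for e in head))


if __name__ == '__main__':
    live = make_events('L', 14)
    cached = make_events('C', 10, severity='High', origin='cached')
    sent, dropped = drain(live, cached)
    print([e['id'] for e in sent], 'first ten live/cached:', mix(sent, 10))
```

Running the model with 14 live and 10 cached events sends L1-L7 then C1-C3, repeats for the next cycle, and finishes with C7-C10 once the live queue is empty. Raising min_severity to Medium while two cached events are Low shows the second point: those two are dropped on the way out rather than delayed.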
Why does the status report the size of the cache as smaller than it should be?
For example, I know that a few events have been received by the
SmartConnector since the Manager went down, yet the report marks events as
zero.
Some of the events are in other places in the system, such as the HTTP transport queue.
Shut down the SmartConnector and look at the cache size in the .size.dflt file to confirm
that the events are really still there.
Why does the estimated cache size never change in some SmartConnectors?
Why is the estimated cache size negative in others?
The estimated cache size is derived from a size file that gets read at startup and written at
shutdown. If the SmartConnector could not write the size at shutdown (for example, due to
an ungraceful shutdown, disk problem, or similar problem) the number could be incorrect.
Newer versions will attempt to rebuild this cache size if they find it to be incorrect, but
older builds do not.
One solution is to:
1  Stop the SmartConnector.
2  Delete the size file (a file with extension .size under
   current\user\agent\agentdata).
3  Re-start the SmartConnector.

The SmartConnector detects that there is no size file and re-builds the cache size by
reading all the cache files.
Can the SmartConnector cache reside somewhere other than /user/agent/agentdata?
You can change the folder to contain the SmartConnector cache by adding the following
property in agent.properties:
agentcache.base.folder=<relative-folder-path>
where <relative-folder-path> is the path of the folder relative to
$ARCSIGHT_HOME.
Why is my end time always set to an earlier date and time?
ArcSight Manager performs auto time correction for older events. If the end time is older
than your retention period, it is set automatically to that lower bound. A warning is
displayed and an internal event with the same message is sent to you.

Do our Syslog SmartConnectors support forwarded messages from KIWI or AIX?
Yes.
The property related to KIWI is
syslog.kiwi.forwarded.prefix=KiwiSyslog Original Address
Kiwi adds a prefix with the original address. For example, the message:
Jan 01 10:00:00 myhostname SSH connection open to 1.1.1.1
is converted to
Jan 01 10:00:00 myhostname KiwiSyslog Original Address myoriginalhost: SSH connection open to 1.1.1.1
The SmartConnector strips out the prefix and uses myoriginalhost as the Device
Host Name.
The property related to AIX is
syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded from
Similar actions are performed for messages forwarded using AIX.
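As an added example (written for this page, not ArcSight's parser), the following Python shows the two pieces of syslog handling discussed on this page together: decoding the facility and severity that the syslog connector section earlier in this chapter says the daemon must be configured to send, and stripping the Kiwi and AIX forwarding prefixes from the answer above so that the original host becomes the Device Host Name. The sample lines are constructed; the Kiwi format follows the example in the answer, while the assumption that the AIX prefixes are likewise followed by the original host name and a colon is mine, since the page shows no AIX sample.

```python
import re

# Values of the two properties quoted in the answer above; the AIX property is
# a comma-separated list of prefixes.
KIWI_PREFIX = 'KiwiSyslog Original Address'
AIX_PREFIXES = ['Message forwarded from', 'Forwarded from']

# Names for the <PRI> value, where PRI = facility * 8 + severity (BSD syslog).
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
              'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7']
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# BSD-style line: optional <PRI>, "Mmm dd HH:MM:SS", relay host, message.
LINE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<msg>.*)$')


def strip_forwarding_prefix(host, msg):
    """Return (device_host, message), removing a Kiwi or AIX relay prefix.

    Kiwi writes "<prefix> <original host>: <message>", as the FAQ shows.
    Assumption (no AIX sample on the page): the AIX prefixes are followed by
    the original host name and a colon in the same way.
    """
    for prefix in [KIWI_PREFIX] + AIX_PREFIXES:
        if msg.startswith(prefix + ' '):
            original, sep, rest = msg[len(prefix) + 1:].partition(':')
            if sep:
                return original.strip(), rest.lstrip()
    return host, msg   # not forwarded: the sending host is the device


def parse_syslog(line):
    """Parse one line into facility, severity, relay host, device host and message."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f'not a BSD syslog line: {line!r}')
    facility = severity = None
    if m.group('pri') is not None:
        pri = int(m.group('pri'))
        if pri > 191:                       # 23 facilities * 8 + 7 is the maximum
            raise ValueError(f'PRI out of range: {pri}')
        facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    device_host, message = strip_forwarding_prefix(m.group('host'), m.group('msg'))
    return {
        'facility': facility,
        'severity': severity,
        'timestamp': m.group('ts'),
        'relay_host': m.group('host'),      # host that handed us the line
        'device_host': device_host,         # what becomes Device Host Name
        'message': message,
    }


# Constructed sample lines; addresses and host names are illustrative.
SAMPLE_LINES = [
    'Jan 01 10:00:00 myhostname SSH connection open to 1.1.1.1',
    '<38>Jan 01 10:00:00 myhostname KiwiSyslog Original Address myoriginalhost: SSH connection open to 1.1.1.1',
    '<13>Jan  1 10:00:00 aixrelay Message forwarded from aixbox: su: BAD SU from user to root',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Keeping relay_host alongside device_host matters for investigations: the relay is where the packet came from, the device is where the event happened, and a filter or rule written against the wrong one silently misses forwarded traffic.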
What does the T mean in the periodic SmartConnector status lines?
"T" is shorthand for "throughput(SLC)." The following lines are in
agent.defaults.properties:
status.watermark.stdoutkeys=AgentName,Events
Processed,Events/Sec(SLC),Estimated Cache
Size,status,throughput(SLC),hbstatus,sent
status.watermark.stdoutkeys.alias=N,Evts,Eps,C,ET,T,HT,S
The SLC stands for Since Last Check, which means "in the last minute," assuming
status.watermark.sleeptime=60 has not been overridden.
The throughput (SLC) status is returned by the AgentHTTPEventTransport class.
What do EVTS and EPS refer to?
EVTS is an acronym for Events Processed and EPS is an acronym for Events/Sec(SLC).
These values are calculated by the SimpleObjectCounter.getStatus method, although the
class is actually instantiated as the SimpleEventCounter subclass.
Does a file reader SmartConnector reading files over a network share display
errors when the network share is disconnected? How can I recognize which
error message refers to which file in agent.log and agent_out_wrapper.log?
If the network share is a Linux/UNIX NFS mount or a Windows network mapped drive, the
file reader SmartConnector displays errors in the agent log.
If files are being read using a Windows UNC path that does not require network mapping,
the file reader SmartConnector cannot detect a network connection loss.

Error messages related to file access contain the file name, but error messages related to
log line parsing do not.
Are log files accessed sequentially or in parallel?
This depends upon the SmartConnector you are using. Some log file connectors process
files sequentially and others process log files in parallel.
After reading a log file, can a SmartConnector move them using NFS?
Yes. Folder Follower connectors can rename or move the files using NFS, as long as the
folders containing the log files give the correct permissions for the SmartConnector.
My SmartConnector must read log files from a remote machine through a
network share. How can I do this?
To establish a network share to a remote machine, you can use network mapping on
Windows platforms, and NFS or Samba mounting on Linux/UNIX platforms.
If you are running the SmartConnector as a Windows service, access privileges to the
network share are required. To access the user name and password panel:
1  From the Start menu, select Control Panel.
2  Double-click Administrative Tools.
3  Double-click Services.
4  Right-click the name of the appropriate SmartConnector and select Properties.
5  Click the Log on tab, and enter the user name and password for the user with access
   permissions to the file share. Specify the file path using UNC notation, not as a
   network mapped drive.

How do you disable the DOS Protector component?
To disable the component, add the following property to agent.properties:
agent.mainevent.component.com.arcsight.agent.loadable._DOSProtector.enabled=false
What is the maximum event rate per SmartConnector?
These rates are subjective and depend upon the system resources, number of devices,
number of events, and so on. ArcSight recommends limiting each SmartConnector to 500
eps to allow for growth.
Is there any limitation on performance relating to EPS?
These limitations are subjective and depend upon system resources, number of devices,
number of events, and so on.
How many log files can a SmartConnector access at one time?
The SmartConnector can access as many log files as it is configured with. The folders are
processed in parallel.

What is the recommended maximum number of SmartConnectors per ArcSight
ESM Manager?
There is no hard and fast maximum. The Manager has a restriction of 64 concurrent
SmartConnector threads by default. The more threads you add, the more it affects
performance, because there is more thread context-switching overhead. The general
recommendation is to definitely stay lower than the triple-digit range.
How can I determine the hardware requirements for my SmartConnector box?
If enough memory is available (256 MB per SmartConnector by default plus at least 256 MB
for the operating system), SmartConnectors are usually CPU bound. Therefore, the number
of SmartConnectors you can install on a single box depends upon the combined number of
events per second (eps) that all the SmartConnectors are to process.
For example, if you have the Check Point, RDEP, and Syslog SmartConnectors and, when
combined, they process fewer than 500 eps, a dual Pentium IV with 2 GB RAM would be
enough (and it would let you process bursts of about twice that, or 1000 eps, if needed).
However, the SmartConnector for Check Point by itself could easily go beyond 1000 eps. If
that is the case with one or more of the SmartConnectors, you most likely need at least two
SmartConnector boxes: one for the SmartConnector that goes beyond 1000 eps, and
another for RDEP and syslog. RDEP usually is under 100 eps, but syslog can go anywhere
from 10 eps to more than 1000 eps; you need to know the expected volume before sizing
the hardware.
An easy rule of thumb is to limit each SmartConnector to 500 eps, which should give you
some room to grow.
