Users Guide
Topics Applicable to All ArcSight™ SmartConnectors
Revision History
Date / Description
02/13/2009
11/17/2008
Added AUP and Connector Appliance sections. Updated for latest changes within ESM. SmartConnector build #5177.
08/13/2008
07/01/2008
02/14/2008
12/18/2007
Two new parameters for the HTTP (ESM) destination type have been added to allow non-ESM destinations to use the automatic updates (AUPs) pushed by an ESM Manager. See the revised installation chapter. Some organizational changes for usability.
09/20/2007
06/26/2007
09/30/2006
ArcSight Customer Support: support@arcsight.com, https://support.arcsight.com
Customer Forum: https://forum.arcsight.com
Contents
About This Book (p. vii)
  Who Should Read this Book (p. vii)
  Related Documentation (p. viii)
  ArcSight Customer Support (p. viii)
Chapter 1: Introduction to ArcSight Components (p. 1)
  ArcSight Components (p. 2)
    ArcSight ESM (p. 2)
      SmartConnectors (p. 3)
      Supported Data Sources (p. 3)
      FlexConnectors (p. 4)
      ESM Manager (p. 4)
      ESM Database (p. 4)
      ESM Console (p. 4)
      ArcSight Web (p. 5)
    ArcSight NSP (p. 5)
    ArcSight Logger (p. 5)
    Connector Appliance (p. 5)
  Event Severity (p. 6)
  Filter and Aggregate Events (p. 6)
  Configurable Attributes (p. 7)
Chapter 2: SmartConnector Overview (p. 9)
  Understanding ArcSight SmartConnectors (p. 9)
  Features (p. 10)
  Data Collection Methods (p. 12)
  ArcSight Database Mapping to Vendor Events (p. 12)
Chapter 3: Planning for Deployment (p. 13)
  Overview (p. 13)
  Supported Platforms (p. 14)
  Deployment Scenarios (p. 14)
    Deployment Scenario One (p. 15)
    Deployment Scenario Two (p. 16)
ArcSight Confidential
About This Book
Who Should Read this Book
- Networks
- Security
- Systems
- Databases
If this is the first time you are installing an ArcSight component, ArcSight recommends that you first read the latest ArcSight ESM Administrator's Guide.
Related Documentation
ArcSight makes available the following ESM and SmartConnector product documentation. Many of these documents are available for download from the ArcSight ESM Console by choosing the menu option Help > Browse Documentation. The latest and most complete set of documentation is always offered on the ArcSight Customer Support site (https://support.arcsight.com) through the Product Documentation link in the Knowledge Center section.
- Release Notes (ArcSight SmartConnectors)
- ArcSight ESM Installation and Configuration Guide
- ArcSight ESM Administrator's Guide
- ArcSight ESM Reviewers Guide
- ArcSight ESM Reference Guide
- ArcSight ESM Web Users Guide
- ArcSight SmartConnector Configuration Guides
- ArcSight FlexConnector Configuration Guide
ArcSight Customer Support
- Support website: https://support.arcsight.com
- Customer Forum: https://forum.arcsight.com
Chapter 1: Introduction to ArcSight Components
Correlation. Often, interesting activities are represented by more than one event.
Correlation is a process that discovers the relationships between events, infers the
significance of those relationships, prioritizes them, and provides a framework for
taking action.
Monitoring. Once events have been processed and correlated to pinpoint the most
critical or potentially dangerous, ArcSight provides a variety of monitoring tools to
assist you in investigating and remediating potential threats before they can damage
your network.
Analysis. When events occur that require investigation, ArcSight provides an array of
investigative tools that let your team members drill down into an event to discover its
details and connections, and to perform functions (such as nslookup, ping, portinfo,
traceroute, WebSearch, and whois).
Reporting. Briefing others on the status of your network security is vital to all who
have a stake in the health of your network, including IT and Security Managers,
executive management, and regulatory auditors. You can use ArcSight's reporting
ArcSight Components
ArcSight products comprise several separately installable components working together to
process event data from your network. These components connect to your network
through sensors that report to ArcSight SmartConnectors.
SmartConnectors translate device output into a normalized event schema that becomes the
starting point for ArcSight ESM correlation.
The following graphic illustrates ArcSight basic components. For complete descriptions of
these components, see ESM 101, Concepts for ArcSight ESM v4.0.
Figure 1-1
ArcSight Components
ArcSight SmartConnectors gather and process event data from network devices and
pass it to the ArcSight ESM Manager to be processed and stored in the database.
Users interact with ArcSight ESM using the ArcSight ESM Console or ArcSight Web.
ArcSight Logger is a hardware storage solution optimized for extremely high event
throughput.
ArcSight ESM
ArcSight ESM consists of several separately installable components that work together to
process event data from your network. These components connect to your network via
sensors that report to ESM SmartConnectors. SmartConnectors translate a multitude of
device output into a normalized ESM schema that becomes the starting point for ESM
correlation capabilities. ArcSight ESM components are described in the following pages.
SmartConnectors
SmartConnectors are the interface between the ArcSight ESM Manager and the network devices that generate ESM-relevant data on your network.
SmartConnectors collect event data from network devices, then normalize it in two ways. First, they normalize values (such as severity, priority, and time zone) into a common format. Then they normalize the data structure into a common schema. SmartConnectors can filter and aggregate the events to reduce the volume sent to the Manager, which increases ArcSight's efficiency and reduces event processing time.
In brief, SmartConnectors:
- Parse individual events and normalize them into a common schema (format) for use by ArcSight ESM.
- Collect all the data you need from a source device, which eliminates the need to return to the device during an investigation or audit.
- Filter out data you know is not needed for analysis, thus saving network bandwidth and storage space.
- Categorize events using a common, human-readable format, saving you time and making it easier to use those event categories to build filters, rules, reports, and data monitors.
- Depending upon the network device, some SmartConnectors can also send commands back to the device. These actions can be executed manually or through automated actions from rules and some data monitors.
ArcSight releases new and updated SmartConnectors approximately every six weeks.
FlexConnectors
ArcSight's FlexConnector framework is a software development kit (SDK) that lets you create a SmartConnector tailored to the devices on your network and their specific event data. The following ArcSight FlexConnector types are available:
- File
- Time-Based Database
- Key-Value File
- SNMP
- Multiple Database
- ID-Based Database
- XML File
- CounterACT
- Multi-Folder File
- Syslog
- Scanner Database
For complete information about these FlexConnectors and how to use them, contact your ArcSight Customer Support representative or see the ArcSight FlexConnector Developer's Guide.
ESM Manager
As events stream into the system, the ESM Manager writes them to the ArcSight database.
It simultaneously processes the events through the correlation engine, which evaluates
each event with network model and vulnerability information to develop real time threat
summaries.
ESM Database
As events stream into the ESM Manager from the SmartConnectors, they are written to the
ESM Database with a normalized schema. This lets ESM collect all events generated by the
devices on your network, which you can analyze and refer to at any time.
The ESM Database is based upon Oracle 9i. A typical installation retains active data online
from weeks to months.
ESM Console
The ArcSight ESM Console is a workstation-based interface intended for use by your
full-time security staff in a Security Operations Center (SOC) or similar security-monitoring
environment. The Console is the authoring tool for building ArcSight ESM filters, rules,
reports, Pattern Discovery, dashboards, and data monitors. It also is the interface for
administering users and resources.
The ArcSight ESM Console version should match the ArcSight ESM Manager
version to ensure that resources and schemas match.
ArcSight Web
ArcSight Web is an independent and remotely installable Web server that provides a secure interface with the ArcSight ESM Manager for browser clients. ArcSight Web is intended for use as a streamlined interface for customers of Managed Security Service Providers (MSSPs), SOC operators, and business users who require access to ArcSight ESM to investigate events from outside the protected network.
ArcSight NSP
ArcSight NSP is an appliance that consists of two licensed software components, NCM and TRM. These components build and maintain a detailed understanding of your network's topology, letting you centrally manage your network infrastructure and rapidly respond to security incidents.
The NCM/TRM solution lets you:
- Build wizards that let you delegate routine network administration tasks to lower-level administrators.
ArcSight Logger
ArcSight Logger is an event data storage appliance optimized for extremely high event
throughput. Logger stores security events onboard in compressed form, but can always
retrieve unmodified events on demand for forensics-quality litigation data.
Logger can be deployed stand-alone to receive events from syslog messages or log files, or
to receive events in Common Event Format from SmartConnectors. Logger can forward
selected events as syslog messages to ESM.
Multiple Loggers work together to support high sustained input rates. Event queries are
distributed across a peer network of Loggers.
Connector Appliance
ArcSight Connector Appliance is a hardware solution that incorporates a number of
onboard ArcSight SmartConnectors and a web-based user interface that provides
centralized management for SmartConnectors across a potentially large number of hosts.
- Provides a single interface through which to configure, monitor, tune, and update SmartConnectors. The Connector Appliance does not receive events from the SmartConnectors it manages, which is what allows it to manage many connectors at one time. The Connector Appliance does not affect working SmartConnectors unless it is used to change their configuration; in some cases, the SmartConnector is commanded to restart.
Event Severity
During the normalization process, the SmartConnector collects data about the level of danger associated with a particular event, as interpreted by the data source that reported the event to the SmartConnector. These data points, device severity and SmartConnector severity, become factors in calculating the event's overall priority.
Device severity captures the language used by the data source to describe its interpretation of the danger posed by a particular event. For example, if a network IDS detects a DHCP packet that does not contain enough data to conform to the DHCP format, the device flags this as a high-priority exploit.
SmartConnector severity is the translation of the device severity into ArcSight-normalized values. For example, Snort uses a device severity scale of 1-10, whereas Check Point uses a scale of high, medium, and low. ArcSight normalizes these values into a single severity scale. The default ArcSight scale is Low, Medium, High, and Very High.
For example, routine file access and successful authentications by authorized users would be translated into the ArcSight-normalized value Low, whereas a short DHCP packet would be translated as Very High.
Filter and Aggregate Events
You can configure the SmartConnector to aggregate (summarize and merge) events that
have the same values in a specified set of fields, either for a specified number of times or
within a specified time limit.
SmartConnector aggregation compiles events with matching values into a single event. The
aggregated event contains only the values the events have in common plus the earliest
start time and latest end time. This reduces the number of individual events the Manager
must evaluate.
For example, suppose the SmartConnector is configured to aggregate events with a certain
Source IP and Port, Destination IP and Port, and Device Action whenever the events occur
10 times in 30 seconds. If ten events with these matching values are received by the
SmartConnector within that timeframe, they are grouped together into a single event with
an aggregated event count of 10.
If the 30-second timeframe expires and the SmartConnector has received only two
matching events, the SmartConnector creates a single aggregated event with an
aggregated event count of two. If 900 matching events were to come in during the 30
seconds, the SmartConnector would create 90 aggregated events, each with an
aggregated event count of 10.
Firewalls are a good candidate for aggregation because of the volume of events with
similar data coming in from multiple devices.
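The aggregation rule described above, as an added example in Python (this is not ArcSight's connector code): events that share the five key fields are merged into one record that keeps only those shared fields plus the earliest start time, the latest end time and a count, and a bucket is emitted either when it reaches the count threshold or when its time window has expired. The field names, the bucket bookkeeping and the sample events are constructed for the demonstration; 900 matching events yield 90 aggregated events with a count of 10 each, and two matching events yield one aggregated event with a count of 2, as the text describes.

```python
"""SmartConnector-style aggregation of events that share a set of key fields.

Added example, not ArcSight code. Field names, the bucket rules and the
sample events are constructed to mirror the 10-events-in-30-seconds case.
"""

KEY_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "device_action")


def aggregate(events, max_count=10, window=30):
    """events: dicts carrying the key fields plus 'start' and 'end' (seconds),
    in arrival order. Returns aggregated events, each holding only the shared
    key fields plus start (earliest), end (latest) and count."""
    open_buckets = {}   # key tuple -> bucket still being filled
    emitted = []

    def close(key):
        emitted.append(open_buckets.pop(key))

    for ev in events:
        now = ev["start"]
        # Expire every bucket whose window ran out before this event arrived.
        for key in list(open_buckets):
            if now - open_buckets[key]["start"] >= window:
                close(key)
        key = tuple(ev[f] for f in KEY_FIELDS)
        bucket = open_buckets.get(key)
        if bucket is None:
            # Only the values the events have in common survive aggregation.
            bucket = dict(zip(KEY_FIELDS, key), start=ev["start"], end=ev["end"], count=0)
            open_buckets[key] = bucket
        bucket["end"] = max(bucket["end"], ev["end"])
        bucket["count"] += 1
        if bucket["count"] >= max_count:
            close(key)           # threshold reached: emit without waiting for the window

    for key in list(open_buckets):   # end of stream: flush partial buckets
        close(key)
    return emitted


def make_events(n, t0=0, step=0, **overrides):
    """Constructed firewall deny events; all share one key unless overridden."""
    base = {"src_ip": "10.1.1.20", "src_port": 51234, "dst_ip": "10.2.2.2",
            "dst_port": 445, "device_action": "deny"}
    base.update(overrides)
    return [dict(base, start=t0 + i * step, end=t0 + i * step) for i in range(n)]


if __name__ == "__main__":
    print(len(aggregate(make_events(900))), "aggregated events from 900 matching events")
    print(aggregate(make_events(2))[0]["count"], "is the count when only two events matched")
```

Two points worth noticing before copying this pattern into anything real: a bucket here is only expired when a later event arrives, so a production connector needs a timer to flush the last partial bucket, and every field outside the aggregation key is discarded, so do not aggregate on a key that drops a field you will need during an investigation.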
Configurable Attributes
All SmartConnector configurable attributes are set during the installation and configuration process. The following attributes can be edited after installation by the ArcSight ESM Administrator:
- The default behavior of the SmartConnector, such as batching, time correction, cache size, Manager connection attributes, aggregation parameters, or filters
For complete instructions about which SmartConnector attributes to configure and how, see the ArcSight ESM v4.0 Installation and Configuration Guide.
Chapter 2
SmartConnector Overview
This chapter provides an overview of ArcSight SmartConnectors and how they collect and
send events (generated by various vendor devices) to the ArcSight ESM Manager.
The following topics are included in this chapter:
- Understanding ArcSight SmartConnectors on page 9
- Features on page 10
- Data Collection Methods on page 12
- ArcSight Database Mapping to Vendor Events on page 12
Once SmartConnectors normalize and send events to the ArcSight Manager, the events are stored in the centralized ESM Database. ArcSight ESM then filters and cross-correlates these events with rules to generate meta-events. The meta-events are then automatically sent to administrators with corresponding Knowledge Base articles, which contain information supporting their enterprise's policies and procedures.
Features
For complete information about how the following features work, see the ArcSight ESM
- Aggregation
- Batching
- Time Error Correction
- Categorizer
- Resolver
- Data Normalization
The following illustration shows the communication between network devices and ArcSight
SmartConnectors, and between ArcSight SmartConnectors and ArcSight ESM Manager.
Figure 2-1
SmartConnectors both receive and retrieve information from network devices. If the device
sends information, the SmartConnector becomes a receiver; if the device does not send
information, the SmartConnector retrieves it.
An ArcSight message is created for each event the devices collect. Once an event is
received, the SmartConnector adds device and event information to the event to complete
the message, which is then sent to the ESM Manager.
Data Collection Methods
- Syslog
- SNMP
- Database
- XML
- Operating systems, Web servers, content delivery, log consolidators, and aggregators
For more information about the latest ArcSight SmartConnectors available, visit our website
at http://www.arcsight.com and click the Support link.
Chapter 3: Planning for Deployment
Overview
ArcSight components install consistently across UNIX, Windows, and Macintosh platforms.
Whether a host is dedicated to the ArcSight ESM Database, Manager, Console, or other
component, ArcSight ESM software is installed in a directory tree under a single root
directory on each host (DBMS and other third-party software is not necessarily installed
under this directory, however.) The path to this root directory is called $ARCSIGHT_HOME.
In SmartConnector documentation, the 'current' directory is specified rather than presumed
to be part of the $ARCSIGHT_HOME location, and the path separator is a backslash (\) (for
example, $ARCSIGHT_HOME\current). This is consistent with SmartConnector
configuration guide information, and also underscores the fact that ArcSight
SmartConnectors are not installed on the same machine as the remaining ArcSight ESM
components. Rather, they are typically installed on the same machine as the device whose
activity will be monitored.
The directory structure below $ARCSIGHT_HOME is standardized across components and
platforms. ArcSight software is generally available in the
$ARCSIGHT_HOME\current\bin directory, and documentation is found in
$ARCSIGHT_HOME\current\doc. Properties files, which control the ArcSight
configuration, are found in $ARCSIGHT_HOME\config, and log files are written to
$ARCSIGHT_HOME\logs.
ArcSight SmartConnectors collect and process the data generated by various vendor devices throughout your enterprise. Devices include routers, email logs, anti-virus products, firewalls, intrusion prevention systems (IPS), access control servers, VPN systems, anti-DoS appliances, operating system logs, and other sources where information about security threats is detected and reported.
ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.
SmartConnectors format every raw security event into a consistent, normalized ArcSight
event. By creating a consistent message format, you can find, sort, compare, and analyze
all events using the same event fields.
When a SmartConnector receives an event, it completes the message by adding device
information, then forwarding the event to various components throughout ArcSight ESM.
Supported Platforms
For information about supported platforms, see the ArcSight SmartConnector Product and
Platform Support document that is shipped with each SmartConnector release. Only
differences to the support detailed in that document are specified in the device's
SmartConnector Configuration Guide.
Deployment Scenarios
You can install SmartConnectors on the ArcSight ESM Manager, a host machine, or a
device. Based upon configuration, they also can receive events over the network using
SNMP, HTTP, syslog, proprietary protocols (such as OPSEC), or direct database connections
to the device's repository (such as ODBC or proprietary database connections).
The best deployment scenario for your system depends upon the SmartConnector type,
your network architecture, and your operating system.
Scenarios for syslog deployment are documented in the SmartConnector for UNIX OS
Syslog Configuration Guide.
Scenarios for deploying Windows Event Log connectors are documented in the
SmartConnector for Microsoft Windows Event Log Configuration Guide.
Figure 3-1
Figure 3-2
Figure 3-3
The SmartConnector turbo modes are:
- Fastest (Mode 1)
- Faster (Mode 2)
- Complete (Mode 3)
When a turbo mode is not specified, Mode 3, Complete, is the default. Versions of ArcSight
ESM prior to v3.0 run in turbo mode Complete.
The ESM Manager uses its own turbo mode setting when processing event data. If a
SmartConnector is set at a higher turbo mode than the Manager, it reports more event data
than the Manager requires. The Manager ignores these extra fields.
However, if a Manager is set at a higher turbo mode than the SmartConnector, the
SmartConnector has less event data to report to the Manager. The Manager maintains
fields that remain empty of event data.
Both situations are normal in real-world scenarios because the Manager configuration must
reflect the requirements of a diverse set of SmartConnectors.
Possible Manager-SmartConnector configurations are as follows:
- 1-1: Manager and SmartConnector in Fastest mode.
- 1-2: SmartConnector sending more sensor data than the Manager requires.
- 1-3: SmartConnector sending more sensor data than the Manager requires.
- 2-1: SmartConnector not sending all the data that the Manager is storing.
- 2-2: Manager and SmartConnector in Faster mode.
- 2-3: Default: Manager does not process the additional data sent by the SmartConnector.
- 3-1: Manager maintains Complete data; SmartConnector sends the minimum.
- 3-2: Manager maintains additional data, but the SmartConnector does not send it.
- 3-3: Manager and SmartConnector in Complete mode.
Chapter 4
- Ensure that the ArcSight ESM Manager, Database, and Console are installed correctly.
- Run the ArcSight ESM Manager. The command prompt window or terminal displays a "Ready" message when the ESM Manager has started successfully. If the ArcSight ESM Manager is running as a Windows NT/2000 Service, monitor the server.std.log file located in $ARCSIGHT_HOME\current\logs\default.
- Run the ArcSight ESM Console. Although not required, it is helpful to have the Console running when installing the SmartConnector, to verify a successful installation.
Administrator privilege
At a minimum, SmartConnectors must be running version 4021 to
communicate with a version 4.0 Manager.
Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location of the ArcSight SmartConnector Installer directory.
Linux: ArcSight-4.0.x.nnnn.y-Connector-Linux.bin
Solaris: ArcSight-4.0.x.nnnn.y-Connector-Solaris.bin
Windows: ArcSight-4.0.x.nnnn.y-Connector-Windows.exe
A window such as the following is displayed; once you have verified that the ESM
Database, Manager, and Console are installed and operating, click Next.
When the Introduction window is displayed, read the information and click Next when
ready.
Next, accept the default location for "Where Would You Like to Install?," or click
Choose to select another folder for installation. Click Next when ready.
Choose from the following types installation; for most connectors, Typical is the
appropriate selection. Click Next.
On the following window, accept the default shortcut folder location or select a new or
existing Program Group. (You can also create icons for all users accessing ArcSight
SmartConnector by selecting the Create Icons for All Users check box.) Click Next
when you have finished making your selections.
Manager is, in fact, using a demo SSL certificate. If you are not certain, select No or
consult your system administrator.). If your ArcSight Manager is using a self-signed or
CA-signed SSL certificate, select No, the ArcSight Manager is not using a demo
certificate and click Next.
After completing the SmartConnector installation wizard, remember to manually configure the connector for the type of SSL certificate your Manager is using. Refer to the ArcSight ESM v4.0 Administrator's Guide for instructions about configuring your SmartConnector when the Manager is using a self-signed or CA-signed certificate, and for instructions about enabling SSL client authentication on SmartConnectors so that the Connectors and the Manager authenticate each other before sending data.
12 On the next window, replace localhost with the host name of the Manager with which the SmartConnector is to communicate (localhost is appropriate only when the SmartConnector is installed on the same host as the Manager, which is not recommended in a production environment). This name must match the host name in the Manager's certificate, which is usually the fully-qualified name. For example, instead of gabriel, specify gabriel.sales.mycompany.com.
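Why the short name fails: an added example (not ArcSight code) of the host-name check a TLS client applies to the Manager's certificate once the certificate chain has been validated. MANAGER_CERT is a constructed dictionary in the shape Python's ssl getpeercert() returns, the wildcard subjectAltName entry is an assumption added for the demonstration, and the comparison follows the usual RFC 6125 rules: subjectAltName dNSName entries are consulted first, the subject CN only when no dNSName exists, and a wildcard may replace exactly one left-most label. Configuring the connector with gabriel or localhost fails the check even when that name resolves to the Manager.

```python
"""Host-name check a TLS client applies to the Manager's certificate.

Added example, not ArcSight code. MANAGER_CERT is a constructed dict in the
shape Python's ssl.SSLSocket.getpeercert() returns; the fully-qualified name
is the one from the text, the wildcard entry is an assumption for the demo.
"""

# Constructed peer certificate: only the fields that name matching consults.
MANAGER_CERT = {
    "subject": ((("commonName", "gabriel.sales.mycompany.com"),),),
    "subjectAltName": (
        ("DNS", "gabriel.sales.mycompany.com"),
        ("DNS", "*.sales.mycompany.com"),   # assumed extra SAN for the demo
    ),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is accepted
    only as the entire left-most label, matches exactly one label, and is
    refused in patterns shorter than three labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, falling back
    to the subject CN only when the certificate carries no dNSName at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert, hostname):
    """True when the configured Manager host name is covered by the certificate."""
    return any(dns_name_matches(name, hostname) for name in certificate_names(cert))


if __name__ == "__main__":
    for host in ("gabriel", "gabriel.sales.mycompany.com", "localhost"):
        verdict = "ok" if hostname_matches(MANAGER_CERT, host) else "MISMATCH"
        print(f"{host:30} -> {verdict}")
```

The comparison adds assurance only after the trust decision that precedes it: the demo certificate the wizard asks about earlier is meant for evaluation, which is why the page tells you to configure the connector for a self-signed or CA-signed Manager certificate afterwards and to consider SSL client authentication so that both ends are verified.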
13 Enter a valid ArcSight user name and password for the ArcSight ESM Manager. This is
the same user name and password you created during ESM Manager installation.
14 Select one of the possible SmartConnectors from the window displayed. Scroll down to
find the appropriate SmartConnector. If you are installing a syslog SmartConnector,
select the Syslog Pipe, File, or Daemon SmartConnector.
The SmartConnectors that appear in the list are those that can be installed on the same platform from which you are running the installation program. For example, if you are running on Windows, the list contains those SmartConnectors that are supported on Windows. Similarly, if you are running the installer on a Linux or Solaris-based system, the installer displays a list of SmartConnectors supported on those platforms.
15 After selecting the connector you want to install from the list of SmartConnectors, in
this example, Symantec Gateway Security/Enterprise Firewall NG File, click
Next.
16 The next window requests specific parameters for the particular SmartConnector you
selected. These parameters vary depending upon the device and are described and
explained in the SmartConnector Configuration Guide for the selected SmartConnector.
There are some SmartConnector types (such as Symantec Gateway
Security/Enterprise Firewall NG, shown in the following example) that require
parameter values to be entered into a table format. You can add this information
manually or import multiple hosts. See Using Table Parameters on page 29 for
detailed information.
To manually enter parameter values, click the Add button. See Manually Entering
Parameter Values on page 30 for details.
Click the Import button to locate the .csv file you want to import. Click the Export
button to create a .csv file containing the values you have entered in the parameter
table. See Importing and Exporting CSV Files on page 30 for details.
If there are no Import and Export buttons on the parameter entry window for the connector you've selected, the parameters are not entered into a table format and this feature does not apply.
18 Give your new SmartConnector a descriptive name to identify it for ArcSight Console
users. You also can specify optional location information and add any appropriate
comments.
In this context, SmartConnector Location refers to the host where you are
installing the SmartConnector and Device Location describes the host on which the
IDS, syslog, or other software is running. If the device is physical hardware, the
Device Location is particularly useful for specifying, for example, a certain position
within a specific rack.
19 Click Next when you have finished entering data.
20 Review the summary of data and click Next.
If you choose to configure the SmartConnector to run as a service, the wizard prompts
you for the services internal and display names.
If you choose not to run the SmartConnector as a service, a window such as the
following is displayed.
The parameters for this type of SmartConnector can be entered manually for a few lines of data, or, for a larger number of entries, you can import a .csv file. You can also create a .csv file by exporting data you've already entered. See Importing and Exporting CSV Files on page 30 for specific steps.
Please note the following when using this feature:
- Columns that contain private data (shown as asterisks), such as passwords, will not appear in exported files after using the Export button.
- After importing a .csv file (using the Import button), data in private columns remain hidden (shown as asterisks).
- While you can manually enter a private column (either by adding the column to your CSV within a spreadsheet program or by filling it in through the Configuration Wizard), it still will not appear in any exported files. This is a precautionary measure.
- Importing data from a .csv file (using the Import button) causes all existing data in the table to be removed and replaced by the incoming data.
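The export and import behaviour listed above, as an added example in Python (this is not the Configuration Wizard's code): the export writer omits private columns entirely rather than masking them, the import builds a fresh table so existing rows are replaced, and a display function substitutes asterisks for private values. The column names, the set of private columns, the mask string and the sample rows are constructed for the demonstration.

```python
"""Table-parameter round trip in which private columns never reach the CSV.

Added example, not the Configuration Wizard's code. COLUMNS, PRIVATE_COLUMNS,
MASK and the sample rows are constructed for the demonstration.
"""
import csv
import io

COLUMNS = ["host", "port", "username", "password"]
PRIVATE_COLUMNS = {"password"}
MASK = "********"


def export_table(rows):
    """CSV text of the table with private columns left out entirely, so a file
    handed to a spreadsheet program never contains a credential."""
    public = [c for c in COLUMNS if c not in PRIVATE_COLUMNS]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=public, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)          # extrasaction="ignore" drops the password key
    return buf.getvalue()


def import_table(csv_text):
    """Parse a CSV into a brand-new table (an import replaces existing rows).
    Columns missing from the file, private ones included, come back empty."""
    return [{c: rec.get(c) or "" for c in COLUMNS}
            for rec in csv.DictReader(io.StringIO(csv_text))]


def display_rows(rows):
    """The table as the wizard shows it: private values replaced by asterisks."""
    return [{c: (MASK if c in PRIVATE_COLUMNS and r[c] else r[c]) for c in COLUMNS}
            for r in rows]


if __name__ == "__main__":
    table = [{"host": "fw-edge-1", "port": "22", "username": "reader", "password": "Pa55w0rd"}]
    print(export_table(table), end="")
    print(display_rows(import_table(export_table(table))))
```

A password typed into the wizard, or carried in a hand-edited CSV, therefore lives only in the running table: it is masked on screen and absent from every exported file, which is the invariant the notes above describe.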
If needed, use the Export button to export your parameter table data into an external .csv
file to save for later use.
Using a spreadsheet program (such as Microsoft Excel), enter the parameter data into
a table and save it as a .csv file.
During SmartConnector installation, click the Import button to locate the .csv file you
created. The window provides a preview of the CSVs contents.
Click the Import button on the Import window. This populates the SmartConnector
parameters fields, as shown below.
If you wish, you can add more rows manually (using the Add button) and then export
the resulting table (using the Export button) to an external .csv file for later use.
The example above shows a Password column within the Configuration
Wizard that does not appear in the original .csv file. This private column
does not contain actual password data and will not be included in an
exported file.
On the window displayed, enter the Silent Properties File Name to select an
existing file. Enter the name of the Installation Target Folder to select a location.
Perform the remaining steps on the system on which you want to install the
SmartConnector in silent mode:
5 Copy the Properties file from the other system to your current system, preferably to
the same directory where you downloaded the installation file.
#======================================================
# Panel 'AgentDetailsPanel'
#======================================================
# Select a name for your SmartConnector and specify location parameters.
#
# SmartConnector Name
SmartConnectorDetailsPanel.smartConnectorname=SF_SmartConnector1
# Agent Location
AgentDetailsPanel.agentlocation=San Francisco
# Device Location
AgentDetailsPanel.devicelocation=Site_2.2.223
# Comment
AgentDetailsPanel.comment=
#===============================================
9 You can edit any property (Manager Information, user credentials) in the properties file to
suit your needs.
10 Save the properties file.
11 Download the SmartConnector installation file appropriate for your platform.
12 Run the following command to install the new SmartConnector in silent mode:
ArcSight_Agent_install_file -i silent -f properties_filename
The command launches the InstallShield program and installs the SmartConnector silently.
Example: To install a SmartConnector on the Windows platform with the property file name
silent_properties, enter:
ArcSight-3.5.x.nnnn.y-Agent-Win.exe -i silent -f silent_properties
After installing ArcSight SmartConnectors, configure your system's default
file permissions so that files created by ArcSight (events, log files, and so on)
are reasonably secure.
On UNIX systems, file permissions typically are set by adding the umask
command to your shell profile. A umask setting of 077, for example, would
deny read or write file access to anyone but the current user. A umask setting of
000 creates an unnecessary security hole.
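The following Python example, added here and not part of this guide or the ArcSight product, shows what the umask actually does to a file a daemon creates, and provides a post-install check that lists files readable by "other" under an installation directory. The file name agent.log, the scratch directory, and the demo_audit() helper are constructed for the example; point world_readable_files() at your own ARCSIGHT_HOME to use it.

```python
import os
import stat
import tempfile


def mode_under_umask(mask: int) -> int:
    """Create a file the way a daemon would (open for writing, which asks
    the kernel for mode 0o666) while `mask` is the process umask, and
    return the permission bits actually granted."""
    previous = os.umask(mask)          # os.umask() returns the old mask
    workdir = tempfile.mkdtemp()       # scratch directory, removed below
    path = os.path.join(workdir, "agent.log")  # constructed file name
    try:
        with open(path, "w"):
            pass
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)             # never leave the caller's umask changed
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)


def world_readable_files(root: str) -> list:
    """Return every regular file under `root` whose mode grants read
    access to 'other'. Run it against the install directory after
    installation to catch files created under a permissive umask."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(full)
    return sorted(hits)


def demo_audit() -> list:
    """Create one file under umask 000 and one under umask 077 in a
    scratch directory and report which of them the audit flags."""
    workdir = tempfile.mkdtemp()
    previous = os.umask(0)
    try:
        for name, mask in (("open.log", 0o000), ("private.log", 0o077)):
            os.umask(mask)
            with open(os.path.join(workdir, name), "w"):
                pass
        flagged = [os.path.basename(p) for p in world_readable_files(workdir)]
    finally:
        os.umask(previous)
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)
    return flagged
```

Under umask 077 the created file ends up mode 0600; under 000 it is 0666, which is the hole the text refers to. The umask is inherited by child processes, so it must be set in the profile of the account that starts the connector, not only in an interactive shell.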
ArcSight ESM now provides the ability to not only centrally manage and configure
SmartConnectors, but also to update them remotely. You can use the Upgrade command
on the ArcSight ESM Console to upgrade to newer versions of ArcSight SmartConnector
software for managed devices. (You also can use the Rollback command to revert to a
previous version of an upgraded SmartConnector.)
The Upgrade command lets you launch, manage, and review the status of upgrades for all
SmartConnectors. A failover mechanism launches SmartConnectors with previous versions
if upgrades fail. All communication and upgrade processes between components (Console,
Manager, and SmartConnectors) take place over secure connections.
The ArcSight ESM Console reflects current version information for all of your ArcSight
SmartConnectors.
You will receive an e-mail notification about new SmartConnector releases from
ArcSight Customer Support.
Download the latest releases to the ArcSight ESM Manager available for
SmartConnector upgrades. Upgrade version files are delivered as .aup files (a
compressed file set).
If the upgrade is successful, the new SmartConnector starts and reports successful
upgrade status.
For details about how to upgrade SmartConnectors from the Console, refer to the ArcSight
Console Help.
SmartConnectors automatically determine their upgrade status when they start.
Versions of the Connectors you want to upgrade must be available on the Manager to
which you are connected.
The option for remote upgrade is available only in ArcSight ESM v4.0 Console and only
for version 4.0.2.xxxx.0 or newer SmartConnectors. Earlier versions of connectors
(formerly known as SmartAgents) must be upgraded manually per the original process
by installing a newer version of the SmartConnector.
As a prerequisite to upgrading Connectors, both the ArcSight ESM Manager and the
SmartConnector you want to upgrade must be running.
The option for SmartConnector rollback is available only in ArcSight Console v4.0 and only
on previously upgraded SmartConnector versions 4.0.2.xxxx.0 or newer.
Rollback automatically reinstates the most recent version prior to the currently installed
version. You cannot do a remote rollback on a SmartConnector other than the previously
installed version.
For example, if you start with a SmartConnector of version 4.0.2.4793, upgrade to
4.0.2.4794, then upgrade again to 4.0.2.4795, a remote rollback at this point
re-installs/starts SmartConnector version 4.0.2.4794. You can only roll back to an earlier
version manually.
Troubleshooting
If an upgrade or rollback fails, you can review the related logs. Choose Send Command
-> Tech Support -> Get Upgrade Logs from the ArcSight Console menus.
You can also use the Send Logs Wizard to collect and send logs, including upgrade logs, to
ArcSight for support help.
Uninstalling a SmartConnector
Before uninstalling a SmartConnector that is running as a service or daemon, first stop the
service or daemon.
To uninstall on Windows platforms, open the Start menu. Run the Uninstall
SmartConnectors program found under All Programs -> ArcSight
SmartConnectors. If SmartConnectors were not installed on the Start menu, locate the
ARCSIGHT_HOME\current\UninstallerData folder and run:
Uninstall_ArcSight_Agents.exe
Stop the ArcSight SmartConnector and execute the following command from the
$ARCSIGHT_HOME\current\bin directory:
For UNIX platforms:
./runagentsetup.sh
For Windows platforms:
runagentsetup
Running SmartConnectors
SmartConnectors can be installed and run in standalone mode, as a Windows service, or
as a UNIX daemon. If installed standalone, the SmartConnector must be started manually,
and is not automatically active when a host is re-started. If installed as a Windows service
or UNIX daemon, the SmartConnector runs automatically when the host is re-started.
Some SmartConnectors require that you restart your system before
configuration changes take effect.
SmartConnectors for scanners present a special case. To run a scanner
SmartConnector in interactive mode, run in standalone and not as a Windows
service or Linux/UNIX daemon.
Standalone
To run all installed SmartConnectors on a particular host, open a command window, go to
ARCSIGHT_HOME\current\bin and run:
arcsight connectors
To view the SmartConnector log, read the file:
ARCSIGHT_HOME\current\logs\agent.log
To stop all SmartConnectors, enter Ctrl+C in the command window.
On Windows platforms, SmartConnectors also can be run using shortcuts and
optional Start Menu entries.
As a Windows Service
SmartConnectors installed as a service can be started and stopped manually using
platform-specific procedures.
To start or stop SmartConnectors installed as services on Windows platforms:
1 Right-click on the ArcSight SmartConnector service name and select Start to begin
running the SmartConnector or Stop to stop running the service.
As a UNIX Daemon
SmartConnectors installed as a daemon can be started and stopped manually using
platform-specific procedures.
On UNIX systems, when you configure a SmartConnector to run automatically, ArcSight
creates a control script in the /etc/init.d directory. To start or stop a particular
SmartConnector, find the control script and run it with either a start or stop command
parameter.
For example:
/etc/init.d/arc_serviceName {start|stop}
To verify that a SmartConnector service has started, view the file:
ARCSIGHT_HOME/logs/agent.out.wrapper.log
To reconfigure SmartConnectors as a daemon, run the SmartConnector Configuration
Wizard again. Open a command window on $ARCSIGHT_HOME/current/bin and enter:
runagentsetup
Chapter 5
Figure 5-1
ArcSight Connector Appliance includes on-board SmartConnectors that connect
event sources to destinations such as ArcSight Logger and ArcSight ESM.
The benefits of Connector Appliance include the following:
Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors. The Connector Appliance does not receive events from the
SmartConnectors it manages, and this allows for management of many connectors at
one time. The Connector Appliance does not affect working SmartConnectors unless it
is used to change their configuration. In some cases, the SmartConnector is
commanded to restart.
Figure 5-2
SmartConnectors that forward events to ArcSight ESM can be managed using the ESM
Console, so the Connector Appliance is not required if all SmartConnectors have ESM as
their only destination. However, the Connector Appliance is very useful when connectors
target multiple heterogeneous destinations (for example, when ArcSight Logger is
deployed along with ESM), in a Logger-only environment, or when a large number of
SmartConnectors are involved, such as in a MSSP deployment.
Connector Appliance SmartConnectors operate within Containers. Each Container runs its
own Java Virtual Machine (JVM). Containers contain one or more SmartConnectors.
Software-Based SmartConnectors
The Connector Appliance can remotely manage SmartConnectors running on any
network-accessible host. These SmartConnectors must be configured for remote management.
Only fifth-generation SmartConnectors support remote management, so
you'll need connector build 4855 (4.0.5.4878.0) or higher to use this
feature.
If you install software SmartConnectors on your own hardware, you will need
to edit the agent.properties file to allow for remote management.
Remote management is turned off by default.
Supported SmartConnectors
For a complete list of all SmartConnectors supported by the Connector Appliance, see the
Connector Appliance Release Notes or visit the ArcSight Customer Support website. New
SmartConnectors are added on a regular basis.
Manager
When SmartConnectors send events to an ArcSight ESM Manager, the Manager stores the
events in a relational database, processes them using its correlation engine, and makes
them visible to the ArcSight Console or ArcSight Web interfaces.
Logger
SmartConnectors can send CEF events to ArcSight Logger using an encrypted, optionally
compressed, channel called SmartMessage. Logger can also receive CEF Syslog events
from SmartConnectors.
For more detailed information about Logger, see Chapter 6 Using SmartConnectors with
ArcSight Logger on page 45.
CEF Syslog
SmartConnectors can forward events as syslog messages. In this case, the normalized
event is sent using Common Event Format (CEF) which uses name/value pairs. The
Connector Appliance can send syslog over UDP or TCP.
Failover Destination
Each SmartConnector destination can have a failover destination. When communication
with the primary destination fails, the SmartConnector automatically begins sending events
to the designated failover. Failover only works with communication protocols that can
detect transmission failure, such as TCP.
For steps to create a failover destination, see Chapter 8 Failover Destinations on page 93.
Alternate Configurations
You can define alternate configurations for SmartConnectors and specify when the
alternate should be active. For example, aggregation might be specified during peak times
to reduce the number of events moving on the network, and disabled during other times.
ArcSight Logger
ArcSight Logger receives and sends events from and to ArcSight SmartConnectors, but
lacks the depth of SmartConnector management found in ArcSight ESM.
A Logger-only deployment benefits from the Connector Appliance in many capacities, and
provides most of ESM's management functionality, but not all (it does not contain the filter
designer, for example). The Connector Appliance also offers new features, such as bulk
operations (enabling control of many SmartConnectors at one time), that ESM does not.
Connector Appliance can also configure SmartConnectors with failover destinations,
providing central failover control when redundant Loggers are deployed for this purpose.
All or some SmartConnectors can be configured to send events to a second Logger or to an
event file in the case of communication failure with the primary destination.
For more detailed information about Logger, see Chapter 6 Using SmartConnectors with
ArcSight Logger on page 45.
ArcSight ESM
Deploying the Connector Appliance in an ArcSight ESM environment centralizes
SmartConnector upgrade, log management, and other configuration issues. For more
information, see Chapter 7 Configuring SmartConnectors through the Console on page 65.
are sent to ESM (for further analysis, for example). In another scenario, all events are sent
to both, but Logger implements a longer retention policy.
Although each SmartConnector has specific destination parameters, the Connector
Appliance allows for bulk management, removing the need to manually access each
remote SmartConnector host to add or change destinations.
For more detailed information and instructions for using Connector Appliance, refer to the
Connector Appliance Administrator's Guide.
Chapter 6
secure channel. At one end is an ArcSight SmartConnector, receiving events from the many
devices it supports; at the other end is the SmartMessage Receiver on Logger.
The SmartMessage secure channel uses HTTPS (HTTP over the secure sockets layer
protocol) to send encrypted events to Logger. This is similar to, but different
from, the encrypted binary protocol used between SmartConnectors and the
ArcSight ESM Manager.
Use port 443 (rather than ArcSight's traditional port 8443) because the
secure channel uses HTTPS.
Figure 6-1
Navigate through the panels to the one that states Please select the destination
type: and select ArcSight Logger SmartMessage (encrypted). Click Next.
Enter the Logger Host Name/IP, leave the port number at default (443), and enter
the Receiver Name. This setting should match the Receiver name you created in
step 1 so that Logger can listen to events from this SmartConnector. Click Next.
Navigate through the subsequent panels until receiving a message that confirms the
configuration was successful. Click Finish to complete the process and exit the wizard.
Register the SmartConnector with a running ArcSight ESM Manager and test that the
SmartConnector is up and running.
Specify the Host Name/IP, the desired Port, and select either Disabled (the default
value) or Enabled data compression. Click Next.
A message confirms that the configuration was successful. Click Finish to complete
the process and exit the wizard.
Install the SmartConnector component normally, but click Cancel to exit the
installation when the Configuration Wizard asks whether the target Manager uses a
demo certificate, as shown below.
Confirm that you want to exit, then click Done to close the wizard. This installs the
SmartConnector core software.
Specify the required parameters for CEF output. Enter the desired port for UDP or TCP
output. These settings should match the Receiver you created in Logger to listen for
events from ArcSight ESM.
Parameter: Description
Ip/Host
Port: 8443 (default)
Protocol
SmartConnector Name
SmartConnector Location
Device Location
Comment: Optional comments
To configure the ArcSight Forwarding SmartConnector to send CEF output to Logger and
send events to another ArcSight ESM Manager at the same time, see Sending Events to
Both Logger and an ESM Manager on page 48.
The following window provides a choice of destination settings to modify. For this
example, select Time Correction and click Next.
Each choice opens a unique set of windows to configure. Modify the appropriate
settings and click Next.
The next window asks whether you want to end the session or select new destination
settings to modify. To make additional modifications, select No; to end the session,
select Yes.
These two components build and maintain a detailed understanding of your network's
topology, enabling you to centrally manage your network infrastructure and rapidly respond
to security incidents.
The NCM/TRM solution enables you to automate network configuration changes across
heterogeneous networks, manage and audit configuration changes on the network from a
central console, and obtain quick and easy web-based reports for network device inventory
and configuration settings.
The ArcSight Syslog SmartConnector increases NCM/TRM's visibility into the network. It
detects network configuration changes in syslog format using SNMP traps, which can then
trigger NCM/TRM to launch an action to poll the network devices for the complete, new
configuration.
The benefits of the NCM/TRM solution include:
Complete visibility into all changes being made to network devices, even if the
changes are made directly to the network devices.
Enabling a hybrid configuration and change control model that permits certain
changes to be made directly to network devices, while still maintaining control,
visibility, auditing, and compliance for all changes in a central repository (NCM/TRM).
The following diagram depicts the Syslog SmartConnector solution deployed with
NCM/TRM and ESM.
Figure 6-1
Please keep the following in mind when configuring and deploying NCM/TRM:
It is optional to run NCM/TRM as an audit while the device is polled; however, it does
require that audits be currently subscribed to that particular network device or device
group.
It is optional to forward events to ESM or Logger. Neither appliance is required for this
solution to be fully functional.
For NCM/TRM to poll a network device, it must be previously known within the
network.
After you have modified the file, restart the syslog daemon either by executing the
scripts /etc/init.d/syslogd stop and /etc/init.d/syslogd start, or by
sending a configuration restart (HUP) signal.
On RedHat Linux, execute:
service syslog restart
On Solaris and other types of Unix, execute:
kill -HUP `cat /var/run/syslog.pid`
This command forces the syslog daemon to reload the configuration and start writing
to the pipe you just created.
For syslog file:
Create a file or use the default for the file into which log messages are to be written.
For Solaris, the default is /var/adm/messages
For Linux, the default is /var/log/messages
After editing the /etc/syslog.conf file, restart the syslog daemon as described
above.
The SmartConnector Installation Wizard then prompts you for the absolute path to the
syslog file or pipe you created.
Syslog Daemon
Syslog Pipe
Syslog File
The Syslog Daemon SmartConnector is supported on Windows, Linux, Solaris, and AIX
platforms. The Syslog Pipe and File SmartConnectors are supported on Linux, Solaris, AIX,
and HP UNIX.
Because all syslog SmartConnectors are sub-connectors of the main syslog
SmartConnector, the name of the specific syslog SmartConnector you are
installing is not required during installation.
The syslog daemon listens on port 514 (configurable) for UDP syslog events; the syslog
pipe and syslog file read events from a system pipe or file, respectively. Select the one that
best fits your syslog infrastructure setup.
Before installing the SmartConnector, be sure the following are available:
Administrator passwords
To install a syslog SmartConnector to send events to the NSP Device Poll Listener:
1 Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location
of the ArcSight SmartConnector Installer directory.
Start the ArcSight SmartConnector Installer by running the executable for your
operating system.
When installing a syslog daemon SmartConnector in a UNIX environment, run
the executable as 'root' user.
Follow the installation wizard through the following folder selection tasks and
installation of the core connector software:
Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...
When the installation of ArcSight SmartConnector core component software is
finished, the following window is displayed:
Select NSP Device Poll Listener from the selections and click Next.
Enter the NCM Host name or IP address, the NCM/TRM User, and the NCM/TRM
Password. The NCM/TRM Host is the IP address or hostname of the NCM/TRM
system that will interact with the syslog connector. The NCM/TRM User and
NCM/TRM Password are the user name and password credentials you use to log
into the NCM/TRM system.
Click Next.
Field: Description
Syslog Daemon Parameters: Network port, IP Address, Protocol
Syslog Pipe Parameters: Pipe Absolute Path Name, Protocol
Syslog File Parameters: File Absolute Path Name, Protocol
Enter a name for the SmartConnector and provide any other information that identifies
how the connector is used in your environment. Click Next.
10 Read the SmartConnector summary and click Next. If the summary is incorrect, click
Back to make changes.
11 When the SmartConnector completes its configuration, click Next. The Wizard now
prompts you to choose whether you want to run the SmartConnector stand-alone or
as a service. If you choose to run the SmartConnector as a service, the Wizard
prompts you to define service parameters for the SmartConnector.
When running any SmartConnector as a service on Windows, specify the
file path in UNC (for example, \\10.0.111.4\xyz) and not as a network
mapped drive (Z:\xyz). Also, you will most likely need to change the
user who runs the service (by default SYSTEM), because the user running
the service must have access to the UNC path.
12 After making your selections, click Next. The Wizard displays a dialog confirming the
SmartConnector's setup and service configuration.
13 Click Finish.
For some SmartConnectors, a system restart is required before the configuration
settings you made take effect. If a System Restart window is displayed, read the
information and initiate the system restart operation.
Save any work on your computer or desktop and shut down any other
running applications (including the ArcSight Console, if it is running),
then shut down the system.
Chapter 7
Overview
ArcSight SmartConnectors can be configured to optimize their performance and increase
their function. You can configure them to enable aggregation, batching, and time
correction as well as to send control commands from the ArcSight Console to ArcSight
SmartConnectors to manage the flow of events.
Based upon filtering conditions, ArcSight SmartConnectors can filter events sent to the
ArcSight ESM Manager. Filtering conditions are set with a combination of AND or OR
statements and data field values. Extraneous events can be filtered out to minimize the
number of events sent to the ESM Manager and displayed in the Console.
Events filtered out by ArcSight SmartConnectors are not reported to the
ArcSight ESM Manager, so they will not be stored or be available later from
the ArcSight Database.
You can configure SmartConnectors to set a specific severity level for events that match
specific criteria. One typical application is to change the default severity mapping. By
default, SmartConnectors map the device severity (which can contain multiple levels) to
the standard ArcSight severity levels: Very High, High, Medium, and Low.
For example, if a device has eight severity levels (0-7), where 0 is the highest severity,
most likely 0 and 1 are mapped to Very High, 2 and 3 to High, 4 and 5 to Medium, and
6 and 7 to Low. You can change this behavior and make the SmartConnector set the
severity based upon different parameters.
In the Connectors resource tree, right-click the ArcSight SmartConnector you want to
manage and select Configure. The Inspect/Edit panel for the Connector Editor is
displayed. On the Connector tab, the Name field is automatically populated with the
name assigned during SmartConnector Installation, as well as the creation date and
other information.
On the Default tab, change any additional Batching, Time Correction, or other
parameters as desired, using the configuration field explanations provided in the
following "Connector Editor Option Tabs" and "Configuration Fields" sections.
Click Apply to add your changes and to keep the Connector Editor open. To apply
your changes and close the Connector Editor, click OK, or, if applicable, click Add
Alternate to save your changes as an alternate configuration you can select and
apply later.
These parameters are not localized because they come directly from the SmartConnector
and the SmartConnector may contain new resources (it could be a newer version).
The framework for SmartConnector commands operates in a similar way. Configuration of
the connector command menu is achieved by sending the list of commands that are
supported on the SmartConnector at registration time.
There are several controls you can adjust in the Connector Editor. The variety of options
are best summarized by briefly describing what is available at each of the editor's tabs and
subtabs.
Options
Connector
Networks
Default: Content
Default: Filters
Alternate: Content
Alternate: Filters
Notes: Table
Notes: List
Configuration Fields
You can perform basic configuration tasks through the Connector and Default: Content
tabs. Find their names and values in the tables below.
Name Field: Value Field
Name
ID
Status
Connector Location
Device Location
Version
External ID
Alias
Description
Owner: An ArcSight user (selected from the Users resource tree) who should be notified
about this SmartConnector.
Notification Groups: The ArcSight user groups (selected from the Users resource tree) who
should be notified about this SmartConnector.
Created By
Creation Time
Time Since Creation
Last Updated By
Last Update Time
Time Since Last Update
Name Field: Value Field
Batching
Batch By
Time Correction
Set Device Time Zone To
Device Time Auto-correction
Future Threshold
Past Threshold
Device List
Time Checking
Future Threshold
Past Threshold
Frequency
Cache
Notification Threshold
Notification Frequency
Heartbeat Frequency
Network
Name Resolution
Domain from Email
Don't Reverse-Resolve IP Ranges
Limit Bandwidth To
Transport Mode
Address-based Zone Population Defaults
Enabled
Address-based Zone Population
Default is Normal
Values are
Customer URI
Destination Zone URI
Destination Translated Zone URI
Connector Translated Zone URI
Field Based Aggregation
Time Interval
Event Threshold
Field Names
Fields to Sum
Preserve Common Fields
Filter Aggregation
Event Threshold
Fields to Sum
Processing
Preserve Raw Event
Turbo Mode
Enable Aggregation (in seconds)
Limit Event Processing Rate
Fields to Obfuscate
Enable Port-Service Mapping
Event Integrity Algorithm
Generate Unparsed Events
Payload Sampling
Mask Non-printable Characters
Filters
Syslog connectors: Due to the nature of UDP (the transport protocol used by syslog), these
SmartConnectors can potentially lose events if the configurable event rate is exceeded. This
is because the SmartConnector delays processing to match the event rate configured, and
while in this state, the UDP cache may fill up, causing the operating system to drop UDP
messages. Note that ArcSight does not recommend using the Limit CPU Usage option with
these SmartConnectors because of this possibility of event loss.
SNMP connectors
Database connectors
File connectors
SmartConnector Tabs
Proprietary API connectors
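The event loss described for the syslog connectors happens in the kernel, below the connector, so the connector log cannot show it. On Linux the kernel keeps per-protocol counters in /proc/net/snmp, and growth of the UDP RcvbufErrors counter (receive buffer full because the reader fell behind) between two samples is the evidence a defender can collect. The Python example below, added here and not part of this guide or the ArcSight product, parses that file and compares two samples; the two excerpts are constructed sample data, not output from a real host.

```python
# Constructed excerpts of /proc/net/snmp taken "before" and "after" a burst;
# only the two Udp: lines matter here. The first Udp: line names the
# counters, the second holds their values.
SNMP_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 208533 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 118022 14 3 90511 3 0 0 0
"""

SNMP_AFTER = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 233491 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 142980 14 219 91010 219 0 0 0
"""


def parse_udp_counters(text: str) -> dict:
    """Return the Udp: counters of a /proc/net/snmp dump as {name: int}."""
    header = values = None
    for line in text.splitlines():
        if not line.startswith("Udp:"):
            continue
        fields = line.split()[1:]          # drop the "Udp:" prefix
        if header is None:
            header = fields
        else:
            values = [int(f) for f in fields]
            break
    if header is None or values is None or len(header) != len(values):
        raise ValueError("no complete Udp: counter pair found")
    return dict(zip(header, values))


def udp_loss_delta(before: dict, after: dict) -> dict:
    """Growth of the counters that reveal kernel-side UDP drops:
    RcvbufErrors (socket receive buffer full) and InErrors, which
    includes RcvbufErrors among other receive failures."""
    return {k: after.get(k, 0) - before.get(k, 0)
            for k in ("InErrors", "RcvbufErrors")}


def syslog_drops_detected(before_text: str, after_text: str) -> bool:
    """True when datagrams were dropped for lack of buffer space between
    the two samples, i.e. the syslog reader could not keep up."""
    delta = udp_loss_delta(parse_udp_counters(before_text),
                           parse_udp_counters(after_text))
    return delta["RcvbufErrors"] > 0


def live_udp_counters(path: str = "/proc/net/snmp") -> dict:
    """Read the counters from the running kernel (Linux only)."""
    with open(path) as fh:
        return parse_udp_counters(fh.read())
```

Sampling live_udp_counters() once a minute and alerting on a positive RcvbufErrors delta turns the silent loss into a detectable condition; a rate limit on the connector that coincides with such growth is the symptom the note above warns about.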
Proceed through the SmartConnector Configuration Wizard until you reach the
destination setting window, as shown below.
Click Next.
Within the Filter Out field of the following screen, enter the string that represents
your setting modification.
While it's not possible to use the graphical modifiers used within the ArcSight ESM
Console, you can write strings such as the following examples:
name EQ Agent
See the table below for a list of usable operators. For additional information regarding data
fields, event mappings, and CEF fields, see the Data Fields, Audit Events, Cases, and
Events sections in the ESM Users Reference.
Usable Operators: Description
EQ: equals
NE: not equals
LT: less than
LE
GE
GT: greater than
Between
ContainsBits
In
Contains
StartsWith
EndsWith
Like: standard CCE operator for simple pattern matching for string type:
_ is the wildcard for a single character; % is the wildcard for any number of characters
InSubnet
InGroup: for asset in the specified asset category or zone in the specified zone group.
Is
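To make the Filter Out string format and the operator table concrete, the following Python example, added here and not part of this guide or the ArcSight product, parses "field OP value" conditions and evaluates them against events. It covers more operators than the single "name EQ Agent" string above. The sample events, the field names used in them, and the exact semantics chosen for Between, In and ContainsBits (comma-separated bounds or list; all operand bits set) are assumptions made for this example, not taken from the ArcSight documentation.

```python
import ipaddress
import re


def like_to_regex(pattern: str):
    """Translate a Like pattern (% = any run of characters, _ = exactly
    one character, everything else literal) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def _coerce(a, b):
    """Compare numerically when both sides parse as numbers, else as text,
    so 'deviceSeverity GE 7' does not compare '10' < '7' as strings."""
    try:
        return float(a), float(b)
    except (TypeError, ValueError):
        return str(a), str(b)


def _between(a, spec):
    lo, hi = (s.strip() for s in spec.split(",", 1))   # assumed "lo,hi" form
    x, lo = _coerce(a, lo)
    x, hi = _coerce(a, hi)
    return lo <= x <= hi


# Operator table: name -> function(field value, operand string) -> bool.
OPERATORS = {
    "EQ": lambda a, b: _coerce(a, b)[0] == _coerce(a, b)[1],
    "NE": lambda a, b: _coerce(a, b)[0] != _coerce(a, b)[1],
    "LT": lambda a, b: _coerce(a, b)[0] < _coerce(a, b)[1],
    "LE": lambda a, b: _coerce(a, b)[0] <= _coerce(a, b)[1],
    "GE": lambda a, b: _coerce(a, b)[0] >= _coerce(a, b)[1],
    "GT": lambda a, b: _coerce(a, b)[0] > _coerce(a, b)[1],
    "Between": _between,
    "ContainsBits": lambda a, b: int(a) & int(b, 0) == int(b, 0),   # assumed semantics
    "In": lambda a, b: str(a) in [s.strip() for s in b.split(",")],  # assumed list form
    "Contains": lambda a, b: b in str(a),
    "StartsWith": lambda a, b: str(a).startswith(b),
    "EndsWith": lambda a, b: str(a).endswith(b),
    "Like": lambda a, b: like_to_regex(b).match(str(a)) is not None,
    "InSubnet": lambda a, b: ipaddress.ip_address(a)
    in ipaddress.ip_network(b, strict=False),
}


def parse_condition(text: str):
    """Split 'field OP operand'; the operand may contain spaces, the field
    and operator may not. Unknown operators are rejected up front so a
    typo cannot silently disable a filter."""
    try:
        field, op, operand = text.split(None, 2)
    except ValueError:
        raise ValueError(f"condition must be 'field OP value': {text!r}")
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r} in {text!r}")
    return field, op, operand


def matches(event: dict, condition: str) -> bool:
    field, op, operand = parse_condition(condition)
    if field not in event:            # an absent field never matches
        return False
    return OPERATORS[op](event[field], operand)


def apply_filter_out(events, conditions):
    """Return the events that survive: any matching condition drops the
    event, which is what Filter Out means in the text above."""
    return [e for e in events if not any(matches(e, c) for c in conditions)]


# Constructed sample events using a few common ArcSight field names.
SAMPLE_EVENTS = [
    {"name": "Agent", "deviceSeverity": "3", "sourceAddress": "10.1.2.3"},
    {"name": "Login failed", "deviceSeverity": "1", "sourceAddress": "192.0.2.10"},
    {"name": "Agent heartbeat", "deviceSeverity": "7", "sourceAddress": "10.9.9.9"},
]
```

Dropped events are gone for good (the note earlier in this chapter says they never reach the Manager or the database), so it is worth running a candidate Filter Out string against a captured sample like SAMPLE_EVENTS before applying it to a production connector.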
To: Specifies the ending time at which the Alternate settings no longer apply (and
revert to the default settings). If this is less than the From setting, the value is
interpreted as "next day." For example, a setting from 8PM to 8AM is interpreted as
starting at 8PM and ending at 8AM the following day.
In the Common Conditions Editor, select the relevant conditions from the data fields.
Logic Operator: Description
equals
!=: not equals
<: less than
<=
>=
>: greater than
Between
ContainsBits
In
Contains
StartsWith
EndsWith
Like: standard CCE operator for simple pattern matching for string type:
_ is the wildcard for a single character; % is the wildcard for any number of characters
InSubnet
InGroup: for asset in the specified asset category or zone in the specified zone group.
Is
Click OK.
Click OK.
In the Connectors resource tree, right-click the ArcSight SmartConnector and select
Configure.
In the Filtering section on the Advanced tab, right-click a condition and select Delete.
In the Connector Configuration Editor, click the following tabs: Connector: Name ->
Default -> Filters.
Under the Filters tab, select a severity level event definition from the Filter group:
Filter Out (to drop an event), Very-High, High, Medium, Low, and Unknown.
Select the conditions of the severity level from the Common Conditions Editor.
In the Connectors resource tree, right-click the ArcSight SmartConnector, select Send
Command, and one of the Status, Connector Process, Event Flow, Network, or
Upgrade menu options described below.
The Console's status bar shows a confirmation message when the flow control option
takes effect.
Commands available on this menu vary depending on which
SmartConnectors you are using. The following commands are the standard
set.
Flow-control Command: Description
Status: Get Status, Get Device Status
Connector Process: Restart, Terminate
Event Flow: Pause, Stop, Start
Network: Name Resolver Cache
Upgrade: Upgrade, Rollback Upgrade
In the Connectors resource tree, right-click a group and choose New Group. A Name
text field appears under the group you selected.
Click Enter.
Click Enter.
In the Connectors resource tree, right-click a group and select Edit Group.
In the Group Editor, edit the Name and Description text field.
Click OK.
Select Move to move the group, or Link to create a copy of the group that is linked to
the original group.
If you edit a linked group, whether the original or the copy, every linked copy is edited
as well. When deleting a linked group, you can delete either the selected group alone or
all linked groups.
In the Connectors resource tree, right-click a group and choose Delete Group.
For more detailed information about managing ArcSight SmartConnectors, refer to the
ArcSight ESM v4.0 Administrator's Guide and the ArcSight ESM Console Help.
Chapter 8
Additional Destinations
A SmartConnector sends a copy of each event to every additional destination for which it
is configured. Additional destinations are useful, for example, when you have a
development ArcSight environment running in parallel with your production environment
and you want to test rules and reports against live data.
In such cases, you can configure the SmartConnector to send events to both your
production Manager and your development Manager, so that you can view real-time event
flows on both systems. Because the destinations are independent, the events sent to the
production Manager are not affected.
Failover Destinations
A failover destination receives security events from the SmartConnector only while the
primary destination (for example, the primary ArcSight ESM Manager) is unavailable or a
network problem prevents delivery. Events delivered to the failover destination are also
cached by the SmartConnector and resent to the primary destination once it is reachable
again.
Because a failover destination is active only while the primary destination is
unavailable, the reports and replay features of the secondary Manager may contain
incomplete information. The feature is intended as a real-time fallback for severe
problems with the primary ArcSight ESM Manager.
You can either modify the existing destination or you can add a new destination. For
this example, select Add new destination and click Next.
Select the destination type. For this example, select ArcSight Manager (encrypted)
and click Next.
Click Add new destination to add a new SmartConnector destination and click
Next.
Fill in the parameters for the destination you want to add and click Next to finish.
For information about the AUP Master Destination and Filter Out All Events
fields, see related information on page 24.
Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations.
Select a failover destination type. For this example, select ArcSight Manager
(encrypted) to set up an alternative Manager in case the production Manager fails.
Enter the settings for the failover destination and click Next to continue to the next
window.
Re-Registering a SmartConnector
When the ArcSight Manager recognizes a SmartConnector, it generates an ID token the
SmartConnector uses to identify its security events. If the Manager stops accepting events
from a SmartConnector for an unknown reason, or if you have upgraded a SmartConnector
but its resource was removed from the database, you may need to re-register the
SmartConnector.
To re-register a SmartConnector:
Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations.
Click Next.
Run the ArcSight SmartConnector Configuration Wizard and select your current (Host)
destination. Click Next.
Log in with a valid User Name on the ArcSight Manager where you are attempting to
re-register the SmartConnector. Click Next.
Chapter 9
File Connectors
There are two primary types of log file connector, Real Time and Folder Follower:
Real Time
These connectors keep following a log file whether it retains its name or changes its
name based upon the current date or other factors. Real Time connectors are further
distinguished by the number of files they monitor: some monitor a single log file (such
as the Snort File connector) and others monitor multiple log files (such as the Cisco
Secure ACS and SAP Real Time Audit connectors).
Real Time log file connectors can read normal log files in which lines are separated by
a new line character as well as fixed length records in which a file consists of only one
line but multiple records of fixed length (such as the SAP Real Time Audit connector).
Folder Follower
Folder Follower connectors follow files deposited into a folder. Some monitor a single
folder (such as the HP-UX and IBM AIX connectors) and others monitor folders
recursively (such as the F-Secure Anti-Virus connector).
Both .txt and .xml file types are supported by ArcSight SmartConnectors; which type
applies depends upon the particular device. Text log files are the most common; however,
Tripwire and most of the scanner file connectors, such as Nessus, nCircle, and
NeXpose, produce XML.
The type of log file connector is not usually part of the connector name unless both types
of connector exist for a particular device (such as SAP Audit and SAP Real-Time Audit).
Connectors are normally installed on the device machine, but when the monitored files are
accessible through network shares or NFS mounts, the connectors can be installed on
remote machines.
By default, processed files are renamed with incrementing suffixes such as .processed,
.processed.1, and so on, so that a file is not read twice.
For some connectors, a trigger file is required to tell the connector when the file is
complete and ready for processing. Typically, this is the same file name with a different
extension.
Generally, the only parameter required at installation is the location of the log file or files
(the absolute path). When default file paths are known, they appear in the installation
wizard.
The monitored folders must grant the connector permission to rename or delete files, as
configured in the connector.properties file; without it, a file cannot be marked processed.
ArcSight has dozens of log file connectors, including connectors for:
BEA WebLogic
Bro IDS
F-Secure Anti-Virus
McAfee VirusScan
Microsoft DHCP
Symantec NetRecon
Nmap
Oblix NetPoint
OVAL
Rapid7 NeXpose
Snort
Tenable Nessus
Tripwire Manager
Database Connectors
Database connectors periodically poll for events using SQL queries. ArcSight
SmartConnectors support the major database types, including MS SQL, MS Access, MySQL,
Oracle, DB2, Postgres, and Sybase.
In addition to the native JDBC driver for each database type, database connectors can use
a JDBC-ODBC bridge driver for databases that support it, such as MS SQL, Postgres, and
MS Access. To use a JDBC-ODBC driver, an ODBC data source must be defined first.
During installation, the installation wizard will ask for at a minimum the following
parameters:
Database User
Database Password
The database user must have adequate permission to access and read the database. For
Audit database connectors, such as SQL Server Audit DB and Oracle Audit DB, system
administrator permissions are required.
In addition to connectors that collect events from a single database, some database
connectors collect from multiple databases, such as the Microsoft SQL Server Multiple
DB connector. Others collect events from scanner databases, such as the SmartConnectors
for McAfee FoundScan DB and Mazu Profiler.
Time-Based
Queries use a time field to retrieve events found since the most recent query time until
the current time.
ID-Based
Queries use a numerically increasing ID field to retrieve events from the last checked
ID until the maximum ID.
Job ID-Based
Queries use Job IDs, which need not increase numerically. Processed Job IDs are
recorded so that only new Job IDs are picked up. Unlike the other two types of
database connector, Job ID-based connectors can run in GUI (interactive) mode as well
as in automatic mode.
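The following is an added example, not ArcSight code, that runs the time-based and ID-based checkpoint styles described above against an in-memory SQLite table to show how each one bookmarks its position and what a time-based query misses when a row commits late. The table audit_log(id, event_time, message) and its rows are constructed for the example.

```python
"""Time-based vs ID-based polling of an audit table with an in-memory SQLite DB.

Added example, not ArcSight code. The table audit_log(id, event_time, message)
and its rows are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: three rows already committed (id 3 intentionally absent)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, event_time TEXT, message TEXT)")
    con.executemany("INSERT INTO audit_log VALUES (?, ?, ?)", [
        (1, "2009-02-13 10:00:00", "login ok"),
        (2, "2009-02-13 10:00:05", "login failed"),
        (4, "2009-02-13 10:00:09", "logout"),
    ])
    con.commit()
    return con


def poll_by_id(con: sqlite3.Connection, last_id: int) -> tuple:
    """ID-based: every row above the checkpoint up to the current MAX(id).
    Returns (rows, new_checkpoint). Assumes IDs only ever increase."""
    rows = con.execute(
        "SELECT id, event_time, message FROM audit_log WHERE id > ? ORDER BY id",
        (last_id,)).fetchall()
    return rows, (rows[-1][0] if rows else last_id)


def poll_by_time(con: sqlite3.Connection, last_time: str, now: str) -> tuple:
    """Time-based: rows with last_time < event_time <= now. Returns (rows, new_checkpoint).
    A row that commits after the poll but carries a timestamp at or before the
    checkpoint is never selected again: the failure mode time-based polling has
    and ID-based polling (with monotonic IDs) does not."""
    rows = con.execute(
        "SELECT id, event_time, message FROM audit_log "
        "WHERE event_time > ? AND event_time <= ? ORDER BY event_time, id",
        (last_time, now)).fetchall()
    return rows, (rows[-1][1] if rows else last_time)


def demo() -> dict:
    """Poll twice with each strategy; a late commit lands between the polls."""
    con = make_db()
    t_rows, t_ck = poll_by_time(con, "", "2009-02-13 10:00:05")
    i_rows, i_ck = poll_by_id(con, 0)
    # A transaction that commits after the first poll with an already-passed timestamp.
    con.execute("INSERT INTO audit_log VALUES (5, '2009-02-13 10:00:05', 'late commit')")
    con.commit()
    t_rows2, _ = poll_by_time(con, t_ck, "2009-02-13 10:00:10")
    i_rows2, _ = poll_by_id(con, i_ck)
    return {
        "time_first": [r[0] for r in t_rows],    # [1, 2]
        "time_second": [r[0] for r in t_rows2],  # [4]; row 5 is lost to the checkpoint
        "id_first": [r[0] for r in i_rows],      # [1, 2, 4]
        "id_second": [r[0] for r in i_rows2],    # [5]
    }


if __name__ == "__main__":
    print(demo())
```

The usual mitigation for the time-based gap is to poll with a lag behind the clock (so late commits have landed) or to use >= and de-duplicate on a row key.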
Some of the database products currently supported by ArcSight SmartConnectors include:
IBM SiteProtector
Mazu Profiler
McAfee Entercept
McAfee FoundScan
McAfee IntruShield
Oracle Audit
Quest InTrust
Snort
Symantec ManHunt
Symantec SESA
Visionael ESP
Scanner Connectors
There are two types of scanner connector whose results are retained in a file, making them
log file connectors:
XML files (such as Tenable Nessus, nCircle Audit, Qualys Scanner, and Rapid7
NeXpose)
Other scanners deposit their results in a database once per scan and are treated as
database connectors, requiring the same installation parameters as database connectors.
Scan reports or jobs are converted into base events that can be viewed on the ESM
Console, and aggregated meta events that are not shown on the console. Meta events
create assets, asset categories, open ports, and vulnerabilities on the ESM Console.
Scanner SmartConnectors run in either of two modes, automatic or interactive.
Interactive mode
Displays the scan reports or scan jobs that can be individually selected to be sent to
the connector. This mode is not supported for a connector running as a service.
Automatic mode
Checks periodically for any new reports deposited into the folder or any new jobs
inserted into the database, then processes them. This mode is supported for both
stand-alone applications and services.
Other than the operating mode, the parameters required for scanner installation depend
upon whether the connector is implemented as a file or a database connector. For file
connectors, the absolute path to and name of the log file is required. For database
connectors, see Database Connectors on page 103.
API Connectors
API connectors use a standard or proprietary API to pull events from devices. In most
cases, a certificate must be imported from the device to authenticate connector access to
the device. There are also a number of configuration steps required on the device side. For
example, Check Point devices require connection type configuration and importing a
certificate, Sourcefire eStreamer devices require adding a client, configuring a certificate,
configuring event types to be sent, and so on.
During installation, the installation wizard will ask for the following types of
parameters, although each device's parameters are specific to its API:
Device IP
Service Port
Certificate information
CA eTrust SiteMinder
McAfee Entercept
QoSient ARGUS
SNMP Connectors
SNMP Traps contain variable bindings, each of which holds a different piece of information
for the event. They are usually sent over UDP to port 162, but the port can be changed.
SNMP connectors listen on port 162 (or any other configured port) and process the
received traps. They can process traps only from one device with a unique Enterprise OID,
but can receive multiple trap types from this device.
As with syslog connectors, because SNMP traps are carried over UDP, there is a slight
chance of events being lost over the network.
Parsers use the knowledge of the MIB to map the event fields, but, unlike some of the
other SNMP-based applications, the connector itself does not need the MIB to be loaded.
No parameters are required during connector installation for SNMP devices.
SNMP devices supported by ArcSight SmartConnectors include:
Cisco PIX
Enterasys Dragon
Securify SecurVantage
SmartConnector for Microsoft Windows Event Log Domain, which lets you
collect Microsoft Windows Event Log events from multiple remote machines and
forward them into the ArcSight system (such as multiple occurrences of the same
application installed on different machines in one domain).
For details about the local and domain connectors deployment, installation, and
configuration, see the SmartConnector Configuration Guide for Microsoft Windows Event
Log. For mappings, see ArcSight SmartConnector Mappings to Windows Security Events.
For details about the new Unified connector, see the SmartConnector Configuration Guide
for Microsoft Windows Event Log Unified. Mappings for this connector are incorporated
into its configuration guide.
The SmartConnector for Microsoft Windows Event Log Unified supports event collection
from Microsoft Windows XP, Server 2000, and Server 2003, with beta support for Microsoft
Vista and Server 2008. It also offers beta support for partial parsing of all System and
Application events based upon the Windows event header, and a FlexConnector-like
framework that lets users create and deploy their own parsers for the event description
of System and Application events.
Some individual Windows Event Log applications are supported by the SmartConnector for
Microsoft Windows Event Log Domain, for which Windows Event Log sub-connectors
have been developed. These sub-connectors have individual configuration guides that
provide setup information and mappings for the particular application. These sub-connectors include:
CA eTrust AntiVirus
Microsoft WINS
Oracle Audit
Syslog Connectors
Syslog messages are free-form log messages prefixed with a syslog header consisting of a
numerical priority code (facility x 8 + severity), a timestamp, and a host name. Syslog
connectors can be installed as a syslog daemon, pipe, or file connector. Unlike file
connectors, a syslog connector can receive and process events from multiple devices; a
unique regular expression identifies each device.
Syslog Daemon connectors listen for syslog messages on a configurable port, using
port 514 as a default. It is the only syslog option supported for Windows platforms.
Syslog Pipe connectors require syslog configuration to send messages with a certain
syslog facility and severity. Solaris under-performs when using Syslog Pipe connectors.
The operating system requires that the connector (reader) open the connection to the
pipe file before the syslog daemon (writer) writes the messages to it.
When running the connector as a non-root user on Solaris, a Syslog Pipe connector is
not recommended, because a non-root user does not have permission to send a HUP signal
to the syslog daemon.
Syslog File connectors require syslog configuration to send messages with a certain
syslog facility and severity. For high throughput connectors, Syslog File connectors
perform better than Syslog Pipe connectors because of operating system buffer
limitations.
UNIX supports all three types of syslog connector. If a syslogd process is already running,
you can "kill" it or run the daemon connector on a different port.
Because UDP is not a reliable protocol, there is a slight chance of missing syslog messages
over the network. TCP is now a supported protocol for syslog connectors.
There is a basic syslog connector, the SmartConnector for UNIX OS Syslog, which provides
the base parser for all syslog sub-connectors.
For syslog connector deployment information, see the configuration guide for this
SmartConnector.
During connector installation, for all syslog connectors, choose Syslog Daemon, Syslog
Pipe, or Syslog File from the installer selections rather than the name of the syslog sub-connector.
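The following is an added example, not ArcSight code, of the two things a syslog connector does with each line before any device parser runs: decode the header (splitting the priority code into facility and severity) and route the message to a device by regular expression. The device patterns, the fallback to the base UNIX OS Syslog parser, and the sample lines are constructed for the example.

```python
"""Syslog header decoding and per-device routing, as a syslog connector does it.

Added example, not ArcSight code. The device regexes, the fallback parser name
and the sample lines are assumptions constructed for illustration.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock"]
              + [f"local{i}" for i in range(8)])

# BSD-style header: <PRI>Mmm dd hh:mm:ss hostname message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Assumed per-device patterns, keyed by the sub-connector that would parse them.
DEVICE_PATTERNS = {
    "Snort": re.compile(r"^snort\[\d+\]: \[\d+:\d+:\d+\] "),
    "Sendmail": re.compile(r"^sendmail\[\d+\]: "),
    "HoneyD": re.compile(r"^honeyd\[\d+\]: "),
}


def parse_syslog(line: str):
    """Return header fields plus the identified device, or None for a line that is
    not a well-formed syslog message (PRI must be 0..191)."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    msg = m.group("msg")
    device = next((name for name, pat in DEVICE_PATTERNS.items() if pat.search(msg)),
                  "UNIX OS Syslog")        # base parser handles everything else
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "device": device,
        "message": msg,
    }


# Constructed sample lines (not captured from real devices).
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<12>Feb 13 10:00:01 ids01 snort[2219]: [1:2003:8] MS-SQL Worm propagation attempt "
    "[Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434",
    "<22>Feb  3 09:12:44 mx1 sendmail[4411]: n13E7fQ4004411: from=<a@example.com>, size=1024",
    "garbage with no header",
]


def parse_all(lines=SAMPLE) -> list:
    """Parse every line; lines that fail the header check come back as None."""
    return [parse_syslog(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all():
        print(rec)
```

Lines that fail the header check are returned as None rather than raised, since a syslog daemon connector must keep reading the socket whatever one device sends.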
Syslog connectors include, but are not limited to, the following devices:
AirDefense Enterprise
AirMagnet Enterprise
Alcatel
Arbor Peakflow
Aruba
BroadWeb NetKeeper
CyberGuard
F5 BIG-IP
Fortinet FortiGate
Foundry BigIron
HoneyD
Lancope Stealthwatch
Microsoft IIS
MessageGate
Nagios
NetContinuum
NitroSecurity
Nortel VPN
Oracle Audit
Packet Alarm
Radware DefensePro
SaberNet NTsyslog
Sendmail
SonicWall
Sourcefire/Snort
Stonesoft StoneGate
TippingPoint
Tripwire Enterprise
Type80
Vormetric CoreGuard
Flex Connectors
ArcSight FlexConnectors allow you to create custom SmartConnectors that read and parse
information from third-party devices and map that information to ArcSight's event
schema. When creating a custom SmartConnector, you define a set of properties (a
configuration file) that identifies the format of the log file or other source to be
imported into the ArcSight Manager or ArcSight Logger.
Use of this SmartConnector option requires the FlexConnector Developer's Kit.
Time-based and ID-based database FlexConnectors for reading the latest security
events from a database
Other Connectors
Some connectors use multiple mechanisms. For example, the SmartConnector for Oracle
Audit monitors both the database tables and audit files. Other examples of connectors with
multiple mechanisms include:
NetFlow
Receives flow records over UDP in a Cisco-defined binary format.
Appendix A
Payload Support
Payload support is available with current SmartConnector versions. Payload refers to the
information carried in the body of an event's network packet, as distinct from the packet's
header data.
The following topics are discussed in this appendix:
Introduction on page 111
Working with Payload Data on page 111
Introduction
Extra information can be retrieved by using the on-demand payload feature on the ArcSight
ESM Console. Click on any of the vulnerability events sent by the SmartConnector and you
will see in the Event Inspector that Payload data is available; click on the Payload tab and
you can see additional information including Description and Recommendation. For
services events, you will receive Description and Detail.
You can retrieve, preserve, view, or discard payloads using the ArcSight Console. Because
event payloads are relatively large, ArcSight does not store them by default. Instead, you
can request payloads from devices for selected events through the Console. If the payload
is still held on the device, the ArcSight SmartConnector retrieves it and sends it to the
Console.
Payloads are downloaded and stored only on demand; you must configure ArcSight ESM to
log these packets. By default, 256 bytes of payload are retrieved.
Whether an event has a payload to store is visible in event grids. Unless you specifically
request to do so, only the event's "payload ID" (information required to retrieve the
payload from the event source) is stored. Payload retention periods are controlled by the
configuration of each source device.
To preserve payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Preserve. Alternatively, in the Event Inspector, click the Payload tab, then
the Preserve Payload icon.
To discard payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Discard Preserved. You also can use the Event Inspector: In a grid view,
double-click an event with an associated payload. In the Event Inspector, click the Payload
tab, then click the Discard Preserved Payload icon.
To save payloads to files, in a grid view, double-click an event with an associated payload.
In the Event Inspector, click the Payload tab. Click the Save Payload icon. In the Save
dialog box, navigate to a directory and enter a name in the File name text field. Click
Save.
Appendix B
Summary
This appendix explains how to capture events a SmartConnector normally would send to
the ArcSight ESM Manager into a file. This is an advanced topic; typical ArcSight
configurations do not require the use of external files to communicate events to the
ArcSight ESM Manager.
Event data is written to a file in Excel-compatible comma-separated values (CSV) format,
with comments prefixed by #. A SmartConnector can be configured to preface the data
with a comment line that describes the fields found on a subsequent line. A typical event
file might look like this:
#event.eventName,event.attackerAddress,event.targetAddress
"Port scan detected","1.1.1.1","2.2.2.2"
"Worm ""Code red"" detected","1.1.1.1","2.2.2.2"
"SQL Slammer detected","1.1.1.1","2.2.2.2"
"Email virus detected","1.1.1.1","2.2.2.2"
Event data is written to files in the specified folder and can be configured to rotate
periodically.
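The following is an added example, not ArcSight code, of a reader for the event file format shown above: the '#'-prefixed header comment supplies the field names, each data line is a quoted CSV record, and a doubled quote inside a value is an escaped quote (as in the "Code red" line). The sample text is the one printed in this appendix; the headerless fallback field names are an assumption.

```python
"""Reader for the CSV event files written by transport.default.type=file.

Added example, not ArcSight code. The 'fieldN' names used for a headerless
file are an assumption for the example.
"""
import csv


def parse_event_file(text: str) -> list:
    """Return one dict per event line.

    The first '#'-comment line that precedes any data line is taken as the
    field-name header (written when 'Write format header' is true); any other
    comment line is ignored. Doubled quotes inside a quoted value are an
    escaped quote, which csv.reader unescapes."""
    fields = None
    data_lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if fields is None and not data_lines:
                fields = [f.strip() for f in line[1:].split(",")]
            continue
        data_lines.append(line)
    events = []
    for row in csv.reader(data_lines):
        if fields is None:
            fields = [f"field{i}" for i in range(len(row))]  # headerless file
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(row)}: {row}")
        events.append(dict(zip(fields, row)))
    return events


# The sample event file as printed in this appendix.
SAMPLE_FILE = """#event.eventName,event.attackerAddress,event.targetAddress
"Port scan detected","1.1.1.1","2.2.2.2"
"Worm ""Code red"" detected","1.1.1.1","2.2.2.2"
"SQL Slammer detected","1.1.1.1","2.2.2.2"
"Email virus detected","1.1.1.1","2.2.2.2"
"""


def count_by_attacker(text: str = SAMPLE_FILE) -> dict:
    """Small aggregation over the parsed events: events per attacker address."""
    counts = {}
    for ev in parse_event_file(text):
        counts[ev["event.attackerAddress"]] = counts.get(ev["event.attackerAddress"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_event_file(SAMPLE_FILE):
        print(ev)
    print(count_by_attacker())
```

A column-count mismatch is raised rather than silently padded, because a rotated file written with a different Fields setting would otherwise be misread as shifted columns.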
Installation
To create a SmartConnector that logs security events in a CSV file rather than forwarding
them to an ArcSight ESM Manager:
When the wizard asks whether the Manager is using a demo certificate, click the
Cancel button.
When asked for confirmation that you are exiting early, click Yes.
Use a text editor to create a new file named agent.properties in the directory
$ARCSIGHT_HOME\current\user\agent\.
This file need contain only the following line:
transport.default.type=file
At the point where the SmartConnector Configuration Wizard ordinarily asks about the
Manager certificate, a new window is displayed that contains parameters for the CSV
file transport.
CSV Path
The path to the output folder. If it does not exist, the folder is created.
Fields
File rotation interval
Write format header
Select true to write a header row with labels for each column, as described above.
After you enter the file transport parameters and click Continue, the SmartConnector
Configuration Wizard proceeds as usual.
Appendix C
Defining an AUP
AUP files provide a way to collect a set of files together and update ArcSight resources as
well as distribute parsers to ArcSight SmartConnectors.
For some AUPs, ArcSight provides downloadable packages of new content available to
subscribing customers. You can obtain a content subscription through ArcSight Sales or
Customer Support. Subscribers also have access to related articles in the ArcSight
Customer Support Center's Knowledge Base.
The download files are offered through a special subdirectory on the ArcSight software
server. The directory is visible only to subscribers, who receive a notification e-mail from
ArcSight Customer Support when files are posted.
As shown below, the method of uploading an AUP varies depending on the ArcSight
product.
ArcSight ESM
As an ArcSight customer, you will receive an e-mail notification about content updates from
ArcSight support. To update,
Download the latest AUP release from the Customer Support website
(https://software.arcsight.com).
ESM/Logger
A SmartConnector can send events to ArcSight ESM and Logger simultaneously. In this
configuration, it is helpful to use the AUP Master Destination feature. AUP Master
Destination allows ESM to push AUP content to the SmartConnector, which then applies it
to its Logger destination(s). Logger is not capable of storing or pushing its own AUP content.
Using the SmartConnector Configuration Wizard, add the ESM destination and set the
AUP Master Destination parameter to true (the default is false).
If you have not already done so, you can also add the Logger destination.
The AUP content is pushed from ESM to the SmartConnector, which then sends an internal
event to confirm. Since the AUP Master Destination flag was set for the ESM destination,
that AUP content is used by the SmartConnector for Logger or any other non-ESM
destinations.
The AUP Master Destination flag should be set to true for only one ESM
destination at a time. If more than one ESM destination is set and the flag is
true for more than one, only the first is treated as master.
Failover ESM destinations cannot be AUP Masters.
Logger
Logger has no facility to store or forward AUPs to SmartConnectors.
Connector Appliance
Connector Appliance does not support automatic deployment of an AUP. This feature will
be included in future releases. Please call customer support for assistance.
Download the latest AUP release from the Customer Support website (at
https://software.arcsight.com).
From the ArcSight Console, select connectors to be upgraded (one at a time) and
launch the upgrade command for each of them.
Upon receipt of the upgrade command, the selected connectors upgrade themselves,
restart, and send upgrade results (success or failure) back to the ArcSight Console
through the ArcSight Manager.
If the upgrade is successful, the new connector starts and reports a successful
upgrade status. (The upgraded connector runs in the same home directory as the
old one.)
Connector Appliance
Uploading an AUP through Connector Appliance is performed through its web-based user
interface. From the Advanced Operations tab, the Connector Upgrade Repository
displays upgrades that have been uploaded using the Connector Upgrade command.
To upload .aup updates,
Download the latest AUP release from the Customer Support website (at
https://software.arcsight.com).
From the Advanced Operations tab, click Upgrade, and then click the Upgrade
Repositories sub-tab.
The next step is to push this upgrade to one or more containers. To push the upgrade
.aup to a container(s),
Click the check box for container(s) that you wish to upgrade.
Click Save.
Appendix D
SmartConnector Frequently
Asked Questions
What if my device is not one of the listed SmartConnectors?
ArcSight offers an optional feature called the FlexConnector Development Kit (SDK),
which can assist you in creating a custom SmartConnector for your device.
ArcSight can create a custom SmartConnector; contact ArcSight Customer Support for
more information.
When events are cached and the connection to the Manager is re-established,
which events are sent?
Events are sent with a 70% live and 30% cached events ratio. If live events are not arriving
quickly, the percentage of cached events can be higher. This can reach 100% if there are
no live events.
Also, if the settings dictate that certain event severities are not sent at the time connection
is restored, those events are never sent. This is true even if they were originally generated
(and cached) at a time when they would ordinarily go out.
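The following is an added example, not ArcSight code, that models the two behaviours in this answer: each batch after reconnection is filled roughly 70% from live events and 30% from the cache, the cache taking every slot live traffic cannot fill (up to 100%), and the severity filter is applied at send time, so a cached event whose severity is no longer configured for sending is dropped rather than resent. The queues, batch size and severity labels are constructed for the example.

```python
"""Cache drain after the Manager connection is restored.

Added example, not ArcSight code. The queues, batch size and the 70/30 split
as a per-batch target are constructed for illustration.
"""
from collections import deque

LIVE_SHARE = 0.7


def drain_batch(live: deque, cached: deque, batch: int, send_severities) -> tuple:
    """Take up to `batch` events, about 70% live and 30% cached, letting cached
    events fill any slots live traffic cannot. The severity filter is applied
    when an event is sent, so a cached event that is now filtered is dropped,
    not deferred. Returns (sent, dropped)."""
    want_live = min(len(live), round(batch * LIVE_SHARE))
    n_cached = min(len(cached), batch - want_live)   # cache takes unused live slots
    n_live = min(len(live), batch - n_cached)        # live takes unused cache slots
    sent, dropped = [], []
    for queue, n in ((live, n_live), (cached, n_cached)):
        for _ in range(n):
            ev = queue.popleft()
            (sent if ev["severity"] in send_severities else dropped).append(ev)
    return sent, dropped


def demo() -> dict:
    """Constructed queues: 3 live High events, 10 cached events (the first two Low)."""
    live = deque({"id": f"L{i}", "severity": "High", "source": "live"} for i in range(3))
    cached = deque({"id": f"C{i}", "severity": "Low" if i < 2 else "High", "source": "cache"}
                   for i in range(10))
    allowed = {"Very-High", "High", "Medium"}  # Low is filtered out at send time
    first_sent, first_dropped = drain_batch(live, cached, 10, allowed)
    second_sent, second_dropped = drain_batch(live, cached, 10, allowed)
    return {
        "first_live": sum(e["source"] == "live" for e in first_sent),           # 3
        "first_cache": sum(e["source"] == "cache" for e in first_sent) + len(first_dropped),  # 7
        "first_dropped": [e["id"] for e in first_dropped],                     # Low events
        "second_live": sum(e["source"] == "live" for e in second_sent),         # 0: no live left
        "second_cache": len(second_sent) + len(second_dropped),                 # 3: 100% cache
        "left_in_cache": len(cached),                                           # 0
    }


if __name__ == "__main__":
    print(demo())
```

The dropped Low events illustrate the second paragraph above: they were cached when Low was still being sent, but the filter in force at send time decides their fate.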
Why does the status report the size of the cache as smaller than it should be?
For example, I know that a few events have been received by the
SmartConnector since the Manager went down, yet the report marks events as
zero.
Some of the events are in other places in the system, such as the HTTP transport queue.
Shut down the SmartConnector and look at the cache size in the .size.dflt file to confirm
that the events are really still there.
Why does the estimated cache size never change in some SmartConnectors?
Why is the estimated cache size negative in others?
The estimated cache size is derived from a size file that gets read at startup and written at
shutdown. If the SmartConnector could not write the size at shutdown (for example, due to
an ungraceful shutdown, disk problem, or similar problem) the number could be incorrect.
Newer versions will attempt to rebuild this cache size if they find it to be incorrect, but
older builds do not.
One solution is to:
The SmartConnector detects that there is no size file and re-builds the cache size by
reading all the cache files.
Can the SmartConnector cache reside somewhere other than....
/user/agent/agentdata?
You can change the folder to contain the SmartConnector cache by adding the following
property in agent.properties:
agentcache.base.folder=<relative-folder-path>
where <relative-folder-path> is the path of the folder relative to
$ARCSIGHT_HOME.
Why is my end time always set to an earlier date and time?
ArcSight Manager performs auto time correction for older events. If the end time is older
than your retention period, it is set automatically to that lower bound. A warning is
displayed and an internal event with the same message is sent to you.
Error messages related to file access contain the file name, but error messages related to
log line parsing do not.
Are log files accessed sequentially or in parallel?
This depends upon the SmartConnector you are using. Some log file connectors process
files sequentially and others process log files in parallel.
After reading a log file, can a SmartConnector move it using NFS?
Yes. Folder Follower connectors can rename or move files over NFS, as long as the
folders containing the log files grant the SmartConnector the necessary permissions.
My SmartConnector must read log files from a remote machine through a
network share. How can I do this?
To establish a network share to a remote machine, you can use network mapping on
Windows platforms, and NFS or Samba mounting on Linux/UNIX platforms.
If you are running the SmartConnector as a Windows service, the service's logon account
must have access privileges to the network share. To set the user name and password:
Double-click Services.
Click the Log on tab, and enter the user name and password for the user with access
permissions to the file share. Specify the file path using UNC notation, not as a
network mapped drive.