ArcMC 2.5 Demo Script 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 13 min read

Summary:

This summary focuses on the capabilities of HPE ArcSight Management Center (ArcMC) for monitoring connectors and Loggers and for managing licensing scenarios, specifically ADP licensing. The following points highlight the main functionalities and features discussed:

1. **Connector Details in ArcMC**: When users hover over a Connector within ArcMC, they gain access to detailed information such as per-device EPS ingested and configured destinations. This feature supports deeper analysis of connector health and performance. Clicking directly on the connector provides more granular details about its health status.

2. **ADP Licensing in Multi-Node Deployments**: ArcMC's ADP (ArcSight Data Platform) licensing offers flexibility in multi-node setups by providing a unified view across all ADP license entitlements. This approach simplifies management, especially when dealing with Loggers of varying capacity, and ensures global reporting from a single console.

3. **Reporting Features**: The ArcMC interface includes functionalities for both monitoring and detailed reporting:

  • **License Usage Graph**: Users can scroll down on the summary page to view this graph, which provides an overview of licensing consumption across all Loggers.

  • **Export Feature**: This allows for quick generation of comprehensive reports detailing the licensing consumption of each Logger over a chosen time period.

  • **Administration and Specific Device Reporting**: Administrators can tailor reports by including specific devices using CLI commands, enabling focused analysis on selected components.

4. **ADP Licensing Mechanism**: The demonstration assumes that ADP licensing has been applied to the virtual machines in the deployment. This setup centralizes Logger licensing management under a single console, facilitating oversight of license usage and identifying any capacity issues or violations.

5. **Centralized Configuration Management and Monitoring**: ArcMC is demonstrated as a tool for centrally managing components such as Loggers, Connector Appliances, and SmartConnectors. The process includes setting up configurations within the interface and returning the virtual machines to their initial snapshot state after use.

In summary, ArcMC's capabilities in monitoring connectors and Loggers and managing ADP licensing provide a robust platform for centralized management and reporting across an organization's security infrastructure.

Details:

The ArcSight Management Center Use Case Demonstration Scripts are provided for evaluation purposes only and contain confidential information belonging to Hewlett Packard Enterprise (HPE). The scripts include data about current HPE products, sales, and service programs. It is important to maintain the confidentiality of this information and not reproduce or disclose it without authorization from HPE. The information may be subject to change at HPE's discretion. Neither HPE nor its representatives make any representations or warranties regarding the accuracy or completeness of the information provided. This document is intended for informational purposes only, with no liability being assumed by HPE or its representatives as a result of using the information. Only a definitive agreement signed by authorized representatives of both parties shall be binding on HPE or its affiliates. The term "solution" refers to the products and services offered by HPE.

This document outlines a set of demonstration scripts for ArcSight Management Center (ArcMC) along with related components such as Logger and Event Broker. The use cases require specific demonstration machines, ArcMC version 2.5, Logger 6.3, and Event Broker 1.0, to be operational. The setup involves opening multiple browser tabs and logging into ArcMC and Logger for the visual demonstrations, following the screenshots from the PowerPoint presentation.

The demonstration environment uses VMware virtual machines (VMs) for Logger 6.3, Event Broker 1.0, and ArcMC 2.5. The process involves downloading the VMs, starting them up, and managing their configuration as outlined below:

1. **Download VM Details:**

  • Logger 6.3 is available at IP `172.16.100.100` with hostname `vm-logger63-demo`.

  • ArcMC 2.5 is located at IP `172.16.100.117` with hostname `vm-arcmc25`.

  • Event Broker 1.0 is hosted at IP `172.16.100.119` with hostname `eventbroker`.

2. **Startup Sequence:**

  • Upon starting, ArcMC will boot before Logger. It may take several minutes for Logger to fully load and the application to be accessible. During this period, accessing the system via its DNS name might not work; however, it should appear in about 5 minutes once loaded, with the home page showing a health status change from healthy to warning/critical due to an EPS rate breach rule configuration.

3. **Local Hosts File Configuration:**

  • Update your local hosts file to include the DNS names of the VMs (`vm-logger63-demo`, `vm-arcmc25`, and `eventbroker`) for easier access instead of using IP addresses. Note that updating might not be possible for all systems, in which case direct IP use is necessary.

4. **License Management (Optional):**

  • AutoPass licensing for Logger is optional but recommended during demonstrations. If choosing to demonstrate ADP licensing:

  • ArcMC needs to become an ADP License Server by following specific steps.

  • Once configured, both ArcMC and Logger can be run together in the same demonstration.

5. **Snapshot Management:**

  • After demonstrating, use VMware Snapshot Manager to revert the ArcMC, Event Broker, and Logger virtual machines back to their initial setup snapshots. This ensures readiness for subsequent demonstrations.

This document provides a step-by-step guide for setting up and configuring the demonstration environment using VMware VMs for the specified ArcSight products, with considerations for licensing and system access.

To install a demonstration license for the ADP 2.0 (ArcMC 2.5 and Logger 6.3) platform, follow these steps after adding the VM IP addresses to your hosts file:

1. **Modify Hosts File**: Add the following entries to the hosts file (on Windows, located under `\system32\drivers\etc\`):

```
# ADP demo platform VMs
172.16.100.100 vm-logger63-demo
172.16.100.117 vm-arcmc25
172.16.100.119 eventbroker
```

2. **Install ADP Base License in Logger**:

  • Go to System Administration > License and Update.

  • Apply the ADP base license, noting that your device will now be managed by ArcMC.

3. **Configure ArcMC as ADP License Server**:

  • Click on ADP License Server from the ArcMC GUI.

  • Confirm with "Yes".

4. **Apply Capacity Uplift License in ArcMC**:

  • In Logger, go to System Administration > License and Update and apply the base license.

  • Notice that the Logger license usage graph indicates an exceeded limit in ArcMC.

  • Browse to Administration > System Admin in ArcMC.

  • Apply the capacity uplift license to see it reflected in the Logger License Usage dashboard.
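Because every step above reaches the VMs by name, a wrong or missing hosts entry is the most common reason a demo login fails. The following is an added Python example (not part of the HPE script) that parses a hosts file and checks it against the three entries given above; the sample hosts text is constructed for this example, and the expected name-to-address mapping is the one the script lists.

```python
# Added example: verify that a hosts file carries the demo VM entries.
# EXPECTED_HOSTS comes from the hosts entries in the script; the sample
# hosts-file text below is constructed for this example.

EXPECTED_HOSTS = {
    "vm-logger63-demo": "172.16.100.100",
    "vm-arcmc25": "172.16.100.117",
    "eventbroker": "172.16.100.119",
}

SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# ADP demo platform VMs
172.16.100.100 vm-logger63-demo
172.16.100.117 vm-arcmc25
172.16.100.119 eventbroker   # Event Broker 1.0
"""


def parse_hosts(text):
    """Return {hostname: ip} for every name and alias in a hosts file.

    Blank lines and '#' comments (full-line or trailing) are ignored.
    If a name appears twice the first entry wins, so a stray duplicate
    further down the file cannot silently override the demo mapping.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no names
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_demo_hosts(text, expected=EXPECTED_HOSTS):
    """Compare a hosts file against the expected demo mapping.

    Returns a dict of problems: a missing name maps to None, a name bound
    to a different address maps to that address. Empty dict means all good.
    """
    found = parse_hosts(text)
    problems = {}
    for name, ip in expected.items():
        actual = found.get(name.lower())
        if actual != ip:
            problems[name] = actual
    return problems


if __name__ == "__main__":
    issues = check_demo_hosts(SAMPLE_HOSTS_FILE)
    print("hosts file OK" if not issues else f"hosts problems: {issues}")
```

To run it against a real system, read the platform's hosts file into `text` (for example `C:\Windows\System32\drivers\etc\hosts` on Windows or `/etc/hosts` elsewhere) and pass it to `check_demo_hosts`; a non-empty result tells you exactly which VM name to fix before opening the browser tabs.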

By following these steps, you will install a demonstration license for the ADP 2.0 platform, with the device managed by ArcMC and given the appropriate ingestion capacity.

The next scenario covers managing the configuration of Logger, Connector Appliance, and SmartConnectors from ArcMC. It shows how settings such as Logger filters, Syslog Connectors, and Logger SmartMessage Receivers are managed centrally through ArcMC. Note that ArcMC cannot configure Event Broker in this release, but it can manage Event Broker's SmartConnectors. The talking points describe managing Logger filters by importing an existing configuration into ArcMC and distributing it to remote Loggers, which keeps all managed devices consistent without requiring direct access to each device.

Importing and configuring a Logger filter in ArcMC involves selecting an existing Logger, searching for filters, adding new properties with specific criteria, saving the configuration, assigning subscribers, pushing the configuration to them, and verifying the result in the remote Logger interface.

To move the syslog SmartConnector to a different port (from 514 to 515) using ArcMC, follow these steps:

1. Open a terminal or SSH session on the ArcMC image.

2. Run `netstat -au -n | grep 514` to confirm that the syslog SmartConnector is currently listening on port 514.

3. Navigate to Configuration Management in the ArcMC interface and click Import to import the existing configuration of your syslog SmartConnector. Select the syslog SmartConnector and continue through the wizard, choosing "Type: Syslog Connector" and naming it appropriately.

4. Once imported, select the Syslog Connector from the list, click Details, change the Port field from 514 to 515, and save the change.

5. Add the syslog SmartConnector as a subscriber: go to Subscribers, add `//Default/vm-arcmc25/Container 1`, then click Push followed by Yes.

6. In the terminal, run `netstat -au -n | grep 515` to verify that the syslog SmartConnector is now listening on port 515.

7. Click Check Compliance in ArcMC and review the compliance status of the system running the SmartConnector.

8. In the Logger interface, click Configuration > Receivers to review the SmartMessage receivers; these can be configured centrally with ArcMC, which keeps receiver naming consistent across your Logger environment.

9. Use ArcMC's compliance check to ensure all systems match your centralized configuration management standard.

To configure a new SmartMessage receiver on an HPE ArcSight Logger using ArcMC, follow these steps:

1. **Access ArcMC Interface**: Navigate to the ArcMC interface and go to "Configuration Management."

2. **Create New Configuration**: Click "New," then select "Logger SmartMessage Receiver Configuration."

3. **Configure the New Configuration**:

  • Name the configuration (e.g., "Logger").

  • Set properties including:

  • Receiver Name as "SmartMessage".

  • Enable the receiver by selecting "Yes".

  • Set encoding to UTF-8.

4. **Save and Close Configuration**: Click "Save," then "OK."

5. **Add Subscribers**: In the ArcMC interface, go to "Subscribers," click "Add Subscribers," and select "//Default/vm-logger63-demo/Software Logger." Add this subscriber by clicking "Add," then "OK."

6. **Push Configuration**: Click "Push," confirm with "Yes" in the pop-up, then click "OK."

7. **Verify Configuration in Logger Interface**: Return to the remote Logger interface and click "Configuration," then "Receivers," to see the new SmartMessage receiver.

ArcMC can also manage other connector configurations, such as BlueCoat Connector, FIPS, Map File, Parser Override, Syslog Connector, and Windows Unified Connector (WUC) parameters.

The next scenario covers upgrading a SmartConnector parser version using ArcSight Marketplace (the source document is marked HPE Confidential, subject to use restriction). The focus is on centralizing version management for Logger, Connector Appliance, and SmartConnectors within the ArcMC interface. Navigate to Node Management -> View All Nodes and expand a location such as ArcNet in the left-hand pane. From here you can manage software parameters, including properties, certificates, and credentials. By selecting the SmartConnector in question, administrators can centrally manage the versions of the products deployed in their environment without manually downloading or uploading packages from HPE; remote upgrades through ArcSight Marketplace save that time.

With SmartConnectors version 7.3 and later, the connector framework and the parsers are separated, so new parsers can be used with existing connectors. To upgrade a parser, follow these steps:

1. **Accessing the Upgrade Containers Page**: In the ArcMC interface, navigate to the Containers tab in the right pane. A yellow icon next to the Parser Version indicates an outdated version. Click it to open the Upgrade Containers page.

2. **Selecting Upgrade Type**: Under "Select Upgrade Type," ensure that "Parser Upgrade" is selected. This updates the parsers without upgrading the entire framework.

3. **Choosing the Latest Parser Version**: At the time of the script's release, the latest parser version was 7.3.1.7910. Choose this option to update your existing connectors with the new parser version sourced from the Marketplace.

4. **Updating Parsers in Connectors**: Click "Parser Upgrade" and select the desired version (e.g., 7.3.1.7910). Note that the shopping trolley icon indicates this version comes from the Marketplace, not the local repository. Confirm the upgrade.

5. **Framework Upgrade Option**: If you click "Framework Upgrade" instead, the dropdown shows the latest Connector framework installed and an older version available locally. Explain that no new connector framework is available from the Marketplace at this time.

6. **Entering Credentials**: To access resources from ArcSight Marketplace, enter your credentials, or sign up if you do not have an account, providing the information the system prompts for.

The following summarizes the key points of upgrading Parsers and Containers in ArcMC:

1. **Signing Up**: Users can sign up for free to access ArcSight Marketplace, which includes Parser upgrades. Passwords expire, so check them before logging in.

2. **Login and Upgrade Process**:

  • Upon successful login, users can change their user or perform an upgrade if needed.

  • Click "Upgrade" to initiate the Parser version update.

  • After completion, click "Done" from the bottom right corner.

  • The first upgrade attempt might show a blank screen; repeat the process for correction.

3. **Bulk Upgrade (Optional Demonstration)**:

  • Users can perform bulk upgrades on multiple Containers simultaneously.

  • Select up to three old-version Containers and click "Upgrade" as in previous single Parser demonstrations.

  • The upgrade should take less than 30 seconds per Container, and results will be displayed in the right pane.

4. **Benefits of Bulk Upgrade**: This method significantly reduces the time and effort required to upgrade a large fleet of SmartConnectors.

5. **Monitoring Scenario**:

  • Centralized monitoring across Logger, Connector Appliance, and SmartConnectors is demonstrated using ArcMC.

  • Users can monitor inbound EPS thresholds in SmartConnectors and receive notifications when these thresholds are breached.
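The breach rules behind these notifications are simple threshold comparisons: a SmartConnector whose inbound EPS rises above a ceiling, or a Logger whose outbound EPS drops below a floor (the case the Logger monitoring procedure later in this post walks through), moves from healthy to warning or critical, which is also the health change the startup notes mention. The following is an added Python example (not part of the HPE script) that evaluates such rules over a batch of EPS samples. The thresholds, the sample values, and the name "Container 2" are constructed; the script does not show ArcMC's actual rule format or numbers.

```python
# Added example: evaluate EPS breach rules of the kind ArcMC's monitoring
# scenario describes. Rule thresholds and sample values are constructed;
# "Container 2" is a made-up second connector container.

from dataclasses import dataclass

HEALTHY, WARNING, CRITICAL = "healthy", "warning", "critical"
SEVERITY = {HEALTHY: 0, WARNING: 1, CRITICAL: 2}


@dataclass(frozen=True)
class BreachRule:
    node_type: str   # "connector" or "logger"
    metric: str      # "eps_in" or "eps_out"
    direction: str   # "above": breach when value > threshold; "below": when value < threshold
    warning: float
    critical: float


def classify(rule, value):
    """Return healthy/warning/critical for one sample against one rule."""
    if rule.direction == "above":
        if value > rule.critical:
            return CRITICAL
        return WARNING if value > rule.warning else HEALTHY
    if rule.direction == "below":
        if value < rule.critical:
            return CRITICAL
        return WARNING if value < rule.warning else HEALTHY
    raise ValueError(f"unknown direction {rule.direction!r}")


def evaluate(samples, rules):
    """Evaluate a batch of samples and return (states, notifications).

    samples: list of dicts {node, node_type, metric, value}
    states: {node: worst state seen across all of its samples}, so one bad
            reading in the batch is enough to colour the node on the dashboard
    notifications: (node, state, metric, value) for every sample that broke
            a rule, so an operator can see which reading caused the breach
    """
    states = {}
    notifications = []
    for sample in samples:
        state = HEALTHY
        for rule in rules:
            if rule.node_type == sample["node_type"] and rule.metric == sample["metric"]:
                state = classify(rule, sample["value"])
        node = sample["node"]
        current = states.get(node, HEALTHY)
        states[node] = state if SEVERITY[state] > SEVERITY[current] else current
        if state != HEALTHY:
            notifications.append((node, state, sample["metric"], sample["value"]))
    return states, notifications


# Constructed rules: an inbound EPS ceiling for connectors and an outbound
# EPS floor for Loggers (a Logger sending almost nothing is a problem too).
RULES = [
    BreachRule("connector", "eps_in", "above", warning=500, critical=1000),
    BreachRule("logger", "eps_out", "below", warning=50, critical=10),
]

# Constructed samples, named after the demo hosts from the script.
SAMPLES = [
    {"node": "vm-arcmc25/Container 1", "node_type": "connector", "metric": "eps_in", "value": 120},
    {"node": "vm-arcmc25/Container 1", "node_type": "connector", "metric": "eps_in", "value": 740},
    {"node": "vm-arcmc25/Container 2", "node_type": "connector", "metric": "eps_in", "value": 1350},
    {"node": "vm-logger63-demo", "node_type": "logger", "metric": "eps_out", "value": 80},
    {"node": "vm-logger63-demo", "node_type": "logger", "metric": "eps_out", "value": 35},
]

if __name__ == "__main__":
    node_states, notes = evaluate(SAMPLES, RULES)
    for node, state in node_states.items():
        print(f"{node}: {state}")
    for note in notes:
        print("breach:", note)
```

Keeping the worst state per node rather than the latest one mirrors what a dashboard pie chart needs: a connector that spiked once during the window should still be shown in yellow until someone looks at the breach pane.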

The document concludes with a note on the benefits of this new functionality, emphasizing how it streamlines the management of a large number of SmartConnectors.

To monitor and be notified when a Logger's outbound EPS (events per second) drops below a threshold, follow these steps in the ArcMC interface:

1. **View Monitoring Summary**: Go to "Dashboard," then click "Monitoring Summary." This shows an overview of all hosts managed by ArcMC, including the total number of nodes per device type (e.g., 292 devices reporting into SmartConnectors, with a breakdown such as 1 ArcMC/Connector Hosting Appliance, 4 SmartConnectors, and 1 Logger).

2. **Chart #1 - Devices by Product Type**: This pie chart displays the types of devices currently reporting in to the connectors. Hover over a section (such as Microsoft Windows) to narrow the view to that device type. Note the "Total number of Nodes" for each type, and hover over inactive devices to see their details.

3. **Drill Down into Specific Devices**: Click on any inactive device for more information, such as its timeout interval (the time after which a reporting device is considered down).

4. **Sort Devices by Column**: To see detailed information for the Unix devices, click the Unix wedge at the top right of the pie chart and choose the sort order with the up/down arrows. This displays comprehensive details about your Unix hosts.

5. **Chart #2 - SmartConnector Health**: The Connectors pie chart gives insight into the health of the connectors. Adjusting the view, for example to focus on Microsoft Windows devices, gives a targeted look at device performance and connectivity issues.

By following these steps, you can monitor the Logger outbound EPS threshold and stay informed about the status of your reporting devices in ArcMC.

The monitoring interface for connectors and Loggers in ArcMC has the following key features and interactions:

1. **Main Interface**: The main dashboard ("Dashboard" under the "Monitoring" section) shows a pie chart for either Connectors or Loggers, with states that depend on EPS and run time.

2. **Connectors Bar**: Clicking the connectors bar above the pie chart drills down into detailed information about all active Connectors. The top pane lists each Connector's location, host, and state.

3. **Individual Connector Details**: Clicking any row opens a context-sensitive bottom pane with recent Breach/Health information for that Connector, giving immediate insight into performance issues for troubleshooting.

4. **Detailed Performance Metrics**: Clicking "Details" shows graphs of the Connector's performance metrics, including EPS IN and EPS OUT. Hovering over the graphs provides additional information.

5. **Time Range for Charts**: Metrics can be viewed over 4 hours, 1 day, or 1 week by clicking "Time Range for Charts," which helps in analyzing trends and performance over longer periods.

6. **Operational Benefit**: The main benefit of these dashboards is quickly identifying problematic devices or connectors through visual cues, such as yellow warnings based on EPS levels, so issues can be resolved promptly.

7. **Logger Health Pie Chart**: Loggers also have a pie chart that updates based on EPS and run time. It shows a warning state (yellow) if the Logger is not performing optimally.

In summary, ArcMC gives IT and security staff a user-friendly interface for monitoring and managing connectors and Loggers. The dashboard features help isolate issues quickly, aiding timely troubleshooting and resolution.

The "Topology View" feature of ArcMC is covered next. The key points:

1. **Logger Details**: Click on Loggers to view detailed information about each Logger. The lower pane displays contextual breach information for the selected Logger. Clicking "Details" shows low-level health information such as JVM memory, EPS, and other performance parameters. Be aware that the Hardware Status information displayed may be inaccurate.

2. **Health Parameters**: Users can scroll through different time frames to view the health parameters, including JVM memory and EPS, which helps in monitoring performance over longer periods or during peak loads.

3. **Topology View Overview**: The Topology View provides an overall summary of all reporting devices, SmartConnectors, and their destinations, so administrators can track the flow of device events from start to finish. The view has sections for Location, Reporting Devices, Smart Connectors, and Destinations, and shows the type of destination (e.g., CEF, File, KAFKA) for each Connector.

4. **Event Flow Analysis**: In the Topology View, hovering over a device shows detailed event flow statistics, for instance how many EPS the Connector processes and how many events it sends on to its destination (such as Event Broker). This gives insight into the performance of individual devices within the system.

Overall, the Topology View offers a comprehensive way to monitor the health and performance of the components in an integrated security environment.

The final scenario covers the monitoring, licensing, and reporting features of ArcMC for ADP licensing.

1. **Connector Details**: Hovering over a Connector in ArcMC displays detailed information such as per-device EPS ingested and configured destinations, and users can drill down for more detail about the connector's health and performance. Clicking the connector directly leads to more detailed health and performance information.

2. **ADP Licensing**: ADP licensing provides flexibility in multi-node deployments by offering a single-pane-of-glass view into all ADP license entitlements. It also removes the need to license individual Loggers with different capacities, supporting global reporting across the entire fleet from a single console.

3. **Reporting Features**:

  • **Dashboard and Monitoring Summary**: Users can scroll down on the summary page to see the License Usage Graph, which provides an overview of licensing consumption.

  • **Export and Detailed Report**: The export feature allows for quick generation of detailed reports on all Logger licensing consumption over a specified period.

  • **Administration and Consumption Report**: Administrators can include specific devices in a report by using CLI commands, allowing for focused reporting on selected Loggers.

4. **ADP Licensing Mechanism**: The scenario assumes that the ADP licensing mechanism has been applied to the virtual machines. This lets users manage all Logger licensing from one centralized console and view capacity issues and license violations.

Overall, these ArcMC features streamline monitoring, management, and reporting of both connectors and licensing across a fleet of devices, improving operational efficiency and compliance.

The document closes with a demonstration summary: ArcMC provides centralized configuration management and monitoring within the ArcSight platform, and the key features demonstrated include version management, ingestion, violations, and export capabilities. For realistic report results, run Logger and Event Broker for at least 24 hours before generating reports. The use case centralized the configuration of components such as Logger, Connector Appliance, and SmartConnectors using ArcMC. Finally, the virtual machines used in the demonstration should be returned to their initial snapshot state after the session concludes.
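The License Usage Graph, the export report, and the "include specific devices" option above all reduce to the same computation: sum each day's ingestion across every Logger, compare the total with the single pooled ADP entitlement, and flag the days that exceed it. The following is an added Python example (not part of the HPE script) that performs that aggregation; it assumes the entitlement is expressed as a daily ingestion volume in gigabytes, and the entitlement figure, the second Logger "logger-site-b", and all daily ingestion numbers are constructed, since the script gives no license sizes.

```python
# Added example: pooled ADP license usage across several Loggers.
# Assumes a daily ingestion entitlement in GB; the entitlement figure,
# the Logger "logger-site-b" and the daily numbers are constructed.

from collections import defaultdict


def pooled_usage(daily_gb, entitlement_gb):
    """Sum ingestion across all Loggers per day and flag days over the pool.

    daily_gb: list of (date, logger, gigabytes ingested that day)
    Returns (per_day_total, violations); violations is a sorted list of
    (date, total_gb, overage_gb) for every day above the entitlement.
    """
    per_day = defaultdict(float)
    for date, _logger, gb in daily_gb:
        per_day[date] += gb
    violations = [
        (date, total, round(total - entitlement_gb, 2))
        for date, total in sorted(per_day.items())
        if total > entitlement_gb
    ]
    return dict(per_day), violations


def per_logger_report(daily_gb, only=None):
    """Total ingestion per Logger over the period.

    only: optional set of Logger names, mirroring the script's option of
    including specific devices in a report; None reports every Logger.
    """
    totals = defaultdict(float)
    for _date, logger, gb in daily_gb:
        if only is None or logger in only:
            totals[logger] += gb
    return dict(totals)


def export_csv(daily_gb):
    """Render per-day, per-Logger consumption as CSV text for export."""
    lines = ["date,logger,gb"]
    for date, logger, gb in sorted(daily_gb):
        lines.append(f"{date},{logger},{gb}")
    return "\n".join(lines) + "\n"


# Constructed sample: two Loggers reporting into one ADP license pool.
ENTITLEMENT_GB_PER_DAY = 100.0
DAILY_GB = [
    ("2025-04-01", "vm-logger63-demo", 62.5),
    ("2025-04-01", "logger-site-b", 30.0),
    ("2025-04-02", "vm-logger63-demo", 71.0),
    ("2025-04-02", "logger-site-b", 44.5),
    ("2025-04-03", "vm-logger63-demo", 40.0),
    ("2025-04-03", "logger-site-b", 25.0),
]

if __name__ == "__main__":
    totals, over = pooled_usage(DAILY_GB, ENTITLEMENT_GB_PER_DAY)
    for date in sorted(totals):
        print(f"{date}: {totals[date]} GB of {ENTITLEMENT_GB_PER_DAY} GB")
    for date, total, overage in over:
        print(f"VIOLATION {date}: {total} GB, {overage} GB over entitlement")
    print(per_logger_report(DAILY_GB))
    print(export_csv(DAILY_GB), end="")
```

Aggregating per day before comparing is what makes the pooled model useful: a Logger that is individually small can still contribute to an over-entitlement day, which is exactly the situation the single-console view is meant to surface. The 24-hour minimum run time recommended above is what gives this report a full day's worth of data to work with.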

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
