ArcMC 2.70 Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 17 min read

Summary:

This document outlines the process for setting up a Syslog connector in ArcSight to collect logs from a Linux host and deploy an Instant Connector on another VM despite limitations on the installation location. Here is a detailed step-by-step guide:

**Step 1: Access the Deployment View**

1. Navigate to the "Dashboard" in ArcSight.
2. Click on the "+ Add Connector" button next to "connectorhost".
3. In the connector deployment interface, click on the "+" sign at the top right and select "Add Connector", then choose Syslog from the options provided.

**Step 2: Add a Syslog Connector**

1. Enter the following details:
  • Username: root or someone with appropriate access.
  • Password: arcsight (for this specific connector setup).
  • Job Name: syslog_connector_deployment.
  • Select Linux 64-bit OS.
2. The install location is typically /opt/connectors/connector.
3. From the Connector Template dropdown, choose Syslog -> Syslog Daemon -> Syslog_Connector_Template.

**Step 3: Customize the Template (if needed)**

1. You can customize the template parameters before finalizing the deployment.
2. Multiple connectors with different templates, or even clones of them, can be managed efficiently for a large number of connectors.

**Step 4: Set Destination Templates**

1. Scroll down and choose the destination template, e.g., Event Broker CEF and ESB destination.
2. Ensure all options are correct and add multiple destinations if needed (e.g., eb-cef and eb-esm to an Event Broker cluster).

**Step 5: Deploy the Connector**

1. Click OK after setting up everything correctly.
2. Monitor the job status in the Job Manager, checking for completion with detailed information.
3. If a task fails during setup or the initial run, identify and resolve the reason using the error messages and retry the configuration.
4. Upon successful completion of the job, view the updated Topology View to confirm that the host has been transformed into a managed node.
5. Ensure memory constraints are considered when adding more than one connector, to avoid the preflight checks failing.

**Step 6: Return VMs to Original Snapshots (if applicable)**

1. Access the VM menu and navigate to the Snapshot option within the VM menu.
2. Open VMware Snapshot Manager from the Snapshot submenu.
3. Select and restore the created snapshots for the ArcMC, Connector Host, and Logger (if used) virtual machines.

**Conclusion**

This process demonstrates how to manage and deploy software components such as Logger, Connector Appliance, and SmartConnectors using ArcSight and VMware tools like ArcMC. It emphasizes preflight checks during installation, troubleshooting, and the importance of centralizing management tasks through ArcMC for efficiency and effectiveness in managing a network.

Details:

This is a documentation of a software tool called ArcSight, which is used for managing and monitoring security-related activities. The content includes various scripts that demonstrate how to set up, configure, manage, and use different features of the ArcSight system. Some key sections in this document are:

1. **Overview**: Provides an introduction to what ArcSight is and its purpose.
2. **Setup and Configuration**: Explains how to install and set up the software.
3. **Configuration Management**: Details the management of configurations within the system.
4. **Version Management & ArcSight Marketplace**: Covers updating versions and accessing additional tools/resources from a marketplace.
5. **Monitoring**: Discusses methods for monitoring security events using the tool.
6. **ADP Licensing**: Explains how to handle licensing in relation to the ArcSight Data Platform (ADP).
7. **Deployment Templates**: Provides templates for deploying different modules or connectors within ArcSight.
8. **Instant Connector Deployment**: Offers guidance on deploying connectors quickly for immediate use.
9. **Micro Focus Trademark Information** and **Company Details**: Provide information about the legal aspects of using ArcSight, including trademark usage and details about the company that developed it.

Each section contains scripts or instructions to help users effectively utilize the features provided by ArcSight Management Center version 2.70.

This document outlines a demonstration setup for specific use cases involving three key machines: ArcMC, Connector Host, and optionally Logger. The primary focus is on using ArcMC in conjunction with its corresponding software versions and connectors, though Logger can be used independently based on user choice. Notably, Event Broker, previously a core component of the suite, is no longer required for this demonstration due to hardware complexity and updated licensing considerations.

To begin the demonstration:

1. Start all virtual machines, including the ArcMC 2.7 Demo VM, the Connector Host Demo VM (optional), and optionally the Logger 6.3 or 6.5 Demo VM.
2. Open three tabs in a host browser and log into ArcMC and Logger via their respective interfaces.
3. Use VMware Snapshot Manager to return the virtual machines to predefined snapshots after the demonstration concludes.

Regarding AutoPass licensing:

  • Logger can operate with its instant-on license, but if demonstrating ADP licensing, follow the steps to configure ArcMC as an ADP License Server. This setup allows for simultaneous use of both Logger and ArcMC within a single demonstration.

Setup and Configuration involves downloading the following virtual machines:

1. Logger 6.5 (optional) - IP address 172.16.100.100
2. Connector Host 1.0 - IP address 172.16.100.118
3. ArcMC 2.7 - IP address 172.16.100.117

Upon starting, the sequence of operation is: ArcMC starts first, and it may take several minutes for Logger to fully boot and become operational. The following points concern centralized configuration management using ArcMC (ArcSight Management Center):

1. **System Availability**: During this time, the vm-logger63-demo system may not be visible on the ArcMC home page, but it should appear in about 5 minutes. Its state will change from healthy to fatal/warning because a Breach rule triggers when the EPS (Events Per Second) rate is below a certain level. This is expected and nothing to worry about.

2. **Updating the Hosts File**: If possible, update your local hosts file to include three DNS names: vm-logger63-demo, vm-arcmc25, and eventbroker. The entries should be added as follows:

```
# ADP demo platform VMs
172.16.100.100 vm-logger63-demo
172.16.100.117 vm-arcmc25
172.16.100.119 eventbroker
```

Those unable to update the hosts file must use IP addresses directly. On Windows the hosts file is located under `\system32\drivers\etc\`.

3. **Configuration Management Scenario**: This section focuses on managing configurations centrally using ArcMC for Logger, Connector Appliance, and SmartConnectors. Demonstrations will show how to:

  • Import existing configurations such as Logger Filter, Syslog Connector, and Logger SmartMessage Receiver.

  • Manage custom search filters in the Logger interface by importing them from a remote Logger that is already managed by ArcMC. This process retains existing filters while adding new ones.

  • Perform these actions through the ArcMC interface under Configuration Management.

In summary, this text provides guidance on maintaining and updating system configurations with ArcMC, including how to handle DNS resolution for specific systems and how to manage the settings of the various components within the platform.

The process involves importing an existing Logger search filter configuration into ArcMC, where it can be viewed and modified. Here is a step-by-step breakdown of the procedure:

1. **Importing the Logger Search Filter Configuration:**

  • Navigate to the specific node in ArcMC where you want to import the logger (e.g., `//Default/vm-logger63-/demo/Software Logger`).

  • Click on "Continue" without selecting any Connector Appliance option, as it doesn't apply to this context.

  • Select your Logger and choose the import option for a Logger search filter. You will see available import options such as Type: Logger Filter, Name: Logger Filter, etc.

  • Click "Import," then click "OK" after confirming.

2. **Viewing and Modifying the Imported Configuration in ArcMC:**

  • Once imported, you can view it centrally in ArcMC by selecting "Logger Filter."

  • Scroll down to review existing searches and modify them as needed. To add a new search filter:

  • Click "Edit" and then select "Add Property."

  • Provide a simple name for the filter (e.g., "A Filter Name"), choose "UnifiedQuery" as the type, and enter your search criteria. You can also choose "UnifiedQuery Regex" if desired.

  • After entering the query criteria (e.g., `netflow | top`), save the configuration by clicking "Save."

3. **Distributing the Configuration to Subscribers:**

  • Select the subscribers who should receive this configuration, which are the systems that will use the new or modified filter.

  • Click "OK" after adding appropriate subscribers and then click "Push" to distribute the updated configuration. Confirm the action by clicking "Yes" and then "OK."

4. **Viewing the New Search Filter in the Remote Logger:**

  • Return to your remote Logger interface by navigating back to the specific node if necessary (e.g., `//Default/vm-logger63-/demo/Software Logger`).

  • Click on "Configuration" and then "Filters."

  • Load the newly distributed filter by clicking on its name (e.g., "A Filter Name") and selecting "Load + Close."

  • Finally, click "Go!" to run a search with this new filter.

This process ensures that your Logger configurations are efficiently managed and synchronized across multiple systems using ArcMC.

In a terminal or SSH session within the ArcMC image, you currently have syslog SmartConnectors deployed using the default syslog port 514. To change this to a different port, such as 515, follow these steps in the ArcMC interface:

1. Navigate to Configuration Management and click Import to import your existing configuration. Select the syslog SmartConnector configuration for import.
2. Continue through the process by clicking "Continue", selecting "Type: Syslog Connector" and naming it "Syslog Connector". Click "Import" followed by "OK".
3. In the imported configuration, modify the port from 514 to 515 under the Syslog Connector details. Save these changes and click "OK".
4. Add the syslog SmartConnector as a subscriber by clicking on Subscribers, then "Add Subscribers", selecting the appropriate system entry (//Default/vm-arcmc25/Container 1), and adding it with "OK". Push out the configuration with "Push" and confirm with "Yes" followed by "OK".
5. Verify the change in the terminal or SSH session using the command `netstat -au -n | grep 515`, which should show your syslog SmartConnector now listening on port 515.
6. To confirm centralized configuration management, check the compliance status within ArcMC to see whether the system running the SmartConnector is compliant.

In the Logger interface, you can start using SmartMessage receivers and manage them centrally with ArcMC by configuring them through "Configuration" -> "Receivers". Here is a brief outline of how to configure and manage SmartMessage receivers for Logger using ArcMC (ArcSight Management Center):

1. **Accessing Configuration Management**: Navigate to the "Configuration Management" section in ArcMC.
2. **Creating a New Configuration**: Click on "New" to create a new configuration. Select "Logger SmartMessage Receiver" as the configuration type.
3. **Configuring the New Logger SmartMessage Receiver**:

  • Set the configuration name and ensure it is enabled.

  • Define encoding settings (e.g., UTF-8).

  • Save these settings by clicking "Save".

4. **Adding Subscribers to the Configuration**: Click on "Subscribers", then add subscribers by selecting specific Logger identities from the list, such as "//Default/vm-logger63-demo/Software Logger".
5. **Pushing the Configuration**: Confirm that you want to push this configuration out to the selected subscribers by clicking "Push" and selecting "Yes".
6. **Verifying the Configuration in the Logger Interface**: After pushing, go back into your remote Logger interface to verify the addition of the new SmartMessage receiver under the "Receivers" section.
7. **Exploring Additional Configurations**: In ArcMC, you can also explore other configuration types available for management, such as connector configurations or system administration settings like authentication methods and network configurations.

These steps set up a new Logger configuration with SmartMessage receivers using ArcMC, ensuring that the configuration is efficiently managed and deployed across multiple Loggers.

This use case is about managing versions of Logger, Connector Appliance, and SmartConnectors in an environment using ArcMC (ArcSight Management Center). The main goal is to simplify version upgrades by centralizing the process, without going through multiple intermediate steps like downloading from Micro Focus, uploading to ArcMC, and then distributing to all devices. Key benefits include:

1. Administrators can centrally upgrade versions of these products, saving time compared to manual methods.
2. In the ArcMC interface, users can manage parameters such as properties, certificates, and credentials for SmartConnectors.
3. The SmartConnector framework allows separating Connectors and Parsers, enabling quicker adoption of new Parsers.

Steps to upgrade a SmartConnector Parser version using ArcMC:

1. Access the Node Management section in the ArcMC interface and view all nodes to see the deployed ArcSight products.
2. Expand "ArcNet" on the left pane to display locations, where you can group hosts logically for easier management.
3. Select your software SmartConnector, then go to the right navigation pane, click Containers, select Container 1, and click "Up" to upgrade the version.

The upgrade interface works as follows:

1. **Yellow Icon Indication**: A yellow icon next to the "Parser" in the "Containers" tab indicates that the current parser version is outdated and needs updating.
2. **Upgrade Containers Page**: When you click on this feature, you are directed to an "Upgrade Containers" page where you can enter your Marketplace credentials for caching purposes. If you don't have a Marketplace account, you should create one.
3. **Select Upgrade Type**: Choose between "Parser Upgrade" and "Framework Upgrade"; the default is the Parser Upgrade. When choosing it, ensure that the version available in the dropdown menu matches the latest available on the platform at the time (7.3.1.7910).
4. **Marketplace Sourcing**: When a new parser version is selected, a "shopping trolley" icon indicates that it is sourced from the Marketplace rather than from the local repository, so network connectivity or licensing requirements may apply when accessing those versions.
5. **Framework Upgrade**: If you click on "Framework Upgrade", the dropdown menu changes to show that a newer version of the Connector framework is available, while an older one remains in the local repository. There is no mention of Marketplace availability for this particular upgrade.
6. **Entering Credentials**: When prompted to enter your credentials for the ArcSight Marketplace, you can either sign up if you don't have an account or log in with existing details. Note that passwords on the Marketplace do expire, and it is advisable to check this before demonstrating changes.
7. **Performing the Upgrade**: Clicking "Upgrade" starts the process of updating the Parser version. After completion, a blank update screen might appear initially; repeat the action for confirmation if necessary. The final step is clicking "Done" in the bottom right corner.
8. **Confirmation and Further Actions**: Take note of the initial feedback, as it can sometimes be unclear whether the upgrade was successful. Finally, navigate to the ArcNet location in the left pane and show the updated Containers list, including the newly upgraded Parser.

Optionally, a bulk parser upgrade can be demonstrated for the remaining three containers after completing the single-container parser upgrade. Select the three containers with the old parser version and click "Upgrade"; the upgrade takes less than 30 seconds to complete. Afterward, all containers are upgraded, showing a significant time saving in upgrading and maintaining multiple SmartConnectors.

The next scenario is centralized monitoring using ArcMC, demonstrating how to monitor Logger, Connector Appliance, and SmartConnectors. The scenario involves viewing, and being notified when, the inbound EPS of SmartConnectors drops below a set threshold and when the outbound EPS of Loggers does so. This section also includes action talking points about navigating through the ArcMC interface to view the monitoring summary for all managed hosts, noting the total number of nodes reporting from devices like SmartConnectors and Logger appliances.
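The port-change verification earlier in this section (`netstat -au -n | grep 515`) matches any line containing the digits 515, so a service on 5150 or a foreign address would also match. The following added example, which is not part of the demo script, parses the Local Address column so that only an exact port counts, and also confirms that the old port 514 has been released; the netstat output embedded in it is constructed sample data, and the `live_check` helper assumes a Linux connector host with netstat installed.

```python
"""
Added example (not part of the ArcMC demo script): confirm that the syslog
SmartConnector moved from UDP/514 to UDP/515 after the configuration push.
`netstat -au -n | grep 515` also matches 5150, 1515 or a foreign address
containing 515; parsing the Local Address column avoids that, and the check
also confirms that the old port was released. The netstat output below is a
constructed sample; `live_check` assumes a Linux host with netstat installed.
"""
import re
import subprocess

# Constructed `netstat -au -n` output: the connector is bound to 515, 514 is
# gone, and an unrelated UDP service on 5150 would fool a plain `grep 515`.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:515             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:5150            0.0.0.0:*
udp6       0      0 :::515                  :::*
"""

# proto, recv-q, send-q, local address, foreign address
_SOCKET_RE = re.compile(
    r"^(?P<proto>udp6?|tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
)


def udp_listeners(netstat_output):
    """Return {(bind_address, port)} for each UDP socket in netstat output.

    The Local Address column is 0.0.0.0:515 for IPv4 or :::515 for IPv6, so
    the port is whatever follows the last colon.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        m = _SOCKET_RE.match(line)
        if m and m.group("proto").startswith("udp"):
            addr, _, port = m.group("local").rpartition(":")
            listeners.add((addr, int(port)))
    return listeners


def grep_style_hits(netstat_output, port):
    """What `grep 515` would count: every line containing the digits anywhere."""
    return sum(1 for line in netstat_output.splitlines() if str(port) in line)


def verify_port_move(netstat_output, old_port=514, new_port=515):
    """Check that new_port is bound and old_port is no longer bound."""
    ports = {port for _, port in udp_listeners(netstat_output)}
    new_ok, old_ok = new_port in ports, old_port not in ports
    return {"new_port_listening": new_ok, "old_port_released": old_ok,
            "ok": new_ok and old_ok}


def live_check(old_port=514, new_port=515):
    """Run netstat on this host and verify the move (Linux connector host)."""
    out = subprocess.run(["netstat", "-au", "-n"], capture_output=True,
                         text=True, check=True).stdout
    return verify_port_move(out, old_port, new_port)


if __name__ == "__main__":
    print("plain grep hits for 515:", grep_style_hits(SAMPLE_NETSTAT, 515))
    print(verify_port_move(SAMPLE_NETSTAT))
```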
The chart shown is a pie chart displaying the types of devices currently reporting in the system; hovering over specific sectors of the circle narrows the view, for example to Microsoft Windows devices only. To manage and monitor Unix devices connected through connectors in ArcMC, follow these steps:

1. **Identify Inactive Devices**: Look for any inactive devices by hovering over them to view details. Click on an inactive device to get more information about it.
2. **Device Time-out Interval**: This is the time after which a reporting device is considered "down", which matters for maintaining system performance and for troubleshooting.
3. **Navigate Back to the Main Page**: To return to the main page from any detailed view, click on "Dashboard > Monitoring Summary".
4. **View Per-Device Information**: For all Unix devices, click on the Unix wedge in the top right of the inner circle to drill down into the specific Unix device details. You can also sort devices by clicking on the up/down arrows next to the column headers.
5. **Check Connector Health**:

  • Examine the Connectors pie chart for an overall status update.

  • Click on the Connectors bar above the pie chart to view detailed health information about each connector.

  • For individual connectors, click on any row to see recent breach or health information in the bottom pane, and then click "Details" to access detailed performance metrics.

6. **Adjust the Time Range for Charts**: To view metrics over different time periods (4 hours, 1 day, and 1 week), use the "Time Range for Charts" option. This feature is invaluable for tracking changes in performance and troubleshooting issues.

By following these steps, you can efficiently monitor Unix devices connected via connectors, ensuring optimal system operation and quick resolution of any issues or inefficiencies.

The dashboard features within ArcMC help IT and Security staff isolate problem devices and connectors quickly, aiding timely resolution. The main points:

1. **Logger Health**:

  • Navigate to the Loggers pie chart in the ArcMC interface.

  • Click on Dashboard > Logger Health to view the overall status.

  • The pie chart may show a yellow/warning state if ingesting low EPS (Events Per Second).

  • Drill down into detailed information by clicking on specific Loggers and then on 'Details' for lower-level health data.

  • Various health parameters such as JVM memory, EPS, etc., are displayed over different time frames: 4 hours, 1 day, and 1 week.

2. **Topology View**:

  • Click on Dashboard > Topology View to see an overall view of all reporting devices, connectors, and their destinations.

  • The layout includes Location, Reporting Devices, Smart Connectors, and Destinations for events.

  • ArcMC also indicates the type of destination (e.g., CEF, File, KAFKA).

  • Hovering over a device group like "Intrushield (9)" shows detailed event flow.
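The monitoring scenario above (a SmartConnector's inbound EPS or a Logger's outbound EPS dropping below a threshold, and a reporting device treated as "down" once it has been silent for the device time-out interval) can be modelled in a few lines. This added example is not part of the demo script or of ArcMC itself: the node names, thresholds and samples are constructed, and treating "down" as taking precedence over an EPS warning is an assumption.

```python
"""
Added example (not part of the ArcMC demo script): a small model of the
dashboard's breach rules. Connectors are judged on inbound EPS, Loggers on
outbound EPS, and a node that has not reported within the device time-out
interval is "down". Node names, thresholds and samples are constructed;
letting "down" take precedence over an EPS warning is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    node: str           # managed node path, e.g. a connector container or a Logger
    kind: str           # "connector" (inbound EPS) or "logger" (outbound EPS)
    ts: datetime        # when the node reported this value
    eps: float          # events per second measured at that time


@dataclass(frozen=True)
class Rules:
    connector_min_inbound_eps: float
    logger_min_outbound_eps: float
    device_timeout: timedelta   # silence after which a reporting device is "down"


def latest_per_node(samples):
    """Keep only the most recent sample for each node."""
    latest = {}
    for s in samples:
        if s.node not in latest or s.ts > latest[s.node].ts:
            latest[s.node] = s
    return latest


def evaluate(samples, rules, now):
    """Return {node: (status, reason)} with status healthy, warning or down."""
    result = {}
    for node, s in sorted(latest_per_node(samples).items()):
        silence = now - s.ts
        if silence > rules.device_timeout:
            result[node] = ("down", f"no report for {int(silence.total_seconds())}s")
            continue
        floor = (rules.connector_min_inbound_eps if s.kind == "connector"
                 else rules.logger_min_outbound_eps)
        if s.eps < floor:
            result[node] = ("warning", f"{s.kind} EPS {s.eps:g} below {floor:g}")
        else:
            result[node] = ("healthy", "")
    return result


def notifications(previous, current):
    """Nodes whose status changed since the last evaluation, as
    {node: (old_status, new_status)}: the events a breach notification
    would be raised (or cleared) for."""
    return {node: (previous.get(node, ("unknown", ""))[0], status)
            for node, (status, _) in current.items()
            if previous.get(node, ("unknown", ""))[0] != status}


# Constructed sample data: node paths mirror the demo's naming, the numbers
# are invented.
NOW = datetime(2025, 4, 8, 12, 0, 0)
RULES = Rules(connector_min_inbound_eps=1.0, logger_min_outbound_eps=1.0,
              device_timeout=timedelta(minutes=10))
SAMPLES = [
    Sample("//Default/vm-arcmc25/Container 1", "connector", NOW - timedelta(minutes=6), 12.0),
    Sample("//Default/vm-arcmc25/Container 1", "connector", NOW - timedelta(minutes=1), 0.4),
    Sample("//Default/connectorhost/Container 1", "connector", NOW - timedelta(minutes=2), 35.0),
    Sample("//Default/vm-logger63-demo/Software Logger", "logger", NOW - timedelta(minutes=3), 0.0),
    Sample("//Default/remote-connector/Container 1", "connector", NOW - timedelta(minutes=20), 50.0),
]

if __name__ == "__main__":
    earlier = evaluate([s for s in SAMPLES if s.ts <= NOW - timedelta(minutes=5)],
                       RULES, NOW - timedelta(minutes=5))
    current = evaluate(SAMPLES, RULES, NOW)
    for node, (status, reason) in current.items():
        print(f"{status:8} {node} {reason}")
    print("notify:", notifications(earlier, current))
```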

This guide helps in monitoring and managing system health efficiently using the ArcMC dashboard features for IT and Security staff.

The dashboard also lets you monitor the performance and health of connectors, providing detailed information about their metrics, error messages, and more. The steps include drilling down to see the devices in a group, identifying Connectors with issues by color (red), hovering over them for additional details, and clicking on the Connector for even more specific information. Metrics are displayed graphically, showing data from the last 4 hours, 1 day, or 1 week.

The next scenario focuses on ADP Licensing within an ADP Platform, highlighting its benefits such as flexibility in multi-node deployments, a unified view of all ADP licenses, and automated global reporting. It emphasizes how this allows easier management of licensing across various nodes (Loggers) by providing a single console to monitor license usage and detect violations.

ArcMC (ArcSight Management Center) is then shown within a demonstration scenario for managing connectors in an IT environment using ArcSight ESM (Enterprise Security Manager). The key points:

1. **Consumption Report**: An Administrator can generate a report to track device usage, including ingestion, violations, and export options. The report is particularly useful as it provides insights into performance and configuration items related to managing the ArcSight ADP platform.
2. **Deployment Templates**: This section focuses on using deployment templates for SmartConnectors, which allow predefined configurations of connectors. Examples include a Syslog daemon connector template and a CEF file destination template. The demonstration shows how these templates facilitate easy deployment and management of connector infrastructure. Administrators can either use pre-configured templates or create new ones as needed.

In summary, ArcMC in this context gives Security and IT staff the insight to manage the performance and configuration of the ArcSight ADP platform efficiently, while deployment templates simplify the setup and maintenance of connectors.

The following procedure creates a Syslog connector template and deploys it using a destination template, ultimately setting up an Instant Connector deployment:

1. **Connector Template Creation**:

  • **Template Name:** "Syslog_Connector_Template"

  • **Network Port:** 15141 (UDP)

  • **Additional Field/File Type:** JavaLibrary, which is then deleted as it's not required.

  • **Common Fields:**
      • **Name:** "Syslog_15141_UDP"
      • **Location:** ArcNet
      • **Device Location:** HQ
      • **Service Internal Name:** syslog15141udp
      • **Service Display Name:** ArcSight Syslog Daemon Connector

  • After filling in the details, click "Save."

2. **Destination Template Creation**:

  • Click on the arrow next to "Destination" and select "CEF File."

  • Click "New" from the top right of the browser.

  • Choose "CEF File" as the destination type.

  • Set the CEF path to "/opt/cef/" since it is intended for a Linux host.

3. **Completion and Deployment**:

  • Once completed, click "Save." The new Connector template details will be displayed in the browser window.

  • Now, create a Destination template by clicking on the arrow next to "Destination" and selecting "CEF File."

  • Click "New" from the top right of your browser. This action reveals available destination types within the Connector framework.

  • Name the template and set the CEF path as "/opt/cef/".

4. **Instant Connector Deployment**:

  • The text describes deploying a Smart Connector on a host with admin rights, specifically using a Linux VM named "connectorhost."

  • It mentions that while direct installation on the ArcMC host is unsupported, you can manually install Connectors and manage them by scanning the host.

  • The initial 7.7 Connector and Collector framework for Linux (64-bit only) has been preloaded in the ArcMC repository, which might not be the latest version.
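The CEF File destination created above writes one CEF record per line under /opt/cef/. The following added parser is not part of the demo script or of ArcSight; the sample record, its field values and the file path are constructed, and it implements the CEF escaping rules (a backslash before | and \ in the header, before = and \ in extension values) plus the resolution of ArcSight custom-field label pairs such as cs1Label/cs1.

```python
"""
Added example (not from the ArcMC demo script or ArcSight): parse CEF records
such as those the "CEF File" destination writes under /opt/cef/. Header fields
are separated by '|' with '\|' and '\\' as escapes; extension values are
key=value pairs in which '=' and '\' are escaped with a backslash and '\n' /
'\r' stand for line breaks. The record and path below are constructed.
"""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key is a run of word chars at the start of the extension or after a space,
# immediately followed by an unescaped '=' (an escaped '\=' has a backslash
# before it, which the key character class cannot match).
_KEY_RE = re.compile(r"(?:^|(?<=\s))([\w.-]+)=")

# Constructed sample record, modelled on a syslog connector event.
SAMPLE_CEF = (
    "CEF:0|ArcSight|Syslog Daemon|7.3.1.7910|syslog:15141|UDP syslog event|3|"
    "src=172.16.100.118 dst=172.16.100.117 dpt=515 proto=UDP "
    "msg=login failed for root \\= bad password cs1Label=Service cs1=syslog15141udp"
)


def _unescape(text, escapable):
    """Resolve backslash escapes for the characters in `escapable`."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in escapable:
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(line):
    """Return (7 raw header fields, raw extension string)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        c = line[i]
        if c == "\\" and i + 1 < len(line):     # keep escape pairs intact for now
            buf.append(line[i:i + 2])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("not a CEF record: fewer than 7 header delimiters")
    return fields, line[i:]


def _parse_extension(ext):
    """Split the extension into {key: unescaped value}."""
    keys = list(_KEY_RE.finditer(ext))
    values = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        values[m.group(1)] = _unescape(ext[m.end():end].strip(), "=\\nr")
    return values


def parse_cef(line):
    """Parse one CEF line into header, extension and resolved custom-field labels."""
    raw_fields, raw_ext = _split_header(line.rstrip("\r\n"))
    header = dict(zip(HEADER_FIELDS, (_unescape(f, "|\\") for f in raw_fields)))
    if not header["version"].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    header["version"] = int(header["version"][4:])
    extension = _parse_extension(raw_ext)
    # ArcSight custom fields come in pairs such as cs1Label=Service / cs1=value.
    labels = {label: extension[key[:-5]] for key, label in extension.items()
              if key.endswith("Label") and key[:-5] in extension}
    return {"header": header, "extension": extension, "labels": labels}


def read_cef_file(path):
    """Yield parsed records from a CEF File destination output, skipping blanks."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.strip():
                yield parse_cef(line)


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_CEF)
    print(rec["header"]["name"], rec["extension"]["src"], "->", rec["extension"]["dpt"])
    print(rec["labels"])
```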

In summary, this guide walks through setting up a Syslog connector template with specific details, creating a destination template for CEF files on a Linux host, and outlining the process of deploying an Instant Connector on another VM, despite official limitations regarding the installation location.

The deployment itself sets up a Syslog connector in ArcSight for log collection. The steps and points to consider during setup:

1. **Access the Deployment View**: Navigate to the "Dashboard" and then click on the "+ Add Connector" button next to "connectorhost". This opens the connector deployment interface.
2. **Add a Syslog Connector**:

  • Click on the "+" sign at the top right of the screen, select "Add Connector", and choose Syslog from the options provided.

  • You'll be prompted to enter details such as the Username (usually root or someone with appropriate access), Password (which should be arcsight for this specific connector setup), a Job Name (e.g., syslog_connector_deployment), and select Linux 64-bit OS.

  • The install location is typically /opt/connectors/connector.

  • From the Connector Template dropdown, choose Syslog -> Syslog Daemon -> Syslog_Connector_Template.

3. **Customize the Template**: Once selected, you can customize the template if needed before finalizing the deployment. Explain that multiple connectors with different templates, or even clones of them, are possible, for efficiency in managing large numbers of connectors.
4. **Set Destination Templates**: Scroll down to choose the destination template created earlier (e.g., a custom Event Broker CEF and ESB destination). Ensure all options are correct, and explain how multiple destinations can be added by clicking "Add" one or more times for different configurations, such as eb-cef and eb-esm to an Event Broker cluster.
5. **Deploy the Connector**: Click OK after setting up everything correctly. You can now check the job status in the Job Manager, which should show a running task; detailed information is available by clicking on the small arrow beside it. Keep monitoring until the task is complete.

The document provides a comprehensive guide on using ArcMC for managing and deploying software components such as Logger, Connector Appliance, and SmartConnectors. It emphasizes the importance of preflight checks during installation, which ensure that all necessary conditions are met before proceeding with the deployment. The process checks whether the Operating System meets certain requirements, and ArcMC then provides detailed information for each stage, including preflight checks, binary installation, configuration, and runtime. If a task fails during the setup or initial run, users can identify the reason through the detailed error messages and use the "Retry" button to reconfigure the task. Upon successful completion of the job, view the updated Topology View to demonstrate that the host has been transformed into a managed node with all remote management capabilities enabled.

In the Connector Deployment View, users can add more than one Connector to a host during or after deployment, subject to available memory (note: attempting to add more than one connector when memory is limited will result in the preflight checks failing).

The document concludes by summarizing how ArcMC addresses various use cases: configuration management, version management, monitoring, and instant connector deployment. It also emphasizes the time-saving features that come with centralizing these tasks through ArcMC, thereby enhancing the overall efficiency and effectiveness of managing and deploying software across a network.

After completing a demonstration with the ArcMC and Connector Host (plus Logger, if used) virtual machines, return the VMs to their previous snapshots using VMware Snapshot Manager:

1. Access the VM menu.
2. Navigate to the Snapshot option within the VM menu.
3. Open VMware Snapshot Manager from the Snapshot submenu.
4. Select and restore the created snapshots for the ArcMC, Connector Host, and Logger (if used) virtual machines.

This ensures that all virtual machines are returned to their original state before the demonstration, ready for future use or demonstrations.

The text also includes trademark information from Micro Focus and company details:

  • "Micro Focus" and related logos are registered trademarks of Micro Focus (IP) Limited or its subsidiaries in multiple countries.

  • Other marks belong to their respective owners.

  • The company, Micro Focus International plc, is registered in England and Wales with registration number 5134647. Its address is at The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
