
ArcMC Demo Script 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 8 min read

Summary:

This document summarizes the HPE demonstration script for ArcSight Management Center (ArcMC) 2.0 managing a Logger 6.0 system. The sections are:

1. **Environment setup**: two demo VMs (`arcmc20` and `logger6`), host-file entries so each VM resolves the other, adding the Logger as a managed host in ArcMC, and VMware snapshots so the environment can be reset after each run.

2. **Configuration Management**: using ArcMC to import, modify and push configurations to subscribers, shown with a Logger search filter, a syslog SmartConnector port change from 514 to 515, and a Logger SmartMessage receiver, each followed by a compliance check of the subscribers.

3. **Configuration types**: the Connector configurations (e.g., BlueCoat, FIPS, Map File, Parser Override, Syslog, Windows Unified Connector), Logger configurations (e.g., Backup, Filter, SmartMessage Receiver, Storage Group, Transport Receiver) and System Admin configurations (e.g., Authentication External, Local Password, Session, DNS, Network, NTP, SMTP, SNMP, Users) that ArcMC can manage centrally.

4. **Version Management**: remotely upgrading a SmartConnector from ArcMC by selecting the connector, noting its current and target versions, starting the upgrade and confirming it in the interface.

5. **Monitoring**: the ArcMC Monitoring Summary page, its four severities (Healthy, Warning, Critical, Fatal), notification rules such as EPS (Events Per Second) dropping below a threshold that may indicate a device malfunction or a network problem, and the performance metrics CPU Usage, JVM Memory, Disk Read and Disk Write.

6. **Use cases addressed by ArcMC**: Configuration Management, Version Management and Monitoring.

7. **Final note on Snapshot Manager**: use VMware Snapshot Manager to return the ArcMC and Logger virtual machines to their initial snapshots for future use.

The document is intended for system administrators and IT professionals responsible for configuring and managing logging systems, and gives a structured approach to configuration management, performance monitoring and troubleshooting of the logging infrastructure.

Details:

The ArcSight Management Center Use Case Demonstration Scripts are provided by Hewlett Packard Enterprise (HPE) for evaluation purposes only. They contain confidential information about HPE's current products, sales, and service programs, must be kept confidential, and may not be shared outside the evaluating party without HPE's authorization. HPE does not guarantee the accuracy or completeness of the information, its use is at the recipient's own risk, and only a definitive agreement signed by both parties can bind HPE to a business relationship. In this context, "solution" refers to the products and services offered by HPE.

The scripts cover ArcMC 2.0 and Logger 6.0 and require two virtual machines to be running. The ArcMC and Logger interfaces are opened in separate browser tabs using the provided addresses; the network settings are VMnet8/NAT with 172.16.100.100 for ArcMC and 172.16.100.117 for Logger. The included PowerPoint slides give visual guidance for navigating the demonstration, and VMware Snapshot Manager is used after the demonstration to return both VMs to their starting state.

To prepare the ArcMC (ArcSight Management Center) and Logger virtual machines for a demonstration, follow these steps:

1. **Download Virtual Machines**: Obtain the `logger6` and `arcmc20` virtual machine files from the provided source. These are pre-configured demo VMs for Logger 6.0 and ArcMC 2.0 respectively.

2. **Modify Host Files**: Update `/etc/hosts` on both machines so that each VM resolves the other by name. Each name must map to the address of the machine it names, consistent with the VMnet8 settings above; a common mistake is to swap the two addresses, which makes ArcMC connect to the wrong host.

  • On `arcmc20`, add an entry mapping `logger6` to the Logger address, `172.16.100.117`.

  • On `logger6`, add an entry mapping `arcmc20` to the ArcMC address, `172.16.100.100`.

3. **Add Logger as a Host in ArcMC**:

  • Log into the ArcMC user interface.

  • Navigate to "Node Management" > "Default" > "Add Host".

  • Enter the hostname/IP (`logger6`), select "Software Form Factor", set the port to 443, and provide the host credentials. The demo VM uses the default `admin`/`password`; these defaults are acceptable only on a throwaway demo VM and must be changed on any system that is reachable by others. Click "Add" followed by "Import".

4. **Snapshot Virtual Machines**:

  • Power off both VMs in VMware Workstation.

  • Take snapshots named "ArcMC Demo" with a description, capturing their current state.

5. **Revert and Start VMs**:

  • Restart the virtual machines from the saved snapshot.

  • The ArcMC VM will start first, followed by the Logger VM. It may take several minutes for the Logger VM to fully boot. During this period, you might not see the logger6 system on the ArcMC home page; be patient as it should appear after about 5 minutes.
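The host-file step above is where demo setups most often go wrong: each VM's `/etc/hosts` must map the peer's name to the peer's address, and a swapped entry is not reported by anything until ArcMC fails to import the Logger. The following Python is an added example, not part of the HPE script: it writes an entry only if it is missing, refuses to leave a name pointing at two different addresses, and cross-checks a hosts file against the VMnet8 addresses the script lists. The file path argument is an assumption so that it can be pointed at a copy for testing rather than at `/etc/hosts` directly.

```python
"""Idempotent hosts entries for the two demo VMs, plus a cross-check for swapped
addresses. Added example; the addresses are the VMnet8 settings from the script."""
import ipaddress
from pathlib import Path

# VMnet8 addresses from the demo's network settings.
DEMO_HOSTS = {"arcmc20": "172.16.100.100", "logger6": "172.16.100.117"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map every hostname/alias in a hosts file to its address (last entry wins)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name] = addr
    return mapping


def ensure_entry(path, hostname: str, addr: str) -> bool:
    """Append `addr hostname` unless an identical entry already exists.

    Returns True if the file was changed. Raises ValueError if the name already
    resolves elsewhere, rather than silently adding a second conflicting line.
    """
    ipaddress.ip_address(addr)  # reject garbage before it reaches the hosts file
    p = Path(path)
    text = p.read_text() if p.exists() else ""
    current = parse_hosts(text)
    if current.get(hostname) == addr:
        return False
    if hostname in current:
        raise ValueError(f"{hostname} already resolves to {current[hostname]}, not {addr}")
    sep = "" if not text or text.endswith("\n") else "\n"
    p.write_text(f"{text}{sep}{addr}\t{hostname}\n")
    return True


def check_peer(path, local_name: str, peer_name: str, expected=DEMO_HOSTS) -> list[str]:
    """Return problems with how the hosts file on `local_name` resolves `peer_name`."""
    mapping = parse_hosts(Path(path).read_text())
    got = mapping.get(peer_name)
    if got is None:
        return [f"{peer_name} is not defined in {path}"]
    if got == expected[local_name]:
        return [f"{peer_name} points at {local_name}'s own address {got} (swapped entry)"]
    if got != expected[peer_name]:
        return [f"{peer_name} resolves to {got}, expected {expected[peer_name]}"]
    return []


if __name__ == "__main__":
    # On arcmc20 this would be run as: ensure_entry("/etc/hosts", "logger6", DEMO_HOSTS["logger6"])
    for problem in check_peer("/etc/hosts", "arcmc20", "logger6"):
        print("hosts check:", problem)
```

Run `check_peer` on each VM for its peer before adding the Logger in ArcMC; an empty list means the name resolves to the address ArcMC will actually connect to on port 443.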

This setup ensures that both VMs are ready for the demonstration, with ArcMC managing the Logger.

The next demonstration shows central configuration management in ArcMC for three items: a Logger search filter, the syslog SmartConnector, and a Logger SmartMessage receiver. The key steps:

1. **Logger Filter Configuration:**

  • The user has a new search filter they want to distribute across all loggers in their environment.

  • They navigate to the ArcMC interface and go to "Configuration Management."

  • They click on "Import" to import an existing configuration, selecting their Logger node.

  • Upon importing, the system displays the imported configurations, allowing modifications such as adding a new search filter.

  • The user selects "Add Property" to add the new search filter and proceeds with the process.

2. **Syslog Connector Configuration:**

  • Import the existing syslog SmartConnector configuration into ArcMC, change the listening port from 514 to 515, select the syslog connector as a subscriber, push the configuration out, and then check the subscriber's compliance status in ArcMC.

3. **Logger SmartMessage Receiver Configuration:**

  • Create a new Logger configuration of type SmartMessage Receiver in ArcMC, add the Logger as a subscriber, and push it out so the receiver is created identically on every subscriber.
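The three items above follow one pattern: import a subscriber's current settings, edit the managed properties, push to subscribers, then read the compliance status. The following Python is an added example that models that pattern offline so the compliance semantics are visible; it is not ArcMC code, and the property names (`syslog.port`, `search_filters`), the sample subscriber state, the sample syslog lines and the regex filter are all constructed for the example. It also shows drift after a push, which is the case the compliance check exists to catch.

```python
"""Import / modify / push / compliance, modelled on the ArcMC demo steps.
Added example; property names, subscriber state and sample events are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    name: str
    kind: str                      # "connector" or "logger"
    properties: dict = field(default_factory=dict)


@dataclass
class ManagedConfig:
    """A centrally managed configuration; only its listed properties are checked."""
    name: str
    kind: str
    properties: dict


def import_config(sub: Subscriber, name: str, keys) -> ManagedConfig:
    """ArcMC 'Import': copy the subscriber's current values for the managed keys."""
    return ManagedConfig(name, sub.kind, {k: sub.properties[k] for k in keys})


def push(config: ManagedConfig, subscribers) -> None:
    """Apply the managed properties to each subscriber of the matching kind.
    A subscriber of the wrong kind is refused rather than silently skipped."""
    for s in subscribers:
        if s.kind != config.kind:
            raise ValueError(f"{s.name} is a {s.kind}, cannot subscribe to a {config.kind} config")
        s.properties.update(config.properties)


def compliance(config: ManagedConfig, subscribers) -> dict:
    """Per-subscriber status plus the properties that differ from the pushed config.
    A list-valued property (e.g. search filters) is compliant when every pushed
    item is present; extra local items are tolerated."""
    report = {}
    for s in subscribers:
        drift = {}
        for key, want in config.properties.items():
            have = s.properties.get(key)
            if isinstance(want, list):
                missing = [x for x in want if x not in (have or [])]
                if missing:
                    drift[key] = {"missing": missing}
            elif have != want:
                drift[key] = {"expected": want, "actual": have}
        report[s.name] = ("Compliant" if not drift else "Non-compliant", drift)
    return report


def run_search(pattern: str, lines) -> list:
    """Run a Regex-type search filter (one of the demo's two filter types) over raw events."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


# Constructed sample events for the search filter.
SAMPLE_EVENTS = [
    "Apr  8 12:00:01 web01 sshd[2211]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Apr  8 12:00:02 web01 sshd[2212]: Accepted publickey for deploy from 10.0.0.9 port 51240 ssh2",
    "Apr  8 12:00:03 web01 sshd[2213]: Failed password for invalid user admin from 10.0.0.5 port 51250 ssh2",
]
FAILED_SSH = r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from \d+\.\d+\.\d+\.\d+"


def demo():
    """Walk the three demo items and return (connector report, logger report, filter hits)."""
    syslog = Subscriber("syslog", "connector", {"syslog.port": 514, "syslog.protocol": "udp"})
    logger6 = Subscriber("logger6", "logger", {"search_filters": ["Failed Logins"]})

    # Item 2: import, change 514 -> 515, push to the syslog connector.
    cfg = import_config(syslog, "Syslog Connector", ["syslog.port"])
    cfg.properties["syslog.port"] = 515
    push(cfg, [syslog])

    # Item 1: distribute a new search filter to the Logger.
    filters = ManagedConfig("Logger Filters", "logger",
                            {"search_filters": ["Failed Logins", "Failed SSH logins"]})
    push(filters, [logger6])

    # Someone edits the connector locally after the push; compliance must catch it.
    syslog.properties["syslog.port"] = 514
    return compliance(cfg, [syslog]), compliance(filters, [logger6]), run_search(FAILED_SSH, SAMPLE_EVENTS)


if __name__ == "__main__":
    for report in demo()[:2]:
        print(report)
```

The drift case at the end of `demo` is the reason to read the compliance status after every push rather than assuming the push succeeded: a locally reverted port shows up as "Non-compliant" with the expected and actual values side by side.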

In summary, the demonstration distributes a search filter by importing an existing Logger configuration into ArcMC, extending it, and pushing it to subscribers.

To create the filter, choose either UnifiedQuery or Regex as the filter type, name it, enter the criteria, and save. Then select the subscribers that should receive the configuration and push it out. Opening the Logger interface of a remote subscriber afterwards shows the new search filter among the existing ones, and searches run with it produce results exactly as if the filter had been created locally.

For the syslog SmartConnector, import the existing configuration into ArcMC, change the port from 514 to 515, select the syslog connector as a subscriber, and push the modified configuration. Then open the compliance status in ArcMC to confirm the subscriber matches the pushed settings. Note that a compliant connector on port 515 receives nothing until the sending devices and any firewall between them and the connector are updated for the new port, so a compliance check should be followed by an EPS check on the connector.

For SmartMessage receivers, create a new Logger configuration of type SmartMessage Receiver in ArcMC, add the subscribers, and push it out, so receivers are defined identically across all managed Loggers.

The remaining text covers confirming the result in the Logger interface and the other configuration types ArcMC can manage:

1. **Logger Interface Navigation**:

  • Complete the push in ArcMC by clicking "Add," "OK," "Push," and "Yes," then open the Logger interface.

  • Once inside the Logger interface, you can see the new SmartMessage receiver.

2. **Configuration Options in ArcMC (ArcSight Management Center)**:

  • In the ArcMC interface, navigate to Configuration and then to Receivers to view examples of receivers that can be centrally managed with ArcMC.

3. **Connector and Configuration Types in ArcMC**:

  • Explore various configuration types available for management, including Connector Configuration (e.g., BlueCoat, FIPS, Map File, Parser Override, Syslog, Windows Unified Connector), Logger Configuration (e.g., Backup Configuration, Filter Configuration, SmartMessage Receiver, Storage Group Configuration, Transport Receiver Configuration), and System Admin Configuration (e.g., Authentication External, Local Password, Session, DNS, Network, NTP, SMTP, SNMP, Users).

4. **Version Management**:

  • The use case demonstrates how to centrally manage the versions of Logger, Connector Appliance, and SmartConnectors using ArcMC.

  • As an example, it shows how to remotely upgrade a SmartConnector.

This summary covers how components are configured through Logger together with ArcMC for centralized administration. The version-management use case shows how to upgrade a SmartConnector remotely from ArcMC:

1. **Accessing the ArcMC Interface**: In the left navigation pane (with entries such as "ArcSight" and "Container 1") you can see all deployed products: the syslog SmartConnector, the hosts `arcmc20` and `logger6`, and the Logger system `logger6`.

2. **Managing Locations**: In production deployments, create locations to logically group hosts, either geographically (e.g., Boston, Chicago) or by business unit (e.g., Sales, Marketing), so that logs from each group of hosts can be managed centrally.

3. **Central Management and Monitoring**: From the ArcMC interface, manage properties, certificates and credentials centrally, and monitor the inbound EPS of remote SmartConnectors.

4. **Upgrading a SmartConnector**:

  • Select the SmartConnector you wish to upgrade (in the demo, the syslog connector hosted on `arcmc20`).

  • Identify its current version (7.0.2.7019) and the desired target version (7.0.3.7052).

  • Initiate the upgrade process by clicking "Upgrade." Follow through with further steps like selecting versions, waiting a few minutes for completion, and confirming the upgrade via the interface.

By following these steps you can manage your SmartConnectors and keep their versions current from ArcMC.

The final use case is monitoring the health of an ArcSight environment from ArcMC. Open the 'Monitoring Summary' page from the ArcMC home screen; it shows graphs and details of issues across the deployed products (SmartConnectors and Loggers), classified with four severities: Healthy, Warning, Critical and Fatal. For a specific Logger or its associated SmartConnector, click the node in the 'Connector Stats' pane or under 'Products' in the left navigation pane.

Notification rules are configured per device type for conditions such as EPS (Events Per Second) falling below a threshold; in the demo the thresholds are 50 EPS inbound for SmartConnectors and 50 EPS out for Loggers, and the Logger was configured to notify when its EPS drops below 50. A drop below the threshold can indicate a failed or misconfigured sending device or a network problem between the syslog-sending devices and the connector. The point is to detect these conditions proactively rather than discovering a gap in the logs later.

The demo also shows a forwarding connector sending events to ArcSight ESM at over 100 EPS, which the script relates to the earlier notification about the syslog SmartConnector receiving fewer than 50 EPS. To investigate, review CPU Usage, JVM Memory, Disk Read and Disk Write for the affected nodes on the Monitoring Summary page.
The default timeframe is the past 4 hours and can be changed to the past day or week.

The three use cases addressed by ArcMC are:

1. Configuration Management: centralized management of configurations for Logger, Connector Appliance, and SmartConnectors.

2. Version Management: centralized management of the versions of Logger, Connector Appliance, and SmartConnectors in the environment.

3. Monitoring: centralized monitoring of Logger, Connector Appliance, and SmartConnectors to track health and performance metrics.

Finally, the script suggests using VMware Snapshot Manager to return the ArcMC and Logger virtual machines to their initial snapshots after the demonstration for future use.
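The EPS rule in the monitoring section is simple to state but has a few details worth getting right: the rate is measured over a window, not per event; silence (zero events) must be the worst case, not an absent data point; and the severity should tell the operator how far below the threshold the device is. The following Python is an added example of such a rule evaluated over constructed events; it is not ArcMC code. The page only states that the rule fires below 50 EPS and that ArcMC uses the four severities, so the bands that map a rate to Warning, Critical or Fatal are an assumption of this example.

```python
"""EPS threshold monitoring with the four ArcMC severities.
Added example, not ArcMC code. Events are constructed; the severity bands are assumed."""
from datetime import datetime, timedelta

# Rule from the demo: notify when a device's EPS drops below 50.
EPS_THRESHOLD = 50.0
WINDOW = timedelta(seconds=60)
# Assumed bands as a fraction of the threshold, checked from best to worst.
BANDS = [(1.0, "Healthy"), (0.5, "Warning"), (0.1, "Critical"), (0.0, "Fatal")]


def eps(events, device: str, now: datetime, window: timedelta = WINDOW) -> float:
    """Events per second for `device` over the half-open window [now - window, now)."""
    start = now - window
    count = sum(1 for dev, ts in events if dev == device and start <= ts < now)
    return count / window.total_seconds()


def severity(rate: float, threshold: float = EPS_THRESHOLD) -> str:
    """Map a rate to a severity; a rate of 0 (device silent) is Fatal, not missing."""
    ratio = rate / threshold
    for floor, label in BANDS:
        if ratio >= floor:
            return label
    return "Fatal"  # only reached for negative rates, which cannot occur


def evaluate(events, devices, now: datetime):
    """Return ({device: (eps, severity)}, [devices that need a notification])."""
    status = {d: (eps(events, d, now), severity(eps(events, d, now))) for d in devices}
    notify = [d for d, (_, sev) in status.items() if sev != "Healthy"]
    return status, notify


def sample_events(now: datetime):
    """Constructed traffic for the last window: the syslog connector receives 100 EPS
    for 20 s and then goes silent; logger6 holds a steady 60 EPS for the whole minute."""
    start = now - WINDOW
    events = [("syslog", start + timedelta(seconds=i / 100)) for i in range(2000)]
    events += [("logger6", start + timedelta(seconds=i / 60)) for i in range(3600)]
    return events


if __name__ == "__main__":
    now = datetime(2025, 4, 8, 12, 0, 0)
    status, notify = evaluate(sample_events(now), ["syslog", "logger6", "forwarder"], now)
    for device, (rate, sev) in status.items():
        print(f"{device:10s} {rate:6.1f} EPS  {sev}")
    print("notify:", notify)
```

The "forwarder" device in the usage has no events at all; it is included to show that a device that has stopped sending is reported as Fatal rather than quietly dropping out of the summary, which is the failure mode the demo's notification rule is meant to surface.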

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have comments or feedback, kindly leave a message and it will be responded to.
