ArcSight External SMTP Configuration
- Pavan Raja

- Apr 8, 2025
Summary:
The document provides a comprehensive guide for configuring HP's ArcSight products, specifically ArcSight Express 4.0, to send external SMTP emails through an external SMTP server such as HostMonster. The steps include verifying network access and authentication capabilities with the chosen SMTP server using telnet, setting up configurations within the ArcSight system, and testing email notifications and reports via SMTP servers for both HostMonster and HP domains. Key instructions cover configuring tcpdump for monitoring SMTP communication, sending test emails from the ArcSight Express console, and verifying notification/report delivery through external SMTP servers. The document also offers troubleshooting tips to ensure successful email setup within the ArcSight solution.
Details:
The document outlines a guide for sending external SMTP emails through HP's ArcSight products, specifically focusing on configuring them to use an external SMTP server for notification and report dispatching from ArcSight Express 4.0. It begins with verifying network access to and authentication capabilities with the chosen SMTP server (in this case, HostMonster) using telnet. The guide provides step-by-step instructions for setting up these configurations as well as troubleshooting steps.
The first section of Step 1 involves testing connectivity to an external SMTP server via telnet to ensure that emails can be sent without authentication over port 25 or alternative ports like 26, which were listed in the original documentation but not confirmed by HostMonster's current configuration for public use as of July 2014.
Step 2 covers configuring ArcSight systems to utilize this external SMTP server. For version 1 of this guide, it is assumed that users are using ArcSight Express 4.0. This section includes optional steps on verifying email transmission from a Linux system via tcpdump and command-line testing within the Express console.
Step 3 focuses on ensuring successful email notifications and reports are sent out from the ArcSight product in question (ArcSight Express 4.0). Lastly, Step 4 is similar but specifically for report emails.
The provided text is an instructional guide on how to manually test sending an email using HP's SMTP server via telnet. Here's a summary of the steps outlined in the text:
1. **Setup**: Connect to the HP network via VPN and use a utility like PuTTY or a *nix command line for telnet. Initiate a connection to the external SMTP server at smtp3.hp.com on port 25.
2. **Introduction**: Greet the SMTP server with either "ehlo" or "helo" commands, using the appropriate mail server name (e.g., "helo localhost" for HP servers).
3. **Authentication**: No additional authentication is required to use the HP SMTP server.
4. **Composing Email**: Use the following syntax to create and send an email:
   - `mail from:`
   - `rcpt to:`
   - `data` (enter data mode)
   - Compose the email with headers such as "From:", "To:", "Subject:", and the body content. End the message with a single period (".").
5. **Sending Email**: The server replies with a confirmation that the email was accepted and sent.
6. **Ending Session**: Type "quit" to close the telnet session.
7. **Configuring ArcSight Products**: This section is not summarized as it discusses configuring ArcSight Logger, Express, and ESM products for external SMTP use, which would require specific details from the original source mentioned (“AE_ArcSightConsoleGuide_4.0_CORRE.pdf”).
In summary, this guide provides a step-by-step process to manually test email sending capabilities using HP's SMTP server through telnet, and includes information on configuring ArcSight products for external email usage.
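The manual telnet test above can be scripted so that the reply code at each step is recorded and the capabilities advertised in the EHLO reply are captured. The following Python sketch is an added example, not part of the original guide or of any ArcSight tooling; the function names, the `example.test` addresses and the server replies in the demo are constructed for illustration.

```python
import io
import socket

def read_reply(f):
    """Read one SMTP reply; multi-line replies use 'NNN-' until the final 'NNN '."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(line)
        if line[3:4] != "-":
            return int(line[:3]), lines

def dialogue(f, sender, rcpt, helo_name="localhost"):
    """Replay the telnet steps on an open stream; stop at the first unexpected reply."""
    body = f"From: {sender}\r\nTo: {rcpt}\r\nSubject: ArcSight SMTP test\r\n\r\ntest\r\n."
    script = [("banner", None, 220), ("ehlo", f"ehlo {helo_name}", 250),
              ("mail from", f"mail from:<{sender}>", 250), ("rcpt to", f"rcpt to:<{rcpt}>", 250),
              ("data", "data", 354), ("message", body, 250)]
    result = {"steps": [], "caps": {}, "accepted": False}
    for step, command, expected in script:
        if command is not None:
            f.write(command.encode("ascii") + b"\r\n")
            f.flush()
        code, lines = read_reply(f)
        result["steps"].append((step, code))
        if code != expected:
            break  # e.g. the server demands authentication before "mail from"
        if step == "ehlo":  # lines after the first carry capability keywords
            words = (line[4:].split() for line in lines[1:])
            result["caps"] = {w[0].upper(): w[1:] for w in words if w}
    else:
        result["accepted"] = True  # every step through end-of-data succeeded
    f.write(b"quit\r\n")
    f.flush()
    return result

def smtp_test(host, port, sender, rcpt):
    """Open the same TCP connection 'telnet host port' would and run the dialogue."""
    with socket.create_connection((host, port), timeout=15) as s, s.makefile("rwb") as f:
        return dialogue(f, sender, rcpt)

if __name__ == "__main__":
    # Constructed server replies (not captured from a real host) for an offline run.
    replies = (b"220 mx.example.test ESMTP\r\n250-mx.example.test\r\n250-AUTH PLAIN LOGIN\r\n"
               b"250 STARTTLS\r\n250 OK\r\n250 OK\r\n354 End data with .\r\n250 queued\r\n")
    stream = io.BufferedRWPair(io.BytesIO(replies), io.BytesIO())
    print(dialogue(stream, "arcsight@example.test", "analyst@example.test"))
```

Against a live server, call `smtp_test(host, port, sender, rcpt)` with addresses you control. If `caps` lists `AUTH` with PLAIN or LOGIN but no `STARTTLS`, credentials sent on that port are only base64-encoded, not encrypted.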
This document outlines the steps to configure ArcSight Manager via an SSH session, with corresponding GUI actions described in brackets where applicable. The process involves navigating to a specific directory and running a setup script, followed by several configuration prompts that are managed through user input or selection within graphical interfaces. Key configurations include setting up a manager host name and port, handling Java heap memory, configuring SMTP settings for notifications, defining ArcSight Web server details, managing asset creation, and restarting the service to apply changes. The final steps involve verifying email setup by testing outgoing emails and checking log files for related output.
For GUI-based installations, specific screens are described where inputs can be made for each prompt during configuration. These include selecting authentication methods, configuring SMTP servers, setting up notification acknowledgements, defining ArcSight Web server details, and managing asset creation settings. Upon completion of these configurations, the service is restarted to apply the changes; output related to the email configuration steps can be found in the specified log files. The document also provides instructions for checking service status and restarting the manager service after SMTP configuration has been defined.
This document outlines several steps to test outbound email functionality within the ArcSight solution using various products including Logger, Express, and ESM. The instructions focus on testing notifications and reports via SMTP server for both HostMonster and HP domains. Key steps include configuring tcpdump for network monitoring of SMTP communication, sending test emails from the ArcSight Express console, and verifying notification/report delivery through external SMTP servers.
This process involves accessing a specific report within ArcSight Console, such as the PCI Terminated User report. Follow these steps to generate and email the report:
1. Navigate to the report by clicking on it (e.g., PCI Terminated User in section 8).
2. Select "Run > Report" from the menu.
3. On the report parameters page, under the email options:
   - For "Email to:", select Console users or enter the specific email addresses that should receive the report. The recipient's information will be based on their user profile in the Users resource (using the email defined for each user).
   - If sending to multiple recipients, only their username appears in the "To" field.
   - By default, an email is sent even if the report is empty.
   - For "Email Addresses:", enter one or more email addresses separated by commas or semicolons. This method does not require that the recipient be a Console user and will only show their email address in the "To" field.
   - Choose between sending a URL for web access, attaching the report file (PDF, XLS, RTF, CSV), or embedding the report directly into the email body (only for CSV and HTML formats).
   - Specify a subject line for the email notification; it defaults to the report's name but can be customized.
4. Select desired parameters and click "OK" to run the report and send the email as configured. If an ArcSight Console user did not receive the email, double-check their email address in the system settings.
