Cisco NAC Syslog FlexConnector
- Pavan Raja

- Apr 8, 2025
Summary:
This document provides a step-by-step guide to configure the Cisco NAC Syslog Flex Connector (Smart Connector) for ArcSight ESM. The process involves verifying that ArcSight ESM is installed correctly, installing the Smart Connector via the installer executable or CD, configuring it with necessary parameters, and mapping Cisco NAC events to appropriate ArcSight data fields. It also covers installation and uninstallation procedures, troubleshooting tips, and connector labeling details.
Details:
This document outlines a configuration guide for the Cisco NAC Syslog FlexConnector (SmartConnector), which parses and processes Cisco NAC log information received from syslog files or a syslog daemon and reports events that do not conform to the specified formats. The SmartConnector is based on provided sample logs, and it writes any discrepancies to a designated log file for further investigation.
Install the SmartConnector only after verifying that ArcSight ESM (Enterprise Security Manager) has been installed correctly, and install the components in a specific order. The sequence is:
1. Installing the ArcSight Manager and Console.
2. Ensuring the ArcSight Manager has successfully started by checking logs or monitoring the service log file.
3. Running the ArcSight Console, which is optional but helpful for verification during SmartConnector installation.
4. Following the "SmartConnector Product and Platform Support" guide for OS and platform compatibility details.
5. Inserting the ArcSight Installation CD into the drive or navigating to the appropriate directory to access the SmartConnector Installer executable file.
6. Installing the software by running the installer executable file on the local machine, which will confirm successful installation upon completion.
To configure the SmartConnector for use with an ArcSight Manager, follow these steps:
1. **Complete Installation**: After installing the software, read any information on the Install Complete window and click 'Done'.
2. **Access Configuration Wizard**: The SmartConnector Configuration Wizard will appear to assist in configuration.
3. **Select Destination Type**: In the Wizard, choose 'ArcSight Manager (encrypted)' as the destination type and click 'Next'.
4. **Certificate Information**: Provide information about whether your ArcSight Manager is using a demo certificate or not; select 'Yes' if it is using a demo certificate. Click 'Next'.
5. **Enter Manager Host Name and Port**: Input the necessary details for the host name and port, then click 'Next'.
6. **Credentials Entry**: Enter a valid username and password that you set during ArcSight Manager installation; these should be consistent with your setup. Click 'Next'.
7. **Select SmartConnector to Configure**: From the list provided by the Wizard, select 'Syslog Daemon' and click 'Next'.
8. **Configure Parameters**: Provide required parameters for the Syslog Daemon SmartConnector:
   - Network Port (port where syslog will listen)
   - IP Address (address where syslog will listen)
   - Protocol (UDP/Raw TCP)
9. **Name Your SmartConnector**: Assign a name to your connector and provide additional information about its role in your environment. Click 'Next'.
10. **Review Summary**: Review the summary of your configuration settings, make any necessary adjustments by clicking 'Back' if needed, then click 'Next'.
11. **Completion and Service Configuration**: Once configured, the Wizard will prompt you to choose whether to run the SmartConnector as a stand-alone application or as a service. If choosing the latter, define service parameters including protected storage dependencies for SSL use. Click 'Next' to finalize the configuration.
This process ensures that your SmartConnector is properly set up to communicate securely with your ArcSight Manager using Syslog Daemon functionality.
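To check that the listener configured in step 8 is reachable on its IP address, port and protocol, the following sketch sends one syslog-style test line. It is an added example, not part of the ArcSight guide or the connector; the function names, the hostname `nac-test` and the test message are constructed for illustration, and `loopback_check` uses a stand-in listener on 127.0.0.1 so the script can be validated offline.

```python
import socket
from datetime import datetime

def build_syslog_message(hostname, tag, text, facility=16, severity=6):
    """BSD-syslog style line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}"

def send_test_event(ip, port, protocol, message, timeout=3.0):
    """Send one line to the listener set in step 8. False = TCP connect failed."""
    data = message.encode("ascii", "replace")
    proto = protocol.strip().upper()
    if proto == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (ip, port))
        return True  # UDP is unacknowledged: a drop at a firewall is silent
    if proto in ("RAW TCP", "TCP"):
        try:
            with socket.create_connection((ip, port), timeout=timeout) as s:
                s.sendall(data + b"\n")
            return True
        except OSError:
            return False  # refused or timed out: listener down or port blocked
    raise ValueError(f"unsupported protocol: {protocol!r}")

def loopback_check(protocol):
    """Exercise the sender against a stand-in listener on 127.0.0.1
    (not the SmartConnector) so the script can be validated offline."""
    is_udp = protocol.strip().upper() == "UDP"
    kind = socket.SOCK_DGRAM if is_udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port
        srv.settimeout(3.0)
        if not is_udp:
            srv.listen(1)
        port = srv.getsockname()[1]
        msg = build_syslog_message("nac-test", "connector-check", "constructed test event")
        sent = send_test_event("127.0.0.1", port, protocol, msg)
        if is_udp:
            data = srv.recv(4096)
        else:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
        return sent, data.decode("ascii").rstrip("\n") == msg

if __name__ == "__main__":
    for proto in ("UDP", "Raw TCP"):
        print(proto, loopback_check(proto))
```

Against a real connector, call `send_test_event` with the values entered in the wizard. For UDP a `True` result only means the datagram left the host, so confirm arrival on the connector side.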
The guide covers how to install and uninstall the SmartConnector, with Cisco NAC (Network Admission Control) as the focus. The installation process involves starting the protected storage automatically, configuring settings through a wizard, and copying specific files to designated directories under $ArcSight_Home/user/agent. After successful setup, users are advised to save their work, shut down running applications, and restart the system if required by the SmartConnector.
The uninstallation process starts with stopping the SmartConnector service or daemon. On Windows systems, navigate to the Start menu and use the Uninstall SmartConnectors program; on Unix hosts, use the ARCSIGHT_HOME\UninstallerData folder. For specific instructions, refer to the ArcSight ESM Installation and Configuration Guide.
The document also includes a table detailing how Cisco NAC events map to ArcSight data fields, providing a reference for event interpretation within the ArcSight platform.
The document describes a Cisco NAC (Network Admission Control) Syslog Flex Connector used in ArcSight for event collection and management. Key details extracted from messages include login time, last access time/update scheduled, device severity, name of the event, event class ID, action, message content, destination and source MAC/IP addresses, usernames, custom strings (group, modified items, provider, role, OS version, updated version), and specific updates mentioned as "Updated Items" and "Installed Items." The connector is labeled with details like device vendor, product, and a reference number. It includes troubleshooting notes for both Syslog Daemon and File/Pipe configurations, emphasizing network port firewall setup and log file access requirements.
