HP ArcMC Use Case Demonstration Script

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The document is a script for demonstrating HP ArcSight Management Center (ArcMC) and Logger functionalities using virtual machines. It outlines steps to set up the demonstration environment, configure management, version management, and monitor capabilities of both products. Key points include setting up VMware Snapshot Manager, configuring virtual machines with specific IP addresses, navigating browser tabs for access, and handling confidentiality, disclaimer, use case specifics, and documentation limitations. The script includes detailed instructions on how to add a new search filter in ArcMC, change syslog ports centrally, configure Logger SmartMessage receivers, upgrade SmartConnectors, and monitor systems through ArcMC. This guide aims to facilitate demonstrating HP's ArcSight Management Center products effectively.

Details:

The provided document is a script for demonstrating HP ArcSight Management Center (ArcMC) and Logger functionalities. It outlines a series of steps to be followed using virtual machines, including the setup process, configuration management, version management, and monitoring capabilities of both products. The script also includes instructions on how to access and navigate through the demonstration environment, as well as reference information about the required hardware and software components. Key points from the document include:

  • **Purpose**: This script is intended for demonstrating the features and functionalities of HP ArcSight Management Center (ArcMC) 2.0 and Logger 5.5. It requires two virtual machines, which should be started prior to proceeding with the demonstration.

  • **Virtual Machines Setup**: The use case involves using VMnet8/NAT networking settings where ArcMC is accessible via IP address 172.16.100.100 and Logger at 172.16.100.117. Users need to open two tabs in their browser to log into both systems (ArcMC and Logger).

  • **Required Demonstration Tools**: The script specifies that the demonstration will use HP ArcMC Use Case Demonstration Script - Screenshots.pptx, which likely contains visual aids or step-by-step screenshots for reference during the demo.

  • **Confidentiality Notice**: The document is marked as confidential and should not be reproduced or disclosed outside of the evaluation team without permission from Hewlett-Packard Company. This notice underscores the importance of handling proprietary information responsibly.

  • **Disclaimer**: Information provided in this document is believed to be accurate based on current knowledge but does not guarantee compatibility with specific customer environments, nor does it imply a contractual commitment for support or maintenance by HP.

  • **Use Case Specifics**: The script focuses on ArcMC and Logger functionalities without delving into broader solutions such as enterprise security management platforms offered by HP, which might include additional products like Security Analytics software.

  • **Documentation Limitation**: This document is intended solely for evaluation purposes and does not constitute a formal agreement or contract between the parties; contractual obligations would require an executed written agreement signed by authorized representatives of both parties.

This script serves as a guide for those tasked with demonstrating HP's ArcSight Management Center products, providing step-by-step instructions on how to present and interact with these tools in a controlled environment.

The article outlines a procedure for setting up VMware Snapshot Manager to ensure two virtual machines, ArcMC and Logger, are ready for a demonstration. It explains how to configure these machines by downloading them, adding hostnames and IP addresses, regenerating SSL certificates, importing configurations, and taking snapshots. The setup is crucial as it facilitates centralized configuration management of Loggers, Connector Appliances, and SmartConnectors via ArcMC, allowing for the distribution and updating of filters, syslog connectors, and smart message receivers across multiple systems from a single interface in ArcMC.

To add a new search filter in ArcSight Management Center (ArcMC):

1. **Click Edit** and then select **Add Property**.

2. **Give it a simple name**, such as "UnifiedQuery", and set the **Filter Type** to **UnifiedQuery**. You can also choose **Regex** if needed.

3. **Enter the search filter criteria**, for example: `netflow | top destinationPort`.

4. **Save the configuration** by clicking the save icon or button.

5. **Select the subscribers** who should receive this configuration, typically Logger SmartConnectors. Add them using the steps provided below:

  • Click on **Subscribers**.

  • Click **Add Subscribers**.

  • Select and add the appropriate Logger SmartConnector(s) from the list.

6. **Push the configuration out to subscribers** by clicking **Push**, then confirm with **Yes** and **OK**.

7. In the Logger interface, you can now see the new search filter under **Configuration > Settings > Filters**. You can run a search using this newly distributed filter.

To change the syslog port from 514 to 515 centrally in all syslog SmartConnectors:

1. Open a terminal or SSH session and check if any syslog SmartConnector is listening on port 514 by running `netstat -au -n | grep 514`.

2. In the ArcMC interface, navigate to **Configuration Management > Import**.

3. Select the existing syslog SmartConnector configuration and import it.

4. On the imported configuration page, click **Details** for the Syslog Connector.

5. Change the port from 514 to 515 under the **Edit** section.

6. Save the changes by clicking **Save**, then confirm with **OK**.

7. Add the syslog SmartConnector as a subscriber and push the configuration out by following steps similar to adding a new search filter, using the same process outlined in the Logger interface section above.

8. Verify the change by checking compliance status or running `netstat -au -n | grep 515` in the terminal/SSH session.

For SmartMessage receivers:

1. In the ArcMC interface under **Configuration Management**, click on **New configuration** and select **Logger SmartMessage Receive**.

2. Configure the new Logger SmartMessage receiver as needed, including naming consistency if required.

3. Add subscribers (Loggers) to receive this configuration.

4. Push the configuration out by clicking **Push**, then confirm with **Yes** and **OK**.

This document outlines the process of configuring and managing various components in HP ArcSight using ArcMC (ArcSight Management Center). The primary focus is on setting up a Logger with a SmartMessage receiver, upgrading a SmartConnector version, and monitoring systems. Here's a summarized breakdown of the key steps and actions described:

1. **Logger Configuration:**

  • Create a new configuration named "Logger" with a SmartMessage receiver.

  • Enable the receiver, set encoding to UTF-8, save, and proceed to click OK.

  • Navigate to Subscribers and add a subscriber to //Default/vmlogger-ca/Logger.

  • Click Add and then OK to complete the setup. Push changes and confirm by clicking Yes and OK.

  • Upon returning to the Logger interface, verify that the new SmartMessage receiver is visible.

2. **Version Management:**

  • In ArcMC, navigate to Node Management and expand Default to view deployed HP ArcSight products.

  • Select the SmartConnector you want to upgrade (e.g., arcmc20).

  • Expand Container 1 and click Default, then select the SmartConnector for upgrade.

  • Initiate the upgrade process by selecting the current version (7.0.2.7019) and the desired version (7.0.3.7052), followed by clicking Next and confirming the upgrade.

  • Monitor the status, which should show a short wait time (~2 minutes) for completion.

3. **Monitoring:**

  • Use ArcMC to centrally monitor SmartConnectors and Logger instances.

  • Check properties, certificates, credentials, and logs remotely through the interface.
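
The syslog port change above is verified with `netstat -au -n | grep 514` and `grep 515`, which match any line containing those digits (for example a listener on 5514). The following is an added example, not part of the original demo script, that compares the local-port column exactly; the function names and the sample `netstat` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match check for the syslog port move (514 -> 515).

# udp_port_bound PORT
# Reads `netstat -au -n` output on stdin and succeeds only if some UDP
# socket's local port is exactly PORT (works for IPv4 and IPv6 rows).
udp_port_bound() {
    awk -v port="$1" '
        $1 ~ /^udp/ {
            n = split($4, part, ":")      # local address is column 4
            if (part[n] == port) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_port_move OLD NEW
# Reads one netstat snapshot on stdin. Returns 0 when OLD is no longer
# bound and NEW is bound, 1 when OLD is still bound, 2 when NEW is missing.
check_port_move() {
    old=$1; new=$2
    snapshot=$(cat)
    if printf '%s\n' "$snapshot" | udp_port_bound "$old"; then
        echo "FAIL: still listening on UDP $old"; return 1
    fi
    if ! printf '%s\n' "$snapshot" | udp_port_bound "$new"; then
        echo "FAIL: nothing listening on UDP $new"; return 2
    fi
    echo "OK: syslog listener moved from UDP $old to UDP $new"
}

# Constructed sample output (not captured from a real system).
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:5514            0.0.0.0:*'

SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:515             0.0.0.0:*
udp6       0      0 :::515                  :::*
udp        0      0 0.0.0.0:5514            0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | check_port_move 514 515 || true
printf '%s\n' "$SAMPLE_AFTER"  | check_port_move 514 515
# On the connector host: netstat -au -n | check_port_move 514 515
```

On the "after" sample a plain `grep 514` still prints the 5514 line, so it would suggest the old port is in use when it is not.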

This document provides a comprehensive guide on how to configure, upgrade, and monitor various components of HP ArcSight using ArcMC, ensuring centralized management and efficient operation of your security information and event management (SIEM) environment.

The document describes how to use the ArcMC interface to monitor and manage HP ArcSight solutions in an environment, focusing on centralized configuration management, version management, and monitoring. Key steps include navigating through the ArcMC interface to view health statuses, configuring notifications for specific EPS thresholds (such as below 50 EPS for SmartConnectors or below 100 EPS for Loggers), and drilling down into detailed issues to investigate further. The document also highlights how ArcMC provides graphical representations of issues for visual monitoring and offers customizable configuration options based on the environment's needs, such as changing the default timeframe from past four hours to a full day or week. Lastly, it concludes by emphasizing that ArcMC serves multiple purposes including centralized management and monitoring across Logger, Connector Appliance, and SmartConnectors.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
