
Installation Steps for ArcSight Proof of Concept Equipment

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This document outlines a set of procedures for installing and updating components on an ArcSight Express 4.0 Virtual Appliance (VA). It covers time zone settings, service management, and software upgrades:

1. **Time Zone Settings:**

  • For RHEL 6.4 and 6.5, use `tzdata-2014f-1.el6.noarch.rpm` or a later version. Install it using the command `rpm -Uvh `.

  • Verify that `/etc/localtime` points to a valid time zone by running `ls -altrh /etc/localtime`. It should show a symlink pointing to `/usr/share/zoneinfo/`. If not, correct it manually.

  • Post-installation setup involves updating the time zone as root using the command `/opt/arcsight/manager/bin/arcsight tzupdater /opt/arcsight /opt/arcsight/manager/lib/jre-tools/tzupdater`. Ensure all ArcSight services are shut down before this process and restarted after it.

2. **Appendix F - Upgrading ESM 6.8 to ESM 6.8 patch 1:**

  • Log in as root and close any open configuration wizards.

  • Stop all ArcSight services using `/etc/init.d/arcsight_services stop all`.

  • Remove ArcSight services with `sh /opt/arcsight/manager/bin/remove_services.sh`.

  • Run the upgrade script `./ArcSightESMSuitePatch.bin` as user arcsight.

  • Re-enable and start ArcSight services with `sh /opt/arcsight/suite/bin/runAsRoot.sh`.

3. **Appendix G - Installing Activate Framework (FosWiki + Base/L1/L2 Packages):**

  • Upgrade CentOS to version 6.5 if necessary.

  • Install EPEL release: `rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm`.

  • Configure yum repositories by downloading the Foswiki repo file to `/etc/yum.repos.d/`: `curl http://fosiki.com/Foswiki_rpms/foswiki.repo > foswiki.repo`.

  • Install FosWiki and required plugins: `yum install foswiki foswiki-workflowplugin foswiki-jscalendarcontrib foswiki-ldapcontrib`.

  • Configure the firewall for TCP 443 by editing `/etc/sysconfig/iptables` and restarting the service: `service iptables restart`.

  • Untar the wiki content to `/var/lib/foswiki/`: `cd /var/lib/foswiki/; tar -zxvf activate-wiki.tar.gz`.

  • Set correct ownership for Apache: `chown -R apache:apache /var/lib/foswiki/data/; chown -R apache:apache /var/lib/foswiki/pub/`.

  • Access the wiki via the browser as directed by error messages.

These steps are crucial for maintaining and updating the ArcSight VA, ensuring that all components work correctly with updated time zones and software versions.

Details:

This document outlines the initial setup steps for ACME's HP ArcSight Appliances and Logger VM, focusing on version control and specific information related to the environment. It covers setting up HP ArcSight Express 4.0 as a physical appliance and configuring it using the First Boot Wizard. Additionally, it details how to configure HP ArcSight ArcMC 2.0 Connector Server (using an HP ProLiant DL360p Server) and deploy the HP ArcSight Logger 6.0 VM onto a VMware ESX server. Key specifications for CPU, memory, and disk space are provided, noting that some settings come pre-configured from the VM template install.

The document outlines the steps for installing and configuring Logger 6.0, a software component of HP's ArcSight system. Here's a summary of the key points:

1. **Preparation**: Ensure there is sufficient space in the Software Logger installation directory, with specific allowances made for the root partition (400 GB) and temporary storage (1 GB). Note that using NFS as primary event storage is not recommended. Download the package either from HP SSO or an FTP link provided.

2. **Deployment**: Deploy the downloaded OVA file into VMware ESX by using the VMware vSphere Client. It's crucial not to boot the VM immediately; instead, configure it properly with initial hardware and network settings.

3. **Installation**: After deployment, start the installation of Logger 6.0. This involves starting the Logger service and performing initial configuration on an OS level (setting user information, date/time, IP address, and hostname). The new disk will be auto-partitioned, formatted, and mounted automatically at `/opt/arcsight/logger/data`.

4. **Upgrade to Logger 6.1**: If upgrading from a previous version, follow specific steps for the upgrade process. Ensure proper ownership of the data directory (`chown -R arcsight:arcsight /opt/arcsight/logger/data`) and update the `/etc/fstab` file to include the new partition using its UUID.

5. **Appendix**: Information on HP iLO 3 configuration, which is an embedded management feature for ArcSight appliances. This involves enabling, setting up, and accessing the iLO 3 web interface via a browser using HTTPS.

This document provides detailed instructions for deploying and configuring Logger 6.0 within the ArcSight ecosystem, including initial setup and necessary configurations after installation or upgrade.

This passage discusses HP iLO 3 functionality and its support for certain ArcSight products. The iLO 3 provides remote management capabilities, accessible via a web interface, even when the server's main power switch is off. It supports specific ArcSight models including L7400-SAN, N5400, C5400, C3400, L7400, M7400, E7400, and E7400. The iLO 3 has a separate LAN port labeled 'ilo' which acquires an IP address based on DHCP settings or static configuration. To access the iLO 3 interface, users need to configure it with a network interface; access is protected by a username/password combination. By default, there is an Administrator account preconfigured with a randomly generated password provided on the device's front panel; ArcSight recommends creating additional admin user accounts for enhanced security and management flexibility.

The article outlines the setup and configuration process for HP Integrated Lights-Out (iLO) 3 on ArcSight appliances, emphasizing its relevance for troubleshooting and debugging functionalities. To configure iLO 3, follow these steps:

1. **Reboot the Appliance**: Restart the appliance as per the product documentation instructions.

2. **Monitor POST Announcement**: Watch for the POST announcement on the monitor; look for a prompt to press F8 to access the Integrated Lights-Out menu.

3. **Disable DHCP**: In the Integrated Lights-Out menu, navigate to Set network > DNS/DHCP and disable DHCP by setting it to OFF using the space bar. Press

to save this setting.

4. **Set Static IP Addresses**: For more advanced setups like configuring DNS servers, press

. To set up a static IP address for the iLO3 interface:

  • Select Network NIC and TCP/IP option from the menu.

  • Enter the desired IP address, subnet mask, and gateway settings.

  • Save these by pressing .

5. **Create Additional User (Optional)**: While not strictly necessary as iLO 3 comes preconfigured with an Administrator, you can create a new user named 'admin' if needed:

  • Navigate to User > Add > Add user.

  • Set all administrator privileges to Yes for this user.

6. **Exit and Save Settings**: After making changes, confirm your exit by selecting File > exit. You will be prompted with a confirmation message; press

for Ok.

This setup ensures that the iLO 3 is configured appropriately for managing power settings, remote console access, and other troubleshooting features crucial for ArcSight appliances.

To access the HP iLO 3 remote console for your appliance, follow these steps:

1. Open a web browser and enter the IP address assigned to the HP iLO 3.

2. Confirm the SSL security warning.

3. Log in using the default administrator account or the credentials you set up during configuration.

4. In the remote console section, choose between Integrated Remote Console (using Microsoft Internet Explorer or Mozilla Firefox) or Java Integrated Remote Console, which requires a Java Virtual Machine (JVM).

5. Select Java Integrated Remote Console to access the system KVM session via a Java applet.

Additionally:

  • Refer to Appendix B for uninstalling RepSM 1.0 before proceeding with RepSM 1.53, but do not follow the solution guides for versions 1.51, 1.52, or 1.53 yet.

  • For deploying HP ArcSight Express 4.0 (Virtual Appliance), ensure you have at least 12 GB of memory and approximately 2 TB of disk space available. Allocate as many CPU resources as possible, since it is a correlation engine requiring intensive computing power. Download the OVA file from the specified location:

  • Filename: B7500_B1312_1800GB_V8.ova

  • FTP link: ftp://hansel:hp=ESP+1@h2.usa.hp.com/dir000/ArcSight_installers/AE_4.0_Virtual_Appliance/

  • Alternatively, use the HTTPS link provided in the Appendix C description.

The document outlines a series of instructions for deploying and upgrading an ArcSight Express (AE) virtual appliance using VMware vSphere Client, and details specific procedures for upgrading from CentOS 6.2 to CentOS 6.5. Here's a summarized breakdown of the steps mentioned:

1. **Deployment via VMware vSphere Client:**

  • Access the URL provided and log in with the username "hansel" and password "hp=ESP+1".

  • Navigate to the specified folder "/dir000/ArcSight_installers/AE_4.0_Virtual_Appliance/" where the OVA file is located.

  • Deploy the OVA file using VMware vSphere Client.

  • Configure ArcSight Express by performing the First Boot Wizard, following the provided configuration steps from Step #1 in the document "ArcSight Express 4.0 Initial Configuration".

2. **Upgrading CentOS 6.2 to CentOS 6.5:**

  • Before starting this procedure, take a snapshot of the VM or create a backup of "/opt/arcsight" if taking a snapshot is not possible.

  • Stop all ArcSight services by running `/sbin/service arcsight_services stop all`.

  • Switch to the root user using `su - root` and then switch back to the arcsight user with `su - arcsight`.

  • Ensure the upgrade script (`mv_boot_partition_to_root.pl`) has executable permissions by running `chmod +x mv_boot_partition_to_root.pl`.

  • Execute the script: `./mv_boot_partition_to_root.pl` and follow prompts, including rebooting after the script completion.

  • After reboot, stop all ArcSight services again and switch to the root user.

  • Extract the upgrade archive (`ae-centos62-to-centos65-upgrade.tar.gz`) in the same directory: `/bin/tar zxvf ae-centos62-to-centos65-upgrade.tar.gz`.

  • Navigate to the extracted folder and run `./osupgrade.sh` for the actual upgrade process.

3. **Install Time Zone Package (Appendix E):**

  • This section, though cut off in the provided text, would typically outline steps specific to installing the time zone package as part of the setup or update process for the ArcSight Express appliance.

This summary aims to provide a concise overview of key actions and procedures detailed in the original document, focusing on deployment and system upgrade tasks related to the ArcSight Express virtual appliance.

The text provides a guide on how to update the time zone and handle changes in operating systems that may affect time zones or switch between standard and daylight saving time. Here's a summarized version of the key points:

1. **Time Zone Update Package Installation**:

  • During installation, the system checks if the appropriate operating system time zone package is installed. If not, it offers two options: to exit the installer for installing the latest OS timezone update or continue without updating and skip the timezone setting for ESM components. It's recommended to install the time zone update.

2. **Specific Package for RHEL 6.4/6.5**:

  • For versions RHEL 6.4 and 6.5, use tzdata-2014f-1.el6.noarch.rpm or any later version. Install it using the command `rpm -Uvh `.

3. **Verifying /etc/localtime**:

  • Ensure that `/etc/localtime` points to a valid time zone. Verify this by running `ls -altrh /etc/localtime`, which should show something like `lrwxrwxrwx. 1 root root 39 Nov 27 08:28 /etc/localtime -> /usr/share/zoneinfo/`. If not, correct it manually as per the instructions provided.

4. **Post-Installation Setup**:

  • After completing the installation of the time zone package and ensuring that `/etc/localtime` is correctly set:

  • As user arcsight, shut down all ArcSight services using `killAllFast`.

  • As root, run the command `/opt/arcsight/manager/bin/arcsight tzupdater /opt/arcsight /opt/arcsight/manager/lib/jre-tools/tzupdater` to update the time zone.

  • Monitor for any failures during this process and restart all ArcSight services afterward.
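The `/etc/localtime` check from step 3, as an added shell example that is not part of the original document: `check_localtime` is a hypothetical helper name, and the demo at the end runs against a constructed directory tree rather than the real system paths.

```shell
#!/bin/sh
# Added example: confirm that a localtime path is a symlink resolving to an
# existing file inside the zoneinfo tree. check_localtime is a hypothetical
# helper; its defaults are the paths named on this page.
check_localtime() {
    local link="${1:-/etc/localtime}"
    local zoneroot="${2:-/usr/share/zoneinfo}"
    local target

    if [ ! -d "$zoneroot" ]; then
        echo "FAIL: $zoneroot does not exist (is the tzdata package installed?)"
        return 1
    fi
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"
        return 1
    fi
    # readlink -f follows the whole link chain; a dangling link may still
    # print a path, so the -f test below is what proves the zone file exists.
    target=$(readlink -f "$link") || target=""
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: $link points to a missing file"
        return 1
    fi
    zoneroot=$(readlink -f "$zoneroot")
    case "$target" in
        "$zoneroot"/*) echo "OK: $link -> $target"; return 0 ;;
        *) echo "FAIL: $target is outside $zoneroot"; return 1 ;;
    esac
}

# Constructed demo tree, so the check runs without touching the real system.
demo=$(mktemp -d)
mkdir -p "$demo/zoneinfo/Europe"
: > "$demo/zoneinfo/Europe/Berlin"
ln -s "$demo/zoneinfo/Europe/Berlin" "$demo/localtime"
check_localtime "$demo/localtime" "$demo/zoneinfo"
rm -rf "$demo"
```

On the appliance itself, calling `check_localtime` with no arguments checks `/etc/localtime` against `/usr/share/zoneinfo`.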

This guide ensures that your system correctly handles time zones, which is crucial for applications like ArcSight that may be affected by changes in timezone settings.

Appendix F and Appendix G provide detailed instructions for installing and upgrading components on an ArcSight Express 4.0 Virtual Appliance (VA). Here's a summarized version of the key steps in both appendices:

**Appendix F - Upgrade ESM 6.8 to ESM 6.8 patch 1:**

1. **Boot into AE 4.0 VA:** The system will automatically log in as root.

2. **Close the Configuration Wizard:** If it appears, close it.

3. **Stop ArcSight services:** As user arcsight, run: `/etc/init.d/arcsight_services stop all`

4. **Remove ArcSight services:** As root, execute: `sh /opt/arcsight/manager/bin/remove_services.sh`

5. **Extract and install the patch:**

  • As user arcsight, run: `./ArcSightESMSuitePatch.bin`

6. **Setup and start services:** As root, run: `sh /opt/arcsight/suite/bin/runAsRoot.sh`

**Appendix G - Install Activate Framework (FosWiki + Base/L1/L2 Packages):**

1. **Upgrade CentOS to minimum required version for foswiki installation (6.5).**

2. **Install necessary packages:**

3. **Configure yum repositories:**

4. **Install FosWiki and plugins:**

  • Run: `yum install foswiki foswiki-workflowplugin foswiki-jscalendarcontrib foswiki-ldapcontrib`

5. **Configure firewall for TCP 443:**

  • Edit `/etc/sysconfig/iptables` to add TCP 443, then restart the service: `service iptables restart`

6. **Untar Wiki Content:**

  • Navigate to `/var/lib/foswiki/`: `cd /var/lib/foswiki/`, then run: `tar -zxvf activate-wiki.tar.gz`

7. **Set correct ownership for Apache:**

  • Run: `chown -R apache:apache /var/lib/foswiki/data/` and `chown -R apache:apache /var/lib/foswiki/pub/`

8. **Browse to the Wiki:** Access the wiki via the browser as explained in the error message (Error! Hyperlink reference not valid.)

**Appendix H - Install Use Cases from ArcSight Marketplace:**

This appendix is incomplete and does not provide details on what it entails, only that use cases can be installed from the ArcSight Marketplace.
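For step 5 of Appendix G, an added shell example (not from the original document) that checks whether a rules file in `/etc/sysconfig/iptables` format accepts TCP 443 ahead of any catch-all REJECT or DROP in the INPUT chain, since a rule placed after the catch-all never matches. `https_rule_status`, `sample_rules` and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the TCP 443 rule in an iptables-save style file.
# Prints "ok" (ACCEPT rule precedes any catch-all), "shadowed" (rule sits
# after a catch-all REJECT/DROP) or "missing" (no such rule in INPUT).
https_rule_status() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            line = " " $0 " "
            if (line ~ / -p tcp / && line ~ / --dport 443 / && line ~ / -j ACCEPT /) {
                print (blocked ? "shadowed" : "ok")
                found = 1
                exit
            }
            # A rule whose first option is the target matches every packet.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = 1
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample modelled on a stock CentOS 6 rules file: $1 is placed
# before the catch-all REJECT line, $2 after it.
sample_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$1
-A INPUT -j REJECT --reject-with icmp-host-prohibited
$2
COMMIT
EOF
}

RULE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT'
tmp=$(mktemp)
sample_rules "$RULE" "" > "$tmp"; https_rule_status "$tmp"   # rule before REJECT
sample_rules "" "$RULE" > "$tmp"; https_rule_status "$tmp"   # rule after REJECT
sample_rules "" "" > "$tmp";      https_rule_status "$tmp"   # rule absent
rm -f "$tmp"
```

Run `https_rule_status /etc/sysconfig/iptables` after editing the file and before `service iptables restart`.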

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
