
Logger V6 in Two Hours

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 27 min read

Summary:

The document gives worked queries for HP ArcSight Logger that extract information from network traffic and device logs. Each query, with how to run it in the Logger interface:

1. **Top 20 Products by Event Count**: identifies the top 20 non-ArcSight devices by event count.

  • Open the ArcSight Logger interface.

  • Go to the "Event Explorer" (or a similar module where custom searches are defined).

  • Filter for events where `deviceProduct` is not equal to "ArcSight" and not null.

  • Use a basic filter that lists these devices without aggregation.

2. **Top 20 Products by Event Count with Aggregation**: aggregates the event count for each product.

  • Use the same filter as the first query, but add the aggregation `sum(baseEventCount)` grouped by `deviceProduct`.

  • Sort the results in descending order of the aggregated event count.

3. **Events by Each Source**: counts bytes transferred from specific sources for Blue Coat appliances.

  • Filter events where the vendor is not related to Windows updates, with filters on `vendor` and any other relevant fields.

  • Aggregate bytes in (`bytesIn`) and bytes out (`bytesOut`) by `sourceAddress`.

  • Sort by incoming or outgoing bytes, as preferred.

4. **Transaction Analysis**: tracks authentication events involving devices other than ArcSight.

  • Filter for events where `deviceProduct` is not "ArcSight".

  • Include `deviceProduct` and `destinationUserName`.

  • Set the time span (`maxspan`) to 2 hours.

5. **Transaction and De-duplication**: de-duplicates on `deviceProduct` and `destinationUserName`.

  • Filter out duplicates by these two fields.

  • Sort the results accordingly.

6. **Reporting Example - Average EPS per Day per Logger**: calculates average events per second (EPS) per day.

  • Filter for events whose event class ID is "eps:100".

  • Require `arc_deviceAddress` to be non-null with "WHERE events.arc_deviceAddress IS NOT NULL".

  • Group the results by date and Logger address.

  • Average custom number 1 per device over the period.

These queries pull specific information from sources such as network traffic, firewall logs, and authentication events. They use SQL-like syntax within the ArcSight Logger interface to filter and aggregate data on predefined criteria, and the results can be visualized or reported in a readable format. Regular expressions allow finer filtering on patterns or keywords, which makes the queries useful for real-time network monitoring and security analysis.

Details:

This document, titled "HP ArcSight Logger in 2 Hours," is an introduction to conducting forensic investigations with HP ArcSight Logger. It is intended for people new to the product and covers deployment scenarios, configuration settings, and practical use cases such as investigating failed logons. It is deliberately concise: a quick overview of the key functions and how they apply in real-world security scenarios.

The guide opens with the history of HP ArcSight Logger and its current models, then says where to download trial versions or request demos. It then describes deployment scenarios, including appliance configuration within a network. The setup section covers configuring Logger to accept events from Windows Unified Connectors, and configuring those connectors to send data either to an appliance or directly to the software Logger.

The author is Brian Wolff, CISSP, MBA, ArcSight Architect for the Americas at HP, and the practical advice draws on that experience. The guide is structured to be easy to navigate, so it serves both newcomers to digital forensics and experienced practitioners who want a refresher or a quick-start on HP's ArcSight Logger.

ArcSight Logger is software for managing and analyzing log data, with the stated objectives of securing data, enforcing compliance, and combating cybercrime. The guide's main sections are use cases, pipeline operators, selected examples, and reporting.

**Use Cases:**

1. **Search/Analyze**: search through large volumes of logs efficiently.

2. **Categorization**: organize log data into categories for better analysis.

3. **Viewing a Live Feed**: real-time monitoring of log streams.

4. **Dashboards**: summarized views of the logged data to support decisions.

5. **Reporting**: run default and customized reports.

6. **Running a Default Report**: generate a report from predefined settings.

7. **Creating a Report by Customizing a Default Report**: tailor an existing report to specific requirements.

**Pipeline Operators:** the operators that manage and manipulate log data as it flows through the search pipeline, detailed in the document.

**Selected Examples:** cases showing how ArcSight Logger is used in practice.

**Reporting Example:** a worked example of creating and using reports.

The guide emphasizes Logger's ease of use and breadth of function as a log management solution. Logger can analyze logs from any system that generates them and scales across an enterprise. Unlike traditional log management tools that are limited by source type, it captures and analyzes all enterprise log data, whether for one team's needs or as an enterprise-wide log management system.

The software comes with 90 days of phone and email support, followed by access to the user community, and is available in downloadable and enterprise versions. The downloadable version provides full enterprise features for 12 months, and users can upgrade at any point in that period. Logger differs from traditional log analysis tools in addressing cross-team requirements: security, compliance reporting, IT operations search, and application development. It offers high performance for faster forensic analysis and supports multiple regulations by capturing all enterprise log data across the infrastructure, and it scales as business needs grow or change.

Version history: the initial release was based on ArcSight Logger 5.2; updates added support for Windows 2008 logs (November 2012), covered Logger 5.5 (April 2014), and finally Logger 6 (December 2015). Suggestions or changes to the documentation go to brian.wolff@hp.com. ArcSight Logger is available as both software and an appliance, with a link for further information given in the document.

HP ArcSight Logger comes in several formats, including the Software Logger and Trial versions and specific trial licenses for Linux or VMware environments. It does not require other ArcSight products, and it interoperates with ArcSight Enterprise Security Manager (ESM) for additional security capability. Logger is typically deployed inside a firewalled perimeter for physical security. It collects events from many hardware and software network products and acts as a funnel, forwarding selected events to ESM for real-time monitoring and correlation while also storing events for compliance or service level agreement needs.

Setting up a Logger Appliance means configuring its network settings, installing a license, and setting the date and time zone:

1. **Configure Network Settings:**

  • Log into the appliance using default credentials (Username: admin, Password: password).

  • Set the IP address for the eth0 interface to 10.0.187.38 with a netmask of 255.255.255.0 by typing "set IP".

  • Verify the IP configuration by typing "show ip".

  • Set the default gateway for the eth0 interface to 10.0.187.1 using the command "set defaultgw" and verify it with "show defaultgw".

  • Connect from a workstation to confirm the configuration at https://10.0.187.38.

2. **Install License:**

  • Note that a Limited Use Free License is automatically deployed, so this step may be skipped depending on the license type.

  • Navigate through the user interface to access System Admin -> License & Update.

  • Upload the license file by clicking "Browse" and then "Upload Update".

3. **Configure Date & Time Zone:**

  • Set up the date and time zone correctly for accurate event timestamps.

  • Access the necessary settings through the user interface.

This summary captures the steps needed to set up the Logger Appliance. To configure date and time, DNS, and hosts file entries through the Logger user interface:

1. **Access System Admin**: from the top-level menu bar, click "System Admin."

2. **Navigate to Network Settings**: within the "System" section of the interface, select "Network."

3. **Configure Time Zone (if necessary)**: click the "Change Time Zone" button and enter the correct time zone. This may require a system reboot to take effect.

4. **Set Up Time and NTP Settings**: on the "Time/NTP" tab, set the date and time manually or use an NTP server to update them automatically. Click "Save".

5. **Configure DNS Settings**: on the "System DNS" tab in the Network section, enter the primary and secondary DNS servers and edit the list of search domains (limit of 6 entries). Click "Save".

6. **Set Up Hosts File Entries**: for Connectors on Connector Appliance with an ESM or Express destination, open the "Hosts" tab under Network settings, enter IP addresses and hostnames in the specified format, and click "Save".

ArcSight Logger stores time-stamped text messages, called "events", at high and sustained input rates, with efficient long-term storage and rapid analysis. It is available as an appliance and as software. The appliance is a hardened, dedicated enterprise-class system optimized for large event volumes with minimal latency and maximum throughput. Structured and unstructured events are both supported and searched through a common interface; events are collected through the ArcSight SmartConnector framework. Logger compresses raw data but can still return the unmodified data for forensic purposes. It accepts CEF (Common Event Format) messages, an industry standard for interoperability between event- or log-generating devices and technology providers, and because it is message-agnostic it also handles syslog, a loose standard for event messages. A raw event includes the receipt time, the event time, the source (host name or IP address), and the unparsed message. The document links to a capacity planning guide for the software version of Logger.

Logger's search and data management features:

1. **Query Execution**: queries run manually or automatically: from a search field, by clicking terms in an event table, or as full-text search with plain English keywords. Queries can use predefined fields or regular expressions.

2. **Flow-Based Search Language**: multiple search commands are chained in a pipeline, the flow-based search language.

3. **Data Distribution Across Peer Loggers**: by default a query runs only against the local Logger's primary data store, but Logger can be configured to distribute a query across chosen peer Loggers.

4. **Filtering and Saving Searches**: queries are saved as Filters or Saved Searches. Saved filters select events for forwarding or for later re-querying. Saved Searches export selected events, save results to files (often on a schedule), and feed per-user dashboards.

5. **Enhancements in Logger 6.0**: saved filters and searches are recalled by typing "$" in the search box, which saves time when running many queries.

6. **Browser Compatibility**: Logger supports Internet Explorer (versions 10 and 11), Mozilla Firefox (version ESR 31), and Safari (version 7.0 on OSX 10.9). JavaScript and cookies must be enabled. An Adobe Flash Player plug-in is needed for some features when using Internet Explorer and optional otherwise.

The user interface is served over HTTPS at the Logger's host and port. The login screen takes the initial credentials Username admin, Password password, which should be changed after first use. A navigation band at the top shows real-time counters and CPU usage, with the current time and username in the top-right corner. A help link opens context-sensitive online help, and a search helper assists with queries by offering history, operator examples, suggested next steps, and field details. The Options page allows customization such as default or per-user start pages, and Logger 6 can display a company logo.

Users can set the idle time before automatic logout, a security measure against unauthorized use of an unattended session. The default is 15 minutes; the Logger Administrator's Guide describes how to change it.

Dashboards are global dashboards that summarize incoming events and indexing status. Users create custom queries to show specific event data next to real-time or historical status of system components (receivers, forwarders, storage, CPU, and disk usage). Each dashboard is made of panels that show either search results matching a query or the performance and health of those components.

For complex event searches, the flow-based search language chains commands in a pipeline, enabling advanced filtering and visualization. Users can customize the display of results, view them graphically, and recall saved searches or filters with '$'.

Logger's search function accepts a query entered directly or built with auto-suggest, covering simple keyword searches as well as Boolean expressions, indexed fields, and regular expressions, with constraints such as device groups and storage groups. The guide stresses being familiar with all elements of a query to use Logger fully. Specific fields such as deviceAddress and deviceReceiptTime can be displayed for matching events, and queries can be saved and reused as saved filters and saved searches. Tools for building complex queries:

1. **Search Builder**: a graphical tool for building queries with Boolean logic, supporting keywords, field-based conditions, regular expressions, and constraints such as device groups and storage groups.

2. **Regex Helper Tool**: simplifies writing regular expressions for the rex pipeline operator, used to extract fields from events.

3. **Search Helper**: gives access to recently run queries for reuse.

Further search aids, operators, fields, and predefined filters:

1. **Search Operator History**: shows previously used search operators matching the current input.

2. **Examples**: shows relevant examples for the latest operator typed into the Search box.

3. **Suggested Next Operators**: lists operators that can follow the current query; for example, after "logger |" it might suggest "cef," "rex," "extract," or "regex."

4. **Help**: contextual help for the last operator in the query.

5. **List of Fields and Operators**: a dynamic list of fields matching the typed field name, or of operators relevant to Logger data.

6. **System Filters (Predefined Filters)**: pre-defined queries for common events such as unsuccessful login attempts or event counts by source, applied by following the steps in the interface.

7. **Configuring Logger for Specific Use Cases**: setting up Logger to accept Windows Unified Connector events, with instructions for appliance models with integrated connectors and for those needing external SmartConnectors. From the Logger menu go to Configuration, select Receivers, add a new receiver named "Windows" of type SmartMessage Receiver, and enable it.

Configuring a Windows Unified Connector to send events to an ArcSight Logger appliance, following the HP ArcSight Logger in 2 Hours™ guide:

1. **Choose Encoding and Source Type**: set the default encoding to UTF-8, select CEF as the source type, and click 'Save'. The receiver is not yet enabled at this stage.

2. **Enable the Receiver**: click the disabled symbol to enable it; a checkmark shows it is ready to receive events.

3. **Configure Connector Settings**:

  • Go to Configuration > Manage Connectors and click 'Add Connector'.

  • Choose "Microsoft Windows Event-Log-Unified" as the connector type.

  • Follow through with the setup wizard, choosing options relevant to your configuration (e.g., entering devices manually if needed).

4. **Configure Devices**: For each host you want to collect events from:

  • Click 'Add Row' and fill in parameters such as domain name based on whether the host is using a domain user account or local user account, considering whether it belongs to a domain or workgroup.

This procedure sets up a connector that collects Windows event logs and sends them to an ArcSight Logger appliance.

The guide then covers installing the Windows Unified Connector, which collects event logs from a target Windows host and transmits them to a Software Logger (named "ArcSight Logger" here). The installation sets up credentials with sufficient privileges, selects the event logs to collect (Security, System, Application), specifies the Windows version and locale, and configures the logging destination:

1. Enter the Host Name or IP address of the target Windows host.

2. Enter the User Name of an account with enough privilege to read Windows events on that host: a standard domain user account, given without the domain name. On Windows Server 2003 and Windows 2008 this can also be a built-in "Event Log Readers" account.

3. Enter the Password for that User Name.

4. Choose whether to collect Security events (default: checked, true).

5. Choose whether to collect System events (default: unchecked, false).

6. Choose whether to collect Application events (default: unchecked, false).

7. Select the Microsoft operating system version the host runs.

8. Enter the locale code: 'en_US' (United States English), 'ja_JP' (Japanese), 'zh_CN' (Simplified Chinese), 'zh_TW' (Traditional Chinese), among others; the default is 'en_US'.

9. Click "Next".

10. Choose "ArcSight Logger SmartMessage" as the Destination Type.

11. Enter the Hostname/IP of the Logger and the Receiver Name (a receiver must already exist on the Logger; it is named "Windows" in this example).

Installing the connector on a Windows 7 workstation means downloading and running ArcSight-7.0.7.7279.0-Connector-Win.exe, choosing the install directory, setting the hostname and receiver name, verifying the connection, and confirming that events reach the Logger:

1. Download and install ArcSight Logger connector version 7.0.7 on the Windows 7 workstation; click 'OK' to continue the installation.

2. Choose the installation directory (C:\my_data\Arcsight\Connectors\WUC) and proceed.

3. In the setup, click 'Add' and enter the hostname and receiver name. This example uses 172.16.100.100 as the address and "Windows" as the receiver name (case sensitive).

4. If validation and logon to the device succeed, a screen shows that the connector is up and events are being sent to the Logger.

5. Optionally, for testing, leave the connector running as a standalone application and convert it to a service once verified.

6. Open a command window and change to C:\my_data\Arcsight\Connectors\WUC\current\bin, where the connector was installed. The connector should report that it is up and sending events to the Logger.

7. To confirm, open the Logger's "Analyze" tab and search for the machine name (e.g., WOLFFB2). In the example, 56 events were received from the connector.

Microsoft Windows assigns specific event codes to failed logon attempts: 529, 530, 531, and so on, each for a different failure reason. They can be searched as "Security:529" or, on Windows 2008, as "Microsoft-Windows-Security-Auditing:4625". ArcSight categorizes events automatically, so analysts can work at the level of categories rather than vendor event codes, and the guide shows how to use Logger's search to find and analyze these failures.

To start with categorization, select the "Categories" field set. Logger normalizes, categorizes, and prioritizes every event it retrieves, so predefined categories such as authentication, failure, and warning can be used without knowing each vendor's event coding. For example, Security:529 is categorized as 'Authentication/Verify' on an 'Operating System', and Microsoft-Windows-Security-Auditing:4625 is categorized the same way on Windows 2008. To find authentication failures regardless of vendor, replace the search term "Security:529" with "/Authentication/Verify and /Failure"; this broadens the result to all devices reporting authentication failures, not just Microsoft ones. Matching entries are highlighted in the display.
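To make the category-based search above concrete, here is an added example (not code from the guide or from HP/ArcSight) that models, in Python, how Logger-style queries behave over events: it parses a few constructed CEF lines, applies a constructed stand-in for SmartConnector categorization (mapping Security:529, 4625 and an sshd failure to /Authentication/Verify + /Failure), then runs the vendor-independent authentication-failure filter with its optional `deviceProduct CONTAINS "Microsoft"` narrowing and `NOT (destinationUserName IS NULL)` clause, plus the summary's "top products by sum(baseEventCount)" and "bytes by sourceAddress" aggregations. The CEF-key-to-field mapping and the category table are assumptions for illustration, not ArcSight's real categorization data.

```python
"""Toy model of the Logger queries described in the guide, run over constructed CEF lines.
Added example, not code from the original document or from HP/ArcSight."""
import re
from collections import defaultdict

# Constructed sample events in CEF header|extension form, as a SmartMessage receiver would see them.
SAMPLE_CEF = [
    "CEF:0|Microsoft|Microsoft Windows|2008|Microsoft-Windows-Security-Auditing:4625|"
    "An account failed to log on|5|duser=jimmyj dvc=10.1.1.5 cnt=1",
    "CEF:0|Microsoft|Microsoft Windows|2003|Security:529|Logon Failure|5|duser=jimmyj dvc=10.1.1.7 cnt=3",
    "CEF:0|Unix|Unix|1|sshd:failed|Failed password|5|duser=root dvc=10.1.1.9 cnt=1",
    "CEF:0|Microsoft|Microsoft Windows|2008|Microsoft-Windows-Security-Auditing:4624|"
    "An account was successfully logged on|3|duser=alice dvc=10.1.1.5 cnt=1",
    "CEF:0|Blue Coat|ProxySG|6|TCP_HIT|proxy request|1|src=10.0.0.5 in=1200 out=300 cnt=1",
    "CEF:0|ArcSight|ArcSight|6|eps:100|Logger EPS|1|dvc=10.0.187.38 cn1=1500 cnt=1",
]

# Assumed mapping from CEF extension keys to the Logger field names used in the guide's queries.
CEF_KEY_TO_FIELD = {
    "duser": "destinationUserName", "dvc": "deviceAddress", "src": "sourceAddress",
    "in": "bytesIn", "out": "bytesOut", "cnt": "baseEventCount", "cn1": "deviceCustomNumber1",
}
INT_FIELDS = {"bytesIn", "bytesOut", "baseEventCount", "deviceCustomNumber1"}

# Constructed stand-in for SmartConnector categorization: vendor event IDs -> normalized categories.
CATEGORY_TABLE = {
    "Security:529": ("/Authentication/Verify", "/Failure"),
    "Microsoft-Windows-Security-Auditing:4625": ("/Authentication/Verify", "/Failure"),
    "Microsoft-Windows-Security-Auditing:4624": ("/Authentication/Verify", "/Success"),
    "sshd:failed": ("/Authentication/Verify", "/Failure"),
}


def parse_cef(line):
    """Split a CEF line into a dict keyed by Logger field names."""
    # The 7 header fields are pipe-separated; a literal pipe inside a field is escaped as \|.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ev = {"deviceVendor": parts[1], "deviceProduct": parts[2], "deviceVersion": parts[3],
          "deviceEventClassId": parts[4], "name": parts[5], "severity": parts[6]}
    # The extension is key=value pairs; values may contain spaces, so stop at the next " key=".
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        field = CEF_KEY_TO_FIELD.get(key, key)
        ev[field] = int(value) if field in INT_FIELDS else value
    return ev


def categorize(ev):
    """Add categoryBehavior/categoryOutcome the way connector categorization would."""
    ev["categoryBehavior"], ev["categoryOutcome"] = CATEGORY_TABLE.get(
        ev["deviceEventClassId"], (None, None))
    return ev


def load_events(lines=SAMPLE_CEF):
    return [categorize(parse_cef(line)) for line in lines]


def auth_failures(events, product_contains=None):
    """/Authentication/Verify AND /Failure AND NOT (destinationUserName IS NULL),
    optionally AND deviceProduct CONTAINS <product_contains>."""
    hits = []
    for ev in events:
        if (ev["categoryBehavior"], ev["categoryOutcome"]) != ("/Authentication/Verify", "/Failure"):
            continue
        if ev.get("destinationUserName") is None:
            continue
        if product_contains and product_contains not in ev["deviceProduct"]:
            continue
        hits.append(ev)
    return hits


def top_values(events, field, limit=20):
    """`top <field>`: sum(baseEventCount) grouped by field, descending, like the Top values chart."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get(field) is not None:
            totals[ev[field]] += ev.get("baseEventCount", 1)
    return sorted(totals.items(), key=lambda kv: -kv[1])[:limit]


def top_products(events, limit=20):
    """Summary query 2: deviceProduct != "ArcSight" AND not null | sum(baseEventCount) by deviceProduct."""
    kept = [ev for ev in events if ev.get("deviceProduct") and ev["deviceProduct"] != "ArcSight"]
    return top_values(kept, "deviceProduct", limit)


def bytes_by_source(events, direction="bytesIn", limit=20):
    """Summary query 3: bytesIn or bytesOut summed per sourceAddress, for events carrying byte counts."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("sourceAddress") and ev.get(direction) is not None:
            totals[ev["sourceAddress"]] += ev[direction]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:limit]


if __name__ == "__main__":
    evs = load_events()
    print("auth failures (all vendors):", [e["deviceEventClassId"] for e in auth_failures(evs)])
    print("Microsoft only:", [e["destinationUserName"] for e in auth_failures(evs, "Microsoft")])
    print("top users among failures:", top_values(auth_failures(evs), "destinationUserName"))
    print("top products:", top_products(evs))
    print("bytes in by source:", bytes_by_source(evs))
```

The point of the category table is the one the guide makes: the sshd failure, the Windows 2003 code 529 and the Windows 2008 code 4625 all fall out of the same `/Authentication/Verify` + `/Failure` filter, and the vendor-specific narrowing is a separate `deviceProduct CONTAINS` clause rather than a different query per product.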
The guide also shows how to use structured search elements inside a free-form text search by selecting columns such as "deviceProduct", which allows precise filtering on the attributes of each device or event type. To find only Microsoft authentication failures, modify the search string by inserting "NOT" and replacing "Unix" with "Microsoft" under deviceProduct, then save the query as "Microsoft Authentication Failures." Field summaries give quick counts over the returned events without manual counting, and the Field Summary window can draw the data as a line chart.

The next procedure in the HP ArcSight Logger in 2 Hours™ guide:

1. **Restore Saved Search**: click the save search icon, select the "Saved Search" tab, click "Load + Close", then "Go" to run the query.

2. **Adjust Settings**: set the field display back to "All Fields". Go to the "destinationUserName" field and set the Start Time to "$Now – 1h".

3. **Filter User Activity**: click a user (e.g., "jimmyj") and narrow the search to all activity for that user ID with `destinationUserName CONTAINS "jimmyj"`. Minimize visual aids that are no longer needed.

4. **Switch Investigation Focus**: pivot from user IDs to IP addresses by selecting an IP in the "deviceAddress" field and changing the search to `destinationAddress CONTAINS "10.1.1.5"`. This reveals activity across the available event feeds (Tripwire, Microsoft, Oracle, and so on).

5. **Live Event Viewer**: use Analyze > Live Event Viewer to watch events scroll continuously, like a UNIX `tail -f`, for real-time monitoring of security-related activity.

6. **Data Monitor Setup**: create a Data Monitor showing the last 10 Windows logon failures with the search `categoryBehavior = "/Authentication/Verify" AND categoryOutcome = "/Failure" AND NOT (destinationUserName IS NULL)`.

The document is dated April 20, 2015 and is part of the HP ArcSight Logger in 2 Hours™ series.

Creating a chart in ArcSight Logger and saving it as a dashboard panel, so that "Microsoft Authentication Failures" can be monitored on a dedicated dashboard:

1. **Define the Search Criteria**: enter the following query in the search box:

```
/Authentication/Verify AND /Failure AND deviceProduct CONTAINS "Microsoft"
```

This returns failed authentication events involving Microsoft devices.

2. **Generate and Customize the Chart**: click "Top values" to generate a chart from the results, then change the chart type to "Pie" (other display options and chart types are available).

3. **Save the Chart for Future Use**: to save the chart configuration for use in a dashboard:

  • Click on the Save icon (or similar). You will be presented with an option to choose between Dashboard Panel. Select this and enter details such as the name of the saved search ("Microsoft Authentication Failures") and the new dashboard's title ("Microsoft Related Events").

  • Check "Add both types" if you want to include multiple chart representations or checkmarks that apply to your specific needs.

  • Choose a suitable Chart type, in this case, "Pie".

  • Click on Save, which will confirm the selection and finalize the setup process.

4. **Viewing the Dashboard**: After saving, navigate back to Dashboards. You should see your newly created dashboard ("Microsoft Related Events") listed in the dropdown menu. Select it to view the chart as per the settings you have defined.
5. **Additional Customization and Use**: If needed, click on "View on Search Page" to revisit or modify the search criteria directly within the analysis tool. This is particularly useful for refining your search parameters without having to manually re-enter them every time.

This process provides a comprehensive method to track specific security events using ArcSight Logger, customize visual representations of these data points, and efficiently deploy these configurations into operational dashboards, enhancing real-time monitoring capabilities.

The next section is a tutorial or guide for using "v4HP ArcSight Logger", which is likely part of an enterprise security management system. It outlines various steps related to configuring and customizing reports within this system.

1. **Initial Setup and Navigation**: The user is instructed to run a command (`t null | top deviceEventClassId`) and filter the results by `deviceProduct` containing "Microsoft". They should then focus on `destinationUserName`.
2. **Context Sensitive Help**: The system includes extensive help prompts with examples, suggesting that it's designed for users who might not be tech-savvy. A call to action follows these instructions (e.g., "Click on GO").
3. **Changing Display Format**: The user is shown how to change the display from a table or list format to a pie chart by selecting "SAVE". This involves entering specific selections and clicking the SAVE button, with further details provided in subsequent sections of the document.
4. **Dashboard Creation and Customization**:

  • Accessing Dashboards: The user needs to select the "Dashboards" tab and choose from a dropdown menu related to "Microsoft Related Events".

  • Changing Display Layout: Tools are used to change the layout, which involves clicking on "Change Layout" and then choosing "Save".

5. **Reporting**:

  • Overview of Reporting: When accessing reports or links via the menu or a specific dialogue ("Take me to..."), users will be directed to the Dashboard Viewer where they can view network event data in an easily digestible format through dashboards.

  • Widget Placement: Each report or external link must be placed into its own widget, which are then arranged on the dashboard. The dashboard may contain multiple widgets that auto-refresh with new data based on user settings (e.g., every hour).

  • Scheduling and Retention: Reports should be scheduled to run, published, and saved for a reasonable retention period (like one month) to ensure they are accessible via the dashboard viewer at all times.

Overall, this text is designed to help users efficiently manage and visualize security-related reports using v4HP ArcSight Logger by providing step-by-step instructions on setup, customization, and reporting features.

The next section outlines how to use v4HP ArcSight Logger to generate and customize reports efficiently, eliminating the need to monitor each report manually every hour. It provides step-by-step instructions on running default reports and creating customized reports using pre-built templates within the tool. Key points include choosing "Reports" from the menu, navigating to "Report Explorer", selecting specific categories like "Device Monitoring" or "Operating System", and customizing queries for new reports before saving them in various formats such as .csv, .pdf or .rtf, or sharing them via email or a portal. The process involves making a new category for saved reports, then copying and modifying existing reports to create customized ones, avoiding conflicts by working from the standard templates within the newly created category.

This is a guide on how to customize and save a report using v4HP ArcSight Logger in 2 Hours™. Here's a summary of the steps:

1. **Accessing Reports**: Navigate to "Reports" from the menu, then under "Navigation", click on "Report Explorer". In the reports column, expand "Device Monitoring" and select "Operating System", then choose "Login Errors by User". When selected, it will turn blue.
2. **Customizing the Report**: Click on "Customize Report" and then click on the "Save As.." button. This will open a new window for renaming your report.
3. **Renaming and Saving the Report**: Add your initials to the name, click "Save", and then close the pop-up by clicking "Close".
4. **Copying the Query**: Click on the data source icon and select "Query Editor". Rename and save it in your folder with a specific query object name.
5. **Editing the Query**: To edit the query, click on the "Design" icon to expose the editor.
Update the WHERE clause as needed:

  • events.arc_categoryDeviceGroup = '/Operating System'

  • events.arc_categoryBehavior = '/Authentication/Verify'

  • events.arc_categoryOutcome != '/Success'

  • (events.arc_categorySignificance = '/Informational/Error' OR events.arc_categorySignificance = '/Informational/Warning')

These steps help in customizing and saving a report according to specific requirements, using the v4HP ArcSight Logger software for better analysis and visualization of login errors by users.

The instructions that follow configure a specific query within the ArcSight Logger software to display logon failure events exclusively related to Microsoft devices. Here's a summarized version of the steps:

1. **Modify the Query**: Change the initial query to focus only on logon failures and filter results to include only those from devices manufactured by Microsoft. This involves modifying parameters dynamically (for educational purposes, the text mentions altering a parameter to accept device vendor input).
2. **Select Relevant Fields**: In the modified query, select fields such as "User Name", "End Time", "Error", and other related information about the source and destination of logon attempts. The field for device vendor should be included here.
3. **Set Filter Conditions**: Apply filters to narrow down records:

  • Ensure events are categorized under operating system-related behaviors.

  • Confirm that only authentication verification (logon) failures are considered.

  • Exclude successful logons by filtering out outcomes that are not related to failure.

4. **Order the Results**: Arrange the results based on user names and end times of the logon attempts.
5. **Save and Configure Query Object**: Save your changes, then pair this query with a report by accessing the "Data Source" settings within the ArcSight Logger interface. Navigate to the BW Reports folder and select the "BW Windows Logon Failure" report.
6. **Adjust Report Layout**: In the Fields Editor of the selected report object, adjust the layout by moving the device vendor field to the top for better visibility. Save these changes.
7. **Run the Report**: Finally, execute the configured report through the "Reports" tab in ArcSight Logger. Use the "Report Explorer" and select the specific report named "BW Windows Logon Failure". This will display all logon failure events from Microsoft devices as per the set criteria.

These steps are crucial for effectively monitoring and analyzing logon failures on systems managed by Microsoft, ensuring that relevant information is easily accessible and actionable based on user inputs and configurations within the ArcSight Logger platform.

The next section of the training manual "v4HP ArcSight Logger in 2 Hours™" focuses on pipeline operators, which are used to refine searches and extract specific information from raw events. The key pipeline operators mentioned are:

1. **Keys**: Identifies keys within raw events based on specified delimiters, but can only be used for identifying keys and not for further processing.
2. **Extract**: Displays key-value pairs extracted from raw events.
3. **Fields**: Includes or excludes specific fields in the search results.
4. **Regex**: Selects events that match a specified regular expression.
5. **Rename**: Changes the name of a field if it's extracted as CEF or REX.
6. **Replace**: Replaces a string in one or more specified fields with a new string.
7. **Rex**: Extracts values based on a specified regular expression.
8. **Transaction**: Groups events that share the same values in specified fields, creating transaction IDs sorted in ascending order. It calculates the duration of transactions and displays the number of events within each transaction.
9. **Where**: Displays events matching criteria specified in a "where" expression, allowing field-based operators on raw events (user-defined fields extracted from raw events using pipeline operators).

The manual emphasizes that the order of these operators can significantly affect search results and encourages careful consideration of what to search for and how to structure the search.

On April 20, 2015, HP ArcSight Logger introduced a new feature called "Logger Data through Static Correlation", which allows users to enrich their search results by adding information from external files. This is achieved using the lookup operator, where an external data file (Lookup file) can be uploaded and joined with events in Logger for additional context. For instance, if you need to geo-tag or asset-tag based on IP addresses, a Lookup file containing IP address and country details can be created and uploaded, then used to join with the sourceAddress field in Logger events to display the corresponding country in the search results.

To demonstrate this capability, an example query was provided: finding all systems communicating with "The Onion Router" (Tor) using a Tor Exit Nodes list. The first step is to obtain the list of Tor IP addresses from sources like dan.me.uk/tornodes and use it as a .csv file for demonstration purposes. The process involves using the command-line tool `curl` to download data from the online source and save it as a CSV file named `tornodes.csv`. This file is then prepared by removing unwanted columns and adjusting the header row format before saving it again under the same name. Finally, this cleaned CSV file is imported into the Logger application for analysis. In the Logger application:

1. The user navigates to the LOOKUP section and adds a new table named `tornodes`.
2. A search query using the Tor nodes looks up IP addresses as source addresses in the Logger events, matches them with entries from the `tornodes` table and displays all corresponding columns.
3. As an example, the user performs a Netflow analysis to count events by destination port and charts these counts, optionally sorting the results if needed.

This process demonstrates how to import and manage external data for detailed analysis within Logger, specifically tailored for network security monitoring, using Tor nodes as the example.

The document also outlines various search strings that can be used in the v4HP ArcSight Logger tool to extract specific information from network traffic and device logs. The searches cover topics such as firewall traffic, Google search queries, device vendor details, connector versions, TippingPoint events, product changes, and failed login attempts. Each query is presented with a clear explanation of its purpose and how to execute it within the ArcSight Logger interface. Additionally, examples are provided for using regular expressions (regex) to filter data based on specific patterns or keywords, demonstrating practical applications in real-time network monitoring and security analysis.

The document then outlines several queries used to analyze network traffic data, focusing on events generated by devices other than ArcSight, bytes transferred via Blue Coat appliances, and authentication transactions. Here's a summary of each query:

1. **Top 20 Products by Event Count**: This query identifies the top 20 device products that are not ArcSight but have non-null entries. It does so by filtering events where `deviceProduct` is not "ArcSight" and is not null, then using a basic filter to list these devices without considering aggregation.
2. **Top 20 Products by Event Count with Aggregation**: This query builds on the first by aggregating event counts for each product. It filters similarly but includes an aggregation function (`sum(baseEventCount)`) grouped by `deviceProduct`, sorted in descending order based on the aggregated count of events, to provide a more detailed view rather than simply listing devices.
3. **Events by Each Source**: This query focuses specifically on counting and possibly mapping bytes transferred from specific sources for Blue Coat appliances, filtering by vendor and excluding entries that might be related to Windows updates. It charts both total bytes in (`bytesIn`) and out (`bytesOut`), aggregated by `sourceAddress`, sorted either by the sum of incoming or outgoing bytes as per user preference.
4. **Transaction Analysis**: This query is specific to authentication events within a defined behavior category, including successful outcomes. It tracks transactions involving devices other than ArcSight, showing details like `deviceProduct` and `destinationUserName`. The span (`maxspan`) is set at 2 hours for the analysis period.
5. **Transaction and De-duplication**: This query further refines the previous one by applying de-duplication to avoid redundant entries based on `deviceProduct` and `destinationUserName`, ensuring a clean view of unique events, which are then sorted according to these criteria.
6. **Reporting Example - Average EPS per Day per Logger**: The final example in the document provides a specific query scenario for calculating average events per second (EPS) per day, applicable when two loggers are peered. This would typically involve aggregation and filtering based on time periods and logger identification to provide an average performance metric across multiple devices.
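The lookup-file preparation and the Tor-node join described in the lookup section, as an added example that is not code from the tutorial or from HP/ArcSight: the script cleans a constructed node list into the header-plus-address shape of `tornodes.csv`, performs the equivalent of the lookup join on `sourceAddress`, and counts the matches by destination port. The raw file layout, the `nodeType` column, the `tornodes.` field prefix and every address are assumptions or constructed data.

```python
"""Added example, not from the tutorial: build a Logger-style lookup file from a
raw Tor node list and join it to events on sourceAddress, as the lookup operator
would. Every address and row below is constructed."""
import csv
import io
import ipaddress

# Constructed stand-in for the downloaded node list (the real dan.me.uk layout is
# not reproduced): address, node type and a date, whitespace separated.
RAW_TORNODES = """\
# constructed sample, not real Tor nodes
203.0.113.7   exit   2015-04-20
203.0.113.42  exit   2015-04-20
198.51.100.9  relay  2015-04-20
not-an-ip     exit   2015-04-20
"""

def prepare_lookup_csv(raw_text):
    """Drop the unwanted date column, discard malformed rows and add a header
    row: the shape the tutorial prepares before uploading tornodes.csv."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["address", "nodeType"])  # header row added
    for line in raw_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        try:
            ipaddress.ip_address(cols[0])  # keep only rows with a valid address
        except ValueError:
            continue
        writer.writerow([cols[0], cols[1]])
    return out.getvalue()

def load_lookup(csv_text):
    """Index the lookup table by address so the join is a dictionary hit."""
    return {row["address"]: row for row in csv.DictReader(io.StringIO(csv_text))}

# Constructed Logger events; only the fields needed for the join are shown.
EVENTS = [
    {"sourceAddress": "203.0.113.42", "destinationPort": "443"},
    {"sourceAddress": "10.1.1.5",     "destinationPort": "445"},
    {"sourceAddress": "203.0.113.7",  "destinationPort": "443"},
    {"sourceAddress": "198.51.100.9", "destinationPort": "80"},
]

def lookup_join(events, table, field="sourceAddress"):
    """Keep events whose `field` matches a table row and attach all table
    columns; the "tornodes." prefix is an assumed naming, not Logger's."""
    joined = []
    for ev in events:
        row = table.get(ev[field])
        if row is not None:
            joined.append({**ev, **{"tornodes." + k: v for k, v in row.items()}})
    return joined

def count_by_destination_port(events):
    """The Netflow follow-up: event count per destinationPort, highest first."""
    counts = {}
    for ev in events:
        counts[ev["destinationPort"]] = counts.get(ev["destinationPort"], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
```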
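The transaction operator from the pipeline section and the transaction / de-duplication queries above, modelled in Python as an added example (not the tutorial's own code): the events and timestamps are constructed, the output field names are chosen here, and `maxspan` is applied as the distance from the first event of a transaction, which is an assumption about Logger's semantics.

```python
"""Added example, not from the tutorial: a small model of Logger's transaction
operator with maxspan, followed by dedup on the same fields. All events below
are constructed; output field names are assumptions."""
from datetime import datetime, timedelta

# Constructed authentication events, already filtered to non-ArcSight products.
EVENTS = [
    {"ts": "2015-04-20 08:00:00", "deviceProduct": "Microsoft", "destinationUserName": "jimmyj"},
    {"ts": "2015-04-20 08:30:00", "deviceProduct": "Microsoft", "destinationUserName": "jimmyj"},
    {"ts": "2015-04-20 09:15:00", "deviceProduct": "Unix",      "destinationUserName": "jimmyj"},
    {"ts": "2015-04-20 11:00:00", "deviceProduct": "Microsoft", "destinationUserName": "jimmyj"},  # 3h after 08:00: beyond maxspan
    {"ts": "2015-04-20 11:20:00", "deviceProduct": "Microsoft", "destinationUserName": "jimmyj"},
    {"ts": "2015-04-20 12:00:00", "deviceProduct": "Oracle",    "destinationUserName": "dba"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def transaction(events, fields, maxspan=timedelta(hours=2)):
    """Group events sharing the same values in `fields`; a new transaction starts
    when an event falls more than `maxspan` after the group's first event.
    Returns transactions numbered in ascending start-time order, each with its
    duration in seconds and event count."""
    open_tx = {}   # grouping key -> transaction currently being extended
    closed = []
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        key = tuple(ev[f] for f in fields)
        t = _parse(ev["ts"])
        tx = open_tx.get(key)
        if tx is None or t - tx["start"] > maxspan:
            if tx is not None:
                closed.append(tx)
            tx = open_tx[key] = {"key": key, "start": t, "end": t, "count": 0}
        tx["end"] = t
        tx["count"] += 1
    closed.extend(open_tx.values())
    closed.sort(key=lambda tx: tx["start"])
    return [
        {"transactionid": i + 1, **dict(zip(fields, tx["key"])),
         "duration": int((tx["end"] - tx["start"]).total_seconds()),
         "event_count": tx["count"]}
        for i, tx in enumerate(closed)
    ]

def dedup(events, fields):
    """Keep the first event per distinct combination of `fields`, then sort the
    survivors on those fields, as the de-duplication query does."""
    seen, kept = set(), []
    for ev in sorted(events, key=lambda e: _parse(e["ts"])):
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return sorted(kept, key=lambda e: tuple(e[f] for f in fields))
```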
Each of these queries serves different analytical purposes, ranging from basic product identification in event logs to detailed network traffic analysis involving authentication events and byte transfers.

The final passage describes a method for analyzing data related to "Logger" devices within a specific peer group using an SQL query. The query focuses on events from the "events" table where the event class ID is "eps:100". It filters out any entries without a logger address using the condition "WHERE events.arc_deviceAddress IS NOT NULL", groups the remaining events by date (DATE(events.arc_deviceReceiptTime)) and logger address, and calculates the average custom number 1 value associated with each device during that period. The results are presented in a table with columns for "Date", "Logger" (the device's address), and "Average EPS", and in a chart through which you can scroll across dates to see how the metrics (such as average EPS) for each logger change over time. This setup allows easy visual comparison between different loggers across various dates, providing insights into how each logger performed during specific time periods based on the average of the custom number 1 values.

The passage is part of a larger document dated April 20, 2015, version 4, attributed to Brian Wolff. It emphasizes the interactive nature of the graphical data representation and suggests that this method can be used to understand how different loggers perform under specific conditions, as indicated by their event class ID and address in the database table.
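The Average EPS per Day per Logger report query described above, run as an added example (not from the tutorial) against an in-memory SQLite copy of the `events` table. The rows, the table schema and the column name `arc_deviceCustomNumber1` for "custom number 1" are assumptions; only the filter, grouping and column names quoted in the text come from the page.

```python
"""Added example, not from the tutorial: the 'Average EPS per Day per Logger'
report query executed against a constructed SQLite events table. The schema and
the column name arc_deviceCustomNumber1 are assumptions; all rows are constructed."""
import sqlite3

# Constructed rows: (receipt time, event class id, logger address, custom number 1).
ROWS = [
    ("2015-04-20 00:05:00", "eps:100",   "10.0.0.1", 120.0),
    ("2015-04-20 12:05:00", "eps:100",   "10.0.0.1", 180.0),
    ("2015-04-20 00:05:00", "eps:100",   "10.0.0.2",  40.0),
    ("2015-04-21 00:05:00", "eps:100",   "10.0.0.1", 300.0),
    ("2015-04-21 00:05:00", "eps:100",   None,       999.0),  # no logger address: excluded
    ("2015-04-21 01:00:00", "agent:030", "10.0.0.1",   5.0),  # not an EPS event: excluded
]

# The report query as the text describes it: keep eps:100 events that carry a
# logger address, group by day and logger, average custom number 1.
AVG_EPS_SQL = """
SELECT DATE(events.arc_deviceReceiptTime)               AS "Date",
       events.arc_deviceAddress                          AS "Logger",
       ROUND(AVG(events.arc_deviceCustomNumber1), 2)     AS "Average EPS"
FROM events
WHERE events.arc_deviceEventClassId = 'eps:100'
  AND events.arc_deviceAddress IS NOT NULL
GROUP BY DATE(events.arc_deviceReceiptTime), events.arc_deviceAddress
ORDER BY "Date", "Logger"
"""

def build_events_db(rows=ROWS):
    """Create the (assumed) events table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        arc_deviceReceiptTime   TEXT,
        arc_deviceEventClassId  TEXT,
        arc_deviceAddress       TEXT,
        arc_deviceCustomNumber1 REAL)""")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return conn

def average_eps_per_day(conn):
    """Return [(date, logger, average_eps), ...], one row per day and logger,
    the same shape as the report's Date / Logger / Average EPS table."""
    return conn.execute(AVG_EPS_SQL).fetchall()

if __name__ == "__main__":
    for date, logger, avg_eps in average_eps_per_day(build_events_db()):
        print(f"{date}  {logger:<10} {avg_eps:>8.2f}")
```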

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
