Reviewing Individual ESM Components
- Pavan Raja

- Apr 8, 2025
- 12 min read
Summary:
This section covers the routine operational tasks for HP ArcSight ESM: controlling the services, configuring the Manager, installing a license key, and backing up the configuration and the system tables.
1. **Starting/Stopping ArcSight Services**: all ESM services are controlled from one init script, `/etc/init.d/arcsight_services start | stop | status`, which handles the Manager and its supporting services (mysqld, the logger services, postgresql and the rest) together rather than one at a time.
2. **Configuring the ESM Manager**: `./arcsight managersetup`, run from `/opt/arcsight/manager/bin` as the `arcsight` user with the Manager stopped, starts the Manager setup wizard used for network settings and service parameters.
3. **Managing the ESM License Key**:
**Installing a License Key**: copy the license Zip file to the ESM server and run `./arcsight deploylicense` from `/opt/arcsight/manager/bin`; the same command installs a new key or replaces an existing one.
**Backing Up License Information**: the source gives no procedure for this. Keeping a copy of the license Zip file you deployed covers it, since that file is all `deploylicense` needs to redeploy.
4. **ESM Backup Overview**:
**Configuration Parameters Backup**: `./arcsight configbackup` backs up configuration settings such as search settings and the archive configuration, which live under `/opt/arcsight/logger/current/arcsight/logger/tmp/configs`.
**Database Dump / Import**: `./arcsight export_system_tables` writes the system (resource) tables to `/opt/arcsight/manager/tmp/arcsight_dump_system_tables.sql`; the matching `import_system_tables` only accepts a file of that name produced by the export. The dump holds the resource and user tables, so store it with the same access controls as the Manager itself.
**Event Data Archiving**: event data is archived from the ArcSight Command Center, Storage and Archive tab, where archive jobs are enabled and scheduled.
These are the commands an administrator needs to bring the Manager up, license it, and keep a restorable copy of its configuration and resources.
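The backup steps above, wrapped in a script an administrator could schedule nightly. This is an added example, not from the HP documentation: it assumes the paths named on the page, that `export_system_tables` takes the database user, password and database name as positional arguments (confirm against the Administrator's Guide for your release), and that `DB_USER`, `DB_PASSWORD` and `DB_NAME` are supplied in the environment. The verification helpers can be exercised without an ESM install; the `main` function only runs when the script is invoked with `--run`.

```shell
#!/bin/sh
# Added example (not from the HP slides): nightly ESM configuration and
# system-table backup with integrity checks on what was written.
set -eu

ARCSIGHT_HOME="${ARCSIGHT_HOME:-/opt/arcsight}"
MANAGER_BIN="$ARCSIGHT_HOME/manager/bin"
CONFIG_DIR="$ARCSIGHT_HOME/logger/current/arcsight/logger/tmp/configs"
DUMP_FILE="$ARCSIGHT_HOME/manager/tmp/arcsight_dump_system_tables.sql"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/esm}"

# Every ArcSight operation runs as 'arcsight', never root (see the
# /opt/arcsight ownership rule). Returns 0 when user $1 equals $2.
check_user() {
    [ "$1" = "${2:-arcsight}" ]
}

# A system-table dump that is missing, empty or not SQL must never be
# accepted as a backup. 0 = ok, 1 = missing or empty, 2 = not a SQL dump.
verify_dump() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q -E '^(CREATE TABLE|INSERT INTO)' "$f" || return 2
    return 0
}

# Write a sha256 manifest of everything in $1 so a restore can detect a
# truncated or tampered backup. Prints the manifest path.
write_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 | sort | xargs sha256sum ) \
        > "$dir/MANIFEST.sha256"
    printf '%s\n' "$dir/MANIFEST.sha256"
}

# 0 when every file listed in the manifest under $1 still matches its hash.
check_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

main() {
    check_user "$(id -un)" arcsight || { echo "run as arcsight, not $(id -un)" >&2; exit 1; }
    dest="$BACKUP_ROOT/$(date +%Y-%m-%d)"
    mkdir -p "$dest" && chmod 700 "$dest"   # the dump contains user and credential tables

    # 1. Configuration parameters (search and archive settings).
    "$MANAGER_BIN/arcsight" configbackup
    cp -r "$CONFIG_DIR" "$dest/configs"

    # 2. Resource/system tables. Argument order is an assumption from the ESM 6.x
    #    guides; the password is visible in 'ps' while the export runs, which the
    #    tool gives no way around, so run this only on a host where just the
    #    arcsight user has shell access.
    "$MANAGER_BIN/arcsight" export_system_tables "$DB_USER" "$DB_PASSWORD" "$DB_NAME"
    verify_dump "$DUMP_FILE"
    cp "$DUMP_FILE" "$dest/"
    rm -f "$DUMP_FILE"                       # do not leave a second copy in manager/tmp

    write_manifest "$dest" >/dev/null
    check_manifest "$dest"
    echo "backup written to $dest"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Restore is the reverse order: verify the manifest, stop the Manager, run `import_system_tables` on the copied `arcsight_dump_system_tables.sql`, then restore the configs directory and start the services with `/etc/init.d/arcsight_services start`.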
Details:
The document opens with an overview of HP ArcSight Enterprise Security Manager (ESM): features, the business needs it addresses, licensed options, main components, user roles, content and packages, configuration, and log files. ESM combines real-time correlation with universal log management so that investigations and behavior-based detection run from one place; it ships compliance reporting and content for zero-day attacks and fraud, and 6.8c extends Identity View, Reputation Security Monitor, Threat Detector, Application View, Risk InSight and the Compliance Insight Packs. ESM is licensed as software, with a high-availability option; the Manager itself runs on Linux (RHEL, CentOS and SUSE, per the installation section below), while the Console client is available for Linux, Windows and Mac. Management is through the ArcSight Command Center and the Console, with multiple user roles, customizable content and packages, and configuration and log files kept under the ArcSight installation directory.
The release section describes ESM version 6.8c from Hewlett-Packard. Highlights: faster queries through Bloom filters, support for RHEL and CentOS 6.5, the move to Java 7, supported upgrade paths from specific earlier patch levels, and a storage ceiling raised to 12 TB, plus improvements to correlation and the CFC. The section also tallies Active Channels, Lists, Assets, Dashboards and Data Monitors per content area (Reputation, IdentityView, Threat Detector, FISMA, Sarbanes-Oxley, PCI and others), which gives a sense of how much packaged content the release carries.
A further table lists resource counts per type: Integration Commands, Configurations, Targets, Profiles, Queries, Query Viewers, Reports, Focused Reports, Rules, Session Lists, Trends, Use Cases, Alerts, Filters, and totals, broken out by source (IT Governance, Sarbanes-Oxley v4.01 and v5.5, PCI v3.01, Logger and the ArcSight Event Schema). Individual counts range from single digits into the hundreds, and the combined total exceeds a thousand resources. The same section introduces the event schema, the event lifecycle phases, and the CORR-Engine, which the following sections expand on.
Event storage is handled by ARC_LOGGER, a MySQL storage-engine plugin that writes events to compressed flat files indexed on selected fields; ESM's resource and system tables, by contrast, sit in ordinary InnoDB tables. Event data is write-once: rows are not updated or deleted individually but age out with their day. CORR-Engine event storage has two parts, active jobs and archives. The active jobs hold today's events and those of recent days; as each day falls out of the active window it becomes archive-only, and the split is redrawn daily.
The next section covers event storage and archiving in HP ArcSight ESM:
1. **CORR-Engine Operations**: the CORR-Engine works on events that are within their retention period, plus any offline archives an administrator has activated. Events sit in active "jobs" and are evaluated against the configured storage and retention policies.
2. **Retention Periods**: events stay in active storage for the configured retention period (for example 30, 60 or 90 days) and drop out of it afterwards; only an archive keeps them beyond that point.
3. **Event Time Stamping**: on arrival every event receives a Manager Receipt Time (MRT), which is the timestamp that retention and archiving are keyed on and the one that keeps stored data in arrival order.
4. **Archives and Retention**: a day's events that have been archived (archive jobs are scheduled from the Command Center, Storage and Archive tab) remain in the archive after the day has left active storage; archives are not subject to the retention period and persist until an administrator deletes them, so the archive is the long-term store for data that must outlive the active window.
5. **User Interfaces**: two web interfaces are described, the older ArcSight Web and the newer ArcSight Command Center, the latter being the interface HP is converging on across its ArcSight products so that administration happens in one place.
6. **Product and Interface Copyrights**: each slide carries HP's copyright notice, states that the information is subject to change without notice, and restricts the material to HP and its partners.
The next section describes the ArcSight Console (the Java Console), the thick client through which analysts and administrators manage security events, inspect data, and build and run reports against the Manager. The slides are marked for internal use by HP staff and partners.
Key features of the ArcSight Java Console:
1. **User Interface**: a GUI organized into panels: the Navigator (resource tree), the Inspect/Edit panel with its Common Conditions Editor (CCE) for building filter and rule conditions, and the Viewer for active channels, dashboards and event details.
2. **Version Compatibility**: the Console version must match the Manager it connects to, so Console upgrades are planned alongside Manager upgrades.
3. **Host File Integration**: the Manager's hostname must resolve to its IP on every Console host, through DNS or an entry in the hosts file; the Console connects by that name and the Manager's certificate is issued to it, so a bad or missing entry surfaces as a connection or certificate error rather than a clear message.
4. **Visual Cues for Events**: events are color-coded by priority on a 0 to 10 scale, and correlation events (those generated by rules) are marked with a lightning-bolt icon so they stand out from base events.
5. **Resource Management**: a correlation event can be drilled into to reach the base events that triggered the rule, which is how an analyst establishes the full scope of an alert.
6. **Content Sharing**: resources are split between per-user and shared content, so analysts can keep private work and publish what the team or a partner organization needs.
The Console is the day-to-day working tool for monitoring and responding to threats in real time; the web interfaces cover the remaining administrative and reporting work.
The following slides continue the Console material and move into architecture sizing:
1. **Copyright Information**: the same HP notice: restricted to HP and partners, subject to change without notice.
2. **Drill Down of Correlated Alerts**: from a correlation event the analyst can open the rule that fired it, which shows the conditions and aggregation that produced the alert and is usually the fastest route to judging whether it is a true positive.
3. **Rule Display in Inspect/Edit Panel**: the triggering rule opens in the Inspect/Edit panel, where it can be reviewed and, with the right permissions, edited in place.
4. **Integrated Workflow Case Editor**: events can be attached to cases and worked through the integrated case editor, which keeps the investigation record next to the events it is about.
5. **Architecture Sizing Information Gathering**: the inputs needed before sizing an ESM deployment: sustained and peak event throughput, the event types and sources expected, log retention requirements, high-availability needs, customer-specific constraints, and environmental factors such as available bandwidth, NAT between connectors and the Manager, MSSP (multi-tenant) use, regional versus global scope, compliance requirements, and the use cases to be covered.
6. **ESM Manager Typical Architecture**: the typical layout:
the Manager, a Java-based server, is the main processing component;
it is the only component that talks to the database;
events are stored and correlated by the CORR-Engine, and results reach users through the Console, the web interfaces and ArcSight reports;
events are stored by day and indexed for search across fields, and notifications are raised from them.
These slides are internal HP technical material; the emphasis is on what information to gather before sizing the system and on the components a standard deployment contains.
The components section lists what makes up ArcSight ESM: the Console, the web user interfaces, the command line interface, the connectors that bring in data from logs, databases, network devices, physical-security systems such as CCTV and other sources, and management tooling including the process-control scripts.
Day to day, ESM is driven through its GUIs (the Console and the ArcSight Command Center, the Web 2.0 interface) and through the CLI. On the CLI the single control point is `/etc/init.d/arcsight_services`, which starts, stops and reports status for every ArcSight service (manager, mysqld, logger_httpd and the others) with one command.
Data comes in through HP SmartConnectors, delivered either as software or on the SmartConnector hardware appliance, which normalize events from sources such as DVLabs feeds, FlexConnectors for custom formats, log files, identity systems and the rest into the ArcSight schema. The protocols and ports used between connectors, Manager and Console are listed in HP's restricted documents and are the starting point for the firewall rules between tiers.
The section closes with the check an administrator runs first: `/etc/init.d/arcsight_services status | start | stop`, which reports on the manager, the web service, the logger services, mysqld and postgresql that together make up an ESM installation.
The installation section covers ESM on RHEL or SUSE Linux: file system layout, user permissions and directory management.
Installation Details:
ESM (Enterprise Security Manager) is installed under /opt, which is given its own partition; all ArcSight software and data sit under a single directory, /opt/arcsight, so that disk sizing and backups have one root to deal with.
Supported file systems differ by distribution: XFS and EXT4 on RHEL, EXT3 on SUSE.
/opt/arcsight is owned by the 'arcsight' user, and every ArcSight operation is performed as that user, never as 'root'. That is the least-privilege boundary of the install: a compromised Manager process should not be able to modify the OS, and a check that nothing under /opt/arcsight has become root-owned or world-writable belongs in routine audits.
Current events live in /opt/arcsight/logger/data/logger and archived events in /opt/arcsight/logger/data/archives, where each archive sits in a directory named for the day it covers, so a retention or legal-hold question maps directly to a directory.
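A small audit of that layout, as an added example that is not part of the HP material: it checks that the ArcSight root is its own mount point, is owned by the service account and is not world-writable, and lists the day-named archive directories. The YYYY-MM-DD naming is an assumption (the page says only that archive directories are named for the day), so adjust the pattern to what your installation produces. The helpers take their paths as arguments so they can be tried against a scratch directory first; the audit runs against the real tree only when invoked with `--run`.

```shell
#!/bin/sh
# Added example (not from the HP slides): audit the ESM file system layout.
set -eu

ARCSIGHT_ROOT="${ARCSIGHT_ROOT:-/opt/arcsight}"
ARCSIGHT_USER="${ARCSIGHT_USER:-arcsight}"

# 0 when $1 is the root of its own mount (a separate partition), 1 otherwise.
is_mount_point() {
    [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "$1" ]
}

# 0 when $1 is owned by user $2 (owner column of ls -ld, portable across ls flavours).
owned_by() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# 0 when the "other" write bit of $1 is clear (9th character of the mode string).
not_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" != "w" ]
}

# Archive directories are named for the day they hold; YYYY-MM-DD is the
# assumed format. Prints the day-named entries of $1 in order.
list_archive_days() {
    ls -1 "$1" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort
}

# Prints anything under $1 that is NOT a day-named entry: stray files or
# directories in the archive tree point at manual tampering or a broken job.
stray_archive_entries() {
    ls -1 "$1" | grep -v -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' || true
}

# Hard checks on a layout rooted at $1 for service user $2. Returns 0 only
# when every check passes; the mount-point check is advisory (WARN only).
audit_layout() {
    root="$1" user="$2" rc=0
    is_mount_point "$root" || echo "WARN: $root is not a separate partition"
    owned_by "$root" "$user" || { echo "FAIL: $root not owned by $user"; rc=1; }
    not_world_writable "$root" || { echo "FAIL: $root is world-writable"; rc=1; }
    for d in "$root/logger/data/logger" "$root/logger/data/archives"; do
        if [ ! -d "$d" ]; then echo "FAIL: missing $d"; rc=1; continue; fi
        owned_by "$d" "$user" || { echo "FAIL: $d not owned by $user"; rc=1; }
        not_world_writable "$d" || { echo "FAIL: $d is world-writable"; rc=1; }
    done
    stray="$(stray_archive_entries "$root/logger/data/archives" 2>/dev/null)"
    [ -z "$stray" ] || { echo "FAIL: non-archive entries in archives: $stray"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then audit_layout "$ARCSIGHT_ROOT" "$ARCSIGHT_USER"; fi
```

Run it as the `arcsight` user from cron and alert on a non-zero exit; the same functions can be pointed at `/opt/arcsight/manager` and `/opt/arcsight/logger` individually if those trees are audited on different schedules.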
HA Architecture Explanation:
The HA architecture uses two hosts, PRIMARY (hostname 'esm') and SECONDARY (hostname 'esm1'), each with two network interfaces and a fixed address on each.
PRIMARY has 16.103.74.24 on eth0 and 192.168.145.24 on eth1; SECONDARY has 16.103.74.224 on eth0 and 192.168.145.224 on eth1. eth0 is the intranet side that clients reach; eth1 is the dedicated interlink used for disk mirroring. On top of these sits a separate service IP address and hostname, which the slides do not number, and which is what Consoles and connectors point at.
The two hosts form a cluster joined by an interlink cable and sharing data through distributed replicated block devices (DRBD); the service IP/name floats to whichever node is active, so clients never need to know which physical host they are on.
In summary, the Linux layout keeps ArcSight in one owned, separately mounted tree, and the two-node cluster provides fault tolerance behind a single service address.
The HA slides then cover fencing: the HP Intelligent Power Distribution Unit (iPDU) and the STONITH (Shoot The Other Node In The Head) mechanism.
1. **HA Module and iPDU Usage**: the HA module uses the iPDU to power off one node when both believe they are primary, the split-brain condition. Without that, both nodes would mount the replicated volume and run the Manager, and the two copies of the event store would diverge with no clean way back; cutting power to one node guarantees that only one writer survives.
2. **iPDU Specification**: the HP iPDU is a server-room power strip with remotely switchable outlets, controlled over the management network, so the cluster software can cut power to a specific server without anyone in the room.
3. **STONITH Mechanism**: STONITH isolates a node that has become unreachable or unresponsive (network fault, hung OS, stuck application) by forcing it off or resetting it through an out-of-band path: remote power control such as the iPDU, or I/O fencing at the storage or network layer. The fencing path must be independent of the node being fenced and of the cluster interlink, which is why an SSH-based "reboot the other node" is acceptable only as a last resort: a node that has lost its network cannot be reached over SSH, which is exactly when fencing is needed.
4. **Failover Process**: the failover starts when Pacemaker on the secondary decides the primary has failed. It assumes both nodes have a running OS, that the ESM application is installed and startable, and that the replicated file system can be brought up on the survivor; if so, the secondary fences the primary (iPDU power-off, or I/O fencing where configured) and then takes over.
5. **Technical Limitations**: the slides do not list limitations, but two follow from the design. If the fence device itself is unreachable, Pacemaker's default behavior is to refuse to promote the survivor rather than risk two primaries, so the iPDU's network path needs the same care as the interlink. And a fencing path that shares hardware with the interlink (same switch, same power feed) removes the independence STONITH relies on.
Overall, the architecture depends on out-of-band power and network control to guarantee that exactly one node is active after a failure.
When the primary host in an ESM (Enterprise Security Manager) HA pair fails, whether the OS crashes or the application stops, the secondary takes over. The failover runs through these steps:
1. **Detection of Primary Failure**: the secondary monitors the primary over the cluster interlink; when the primary stops answering (crash, hang, network fault) the cluster declares it failed and starts the takeover, which under the fencing rules above means the primary is powered off first.
2. **Taking Over the Cluster Alias Address**: the secondary brings up the cluster service IP (the alias address clients use) on its own eth0. Both nodes carry two interfaces for exactly this separation: eth0 for the intranet and client traffic, eth1 for disk mirroring, so replication load never competes with Console and connector traffic and a client-side network problem does not disturb replication.
3. **Data Replication via DRBD**: DRBD mirrors the primary's data disk to the secondary's disk at block level over eth1, so the secondary already holds a current copy when the primary dies. A failure of the primary's disk alone is handled the same way: the secondary's mirror is the surviving copy and the cluster promotes it.
4. **Restarting the ESM Application**: once it owns the service IP and has promoted its DRBD device and mounted the file system, the secondary starts the ESM services. Events cached on the SmartConnectors are delivered once the Manager is back, so the interruption is the takeover time rather than a loss of data.
5. **Operating System and Application Continuation**: the secondary does not merely assume the network identity; it restarts the full ESM stack (Manager, database and logger services) and any dependent processes, so everything that relied on the primary's services resumes on the secondary.
6. **Fail-Over Illustrated**: the second diagram in the slides shows the completed state, with the secondary holding the service address, the DRBD device in the primary role and ESM running, which is HP's documented end state for a failover.
In short, the HA design combines failure detection, fencing, a floating service address, block-level replication and an automated application restart on the surviving node to keep ESM available through a host failure.
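The takeover should only be allowed when DRBD on the surviving node is in a state that makes it safe, and a split-brain must be recognized rather than failed over. This added example (not HP's code, and independent of the Pacemaker configuration, which the slides do not show) parses the DRBD 8.x `/proc/drbd` resource line and returns a go/no-go verdict for the node it runs on. The four sample status lines are constructed for illustration and assume a single resource on device 0; the "peer down" case returns PROMOTE because that is the normal state on the secondary after the primary dies, with the fencing step still required before the promotion itself.

```shell
#!/bin/sh
# Added example (not HP's code): decide from DRBD 8.x /proc/drbd whether the
# local node may safely take over. Assumes one resource on device 0.
set -eu

# Constructed sample status lines as seen on the SECONDARY (not captured from a real cluster).
SAMPLE_HEALTHY=' 0: cs:Connected ro:Secondary/Primary ds:UpToDate/UpToDate C r-----
    ns:0 nr:1048576 dw:1048576 dr:0 al:0 bm:64 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0'
SAMPLE_SYNCING=' 0: cs:SyncTarget ro:Secondary/Primary ds:Inconsistent/UpToDate C r-----
    ns:0 nr:524288 dw:524288 dr:0 al:0 bm:32 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:524288'
SAMPLE_PEER_DOWN=' 0: cs:WFConnection ro:Secondary/Unknown ds:UpToDate/DUnknown C r-----
    ns:0 nr:1048576 dw:1048576 dr:0 al:0 bm:64 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0'
SAMPLE_SPLIT_BRAIN=' 0: cs:StandAlone ro:Primary/Unknown ds:UpToDate/DUnknown   r-----
    ns:0 nr:0 dw:4096 dr:0 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:4096'

# Print the value of key $1 (cs, ro, ds, oos, ...) from /proc/drbd text on stdin.
# Tokens look like "cs:Connected" or "ds:UpToDate/DUnknown"; the first match wins.
drbd_field() {
    awk -v k="$1" '{ for (i = 1; i <= NF; i++) if (index($i, k ":") == 1) { print substr($i, length(k) + 2); exit } }'
}

# Verdict for the /proc/drbd text passed as $1:
#   0  takeover allowed: local copy UpToDate and either the peer is alive and
#      fully in sync (planned switchover) or the peer is gone (fence, then promote)
#   1  hold: local copy not UpToDate, a resync is running, or no resource found
#   2  StandAlone: DRBD dropped the peer by itself, which is what it does after
#      detecting split-brain; never promote automatically, an operator picks the survivor
drbd_preflight() {
    text="$1"
    cs=$(printf '%s\n' "$text" | drbd_field cs)
    ds=$(printf '%s\n' "$text" | drbd_field ds)
    oos=$(printf '%s\n' "$text" | drbd_field oos)
    local_ds=${ds%%/*}
    [ "$local_ds" = "UpToDate" ] || return 1
    case "$cs" in
        Connected)    [ "${oos:-0}" -eq 0 ] && [ "$ds" = "UpToDate/UpToDate" ] || return 1 ;;
        WFConnection) ;;           # peer unreachable: fence it, then promote
        StandAlone)   return 2 ;;
        *)            return 1 ;;  # SyncSource, SyncTarget, Unconnected, ...
    esac
    return 0
}

# Human-readable form of the verdict, for a cron check or a Pacemaker wrapper.
drbd_verdict() {
    rc=0
    drbd_preflight "$1" || rc=$?
    case "$rc" in
        0) echo PROMOTE ;;
        1) echo HOLD ;;
        *) echo SPLIT-BRAIN ;;
    esac
}

if [ "${1:-}" = "--check" ] && [ -r /proc/drbd ]; then
    drbd_verdict "$(cat /proc/drbd)"
fi
```

The out-of-sync counter (`oos`) is the detail worth keeping: a connected pair reporting `UpToDate/UpToDate` with a non-zero `oos` has writes in flight that the peer has not confirmed, and promoting on the other side at that moment loses them.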
This document provides a comprehensive guide for ArcSight ESM (Enterprise Security Manager) version 6.8c, aimed at both administrators and end-users. It includes various guides such as the Administrator's Guide, User's Guides for Intrusion Monitoring and Cisco Monitoring, Configuration Monitoring, NetFlow Monitoring, Installation and Configuration Guide, Release Notes, Upgrade Guide, and Workflow. Additionally, it offers user interface help facilities including searchable online product guides and context-sensitive help. The document is intended for internal use by HP employees and partners, with the disclaimer that information can change without notice.
