SE Tips and Tricks by iRock
- Pavan Raja

- Apr 9, 2025
- 10 min read
Summary:
The page describes a method for handling historical log files with the ArcSight Logger tool. The main steps are:
1. **Concatenating Log Files**: Use commands like `gunzip -c logfile3.gz >> //concat.log` to append multiple compressed log files into one continuous "concat.log" file. Ensure the connector is running and check if "concat.log" is being collected by Logger. Verify permissions and configuration settings if necessary.
2. **Managing Growing Log File**: As "concat.log" grows with new compressed files, delete it once parsed by Logger and recreate it as a zero-byte file at the same location to allow continuous appending of new .gz files.
3. **Searching for Historical Logs**: Use the endTime field in Logger for searches. Set up criteria like "endTime" under filter with specific index fields based on your investigation needs. The endTime will be displayed in EPOCH format, but using a calendar icon allows easy input of desired dates and times.
4. **Search Results**: EndTime in search results appears as UNIX or EPOCH time, which can be used to find specific dates and times without manual conversion.
Additionally, the text mentions customizing email templates in ESM (Enterprise Security Manager) for more appealing designs during trials. It provides a detailed example of how Ameritrade customized emails based on different correlation alert types using Velocity macros.
In summary, this method helps manage log files efficiently through concatenation and parsing, with instructions for handling both historical and ongoing logs within the Logger tool. Customizing email templates in ESM allows for more engaging notifications tailored to specific events.
Details:
The document "SE Tips and Tricks | iRock" provides useful information for Sales Engineering (SE) professionals working with ArcSight, a security information and event management platform. It includes tips on using the Connector Syslog Simulator and Replay Generator to efficiently manage and test connectors in a demo environment.
The article titled "Connector Syslog Simulator" explains how to utilize a tool that allows users to read syslog files from systems without built-in syslog capabilities, effectively simulating this feature for testing purposes. It highlights an advanced capability through the command line interface using parameters such as -H (hostname), -P (port number), and -f (file path) which can handle much larger datasets than what is visible in the graphical user interface.
The second article, "Replay Generator 101," offers a straightforward method for creating demonstration events quickly by following five steps. These include creating a desktop shortcut to run the replay file generator script, setting up necessary connectors and channels, filtering desired events, and initiating the wizard through ESM (Enterprise Security Manager). The process is designed to streamline event creation for demo purposes in an ArcSight environment.
These tools are particularly valuable for Sales Engineers who need to demonstrate capabilities of the ArcSight platform or simulate real-world scenarios without deploying full systems, thus saving time and resources during the sales cycle or technical demonstrations.
The provided text outlines a step-by-step process for using the Asset 3.5 Resource Generator tool to import zones or assets, detailing each necessary action from start to finish, with some troubleshooting tips included at the end.
The steps include:
1. Unzipping the Resource Gen zip file into a designated working folder.
2. Placing the "assetfile".csv file in the same folder where the Resource Gen has been extracted.
3. Opening a Command Window and navigating to the folder containing both the Resource Generator and the "assetfile".csv file.
4. Running the command: `java -cp . ResourceGenerator "assetfile".csv "assetfile".xml` from within this directory.
5. Copying the newly generated "assetfile".xml file to the ArcSight Manager folder, typically located at `C:\arcsight\manager`.
This method helps in successfully importing zones or assets for customers by ensuring all files are properly placed and commands are correctly executed, with some flexibility in adjusting paths if necessary. The process may require adjustments to filters to avoid unwanted events like ArcSight correlation or ASM events.
The email from Gary Freeman outlines the process for using ArcSight to generate a list of dark IP addresses from RADB.NET, which are not allocated to specific users or organizations. Here is a summary of the main points:
1. **Using the Command Window**: Move to the ArcSight Manager bin folder (e.g., `arcsight40\manager\bin`) and open a new command window if needed.
2. **Running the Command**: Use the following command to archive an asset file:
```
arcsight archive -u "user name" -m "manager name" -i -f "Asset File".xml
```
3. **Ensuring Import is Successful**: Double-check that the ESM manager indicates a successful import. Ensure unique zone names (e.g., Zone A, Zone B, Zone C) and avoid using ampersands in resource names.
4. **Notes on Asset Import**: Provide additional notes if needed:
Zone names must be unique.
Avoid using ampersands in resource names to prevent issues with the Resource Generator.
5. **Scripting for Dark IP List**: Gary Freeman shares a script that uses ArcSight's `whois` tool and Cygwin (or MSU tools) to query IANA’s database, filter out unallocated address space, and generate a list of dark IP addresses in the form of `.txt`. The script is customized based on the install directory.
6. **Generating Dark IP List**: The script can be used to create a list that could be imported into ArcSight for managing dark IP addresses more dynamically. This method helps in comparing what is listed in the asset model with the actual reserved address space, providing an up-to-date view of unused or "dark" IP ranges.
7. **ESM Image Editor 101**: A suggestion to explore the ESM (Enterprise Security Manager) Image Editor for managing network drawings and configurations within ArcSight. This could be useful in demonstrating capabilities during a Proof of Concept (POC).
This email serves as a guide for using ArcSight features, scripting, and tools to manage IP address spaces more effectively through automation and periodic updates.
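An added example, not Gary Freeman's script, of the filtering step described above: it reads a CSV in the layout of IANA's ipv4-address-space registry (header assumed to be `Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note`) and emits the RESERVED and UNALLOCATED /8 blocks as CIDR lines suitable for an asset import; the registry rows in the sample are constructed.

```shell
# Added example (not the original page's script). Assumed input layout:
# IANA ipv4-address-space CSV, header Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
set -eu

# Write a small constructed registry sample (not a live IANA download) to $1.
write_sample_registry() {
    cat > "$1" <<'EOF'
Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
000/8,IANA - Local Identification,1981-09,,,RESERVED,
008/8,Administered by ARIN,1992-12,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
010/8,IANA - Private Use,1995-06,,,RESERVED,
050/8,ARIN,2010-02,whois.arin.net,https://rdap.arin.net/registry,ALLOCATED,
100/8,ARIN,2010-11,whois.arin.net,https://rdap.arin.net/registry,ALLOCATED,
EOF
}

# Emit one CIDR line per "dark" /8 in the registry file $1.
# The prefix is a zero-padded octet such as "010/8"; awk drops the padding with +0.
# Only the status column (field 6) decides inclusion: RESERVED and UNALLOCATED
# blocks are dark, ALLOCATED and LEGACY blocks are in use and skipped.
dark_ip_list() {
    awk -F',' 'NR > 1 {
        split($1, p, "/")
        status = toupper($6)
        if (status ~ /^(RESERVED|UNALLOCATED)/) printf "%d.0.0.0/%s\n", p[1] + 0, p[2]
    }' "$1"
}

# Stand-alone run: build the sample and print the resulting dark list.
sample=$(mktemp)
write_sample_registry "$sample"
dark_ip_list "$sample"      # prints 0.0.0.0/8 and 10.0.0.0/8
rm -f "$sample"
```

The printed lines are the `.txt` list the email describes; comparing it against the zones in the asset model shows which reserved ranges the model is missing.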
To replicate image views similar to those seen in the PCI Demo using the ArcSight Console, follow these steps:
1. **Prepare the Image**: Obtain or create content in original Visio format for optimal quality, or export a high-resolution JPG (at least 150dpi).
2. **Edit and Export the Image**:
Open the .vsd file in Visio.
Export it as a JPG with custom dimensions set to 150dpi x 150dpi.
3. **Modify ArcSight Configuration**:
Close all instances of the ArcSight Console.
Locate and edit the `admin.ast` file under `ARCSIGHT_HOME\Console\Current\admin.ast`.
Change `console.ui.imageEditor=false` to `console.ui.imageEditor=true`.
Save the file.
4. **Start the Console**:
Re-start the ArcSight Console and log in as "admin".
5. **Access Image Editor**:
In the ArcSight Console, go to the `Views` menu, then select `Image Editor`.
You will now have access to the image editor with an empty palette.
6. **Add a New Image Entry**:
Click on the `New Image Entry` icon in the left-hand tool list.
In the open file dialog, select the exported JPG file and click 'OK'.
Resize the image to fit the screen without distortion.
7. **Customize and Populate**:
Use the help feature within each option to learn how to add and populate controls like pie charts and bar charts.
You can drill down into other channels or additional images for a comprehensive view, similar to the PCI Demo.
8. **Save and View**:
Save the image using the customer's name in the Image Editor.
To view it, go to an Active Channel (such as Demo Live) and click on the `Channel Viewer type` icon at the bottom right.
Select `Image Viewer>{customerName}`.
Ensure that the filters for chart types are correctly populating with data.
9. **Unlock Asset Tree**:
If you encounter multiple assets in your asset tree, adjust accordingly to avoid duplicates under ArcSight.
By following these steps, you can replicate and customize image views similar to those demonstrated in the PCI Demo using the ArcSight Console.
The provided information outlines several configurations and procedures related to ArcSight, which is a security information and event management (SIEM) software by Broadcom. Here are the summaries of each section:
1. **Unlocking Resource Tree for Cleanup:**
To unlock specific resource tree branches in ArcSight System Administration, add the following properties to `server.properties` file:
```plaintext
resource.lock.uri.exclude.list=/All Assets/ArcSight System Administration, /All Assets/ArcSight System Administration/Agents, /All Assets/ArcSight System Administration/Devices, /All Assets/ArcSight System Administration/Managers, /All Assets/ArcSight System Administration/Databases, /All Assets/ArcSight System Administration/Consoles
```
After making these changes, bounce the Manager to unlock this resource tree for cleanup.
2. **How-To Docs by Paul Bowen:**
A zip file, uploaded by Paul Bowen, containing a collection of tips that may be helpful during trials. The contents are not detailed in the provided text but appear to be general troubleshooting or guidance documents.
3. **Migrating ESM Zones to Logger Destinations:**
This document explains how to move an ESM (Enterprise Security Manager) network model to connectors that send events to Logger. It involves assigning zones to Logger destinations for better event management and segregation.
4. **ArcSight Logger RBAC MSSP Procedures:**
The document provides a step-by-step guide on achieving multi-customer mapping using a connector like Syslog on the Connector Appliance, specifically designed for MSSPs (Managed Security Service Providers). This setup helps in segregating data and providing necessary Role-Based Access Control (RBAC) on Logger.
During testing, logs are sent from a VMware instance of Windows to two NAT destinations using Snare, with virtual interfaces performing the NAT. A Syslog connector is required, which can be either software-based or on the Connector Appliance. Mapping files parse the NAT IP addresses and set the Customer URI accordingly.
These summaries provide an overview of the functionalities and configurations related to ArcSight that are essential for system administration and troubleshooting in a SIEM environment.
The document discusses setting up filters for user groups in ArcSight Logger, specifically for two customers (CustomerA and CustomerB) with restricted access. Two user groups named GroupA and GroupB are created with Logger rights and search permissions, each containing two users (UserA and UserB). The respective group filters are assigned to these groups. After creating the necessary filters and assigning them, the document suggests logging in as each user to verify that they can only view their designated customer data.
Additionally, Mathew Varghese provides information on forwarding syslog events from Cisco MARS to ESM (Enterprise Security Manager). The process involves setting up a syslog relay with specific configuration for the destination IP address and exclusion of unwanted IPs. The document also includes links for further reference and troubleshooting steps.
The provided text outlines a method for restoring historical UNIX syslog files using Logger 3.0 Patch 1, without encountering issues related to misconfigured device time. It emphasizes the importance of having the latest SmartConnector executable and running it on a Red Hat-based Linux distribution with at least dual-core processing and 4 GB RAM. The procedure involves configuring a CEF UDP receiver in Logger for faster data transfer and setting up the connector to read from multiple compressed log files, which are then concatenated into one file named "concat.log."
The steps include:
1. Setting up a CEF UDP receiver in Logger as "SyslogFileTest".
2. Logging into the Linux box with root permissions (sudo can be used).
3. Creating a 0-byte file called "concat.log" in the directory where the connector will read from.
4. Installing and configuring the Syslog File Reader connector to read "concat.log" and send data to Logger's "SyslogFileTest" receiver.
5. Starting the connector instance by running `./arcsight agents` in the connector `/bin` directory.
6. Attaching or copying the external storage device containing historical log files, or directly accessing them on-site.
7. Opening a new shell window and changing to the location of the .gz compressed log files.
8. Concatenating the original compressed log files into "concat.log" using the command `gunzip -c logfile1.gz logfile2.gz > concat.log`.
This method ensures that historical syslog data can be processed without issues related to device time and provides a structured approach for handling large volumes of data.
This text describes the process for handling historical log files with Logger. The goal is to ensure that historical logs are properly searched and indexed, even though Logger does not automatically handle this for historical data. Here is a summary of the main points:
1. **Concatenating Log Files**: To manage growing log files, use commands like `zcat logfile3.gz >> //concat.log` to append further compressed log files into the one continuous "concat.log" file (on systems without `zcat`, `gzcat` does the same). Ensure the connector is running and check that the "concat.log" file is being collected by Logger. If not, verify permissions and configuration, or look for errors in the agent log ("agent.log").
2. **Managing Growing Log File**: Since "concat.log" will continue to grow with more compressed files, it should be deleted once parsed by Logger and recreated as a zero-byte file at the same location. This allows new .gz files to be appended continuously into the "concat.log".
3. **Searching for Historical Logs**: When searching for historical logs, use the endTime field in Logger. This is not user-friendly due to displaying time in EPOCH format (UNIX timestamp). To make this process easier:
Open "Search Composer" in Logger and select "endTime" as a search criterion under filter.
Set the operator to "=" and choose the Condition field, then use a calendar icon to input the desired date and time. This will automatically populate the display with the exact timestamp.
Add other specific index fields for your investigation based on the criteria you need.
4. **Search Results**: The endTime in search results will appear as UNIX or EPOCH time, which can be used to find specific dates and times without converting it manually.
This procedure is designed to facilitate historical log searches efficiently using Logger, even though it does not natively support full indexing of historical data based on receipt time.
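The concat.log workflow from the steps above, as an added shell example (not code from the original page): it recreates the zero-byte file, appends compressed archives with `gunzip -c ... >>`, and verifies the batch landed. It assumes the Syslog File Reader tails the path in `CONCAT`; the archive names and log lines are constructed.

```shell
# Added example (not from the original page). Assumption: the connector reads $CONCAT.
set -eu

CONCAT="${CONCAT:-./concat.log}"   # path the Syslog File Reader tails (assumed)

# Step 3, and the "delete and recreate" note: make concat.log a fresh 0-byte file
# so the next batch of archives starts from an empty file the connector can pick up.
reset_concat() {
    rm -f "$CONCAT"
    : > "$CONCAT"
}

# Step 8 and the growing-file note: decompress each .gz to stdout and append it.
# ">>" appends rather than truncating, so archives given in order land in sequence
# while the connector keeps reading the same file.
append_gz() {
    for f in "$@"; do
        gunzip -c "$f" >> "$CONCAT"
    done
}

# Line count of concat.log, used to confirm a batch arrived before resetting.
concat_lines() {
    wc -l < "$CONCAT" | tr -d ' '
}

# Stand-alone demo with constructed archives (two syslog lines, then one).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    CONCAT="$tmp/concat.log"
    printf 'Jan  1 00:00:01 host sshd[1]: constructed line a\nJan  1 00:00:02 host sshd[1]: constructed line b\n' \
        | gzip > "$tmp/logfile1.gz"
    printf 'Jan  1 00:00:03 host sshd[1]: constructed line c\n' | gzip > "$tmp/logfile2.gz"
    reset_concat
    append_gz "$tmp/logfile1.gz" "$tmp/logfile2.gz"
    echo "lines in concat.log: $(concat_lines)"   # 3
    reset_concat                                  # ready for the next batch of .gz files
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the three appended lines counted; in real use, call `reset_concat` only after Logger has finished parsing the current contents.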
The text discusses the customization of email templates in ESM (Enterprise Security Manager), which are basic by default. It suggests that customers might prefer more sophisticated or nicer-looking templates for testing purposes during trials.
The article mentions a specific example provided by Ameritrade, which was anonymized and distributed to provide guidance on customizing the emails using Velocity macros based on different correlation alert types. This method allows for tailored email notifications according to various events.
To sum up: customers can enhance the basic ESM email templates with more appealing designs or functionality by customizing them with Velocity and linking specific templates to alerts, as demonstrated by the detailed example provided in anonymized form.
This text appears to be related to document management and collaboration tools, possibly within a corporate or organizational environment. The content is tagged with "resource_generator," suggesting it may be part of a system that facilitates the creation or distribution of resources such as documents, presentations, or spreadsheets.
The interface includes options for tagging content, which presumably helps in organizing and searching for specific types of information within the repository. There's also a comment section where users can provide feedback or comments, although it requires login credentials to access. The document itself is marked as "final," implying that there are multiple versions available from which to choose, potentially managed through version control features.
The interface includes various actions such as editing, creating copies, viewing the document as a PDF, and managing different versions of the content. There's also an option to delete the document if needed. The "Sync Your Office Documents" section is promoting a Jive plugin for Microsoft Office, which allows users to interact with the platform directly from their office applications to create, open, collaborate on, and share documents.
Finally, at the bottom of the interface, there's information about the software version and technical details related to its deployment within the organization.