
SN42 Internal Auditing and uses

  • Writer: Pavan Raja
  • Apr 9
  • 3 min read

Summary:

The document is a guide created by Ken Mermoud, Senior Security Engineer at ArcSight, aimed at helping users monitor the infrastructure of ArcSight products. Key points include configuring internal events for centralized monitoring, checking device status and performance metrics such as CPU usage, memory, network traffic and disk usage, and detailed auditing with audit events. The document covers the setup for forwarding internal events from connectors, devices and appliances to the Enterprise Security Manager (ESM), including the configuration of appliances such as Logger and Connector Appliance. It also discusses why configuring and forwarding these events matters: they provide a comprehensive view of system health and make troubleshooting easier.

Details:

The document is a guide created by Ken Mermoud, a Senior Security Engineer at ArcSight, to help monitor the infrastructure of ArcSight products. It provides instructions on how to monitor the different components: devices, connectors, appliances and ESM (Enterprise Security Manager). Key aspects include using internal events for centralized monitoring; checking status and performance metrics such as CPU usage, memory, network traffic and disk usage; and detailed auditing with audit events. The document also explains why configuring and forwarding these events matters: they give a comprehensive view of system health and make troubleshooting effective. The configuration part covers forwarding internal events from connectors and devices to the central ESM, including the setup of appliances such as Logger and Connector Appliance and the connections between them. The key points are:

1. **Connector and Device Configuration**:

  • **Enable Device Status Monitoring Events**: This is done by modifying properties on the connector to enable monitoring events for device status.

  • **Forwarding Connectors**: These are configured based on whether it's a single-tier or multi-tier ESM setup.

2. **Connector Appliance Configuration**:

  • **Upload ESM Certificate**: To secure the connection between the Connector Appliance and ESM, an SSL certificate must be uploaded.

  • **Add Syslog Connector**: Configure a syslog connector to forward events to the ESM Manager.

  • **Enable Status Monitor Events**: This includes enabling system health events and device status monitoring.

3. **Logger Configuration**:

  • **Upload ESM Certificate**: Similar to the Connector Appliance, upload an SSL certificate to the Logger for secure communication with ESM.

  • **Add Forwarder**: Set up a forwarder of type ArcSight ESM (CEF) to forward audit events directly to the ESM destination.

4. **Single-Tier and Multi-Tier ESM**:

  • **Single-Tier**: No additional configuration is needed as internal events are already present in the system.

  • **Multi-Tier**: Configure a forwarding connector between the source manager (host, port, user/password) and the destination manager (host, port, user/password).

5. **Content Description**:

  • **Active List: Devices** tracks all devices and critical devices that need monitoring.

  • **Rule: Critical Device not reporting** triggers a notification if a critical device is down for an extended period.

  • **Data Monitor: Devices Up/Down** provides a dashboard to view the status of connected devices.
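As an added example (not code from the guide or from ArcSight), the logic of the Devices active list and the Critical Device not reporting rule expressed in Python over a few constructed CEF device-status lines; the vendor, product, signature ID, extension fields, hostnames and timestamps are assumptions, and rt is assumed to hold the receipt time in epoch milliseconds.

```python
import re

# Constructed sample "device status" events in CEF, modelled on the kind of
# status-monitor events a connector forwards to ESM. Vendor, product, signature
# ID, hostnames and timestamps are placeholders, not real ArcSight values.
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|ExampleConnector|1.0|100|Device status|3|dvchost=fw01 rt=6000000 cs1Label=Status cs1=Up",
    "CEF:0|ExampleVendor|ExampleConnector|1.0|100|Device status|3|dvchost=ids02 rt=1200000 cs1Label=Status cs1=Up",
    "CEF:0|ExampleVendor|ExampleConnector|1.0|100|Device status|3|dvchost=proxy03 rt=600000 cs1Label=Status cs1=Up",
]

# Stand-in for the "Devices" active list: the critical devices that must keep reporting.
CRITICAL_DEVICES = {"fw01", "ids02", "db04"}

# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF line into its seven header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    parts = line.split("|", 7)  # 7 header fields; everything after is the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line)
    keys = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    event = dict(zip(keys, parts[:7]))
    event["ext"] = dict(_EXT_RE.findall(parts[7]))
    return event


def last_report_times(lines):
    """Latest receipt time (epoch ms) per device host seen in the status events."""
    last = {}
    for line in lines:
        ev = parse_cef(line)
        host = ev["ext"].get("dvchost")
        rt = ev["ext"].get("rt")
        if not host or rt is None:
            continue  # skip events that identify neither a device nor a time
        last[host] = max(last.get(host, 0), int(rt))
    return last


def critical_devices_not_reporting(lines, critical, now_ms, max_silence_ms):
    """Rule logic: flag a critical device that has not reported within
    max_silence_ms, or that has never reported at all."""
    last = last_report_times(lines)
    return [h for h in sorted(critical)
            if h not in last or now_ms - last[h] > max_silence_ms]


if __name__ == "__main__":
    # "now" two hours in, one hour of silence allowed: ids02 and db04 are flagged
    print(critical_devices_not_reporting(SAMPLE_CEF, CRITICAL_DEVICES, 7_200_000, 3_600_000))
```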

This document serves as a guide for setting up and maintaining internal event forwarding within ArcSight systems, ensuring that crucial device and connector statuses are monitored and reported efficiently to the central ESM system.

This document also outlines the content and monitoring capabilities of the various components within the ArcSight infrastructure, including Connectors, Appliances, Logger, ESM (Enterprise Security Manager) and Database, so that users understand how to monitor their ArcSight environment effectively using internal events. The overview starts with a detailed breakdown of Connector Monitoring, which uses content available in the ESM Foundation Content for versions 4.0 SP3 and above. This content forms part of the ArcSight Administration Package and is located under /All */ArcSight Administration/Connectors/System Health/. The monitoring covers Connectors (Connector Up/Down) and Appliance (Connector Caching). A Connector Status Dashboard provides a visual status of connectors, while Appliance Performance Monitoring includes a Logger Overview Dashboard showing CPU Usage, Disk Usage, Memory Usage, Network Usage and performance over the last hour. ESM Monitoring focuses on Event Throughput and Database Monitoring, with statistics on database performance, free space, event insert/retrieval time and trends over time.

Finally, there is an ArcSight Infrastructure Monitoring Checklist, which lists devices such as Connectors, Appliances (including Logger) and ESM components such as the Database. The content helps users understand how to monitor each product separately using internal events such as Status Monitor Events and Audit Events. The document concludes by encouraging participants to think about leveraging ArcSight's internal events for monitoring their environment, creating custom content, sharing ideas and providing feedback. It also offers contact information for further assistance from ArcSight.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
