HPE ArcSight Management Center Administrator's Guide

HPE Security
ArcSight Management Center
Software Version: 2.6x

Administrator's Guide

July 13, 2017

Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HPE ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality
of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.
This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2017 Hewlett Packard Enterprise Development, LP
Follow this link to see a complete statement of copyrights and acknowledgements:
https://www.protect724.hpe.com/docs/DOC-13026

Support
Contact Information
Phone: A list of phone numbers is available on the HPE ArcSight Technical Support Page:
https://softwaresupport.hpe.com/documents/10180/14684/esp-support-contact-list
Support Web Site: https://softwaresupport.hpe.com
Protect 724 Community: https://www.protect724.hpe.com

HPE Security ArcSight Management Center 2.6x

Page 2 of 316

Contents
Chapter 1: HPE ArcSight Management Center Overview
New Features and Enhancements
Chapter 2: Software Installation

Overview

Installing ArcSight Management Center
Prerequisites for Installation
Installation Steps
GUI Mode Installation
Console Mode Installation
Silent Mode Installation
About Licenses for Silent Mode Installations
Generating the Silent Install Properties File
Installing Using the Generated Properties File
Next Steps After Installation
Enabling/Disabling ArcSight Management Center as a System Service
Starting Services Automatically for a Non-Root Installation
Configuring Firewall Rules
Configuring the Firewall on ArcSight Management Center Appliance

ArcSight Management Center Operations
Connecting to the ArcSight Management Center User Interface
ArcSight Management Center Processes
The ArcSight Management Center Daemon (arcmcd)
Uninstalling Software ArcSight Management Center
Uninstalling in GUI Mode
Uninstalling in Console Mode
Uninstalling in Silent Mode

Installing the ArcSight Management Center Agent

ArcSight Management Center Agent Operations
Uninstalling the ArcSight Management Center Agent

Chapter 3: The User Interface

Overview

The Menu Bar

Monitoring Summary
Node Management
Configuration Management
User Management
Administration

Stats (EPS In/Out)

Site Map

History Management

Chapter 4: Managing Nodes

Overview

Node Management

The Navigation Tree

The Management Panel
Management Tabs
Tab Controls
The Locations Tab
The Hosts Tab
The Containers Tab
The Connectors Tab
The Connector Summary Tab
Connector Data
Connector Parameters
Table Parameters (WUC Connectors Only)
Destinations
The ConApps Tab
The Loggers Tab
The ArcMCs Tab
The EB Nodes Tab

Locations
Adding a Location
Editing a Location
Viewing All Locations
Deleting a Location

Hosts
About Adding a Host
Prerequisites for Adding a Host (for each Host Type)
Node Authentication Credentials

Managing SmartConnectors on ArcMC
Preparing to Add Event Broker as a Host
Adding a Host
Adding a Host with Containers
Importing Multiple Hosts
Prerequisites for Importing Multiple Hosts
CSV File Format
Host Field Values
Import Hosts Procedure
Import Hosts Job Logs
Exporting Hosts
Viewing All Hosts
Viewing Managed Nodes on a Host
Deleting a Host
Moving a Host to a Different Location
Updating (or Installing) the ArcMC Agent
Scanning a Host
The Scan Process
Downloading and Importing Host Certificates
Updating Host Credentials
Chapter 5: Managing HPE ArcSight Products

Overview

Managing Connector Appliances (ConApps)
Rebooting a ConApp
Shutting Down a ConApp
Editing or Removing a Configuration for a ConApp
Setting a Configuration on ConApps

Managing Other ArcSight Management Centers
Rebooting an ArcMC
Shutting Down an ArcMC
Editing or Removing a Configuration for ArcMC
Upgrading ArcMC
Setting a Configuration on Managed ArcMCs
Managing SmartConnectors on ArcMC

Managing Loggers
Rebooting a Logger
Shutting Down a Logger
Editing or Removing a Configuration for a Logger

Upgrading a Logger
Setting a Configuration on Loggers
Managing Containers
Viewing All Containers
Viewing Connectors in a Container
Editing a Container
Deleting a Container
Updating Container Properties
Changing Container Credentials
Sending a Command to a Container
Upgrading All Connectors in a Container
Modifying logger.properties
Restarting a Container
Viewing Container Logs
Deleting a Container Log
Enabling FIPS on a Container
Enabling FIPS Suite B on a Container
Adding a Connector to a Container
Running Logfu on a Container
Managing Certificates on a Container
Adding CA Certificates to a Container
Removing CA Certificates from a Container
Adding a CA Certs File to a Container
Enabling or Disabling a Demo Certificate on a Container
Adding Multiple Destination Certificates to a Container
Viewing Certificates on a Container
Resolving Invalid Certificate Errors
Running Diagnostics on a Container
Managing Connectors
Viewing All Connectors
Adding a Connector
Prerequisites
Editing Connector Parameters
Updating Simple Parameters for a Connector
Updating Table Parameters for a Connector
Updating Simple and Table Parameters for Multiple Connectors
Managing Destinations
Adding a Primary Destination to a Connector
Adding a Failover Destination to a Connector
Adding a Primary or Failover Destination to Multiple Connectors

Removing Destinations
Re-Registering Destinations
Editing Destination Parameters
Editing Destination Runtime Parameters
Managing Alternate Configurations
Defining a New Alternate Configuration
Editing an Alternate Configuration
Editing Alternate Configurations in Bulk
Sending a Command to a Destination
Deleting a Connector
Sending a Command to a Connector
Running Logfu on a Connector
Remote File Systems
Managing a Remote File System
Changing the Network Interface Address for Events
Developing FlexConnectors
Editing FlexConnectors
Sharing Connectors in ArcExchange
Packaging and Uploading Connectors
Downloading Connectors
Configuration Suggestions for Connector Types
Included FlexConnectors
Configuring the Check Point OPSEC NG Connector
Adding the MS SQL Server JDBC Driver
Adding the MySQL JDBC Driver
Chapter 6: Managing Configurations

Overview

Configuration Management
The Configurations Table
The Details Tab
General
Properties
The Subscribers Tab
Non-Compliance Reports
Creating a Subscriber Configuration
Editing a Subscriber Configuration
Deleting a Subscriber Configuration
Importing a Subscriber Configuration

Managing Subscribers

Viewing Subscribers
Adding a Subscriber
Unsubscribing a Subscriber

Pushing a Subscriber Configuration
Push Validation
Common Causes for Push Failure
Push Remediation

Checking Subscriber Compliance

Comparing Configurations

Configuration Management Best Practices

Subscriber Configuration Types
Connector Configuration Types
BlueCoat Connector Configuration
FIPS Configuration
Map File Configuration
Parser Override Configuration
Syslog Connector Configuration
Windows Unified Connector (WUC) External Parameters Configuration
Limitations to WUC External Parameters Configurations
Windows Unified Connector (WUC) Internal Parameters Configuration
Limitations to WUC Internal Parameters Configurations
ArcMC/Connector Appliance Configuration Types
ArcMC/Connector Appliance Configuration Backup Configuration
Destination Configuration Types
Destination Configuration Parameters
Networks and Zones
Logger Configuration Types
Logger Configuration Backup Configuration
Logger Connector Forwarder Configuration
Logger ESM Forwarder Configuration
Logger Filter Configuration
Logger SmartMessage Receiver Configuration
Logger Storage Group Configuration
Logger TCP Forwarder Configuration
Logger Transport Receiver Configuration
Logger UDP Forwarder Configuration
System Admin Configuration Types
Authentication External
Authentication Local Password

Authentication Session
DNS Configuration
FIPS Configuration
Network Configuration
NTP Configuration
SMTP Configuration
SNMP Poll Configuration
SNMP Trap Configuration

Initial Configuration Management
Importing an Initial Configuration
Pushing an Initial Configuration
Deleting an Initial Configuration
Event History

Managing Logger Event Archives
Managing Event Archives

Managing Logger Peers
Viewing Peers or Peer Groups
Adding or Removing Peers
Importing a Peer Group
Edit a Peer Group
Pushing a Peer Group
Deleting a Peer Group

Managing Event Broker
About Topics
Adding a Topic
About Routes
Creating a Route
Editing a Route
Deleting a Route

Chapter 7: Managing Users on Managed Products

Overview
User Management Workflow

Users and User Lists

Permission Groups

Roles

Node Lists

Associations

Compliance Report

Chapter 8: Dashboard

Overview

ArcSight Management Center Dashboard
The Monitoring Summary
License Usage Chart
Drilling Down
Data Charts
ADP Licensed Usage for the Last 30 Days

Monitoring Rules
Preset Rules
Managing Rules
Monitoring Rules Parameters
Rule Verification
Custom Rules Examples
Example 1: Warning Breach
Example 2: Critical Breach
Configuring Email Notifications
Example Email Notification
Configuring SNMP Notifications

Topology View

Chapter 9: Managing Backups and Restores

Overview

Backup

Restore

Chapter 10: Snapshots

Overview

Creating a Snapshot

Chapter 11: Logger Consumption Report

Chapter 12: Managing Repositories

Overview

Logs Repository

Uploading a File to the Logs Repository

CA Certs Repository
Uploading CA Certificates to the Repository
Removing CA Certificates from the Repository

Upgrade Files Repository
About the AUP Upgrade Process
Uploading an AUP Upgrade File to the Repository
Removing a Connector Upgrade from the Repository

Content AUP Repository
Applying a New Content AUP
Applying an Older Content AUP

Emergency Restore

User-Defined Repositories
Creating a User-Defined Repository
Retrieving Container Files
Uploading Files to a Repository
Deleting a User-Defined Repository
Updating Repository Settings.
Managing Files in a Repository
Retrieving a File from the Repository
Uploading a File from the Repository
Removing a File from the Repository

Pre-Defined Repositories
Settings for Backup Files
Settings for Map Files
Settings for Parser Overrides
Settings for FlexConnector Files
Settings for Connector Properties
Settings for JDBC Drivers
Backup Files
Adding Parser Overrides

Chapter 13: System Administration
System
System Reboot
Network
System DNS
Hosts
NICs
Static Routes
Time/NTP
SMTP
License & Update
Updating the Appliance
Updating the License File
Process Status
System Settings
SNMP
SNMP Configuration
Viewing SNMP System Information
SSH Access to the Appliance
Enabling or Disabling SSH Access
Connecting to Your Appliance Using SSH
Diagnostic Tools
Display I/O Statistics
Display file
Display network connections
Display network interface details
Display network traffic
Display process summary
Display routing table
Edit text file
List directory
List open files
List processes
Ping host
Resolve hostname or IP Address
Scan network ports
Send signal to container
Tail file
Trace network route

Logs
Audit Logs
Configuring Audit Forwarding
For Software ArcSight Management Center
For ArcSight Management Center Appliance
Configuring Audit Forwarding to a Specific Destination

Storage
RAID Controller/Hard Disk SMART Data

FTP
Models Supporting FTP
Enabling FTP
Adding a Subdirectory
Processing Log Data Received via FTP
Using FTPS (FTP over SSL)
Using FTPS with Blue Coat ProxySG

Security
SSL Server Certificate
Generating a Self-Signed Certificate
Generating a Certificate Signing Request (CSR)
Importing a Certificate
SSL Client Authentication
Uploading Trusted Certificates
Uploading a Certificate Revocation List
Enabling Client Certificate Authentication
FIPS 140-2

Users/Groups on ArcMC
Authentication
Sessions
Local Password
Users Exempted From Password Expiration
Forgot Password
External Authentication
Local Password
Client Certificate Authentication
Client Certificate and Local Password Authentication
LDAP/AD and LDAPS Authentication
RADIUS Authentication
Local Password Fallback
Login Banner
User Management
Users
Reset Password
Groups
System Admin Groups
ArcSight Management Center Rights Groups for ArcSight Management Center
Managing a User Group
Change Password

Appendix A: Audit Logs

Audit Event Types

Audit Event Information

Application Events

Platform Events

System Health Events
SNMP Related Properties

Appendix B: Destination Runtime Parameters

Appendix C: Special Connector Configurations

Microsoft Windows Event Log - Unified Connectors
Change Parser Version by Updating Container Properties
SSL Authentication

Database Connectors

Add a JDBC Driver

API Connectors

File Connectors

Syslog Connectors

Appendix D: Setting Up Your ArcSight Management Center Appliance

Appendix E: Restoring Factory Settings

Overview

Factory Restore Using HPE System Restore

Factory Restore Using Acronis True Image

Appendix F: SuperSchema

Appendix G: The Topology View and Unmanaged Devices

Send Documentation Feedback

Chapter 1: HPE ArcSight Management Center Overview
The following topic is discussed here.

• New Features and Enhancements

HPE ArcSight Management Center (ArcMC) is a centralized management tool that simplifies security
policy configuration, deployment maintenance, and monitoring in an efficient and cost-effective
manner.
ArcMC offers these key capabilities:
• Management and Monitoring: Provides a single management interface to administer and monitor
ArcSight managed nodes, such as Connector Appliances, Loggers, Connectors, other ArcMCs, and
Event Broker.
• SmartConnector Hosting: On the hardware appliance, serves as a platform to instantiate (host and
execute) SmartConnectors.
ArcMC includes these benefits:
• Rapid implementation of new and updated security policies.
• Increased level of accuracy and reduction of errors in configuration of managed nodes.
• Reduction in operational expenses.

New Features and Enhancements
This version of ArcMC includes the following new features and enhancements:
• Event Broker Management: ArcSight Event Broker management includes route and topic creation,
as well as health and status parameter monitoring. Monitored parameters for Event Broker include
CPU Usage, Memory, Disk Usage, Event Broker Throughput, Total EPS In, Event Parsing Error,
Stream Processing EPS, and Stream Processing Lag.
• Improved Node Management Interface: The Node Management interface has been improved for
clarity and ease of use.
• Improvements to Topology View: The Topology View now includes time-out settings, to age out
inactive devices and remove them from management.
• Improved Import Hosts Process: Importing hosts from a CSV file now takes less time than before,
because jobs run in parallel.
• Improved License Consumption Report: The License Consumption report can now be run for a
specified time interval, instead of an entire year.
• New Rules: Several additional monitoring rules have been enabled by default. These can be edited or
deleted as preferred.

Chapter 2: Software Installation
This chapter describes how to install Software ArcSight Management Center and the ArcSight
Management Center Agent.
The following topics are discussed here.

• Overview
• Installing ArcSight Management Center
• ArcSight Management Center Operations
• Installing the ArcSight Management Center Agent
• ArcSight Management Center Agent Operations

Overview
The complete process of installing Software ArcSight Management Center includes these steps.

Select an Installation Mode
Select a mode in which to install Software ArcSight Management Center on your selected machine. You
should plan to install as the root user. In addition, during the installation process, ArcMC will prompt
you for a user name, under which the application will be started.
You can install Software ArcSight Management Center in these modes:
• GUI: In GUI mode, a wizard steps you through the installation and configuration process. For detailed
instructions, see "Installation Steps" on page 20.
Note: If you are using a Windows system to connect to the machine where Software ArcSight
Management Center is to be installed, and prefer to install in GUI mode, you must connect using
an X Window client, such as Xming for Windows.
• Console: In Console mode, a command-line process steps you through the installation and
configuration process. See "Installation Steps" on page 20 for detailed instructions.
• Silent: In Silent mode, the installation process is scripted. There is no need to interact with the
installer, as you provide the installation and configuration input through a file. See "Installation Steps"
on page 20 for detailed instructions.

Applying your License
A valid license is required for Software ArcSight Management Center. A license file is uniquely
generated for each instance of a product; therefore, you cannot use the same license file to install
multiple instances of the product.
To obtain your license, follow the instructions in the Electronic Delivery Receipt email received from
HPE after placing your order.
You will be prompted to install a license during the installation of ArcMC. If no license is provided, an
"Instant-On" license will be applied by default. The Instant-On license is valid for 30 days. During this
time, you should obtain and apply the correct license from the HPE Software Entitlement portal.

Start as a Service
If installation was performed as a root user, Software ArcSight Management Center can be configured
to start as a system service. For more information, see "Enabling/Disabling ArcSight Management
Center as a System Service" on page 26.

Make Host Resolvable
For the Apache web process to start, the Software ArcSight Management Center hostname must be
resolvable. Add the hostname to either /etc/hosts or DNS.

Secure Your Credentials
After initial setup is complete, connect to the application and change the default password to a secure
password. To change the default password, follow the instructions in "Users/Groups on ArcMC" on
page 253.
Optionally, for additional security, rename the default admin username to a secure name. To change a
username, follow the instructions in "User Management" on page 263.

Install the ArcMC Agent (If Required)
Additionally, if you plan to manage one or more Software ArcMCs, Software Connector Appliances or
Software Loggers, you will need to install the ArcSight Management Center Agent on each. For more
information on manual ArcSight Management Center Agent installation, see "Installing the ArcSight
Management Center Agent" on page 32.

No installation is required for ArcMC appliance or the latest versions of software ArcMC and
software Logger.

Open Firewall Ports
Open any required ports on your firewall for best functionality. For a list of required open ports, see
"Configuring Firewall Rules" on page 27.

Create an Account on the ArcSight Marketplace
The ArcSight Marketplace is an app store that enables rapid provisioning of your ArcSight SIEM
deployment with content updates, trusted security content packages, and best practices.
ArcSight Management Center requires a global administrative account with the ArcSight Marketplace in
order to download and perform some content updates. Browse to the Marketplace at
https://marketplace.saas.hpe.com/arcsight to set up your administrative account.

Installing ArcSight Management Center
The following section provides instructions to install Software ArcSight Management Center.
• "Prerequisites for Installation" below
• "Installation Steps" on the next page
• "Enabling/Disabling ArcSight Management Center as a System Service" on page 26
• "Configuring Firewall Rules" on page 27

Prerequisites for Installation
Please note and verify the following prerequisites before beginning the process of installing software
ArcMC.

Prerequisite: Description

File Descriptors Limit: The host must support a limit of 10240 file descriptors. Run ulimit -n on the
host to determine its current level. If the limit does not equal 10240, then do the following:
1. Open (or create) /etc/security/limits.conf.
2. Set these two parameters:
* hard nofile 10240
* soft nofile 10240
3. Save the file.
4. Restart your session.

UTF-8 Support: Host must support UTF-8.

Unzip Package: The unzip command path needs to be set before installing Software ArcSight
Management Center.

Non-Root Account: You can install ArcSight Management Center as a root or non-root user. However,
when installing as a root user, a non-root user account is required in order to run some required
processes.
• When installing ArcSight Management Center as a root user, you can select the port on which it
listens for secure web connections (HTTPS). When installing as a non-root user, the port must be
configured to 9000. This value cannot be changed and must be externally accessible.
If ArcSight Management Center is installed as a non-root user, and the host is rebooted, ArcMC
services will fail to start automatically. Start them manually with this command:
/current/arcsight/arcmc/bin/arcmcd start
• If installed with a non-root account, use an initialization script to launch services automatically. See
"Starting Services Automatically for a Non-Root Installation" on page 26.

Time Zone Database: tzdata-2016g or later is required.

OS Upgrade: Upgrade to a supported operating system before performing the ArcMC installation. Refer
to the ArcSight Management Center Release Notes, available from the HPE ArcSight software
community, for the most current information on supported operating systems, supported browsers, and
other technical requirements.
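
The following pre-install check is an added example and is not part of the HPE guide or of ArcMC. It
tests the file descriptor, UTF-8, unzip, and tzdata prerequisites listed above, plus the hostname
resolution requirement from "Make Host Resolvable". The function names, the use of locale -a as the
UTF-8 test, and the rpm query for tzdata (an RPM-based host) are assumptions.

```sh
#!/bin/sh
# Added example: checks for the installation prerequisites described above.
# Function names are illustrative; none of this ships with ArcMC.

REQUIRED_NOFILE=10240   # file descriptor limit required by the guide
MIN_TZDATA=2016g        # oldest acceptable tzdata release

# Constructed sample of /etc/security/limits.conf after step 2 of the guide.
SAMPLE_LIMITS='# constructed sample
#* soft nofile 1024
* hard nofile 10240
* soft nofile 10240'

# Read limits.conf-format text on stdin and print the nofile value set for
# domain "*" and the given type (hard or soft). A type of "-" sets both.
# Comment lines are ignored; the last matching line is reported.
limits_nofile() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        $1 == "*" && ($2 == want || $2 == "-") && $3 == "nofile" { v = $4 }
        END { if (v != "") print v }'
}

# Succeed only if the value equals the required limit exactly.
nofile_ok() {
    [ "$1" = "$REQUIRED_NOFILE" ]
}

# Extract the release (for example 2016g) from a package name such as
# tzdata-2016g-2.el7.noarch. Prints nothing if the name does not match.
tzdata_release() {
    printf '%s\n' "$1" | sed -n 's/^tzdata-\([0-9]\{4\}[a-z]\).*/\1/p'
}

# Succeed if release $1 is the same as or newer than MIN_TZDATA.
# Releases are a year plus a letter, so byte-order sorting ranks them.
tzdata_ok() {
    [ -n "$1" ] || return 1
    oldest=$(printf '%s\n%s\n' "$MIN_TZDATA" "$1" | LC_ALL=C sort | head -n 1)
    [ "$oldest" = "$MIN_TZDATA" ]
}

# Read a locale list (the output of locale -a) on stdin and succeed if any
# entry uses UTF-8. Treating this as "the host supports UTF-8" is an
# assumption; the guide does not say how to verify it.
has_utf8_locale() {
    grep -Eiq 'utf-?8'
}

# Succeed if the name resolves through /etc/hosts or DNS.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# report <label> <exit status of the check that just ran>
report() {
    if [ "$2" -eq 0 ]; then
        echo "PASS  $1"
    else
        echo "FAIL  $1"
        failures=$((failures + 1))
    fi
}

# Run every check against the local host; returns the number of failures.
preflight() {
    failures=0
    nofile_ok "$(ulimit -n)"
    report "open files limit is $REQUIRED_NOFILE" $?
    locale -a 2>/dev/null | has_utf8_locale
    report "UTF-8 locale available" $?
    command -v unzip >/dev/null 2>&1
    report "unzip found on PATH" $?
    host_resolves "$(hostname 2>/dev/null)"
    report "hostname resolves" $?
    tzdata_ok "$(tzdata_release "$(rpm -q tzdata 2>/dev/null)")"
    report "tzdata is $MIN_TZDATA or later" $?
    return "$failures"
}

# Run the checks only when asked, so the functions can be reused elsewhere.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Saved under a name of your choice and run with --check as the user who will perform the installation,
it prints one PASS or FAIL line per prerequisite.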

Installation Steps
To begin the installation, select a mode in which to install Software ArcSight Management Center on
your selected machine. The three modes available are GUI Mode, Console Mode, and Silent Install.

GUI Mode Installation
In GUI Mode installation, you use the installer wizard to install the application.

To install Software ArcSight Management Center using the GUI mode:
1. Run these 2 commands from the directory where you copied the Software ArcSight Management
Center installer:
chmod +x ArcSight-ArcMC-2.6.0..0.bin
./ArcSight-ArcMC-2.6.0..0.bin

where is the build number of the latest installer.
The installation wizard starts. Review the dialog box, and then click Next.
2. Review the License Agreement details, and then scroll down to the end of the License Agreement
details. Select I accept the terms of the License Agreement. Then, click Next.
3. Specify or browse to a folder where you want to install ArcSight Management Center.
The default installation directory is /opt. However, you should specify a new installation
directory in /opt that will easily identify ArcSight Management Center files, such as /opt/arcmc,
to distinguish them from files associated with other HPE ArcSight products.
4. Review the summary of installation information on the Pre-Installation Summary dialog, and
then click Install.
The ArcSight Management Center installer begins the installation process.
5. When installation is complete, click Next to begin the configuration wizard.
6. If you run the ArcSight Management Center software installer as a root user, the next dialog
enables you to specify an existing non-root user and to configure a port through which ArcSight
Management Center users will connect through the UI.
For example, you can enter 443, the standard HTTPS port, or any other that suits your needs. If
any port other than 443 is specified, users will need to enter the port number in the URL they use
to access the ArcSight Management Center UI.
Enter the user name of the non-root user and the HTTPS port number, and then click Next. (These
values may not be changed later in the process.)
7. After the software is installed, click Next to begin ArcSight Management Center initialization.
8. After initialization is complete, click Done to launch the ArcSight Management Center
Configuration wizard.
Note: The Configuration wizard should launch automatically. If it does not, use this command
to launch the wizard:
/current/arcsight/arcmc/bin/arcsight arcmcsetup

9. If you have run the ArcSight Management Center software installer as a root user, the next dialog
enables you to configure ArcSight Management Center to run as a system service. By default,
ArcSight Management Center runs as a standalone application, requiring a manual launch.

When you install ArcSight Management Center as a root user, a service called arcsight_arcmc
can be configured, created, and enabled at runlevel 3 and 5.
Additionally, a few libraries are added using ldconfig. For a complete list of those libraries, see
/etc/ld.so.conf.d/arcsight_arcmc.conf and /current/arcsight/install/ldconfig.out.
10. You have installed ArcSight Management Center. Click Start ArcSight Management Center
Now, or click Start ArcSight Management Center later, and then click Finish.
If you have selected to start ArcSight Management Center later, read the information in "The
ArcSight Management Center Daemon (arcmcd)" on page 30 to understand how to start ArcSight
Management Center at a later time.
11. If you selected Start ArcSight Management Center Now, click Finish to exit the wizard.
Alternatively, wait for the next dialog which provides the URL to access the ArcSight Management
Center interface.
ArcSight Management Center continues to start services and processes in the background. If you
have selected to continue within the wizard, follow the instructions on the dialog or use the
instructions in "Connecting to the ArcSight Management Center User Interface" on page 29 to
connect to the ArcSight Management Center.

Console Mode Installation
In Console Mode installation, you use a command-line interface to install the application.
After some initial steps in the CLI, the installation sequence is the same as the one described for the
GUI mode install in "GUI Mode Installation" above. Follow the instructions provided for the GUI
mode install to complete the installation.

To install Software ArcSight Management Center using the Console mode:
1. Run these commands from the directory where you copied the ArcSight Management Center
software:
chmod +x ArcSight-ArcMC-2.6.0..0.bin
./ArcSight-ArcMC-2.6.0..0.bin -i console

where is the build number of the latest installer.
The installation wizard starts in command-line mode.
2. Press Enter to continue. Then, follow the prompts to complete installation and configuration.
Note: If ArcSight Management Center is installed in Console mode, it will be uninstalled in Console
mode as well. See "Uninstalling in Console Mode" on page 32 for more information.

Silent Mode Installation
Silent mode enables scripting of the installation process. Before you install ArcSight Management
Center in silent mode, create two properties files required for the silent mode installation:
• A file to capture the installation properties
• A file to capture the configuration properties

After you have generated the two files, you need to merge them into one file and use the resulting file
for silent mode installations.

About Licenses for Silent Mode Installations
As for any Software ArcSight Management Center installation, each silent mode installation requires a
unique license file. Obtain licenses from HPE Customer Support and install them on the machines on
which you will be installing in silent mode, or ensure that the location where the license is placed is
accessible from those machines.

Generating the Silent Install Properties File
This procedure generates the two properties files and then instructs you to combine them into one file.
The resulting file is used for future silent installations.
1. Log in to the machine on which you wish to generate the installation properties file.
If you want the silent mode installations to be done as root user, log in as root in this step.
Otherwise, log in as a non-root user.
2. Run this command:
./ArcSight-ArcMC-2.6.0..0.bin -r 

where  is the build number of the installer file,
and  is the location of the directory where the generated properties file
will be placed. This cannot be the same location where ArcSight Management Center is being
installed.
The properties file must be called installer.properties.
3. Install ArcSight Management Center in GUI mode, as described in "Silent Mode Installation" above
until you arrive at step 10.
At Step 10 of the installation procedure, do the following:
a. Click Previous instead of clicking Done to proceed further.
b. Then, click Cancel to stop the installation.
4. When the confirmation message appears, click Cancel. Click Quit to clear this message.
5. Navigate to the directory location you specified for the installer.properties file earlier.

The following is an example of the generated installer.properties file.
# Replay feature output
# --------------------
# This file was built by the Replay feature of InstallAnywhere.
# It contains variables that were set by Panels, Consoles or Custom Code.
#Choose Install Folder
#--------------------
USER_INSTALL_DIR=/opt///installdir
#Install
#-------
fileOverwrite_/opt///installdir/UninstallerData/Uninstall_ArcSight_Management_Center_2.1.lax=Yes
#Intervention Required
#--------------------
USER_AND_PORT_1=username
USER_AND_PORT_2=443

1. Start the configuration wizard with the option to record configuration properties:
/current/arcsight/arcmc/bin/arcsight arcmcsetup -i recorderui

When prompted to enter a file name to capture the configuration properties, enter a meaningful
name; for example, config.properties, and then browse to choose the same directory as the
installer.properties file.
2. Step through the configuration wizard, as described starting at Step 10 of "Silent Mode
Installation" on the previous page.
3. After the configuration properties file is generated, append the contents of this file to the
installer.properties file generated in the previous procedure, "Generating the Silent Install
Properties File" on the previous page, to create a combined file.
For example, you can use the cat command to concatenate both files:
cat installer.properties config.properties > 

4. Include the following property in the combined file:
ARCSIGHT_CONAPP_SETUP_PROPERTIES=/


where  is the path of the directory where the combined file is located,
and  is the file name of the combined file you created earlier.
Use the combined file for future ArcSight Management Center silent mode installations, as
described in "Installing Using the Generated Properties File" below.

Installing Using the Generated Properties File
To install ArcSight Management Center using Silent mode, do the following.
1. Uninstall the previously installed version of ArcSight Management Center, as explained in
"Uninstalling Software ArcSight Management Center" on page 31.
2. Make sure the machine on which you install ArcSight Management Center complies with the
requirements listed in the HPE ArcSight Management Center Release Notes, and the prerequisites
listed in "Prerequisites for Installation" on page 19.
3. Copy the combined properties file you generated previously to the location where you have copied
the ArcSight Management Center software.
4. Do one of the following:
• Edit the licensePanel.path property in the silent mode properties file to include the location
of the license file for this instance of the installation. (A unique license file is required for each
instance of installation.), OR
• Set the licensePanel.path property to point to a file, such as arcmc_license.zip. Then,
for each instance of the silent mode installation, copy the relevant license file to the location and
rename it to arcmc_license.zip. Doing so will avoid the need to update the combined
properties file for each installation.

5. Run these 2 commands from the directory where you copied the ArcSight Management Center
software:
• chmod +x ArcSight-ArcMC-2.6.0..0.bin
• ./ArcSight-ArcMC-2.6.0..0.bin -i silent -f

where  is the build number of the installer file.

The rest of the installation and configuration proceeds silently without requiring further input.
In some cases, a spurious error message may be displayed: SLF4J: Failed to load
class "org.slf4j.impl.StaticLoggerBinder". This is a harmless error and may
be ignored.
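
A preflight check for the combined properties file, run before "-i silent -f". This is an added example, not part of the HPE guide or installer. It verifies that the keys named above are set, that ARCSIGHT_CONAPP_SETUP_PROPERTIES points back at the combined file, that the license file exists, and that the file, which records the answers given to the wizards, is not accessible to other users. Function names, file names and sample values are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for a combined silent-install properties file.
# Function names, file names and sample values are assumptions, not ArcMC's own.

# Print the value of key $2 in properties file $1 (last assignment wins,
# lines starting with '#' are skipped). Prints nothing if the key is absent.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { val = substr($0, pos + 1); sub(/\r$/, "", val) }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print the physical absolute path of $1; fails if its directory is missing.
abs_path() {
    ( cd "$(dirname "$1")" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Check combined file $1. Prints one finding per line and returns the number
# of findings (0 means the file passed every check).
check_silent_props() {
    file=$1
    findings=0
    if [ ! -r "$file" ]; then
        echo "MISSING: cannot read $file"
        return 1
    fi
    for key in USER_INSTALL_DIR ARCSIGHT_CONAPP_SETUP_PROPERTIES licensePanel.path; do
        if [ -z "$(get_prop "$file" "$key")" ]; then
            echo "MISSING: $key is not set"
            findings=$((findings + 1))
        fi
    done
    # The setup-properties key must name the combined file itself.
    setup=$(get_prop "$file" ARCSIGHT_CONAPP_SETUP_PROPERTIES)
    if [ -n "$setup" ]; then
        want=$(abs_path "$setup") || want=
        have=$(abs_path "$file") || have=
        if [ "$want" != "$have" ]; then
            echo "MISMATCH: ARCSIGHT_CONAPP_SETUP_PROPERTIES does not point at $file"
            findings=$((findings + 1))
        fi
    fi
    # Each installation needs its own license file at licensePanel.path.
    license=$(get_prop "$file" licensePanel.path)
    if [ -n "$license" ] && [ ! -f "$license" ]; then
        echo "MISSING: license file $license not found"
        findings=$((findings + 1))
    fi
    # The file holds recorded wizard answers; keep it away from other users.
    if [ -n "$(find "$file" \( -perm -004 -o -perm -002 \) -print)" ]; then
        echo "PERMS: $file is accessible to other users; chmod 600 it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Write a constructed combined file and placeholder license into directory $1.
make_sample() {
    dir=$1
    : > "$dir/arcmc_license.zip"
    cat > "$dir/arcmc_silent.properties" <<EOF
# Replay feature output (constructed sample, not a real recording)
USER_INSTALL_DIR=/opt/arcmc-example
USER_AND_PORT_1=username
USER_AND_PORT_2=443
licensePanel.path=$dir/arcmc_license.zip
ARCSIGHT_CONAPP_SETUP_PROPERTIES=$dir/arcmc_silent.properties
EOF
    chmod 600 "$dir/arcmc_silent.properties"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_silent_props "$demo_dir/arcmc_silent.properties" && echo "OK: properties file passed"
rm -rf "$demo_dir"
```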

Next Steps After Installation
Finally, to get started managing products with ArcMC, you need to add hosts to manage. For more
information on adding hosts, see "About Adding a Host" on page 54.

Enabling/Disabling ArcSight Management Center as a System Service
If ArcSight Management Center is installed to run as a system service, you can use arcmcd to manage
ArcMC processes. For more information, see "The ArcSight Management Center Daemon (arcmcd)" on
page 30.

To enable or disable ArcSight Management Center as a system service:
1. On the menu bar, click Administration > System Admin.
2. In the navigation bar, click Startup Settings.
3. Under Software Startup Options, select Start as a Service to enable starting as a system
service, or select Do not start as a service to disable.
4. Click Save.
After enablement, you can reboot (which will automatically restart the service) or start the
service manually without a reboot.

Starting Services Automatically for a Non-Root Installation
If ArcSight Management Center is installed as a non-root user, and the host is rebooted, ArcMC services
will fail to start automatically. However, you can set them to start automatically by using an initialization
script.
Since the initialization script runs as su, it does not log to the console.
An example script is shown here. This is only an example. Your own script will need to be tailored for
your environment.
#!/bin/sh
# ArcMC  Wrapper script for the Arcsight Management Center
# processname: arcsight_arcmc
# chkconfig: 2345 99 01
# description: Arcsight Management Center

# Location of the arcmcd script in your installation
DAEMON=//current/arcsight/arcmc/bin/arcmcd
# Non-root user that ArcMC runs as
DAEMON_USER=

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# id -u is used because $UID is not set by every /bin/sh
if [ "$(id -u)" -ne 0 ] ; then
    echo "You must run this as root."
    exit 4
fi

# DAEMON_USER is quoted so that an empty value makes su fail
# instead of running arcmcd as root
su "$DAEMON_USER" -c "$DAEMON $1 $2"
exit $?

The DAEMON variable is used to specify the directory where the arcmcd process is running.
The DAEMON_USER variable is used to specify which non-root user ArcMC will run as.
Finally, the su command simply wraps your existing script (defined in the variable DAEMON) and passes
any parameters to the $DAEMON script.

To configure an initialization script:
1. SSH to the VM using root user credentials.
2. Go to /etc/init.d
3. Enter the command vi arcsight_arcmc to create a service.
4. Enter the text of your script and save the file.
5. Give execute permission for the script using the command chmod +x arcsight_arcmc
6. Register the script using the command
chkconfig --add arcsight_arcmc
7. Enter the command chkconfig | grep arcsight_arcmc to determine what the
chkconfig will report after you add the init script. Expected results:
arcsight_arcmc 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Configuring Firewall Rules
Before ArcSight Management Center can receive data, some ports must be opened through the
firewall.
• For Software ArcSight Management Center, you are responsible for setting up the firewall. HPE
ArcSight recommends that you configure your firewall so that only the required ports are open.
• For the ArcSight Management Center Appliance, HPE ArcSight provides a script to configure your
firewall. See "Configuring Firewall Rules" above for more information.

You can configure the firewall on your ArcSight Management Center as you would on any server, by
editing iptables-config and white-listing the appropriate ports. For ArcSight Management Center
Appliances only, you can use the provided script to close all but the appropriate ports in your firewall.

Tip: Be sure to update the firewall configuration when you add or remove any service or function
that requires an open port, such as FTP, SNMP, or local connector.
After you first install or upgrade ArcMC, configure the firewall to be open only for the following ports,
depending on your form factor and install:
Default Inbound Ports

Service                            ArcMC Appliance    Software ArcMC root install    Software ArcMC non-root install
ArcMC Agent                        7913               7913                           7913
FTP                                21                 N/A                            N/A
HTTPS                              443                443                            9000
NTP                                123                N/A                            N/A
Remote management of connectors    9001-9008          N/A                            9001-9008
SSH                                22                 22                             22
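
An added example (not part of the HPE guide or of the arcfirewall script) that turns the table above into a check: it lists the allowed inbound ports for a form factor, prints matching iptables ACCEPT rules, and flags non-loopback listeners in ss -tuln output that the table does not allow. Function names and the sample listener data are constructed; the tcp/udp split follows the arcfirewall preview output shown later in this section, and HTTPS on 9000 is assumed to be tcp.

```shell
#!/bin/sh
# Added example: audit listening sockets against the Default Inbound Ports table.
# Function names and SAMPLE_SS are constructed; they are not part of ArcMC.

# Print allowed inbound ports as port/proto, one per line, for a form factor:
# appliance | software-root | software-nonroot (values from the table above).
allowed_ports() {
    udp=
    case $1 in
        appliance)        set -- 7913 21 443 22 9001-9008; udp=123 ;;
        software-root)    set -- 7913 443 22 ;;
        software-nonroot) set -- 7913 9000 22 9001-9008 ;;
        *) echo "unknown form factor: $1" >&2; return 2 ;;
    esac
    for p in "$@"; do
        first=${p%-*}; last=${p#*-}      # equal unless p is a range
        while [ "$first" -le "$last" ]; do
            echo "$first/tcp"
            first=$((first + 1))
        done
    done
    if [ -n "$udp" ]; then echo "$udp/udp"; fi
}

# Reduce `ss -tuln` output on stdin to non-loopback listeners as port/proto.
listeners() {
    awk '$1 == "tcp" || $1 == "udp" {
        addr = $5
        port = addr; sub(/.*:/, "", port)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # not reachable inbound
        print port "/" $1
    }' | sort -u
}

# Read `ss -tuln` output on stdin and compare it with the table for form
# factor $1. Prints "UNEXPECTED port/proto" for listeners the table does not
# allow and "NOT-LISTENING port/proto" for allowed ports with no listener.
# Returns 1 if any listener is unexpected, 2 for an unknown form factor.
audit_listeners() {
    allowed=$(allowed_ports "$1") || return 2
    seen=$(listeners)
    rc=0
    for l in $seen; do
        echo "$allowed" | grep -qxF "$l" || { echo "UNEXPECTED $l"; rc=1; }
    done
    for a in $allowed; do
        echo "$seen" | grep -qxF "$a" || echo "NOT-LISTENING $a"
    done
    return $rc
}

# Emit iptables ACCEPT rules (iptables-restore syntax) for the allowed ports.
emit_rules() {
    for e in $(allowed_ports "$1"); do
        echo "-A INPUT -p ${e#*/} --dport ${e%/*} -j ACCEPT"
    done
}

# Constructed `ss -tuln` output for a software non-root install that still
# has FTP and NTP listeners, which the table lists as N/A for that install.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*
tcp   LISTEN 0      50     [::]:7913          [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*'

# Demo: audit the constructed sample, then show the rules for a root install.
printf '%s\n' "$SAMPLE_SS" | audit_listeners software-nonroot || true
emit_rules software-root
```

On a live host, pipe the real listing in instead of the sample: ss -tuln | audit_listeners software-nonroot.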

Configuring the Firewall on ArcSight Management Center Appliance
Your ArcSight Management Center Appliance includes a script that you can use to configure the
firewall. This script looks at your current ArcSight Management Center configuration and decides what
ports to keep open. Alternatively, you can configure the firewall on your appliance as you would on any
server, by editing iptables-config and white-listing the appropriate ports.
When called without arguments, the /usr/sbin/arcfirewall script previews and displays the ports
that it will keep open, but takes no action to alter the firewall configuration. To alter firewall
configuration, use the --set option.

To preview the list of ports the script will open:
1. Log into the appliance as root.
2. Run the following command:
/usr/sbin/arcfirewall

The script displays the ports that it would open, as shown in the following example.
[root@myserver ~]# /usr/sbin/arcfirewall
PREVIEW MODE - NO FIREWALL CHANGES...
List of ports that firewall would allow inbound from any IP address:
21/tcp
22/tcp
443/tcp
7913/tcp
9001/tcp
9002/tcp
9003/tcp
9004/tcp
9005/tcp
9006/tcp
9007/tcp
9008/tcp
123/udp

To configure the firewall:
1. Log into the appliance as root.
2. Run the following command:
[root@myserver ~]# /usr/sbin/arcfirewall --set

The script configures the firewall leaving the previewed ports open.
If you configure an ArcMC appliance local container and assign it a network port, and then run
arcfirewall, the script will detect that the new port should be opened and list it in the preview of
ports. You can then run arcfirewall with the --set option, as described above, to actually
open the port.
If arcfirewall is not run, and the port is not opened, the connector will not receive any events.

ArcSight Management Center Operations
This section details the operation of ArcSight Management Center: how to connect, which processes
run while ArcSight Management Center is active, and commands for using the ArcSight Management
Center command-line utility (arcmcd).

Connecting to the ArcSight Management Center User
Interface
Use this URL to connect to ArcSight Management Center:
https://:

where hostname or IP address is the system on which you installed ArcSight Management Center.
If ArcSight Management Center was installed as root and the default port was used, then  is optional.
To log in for the first time, use the following default credentials:
Username: admin
Password: password

For security, change the default credentials immediately after first logging in. For more information on
changing credentials, see "User Management" on page 263.

ArcSight Management Center Processes
The following processes run as part of ArcSight Management Center:
• apache
• aps
• postgresql
• web

Logging Into ArcMC If the Web Service is Down
If the web service stops, you can connect to ArcMC to restart it.
1. SSH to the ArcMC host.
2. Enter /current/arcsight/arcmc/bin/arcmcd stop all
3. Enter /current/arcsight/arcmc/bin/arcmcd status.
Wait for some time until all process statuses report “Not monitored”.
4. Enter /current/arcsight/arcmc/bin/arcmcd start all.
Wait for some time until all process statuses report “running”.
5. Log into the ArcMC web UI as usual.

The ArcSight Management Center Daemon (arcmcd)
arcmcd is available only for the software form factor of ArcMC.
The arcmcd utility enables a number of management and control tasks for the ArcSight Management
Center software process, including starting, stopping and restarting. The syntax to run arcmcd is as
follows:
/current/arcsight/arcmc/bin/arcmcd 

Where  is the installation directory of ArcSight Management Center, and 
is a command listed below.
If ArcSight Management Center is installed to run as a system service, you can use arcmcd to manage a
specific ArcMC process.
arcmcd Commands

Command     Description
start       Starts aps, apache, postgresql, and web processes.
stop        Stops aps, apache, postgresql, and web processes.
restart     Restarts aps, apache, postgresql, and web processes.
status      Displays the current status of all processes.
quit        Stops aps, apache, postgresql, and web processes, as well as the ArcSight Management Center application.
start       Starts the named process. For example, start apache.
stop        Stops the named process. For example, stop apache.
restart     Restarts the named process. For example, restart apache.

Uninstalling Software ArcSight Management Center
Uninstall ArcSight Management Center in the same user mode in which the installation was performed.
For example, if you performed the installation as root, then you must perform the uninstallation as root.

Uninstalling in GUI Mode
To uninstall Software ArcSight Management Center in GUI mode:
1. In the directory where you installed ArcSight Management Center, enter:
/UninstallerData/Uninstall_ArcSight_Management_Center_2.6.0

2. The uninstall wizard starts. Click Uninstall to start uninstalling ArcSight Management Center and
follow the prompts in the wizard.
3. After uninstalling, manually delete the /userdata directory.
Note: If using GUI mode and uninstalling ArcSight Management Center software over an SSH
connection, make sure that you have enabled X window forwarding using the -X option, so
that you can view the screens of the uninstall wizard.
If using PuTTY, you also need an X11 client on the host from which you are connecting.

Uninstalling in Console Mode
If you installed ArcSight Management Center in Console mode, then, by default, uninstallation occurs in
Console mode.

To uninstall in Console mode:
1. At the command line, enter:
/UninstallerData/Uninstall_ArcSight_Management_Center_2.6.0

2. After uninstalling, manually delete the /userdata directory.
At the prompt, press Enter again to confirm uninstallation. The application will be uninstalled.

Uninstalling in Silent Mode
If you installed ArcSight Management Center in Silent mode, then, by default, uninstallation occurs in
Silent mode.

To uninstall in Silent mode:
1. At the command line, enter:
/UninstallerData/Uninstall_ArcSight_Management_Center_2.6.0
The application will be uninstalled without further interaction.
2. After uninstalling, manually delete the /userdata directory.

Installing the ArcSight Management Center Agent
The ArcSight Management Center Agent runs on managed hosts and enables their management by
ArcSight Management Center. Whether you need to install the ArcSight Management Center Agent on a
managed host depends on the host’s form factor, which is summarized in the table and explained in
detail below.
Host Type                                                                   ArcMC Agent Required?    Agent Installation
ArcMC, Logger, or Connector Appliance hardware form factor (all versions)   Yes                      Automatically performed when adding host.
Software Connector Appliance (all versions)                                 Yes                      Manual installation required; perform before adding host.
Software Logger (before version 6.0)                                        Yes                      Manual installation required; perform before adding host.
Software Logger (version 6.0 or later)                                      Yes                      Automatically performed when adding host.
Software ArcMC (before version 2.1)                                         Yes                      Manual installation required; perform before adding host.
Software ArcMC (version 2.1 or later)                                       Yes                      Automatically performed when adding host.
Software Connector (any)                                                    No                       None. ArcMC Agent is not required.
Event Broker                                                                No                       None. ArcMC Agent is not required.

Automatic Installation
The ArcMC Agent is automatically installed when adding any of the following host types to ArcMC:
• Any hardware appliance (ArcSight Management Center Appliance, Connector Appliance, or Logger
Appliance)
• Software Logger 6.0 or later
• Software ArcMC 2.1 or later

As part of the Add Host process, ArcSight Management Center automatically pushes the ArcSight
Management Center Agent installer to the added host, installs the Agent, and then starts the service.
The host is then ready to manage in ArcSight Management Center. You will not need to take any
manual installation steps. For more information about the Add Host process, see "About Adding a Host"
on page 54.
Perl is required for the automatic installation of the ArcMC Agent. Ensure that Perl is installed on
the host prior to attempting to add the host to ArcMC.

Manual Installation
You must perform a manual installation of the ArcMC Agent on any of these host types prior to adding
them to ArcMC for management:
• Software ArcSight Management Center (before version 2.1)
• Software Logger (before version 6.0)
• Software Connector Appliance (all versions)

An ArcMC used to manage products must have an Agent installed with the same version number as the
ArcMC. For example, if your ArcMC 2.1 will be used to manage products, then the ArcMC Agent running
on that ArcMC must also be version 2.1.

To manually install the ArcSight Management Center Agent:
1. In the directory to where you transferred the installer, run these 2 commands:
• chmod +x ArcSight-ArcMCAgent-2.6.0..0.bin
• ./ArcSight-ArcMCAgent-2.6.0..0.bin LAX_VM /current/local/jre/bin/java

where is the build number of the latest installer and
 is the installation directory of the software product.
The installation wizard starts.
2. Review the dialog box, and then click Next. The required installation path is the install directory
(that is, the same directory where Software Connector Appliance or Software Logger is installed).
3. Follow the prompts to complete the installation. The ArcMC Agent is automatically started upon
completion of the installation process.
If the ArcMC Agent fails to install on the localhost, localhost management will not be enabled.
To verify correct installation of the Agent, check on the Hosts tab under Issues. Follow the
instructions shown in the tooltip to install the Agent properly and resolve any issues shown.

Software Connectors and Event Broker
Software connectors and Event Broker do not require the installation of the ArcSight Management
Center Agent in order to be managed by ArcMC.

ArcSight Management Center Agent Operations
After installation, the arcmcagent process runs on the managed host. This process automatically starts
after either automatic or manual installation. However, if the Agent stops for any reason, it can be
manually started.

To manually start, stop, or restart the Agent on an appliance host:
1. On the managed host, click Setup > System Admin > Process status.
2. Select arcmcagent from the list of processes.
3. Click Start, Stop, or Restart, as necessary.
On Software ArcMC, Software Connector Appliance, or Software Logger

To manually start or stop the Agent on Software ArcMC, Software Connector Appliance,
or Software Logger:
1. Run /current/arcsight//bin/  arcmcagent

Agent Verification
To verify that the Agent is running on a host, use one of the following procedures:
• In the managed host’s GUI, click Setup > System Admin > Process Status. The ArcSight
Management Center Agent (arcmcagent) will be shown as a process in the running state.
• (For Software ArcMC, Software Connector Appliance, or Software Logger Only) After you install the
Agent, run this command at the command line:
/current/arcsight//bin/ status
The Agent is shown as a service in the running state.

Uninstalling the ArcSight Management Center Agent
To uninstall the ArcSight Management Center Agent, run the following command:
/arcmcagent/UninstallerData/Uninstall_ArcSight_Management_Center_Agent_

where  is the name of the installation directory, and  is the
version, of the ArcMC Agent.
The Uninstall Wizard will launch. Click Uninstall to begin the wizard. When the uninstallation completes,
click Done.
• Always stop and then uninstall any previous version of the ArcSight Management Center Agent
before installing a new version.
• If uninstalling either Software ArcMC, Software Logger, or Software Connector Appliance, make
sure that the ArcSight Management Center Agent is uninstalled from the node before beginning
the uninstall of the managed product.

Chapter 3: The User Interface
The following topics are discussed here.

• Overview
• The Menu Bar
• Stats (EPS In/Out)
• Site Map
• History Management

Overview
This chapter provides a general overview of the ArcSight Management Center interface. ArcSight
Management Center uses a browser-based user interface. Refer to the ArcSight Management Center
Release Notes for the latest information on supported browsers.

The Menu Bar
The menu bar provides access to the main functional components of ArcSight Management Center. The
menu bar includes the Dashboard, Node Management, Configuration Management, User
Management and Administration menus.

Monitoring Summary
The Monitoring Summary page displays information on all monitored products.
• The aggregated health status for products of each type is displayed in pie graph format, showing
total number of nodes, as well as the number corresponding to each status. A summary table shows
the same data in percentage format.
• The management panel displays the Monitoring Summary table, showing all products which are
currently reporting issues.
• The navigation panel enables you to display a monitoring summary for individual product types in
the management panel. Click the product type to display the product’s monitoring summary.

For more information on viewing and configuring monitoring, see "Dashboard" on page 180.

Node Management
Use Node Management to manage any of the following node types:
• Software Connectors
• Hardware or Software Connector Appliances
• Hardware or Software Loggers
• Hardware or Software ArcSight Management Centers
• Event Broker

For more information on adding and managing nodes, see "Managing Nodes" on page 40. From the
same menu, you can also perform selected management tasks on managed ArcSight products. See
"Managing HPE ArcSight Products" on page 70.

Configuration Management
Use Configuration Management to create and manage node configurations, synchronize (push)
configurations across multiple nodes, and expedite the initial configuration of Loggers.
You can manage any of these configuration types:
• Subscriber configurations for:
  o ArcSight Management Center
  o Connectors
  o Connector Appliances
  o Destinations
  o Loggers
  o System administration
• Other configurations:
  o Initial configurations for Loggers
  o Logger event archives
  o Management of Logger peers
  o Management of Event Broker

For more information on subscriber configuration management, see "Managing Configurations" on
page 123.
For more information on initial configurations, see "Initial Configuration Management" on page 157.

User Management
User management enables you to manage users across all of your managed nodes. You can create and
edit users, user lists, their associations, and roles. You can also check to see if each node complies with a
list of authorized users on the managing ArcMC.
For more information about user management, see "Overview" on page 170.

Administration
The Administration menu contains these items:
• Backup enables you to back up your current ArcSight Management Center configuration. For more
information, see "Managing Backups and Restores" on page 196.
• Repositories enables you to manage repositories that store files, such as logs, certificates, and
drivers. For more information, see "Managing Repositories" on page 203.
• Snapshot enables you to take a snapshot image of HPE ArcSight Management Center, to produce
logs that are useful in troubleshooting. For more information, see "Snapshots" on page 199.
• Restore enables you to restore your configuration from a saved backup. For more information, see
"Managing Backups and Restores" on page 196.
• System Admin describes the system administration tools that enable you to create and manage
users and user groups, and to configure security settings for your system. For more information, see
"System Administration" on page 220.
• Consumption Report generates a report on Logger data consumption for selected managed nodes.

Stats (EPS In/Out)
The Stats menu item shows the total Events Per Second (EPS) in and out from all managed connectors
(standalone SmartConnectors and connectors running on managed hosts).

Site Map
For ease of accessibility and convenience, the Site Map links to all pages in the ArcSight Management
Center UI.
To access the site map: on the main ArcMC toolbar, click Site Map. Select the desired link to navigate.

History Management
History management enables you to quickly and easily access previously-navigated pages. History
management is available for Node Management, Configuration Management, User Management pages,
and for some Administration pages.
In Node Management, the navigation tree shows the full path for any item selected on the tree. Click
any node in the path to navigate directly to the corresponding page.
You also can return to any previously-browsed page by clicking the corresponding link in the
breadcrumb trail.
In addition, you can use your browser's Back and Forward buttons to navigate to previously visited
pages.

Chapter 4: Managing Nodes
The following topics are discussed here.

• Overview
• Node Management
• The Navigation Tree
• The Management Panel
• Locations
• Hosts

Overview
A node is a networked HPE ArcSight product that can be centrally managed through ArcSight
Management Center. Each node is associated with a single networked host which has been assigned a
hostname, an IP address, or both.
Node types can include any of the following HPE ArcSight products:
• Connector Appliances or Software Connector Appliances
• Logger Appliances or Software Loggers
• Containers or software connectors
• Other ArcSight Management Centers, either software or appliances.
• Event Broker

A single host, such as a single deployed Event Broker, can comprise multiple nodes for management
purposes. In addition, a node can be in a parent or child relationship with other nodes.
You can perform any of the following node management tasks:
• View managed nodes by location, by host, or by node type.
• Add, view, edit, and delete locations for hosts.
• Add nodes from a host, import hosts from a CSV file, view and delete hosts, view all hosts in a
location, update software on hosts, move hosts to different locations, and scan hosts for new
connectors or containers.

For more information on adding hosts, see "About Adding a Host" on page 54.

Node Management
To manage nodes, on the menu bar, click Node Management > View All Nodes. The Node
Management UI displays. The Node Management UI comprises two panels:
• The left side displays the navigation tree.
• The right side displays the management panel, enabling you to perform management operations on
items selected in the navigation tree.

The Navigation Tree
The navigation tree organizes managed nodes into a hierarchy, and comprises the following:
System: System displays the entire set of nodes managed by ArcSight Management Center.
Location: Individual locations are displayed under System, listed in the order in which they were
added. Locations are logical groupings you can use to organize a list of hosts. For more information, see
"Locations" on page 52.
Host: Each location branch shows all hosts assigned to that location, listed by hostname, in the
order in which they were added. For more information, see "Hosts" on page 54.
Node Types: Each host branch shows all managed nodes associated with that host. A node can be any
of the following types:
Connector Appliance or Software Connector Appliance: Each Connector Appliance (hardware
or software) is shown as a separate node.
Logger Appliance or Software Logger: Each Logger (hardware or software) is shown as a
separate node.
ArcSight Management Center: Each ArcSight Management Center (hardware or software) is
shown as a separate node.
Container: If the host includes any containers, each is shown as a node.
Connector: If a container node contains a connector, the connector is shown under the container
node in which it is contained.
Event Broker: A managed Event Broker is shown as a node.

Since items in the tree are organized hierarchically, each item in the tree includes all branches displayed
below it. For example, a Location branch includes all hosts assigned to that location. Click the wedge
icon to toggle the view of any branch and any items included in the branch.

The Management Panel
Select an item in the navigation tree to display its details on one of the tabs in the central management
panel. For example, to display the details of a host shown in the navigation tree, select the host in the
tree. The management panel to the right of the tree will display details and controls pertaining to
the selected host.

Management Tabs
The tabs displayed in the management panel depend on the type of item selected in the navigation tree.
The management tabs displayed will show detailed information associated with the selected item,
depending on its position in the hierarchy.
Selected Item Type in Navigation Tree | Tabs Shown in Management Panel
System | Locations, Hosts, Containers, Connectors, ConApps, Loggers, ArcMCs, EB Nodes
Location | Hosts, Containers, Connectors, ConApps, Loggers, ArcMCs, EB Nodes
Host | Containers, Connectors, ConApps, Loggers, ArcMCs, EB Nodes
Node | Connectors, ConApps, Loggers, ArcMCs, EB Nodes

For example, if you selected a location item from the navigation tree, the Hosts, Containers,
Connectors, ConApps, Loggers, ArcMCs, and EB Nodes tabs would be shown. Each tab would display
the items of the named type associated with the selected location, including details on those items.

Working with Items in the Management Panel
Selecting One or Multiple Items: To select an item from a list of items in the management panel, click
the item. Use Shift+Click to select multiple adjacent list items, or Ctrl+Click to select multiple nonadjacent items.
Column Settings: Click the gear icon to change column settings:
- Sorting: To sort data by a column, select either Sort Ascending or Sort Descending.
- Column Display: To change the columns displayed in a table, select Columns. Then toggle one or more columns to display.
- Filter: To filter a list of items, select Filters. Then enter one or more filter criteria to display items matching those criteria.
Refreshing a List: To refresh the data in a list, click Refresh in the upper right corner.

Tab Controls
These controls are commonly displayed on all tabs in the management panel:
- Toolbar Buttons: Toolbar buttons enable operations related to the items on the tab.
- Items Table: Items corresponding to the tab header are displayed in a table. For example, locations are listed in tabular format on the Locations tab.
- Bulk Operations Buttons: On most tabs, bulk operations buttons enable you to perform operations on one or more items. Choose one or multiple items in the list, and then click the button to perform the indicated operation. For example, to delete multiple items such as hosts, select one or more hosts on the Hosts tab, and then click Delete. The selected hosts would be deleted.

In addition, each tab may have controls individual to that item type. For example, the Connectors tab
includes controls related to the management of connectors (see "Managing Connectors" on page 94).

The Locations Tab
The Locations tab displays all locations defined in ArcSight Management Center. The Locations tab
includes these buttons:
- Add Location: Adds a new location. For more information, see "Adding a Location" on page 52.
- Delete: Deletes one or more selected locations from ArcMC. For more information, see "Deleting a Location" on page 53.

The Locations table displays these parameters for each location.
- Name: Location name.
- Number of Hosts: Number of hosts assigned to the location.
- Action: Drop-down includes a control for editing a location. For more information on editing a location, see "Editing a Location" on page 53.

For more information on managing locations, see "Locations" on page 52.

The Hosts Tab
The Hosts tab displays all hosts associated with the location selected in the navigation tree. The Hosts
tab includes these buttons:

- Add Host: Adds a host. Available on the Hosts tab when a location is selected in the navigation tree. For more information on adding a host, see "About Adding a Host" on page 54.
- Move: Moves selected hosts to a new location. For more information, see "Moving a Host to a Different Location" on page 65.
- Update Agent: Updates the ArcMC Agent on selected hosts. If the Agent is not currently installed, this button will install the Agent. For more information, see "Updating (or Installing) the ArcMC Agent" on page 66.
- Delete: Deletes selected hosts from ArcMC. For more information, see "Deleting a Host" on page 65.

The Hosts table displays these parameters for each host:
- Hostname: Fully qualified domain name (FQDN) or IP address of the host. The hostname must match the hostname in the host’s SSL certificate. (If IP address was used to add the host, then the certificate will match the IP address used.)
- Path: Path to the host.
- Agent Version: Version number of the ArcSight Management Center Agent running on the host.
- Issues: Status of any issues associated with the host. Possible indicators include:
  - None: No issues are associated with the host.
  - Internet connection Not Present: The host is currently not reachable by internet connection. Displayed when ArcMC is not able to connect to the Marketplace for retrieving parser upgrade versions. If the user environment needs a proxy server for an internet connection, configure the logger.properties file. If the user environment is an appliance, save the DNS settings on the System Admin > Network page.
  - Valid Marketplace Certificate Not Found in ArcMC: Displayed when the Marketplace certificate does not match the one found in ArcMC's trust store.
  - Host Certificate Mismatch: The hostname does not match the hostname in the SSL certificate. For instructions on downloading and importing certificates for the host, see "Downloading and Importing Host Certificates" on page 68. If this issue is displayed for the localhost, and the certificate cannot be downloaded, please restart the web service on the localhost.
  - ArcMC Agent Out of Date: The host’s Agent version cannot be upgraded from the managing ArcMC, or the ArcSight Management Center cannot communicate with the ArcSight Management Center Agent on the managed node. You may need to manually install the ArcMC Agent. For requirements and instructions, see "Installing the ArcSight Management Center Agent" on page 32.
  - ArcMC Agent Stopped: The Agent process on the host has been stopped.
  - ArcMC Agent Upgrade Recommended: The host's Agent version is older than the one on the managing ArcMC. An Agent upgrade is recommended.
  - ArcMC Agent Uninstalled: The Agent on the host has been uninstalled.
  - ArcMC Agent Down: The Agent on the host is not running.
  - Update the authentication credentials on the localhost, and then install the ArcMC Agent.: For a localhost added for remote management, authentication credentials need to be updated to ensure authentication, and then the ArcMC Agent needs to be installed to enable management. Take both of these steps to correct this issue.
  - Error in REST Authentication.: The Event Broker node lacks the ArcMC certificate, ArcMC session ID, or ArcMC URL and port. To resolve this issue:
    - Make sure the user has the permission rights for the Event Broker operations.
    - Make sure the valid ArcMC certificate (with FQDN and .crt extension) is present in the Event Broker's location: /opt/arcsight/k8s-hostpath-volume/eb/arcmccerts
    - Make sure that the ArcMC URL is updated with correct FQDN and port in ArcSight Installer > Event Broker Configuration > ArcMC_Monitoring field.
    - Note that each time the user replaces the ArcMC certificate in the EB's location, the EB's webservice pod has to be restarted for the new certificate to be read and to be updated in the trust store.
- Model: If the host is an appliance, this shows the HPE ArcSight model number of the appliance. If the host is not an appliance, the label Software is shown.
- Type: Type of installation, either ArcMC Appliance or Software.
- Version: Version number of the software on the host.
- Action: Drop-down shows controls for executing host management tasks, which include:
  - Scanning a host
  - Downloading certificate details
  - Updating host credentials

For more information on host management, see "Hosts" on page 54.

The Containers Tab
The Containers tab displays all containers associated with the item selected in the navigation tree. For
example, if you selected a location in the tree, since locations include hosts, the Containers tab would
display all containers associated with all hosts in the selected location. The Containers tab includes
these buttons:
- Properties: Set properties on selected containers. For more information, see "Updating Container Properties" on page 82.
- Certificates: Manage certificates on selected containers. For more information, see "Managing Certificates on a Container" on page 89.
- FIPS: Enable or disable FIPS on selected containers. For more information, see "Enabling FIPS on a Container" on page 86.
- Upgrade: Upgrades all connectors in selected containers. For more information, see "Upgrading All Connectors in a Container" on page 83.
- Credentials: Manage credentials on selected containers. For more information, see "Changing Container Credentials" on page 82.
- Logs: Manage logs on selected containers. For more information, see "Viewing Container Logs" on page 85.
- Restart: Restart all connectors in selected containers. For more information, see "Restarting a Container" on page 85.
- Delete: Deletes the selected containers from ArcSight Management Center. For more information, see "Deleting a Container" on page 81.

The Containers table includes the following columns:
- Name: Name of the container.
- Path: Path to the container.
- Issues: Status of any issues associated with the container.
- Port: Port number through which the container is communicating.
- Framework Ver: Framework version number of the container.
- Parser Ver: Parser version number of the container.
- Status: Status of the container. Possible values for container status are:
  - Improper configuration: Initial default state.
  - Initializing connection: The connector has a resolvable URL, but ArcSight Management Center has not logged in to the connector yet.
  - Down: There was an exception trying to execute the login command.
  - Unauthorized: The login command was executed, but login has failed.
  - Connecting: The login is in progress.
  - Connected: The login was successful.
  - Empty: Login successful, but the container doesn't have connectors.
  - Initialized: Login successful and the container has connectors.
  - Unknown: No information on status. To resolve, manually SSH to the system and restart the container.
- Last Check: Date and time of last status check.
- Action: Drop-down shows a variety of controls for executing container management tasks, which include:
  - Edit Container
  - Send Container Command
  - Add Connector
  - Run Logfu
  - Download Certificate
  - Display Certificates
  - Deploy (to ArcExchange)
  - Run FlexConnector Wizard

For more information on container management, see "Upgrading All Connectors in a Container" on
page 83.

The Connectors Tab
The Connectors tab displays all software connectors associated with the item selected in the navigation
tree. For example, if you selected a container in the navigation tree, the Connectors tab would show all
connectors in the selected container. For the details on managing connectors, see "Managing
Connectors" on page 94.
The Connectors tab includes these buttons, which perform operations on one or more selected
connectors:
- Add Connector: (Only shown when a container is selected in the navigation tree.) Adds a connector to the selected container.
- Runtime Parameters: Edit the runtime parameters on selected connectors. For more information, see "Editing Connector Parameters" on page 97.
- Destinations: Sets the destinations of selected connectors. For more information, see "Managing Destinations" on page 99.
- Parameters: Sets parameters for selected connectors. For more information, see "Editing Connector Parameters" on page 97.
- Delete: Deletes connectors from ArcSight Management Center. For more information, see "Deleting a Connector" on page 106.

The Connectors table displays the following parameters for each connector:
- Name: Name of the connector.
- Path: Path to the connector.
- Type: Type of connector.
- EPS In: Events per second received by the connector.
- EPS Out: Events per second sent by the connector to its destination.
- Cache: Connector cache size.
- Last Check: Date and time of the last status check.
- Action: Drop-down shows a variety of controls for executing software connector management tasks. These include:
  - Send Connector Command
  - Share a connector to ArcExchange
  - Edit a FlexConnector

For more information on connector management, see "Managing Connectors" on page 94.

The Connector Summary Tab
To view a single connector in detail, click the connector in the navigation tree. The toolbar on the
summary tab includes the following buttons for operations on the connector:
- Connector Command: Sends a command to the connector. For more information, see "Sending a Command to a Connector" on page 107.
- Remove Connector: Removes the connector. For more information, see "Deleting a Connector" on page 106.
- Run Logfu: Run Logfu diagnostics on the connector. For more information, see "Running Logfu on a Connector" on page 107.
- Share: Shares the connector through ArcExchange. For more information, see "Sharing Connectors in ArcExchange" on page 113.

Tables below the toolbar show connector specifics, including basic connector data, parameters, and
connector destinations. These tables include the following columns:

Connector Data
- Type: Type of connector.
- Status: Connector status.
- Input Events (SLC): Total number of events received by the connector since it was last checked (generally once per minute).
- Input EPS (SLC): Events per second received by the connector since it was last checked (generally once per minute).
- In addition, the columns to the right include tools for editing a connector, editing runtime parameters, adding a failover destination, and sending a destination command.

Connector Parameters
Click Connector Parameters to toggle display of this table. Connector Parameters includes:
- Click to edit parameters.
- Parameters: Parameters can include connector network port, IP address, and protocol, and other information.
- Value: Parameter value.

Table Parameters (WUC Connectors Only)
WUC connectors (only) display these parameters.

- Domain Name: Connector domain name.
- Host Name: Connector host name.
- User Name: Connector user name.
- Security Logs: Indicates whether security events are collected.
- System Logs: Indicates whether system events are collected.
- Application: Indicates whether application events are collected from the Common Application Event Log.
- Custom Log Names: List of custom application log names, if any.
- Microsoft OS Version: Microsoft operating system for the connector.
- Locale: Connector locale.

Destinations
Click Destinations to toggle display of this table. The Destinations table includes:
- Click to add additional destinations.
- Name: Destination name.
- Output Events (SLC): Total number of events output by the connector to the destination since it was last checked (generally once per minute).
- Output EPS (SLC): Events per second output by the connector to the destination since it was last checked (generally once per minute).
- Cached: Total number of events cached to be transmitted to the destination.
- Type: Destination type. Destination types are described in the SmartConnector User's Guide.
- Location: Location of the destination.
- Device Location: Location of the device on which the destination is located.
- Comment: Comments on the destination.
- Parameters: Destination-specific parameters, such as IP address, port, and protocol.
- Action Buttons: Action buttons enable destination management tasks, such as editing the destination, editing the runtime parameters, adding a new failover destination, sending destination commands and removing the destination.

For more information on managing connectors, see "Managing Connectors" on page 94.

The ConApps Tab
The ConApps tab displays all hardware and software Connector Appliances associated with the item
selected in the navigation tree. For example, if you selected System in the navigation tree, the
Connector Appliances tab would display all Connector Appliances in ArcSight Management Center; if
you selected a Location, the tab would display all Connector Appliances in the selected location.

The Connector Appliances tab includes the following button, which operates on one or more selected
Connector Appliances:
- Set Configuration: Sets the configuration for selected Connector Appliances. For more information, see "Setting a Configuration on ConApps" on page 72.

The Connector Appliances table displays these parameters for each Connector Appliance:
- Name: Name of the Connector Appliance.
- Path: Path to the Connector Appliance.
- Port: Port number through which the Connector Appliance is communicating.
- Version: Software version of the Connector Appliance.
- Status: Status of the Connector Appliance.
- Last Check: Date and time of last status check.
- Action: Drop-down shows a variety of controls for executing Connector Appliance management tasks, including the following:
  - Rebooting
  - Shutting down
  - Editing or removing a configuration

For more information on Connector Appliance management, see "Managing Connector Appliances
(ConApps)" on page 70.

The Loggers Tab
The Loggers tab displays all hardware and software Loggers associated with the item selected in the
navigation tree. For example, if you selected System in the navigation tree, the Loggers tab would
display all Loggers in ArcSight Management Center; while if you selected a Location, you would see all
Loggers in that location.
The Loggers tab includes the following buttons, which perform operations on one or more selected
Loggers:
- Set Configuration: Sets the configuration for selected Loggers. For more information, see "Setting a Configuration on Loggers" on page 79.
- Upgrade Logger: Upgrades selected Loggers. For more information, see "Upgrading a Logger" on page 78.

The Loggers table displays these parameters for each Logger:
- Name: Name of the Logger.
- Path: Path to the Logger.
- Port: Port number through which the Logger is communicating.
- Version: Software version of the Logger.
- Top Storage Use: Displays the most used storage group and its percentage of storage.
- Status: Status of the Logger.
- Last Check: Date and time of last status check.
- Action: Shows controls for executing Logger management tasks, including the following:
  - Rebooting
  - Shutting down
  - Editing or removing a configuration

The ArcMCs Tab
The ArcMCs tab displays all Software ArcSight Management Centers and ArcSight Management
Center Appliances associated with the item selected in the navigation tree. For example, if you selected
System in the navigation tree, the ArcMCs tab would display all managed ArcSight Management
Centers; while if you selected a Location, you would see all ArcMCs in that location.
The ArcMCs tab includes the following buttons, which perform operations on one or more selected
ArcMCs:
- Set Configuration: Sets the configuration for selected ArcMCs. For more information, see "Setting a Configuration on Managed ArcMCs" on page 75.
- Upgrade ArcMC: Upgrades selected ArcMCs. For more information, see "Upgrading ArcMC" on page 74.

The ArcMCs table displays these parameters for each ArcMC:
- Name: Name of the ArcSight Management Center.
- Path: Path to the ArcSight Management Center.
- Port: Port number through which the ArcSight Management Center is communicating.
- Version: Software version of the ArcSight Management Center.
- Status: Status of the ArcSight Management Center.
- Last Check: Date and time of last status check.
- Action: Shows controls for executing ArcMC management tasks, including the following:
  - Rebooting
  - Shutting Down
  - Editing a configuration

For more information on managing other ArcSight Management Centers in ArcSight Management
Center, see "Managing Other ArcSight Management Centers" on page 73.

The EB Nodes Tab
ArcMC can only manage a single Event Broker. However, the single managed Event Broker may have
any number of Event Broker nodes, each of which can be managed and monitored by ArcMC. When you
add an Event Broker as a host to ArcMC, you add all of its nodes.
The EB Nodes tab displays all Event Broker nodes present in the managed Event Broker. For example, if
you selected System in the navigation tree, the EB Nodes tab would display all managed Event Broker
nodes; while if you selected a Location, you would see all Event Broker nodes in that location.
The tab displays these parameters for each managed Event Broker node:
- Name: Name of the Event Broker node.
- Port: Port number through which the Event Broker node is communicating.
- Type: Type of Event Broker node.
- Last Check: Date and time of last status check.

For more information on managing Event Broker in ArcSight Management Center, see "Managing
Event Broker" on page 166.

Locations
A location is a logical grouping of hosts. The grouping can be based on any criteria you choose, such as
geographical placement or organizational ownership. Locations are a useful way to organize a set of
hosts.
For example, you could group all hosts in New York separately from hosts in San Francisco and assign
them to locations named “New York” and “San Francisco”. Similarly, you could group hosts in a location
named “Sales” and others in the location “Marketing”.
A location can contain any number of hosts. For information on adding hosts to locations, see "About
Adding a Host" on page 54.
Note: ArcSight Management Center includes one location by default (called Default) but you may
add any number of others. The name of the Default location may be edited, and the location itself
may be deleted.

Adding a Location
You can add any number of locations.

To add a location:
1. Click Node Management.
2. In the navigation tree, click System.
3. In the management panel, click Add Location.
4. Enter the name of the new location, and then click Next.
5. Click Done. The new location is shown in the System tree.

Editing a Location
You can edit the name of a location.

To edit a location:
1. Click Node Management.
2. In the navigation tree, click System, and then click the Locations tab.
3. On the Locations tab, choose a location to rename.
4. In the Action drop-down of the selected location, select Edit Location.
5. Enter the new name of the location, and then click Next.
6. Click Done. The location is renamed.

Viewing All Locations
You can see all the locations that exist in ArcSight Management Center.

To view all locations:
1. Click Node Management.
2. In the navigation tree, click System, and then click the Locations tab to view all locations.

Deleting a Location
When you delete a location from ArcSight Management Center, any hosts in the location (and their
associated nodes) are also deleted.
Tip: If you want to delete a location but still want to keep its hosts in ArcSight Management Center,
relocate the hosts before deleting the location. See "Moving a Host to a Different Location" on
page 65.

To delete a location:
1. Click Node Management.
2. In the navigation tree, click System, and then click the Locations tab.
3. On the Locations tab, choose one or more locations to delete.
4. Click Delete.
5. Click OK to confirm deletion. The selected locations are deleted.

Hosts
A host is a networked system associated with a unique IP address or hostname. A host can be an
ArcSight appliance, or a system running an ArcSight software product, such as Software Logger.
For information on adding hosts to manage, see "About Adding a Host" below.

About Adding a Host
After a host is added to ArcSight Management Center, ArcSight products on the host become nodes,
and can be managed. For example, adding a host running Connector Appliance with 4 containers
would add 5 nodes to ArcSight Management Center: the Connector Appliance itself, and each
container.
In ArcMC 2.2 and later, the ArcMC localhost is added automatically for remote management. You
will be able to manage the localhost as you would any other node.

Prerequisites for Adding a Host (for each Host Type)
Connection Information for Adding a Host

Host Type: Appliance with Local Connectors (includes ArcSight Management Center Appliance, Connector Appliance, or Logger Appliance (L3XXX))
Required Information:
- Hostname (FQDN) or IP address. Hostname or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname, or directly for an IP address. If hostname is used, the hostname entered must match the hostname from the host’s SSL certificate. (If the FQDN fails to resolve, restart the web service.)
- Authentication credentials (username and password) for logging into the host. If the host is configured for external authentication, such as LDAP or RADIUS, use the external authentication credentials, if possible, or use the fall back credentials.
  Note: See "Prerequisites for Adding a Host (for each Host Type)" above for more information about authentication credentials.
- Authentication credentials (username and password) for any local containers. If the appliance includes multiple containers, then the credentials for each container must be identical. For example, if the username and password for one container managed by a Connector Appliance is myusername and mypassword, then myusername and mypassword must be the credentials for all local containers managed by the same Connector Appliance.

Host Type: Appliance without Local Connectors (includes Logger Appliance (non-L3XXX))
Required Information:
- Hostname (FQDN) or IP address. Hostname or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname, or directly for an IP address. If hostname is used, the hostname entered must match the hostname from the host’s SSL certificate. (If the FQDN fails to resolve, restart the web service.)
- Authentication credentials (username and password) for logging into the host. If the host is configured for external authentication, such as LDAP or RADIUS, use the external authentication credentials, if possible, or use the fall back credentials.
  Note: See "Prerequisites for Adding a Host (for each Host Type)" above for more information about authentication credentials.

Host Type: Software Form Factor (includes Software ArcSight Management Center, Software Connector Appliance, or Software Logger)
Required Information:
- Hostname (FQDN) or IP address. Hostname or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname, or directly for an IP address. If hostname is used, the hostname entered must match the hostname from the host’s SSL certificate. (If the FQDN fails to resolve, restart the web service.)
- Authentication credentials (username and password) for logging into the host. If the host is configured for external authentication, such as LDAP or RADIUS, use the external authentication credentials if possible, or use the fall back credentials.
  Note: See "Prerequisites for Adding a Host (for each Host Type)" on the previous page for more information about authentication credentials.
- Port number assigned to the product.

Host Type: Software Connector (includes SmartConnectors of all types)
Required Information:
- Hostname (FQDN) or IP address. Hostname or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname, or directly for an IP address. (If the FQDN fails to resolve, restart the web service.)
- Authentication credentials (username and password) for the connector.
  Note: See "Prerequisites for Adding a Host (for each Host Type)" on the previous page for more information about authentication credentials.
- Optionally, specify an inclusive port range separated by a hyphen (such as 9004-9008) to scan a port range for all software connectors.
  Note: If the port range includes multiple connectors, then the credentials for each connector in the range must be identical. For example, if the username and password for one connector in the range was myusername and mypassword, then myusername and mypassword must be the credentials for every connector in the port range.
Prior to adding a software-based SmartConnector as a host, you must prepare the SmartConnector as explained in SmartConnectors on ArcMC.

Host Type: Event Broker
Required Information:
- Hostname (FQDN) or IP address. Hostname or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname, or directly for an IP address. (If the FQDN fails to resolve, restart the web service.)
- Port number for the Event Broker (default 38080)
- In order to add Event Broker as a host, the active user must belong to an ArcMC permission group with rights to do so. By default, the admin user has such rights.
Note: Prior to performing the Add Host process, you will need to generate the ArcMC certificate with complete FQDN and download the .crt file, and then copy the certificate file to your Kubernetes master node. See Preparing to Add Event Broker as a Host for details on this process.

- An SSL Certificate: An SSL certificate must be generated for any of the following host types to be managed:
  - Connector Appliance or Software Connector Appliance
  - Logger Appliance or Software Logger
  - Event Broker
  - ArcSight Management Center Appliance or Software ArcSight Management Center
  The hostname in the certificate must match the hostname you will add to ArcSight Management Center. For more information on generating certificates for these host types, consult the HPE ArcSight Administrator’s Guide for each product. (If a host to be added already has a certificate installed, you can use the existing certificate, as long as the hostname on the certificate matches the hostname of the host you will be adding.)
  Note: If the hostname does not match the hostname in the SSL certificate, you can regenerate a matching certificate by doing one of the following:
  - For a hardware appliance, in System Admin > Network, click the NICS tab. Under Host Settings, note the entry in the Hostname field. (This is the value you should use to add the host to ArcSight Management Center.) Click Restart Network Service. Then, in the navigation menu, under Security, pick SSL Server Certificate. Click Generate Certificate. A new certificate will be generated that matches the hostname from the NICS tab.
  - For software form factor, in System Admin > SSL Server Certificate, under Enter Certificate Settings, verify that the hostname from the NICS tab noted previously is entered in the Hostname field. Then, click Generate Certificate. A new certificate will be generated that matches the hostname from the NICS tab.
- Check for Agent Installation: Check the table under "Installing the ArcSight Management Center Agent" on page 32 to determine if the ArcMC Agent needs to be installed on a host prior to adding it to ArcMC. For some host types, the Agent will be installed automatically upon adding a host.
  Perl is required for the automatic installation of the ArcMC Agent. Ensure that Perl is installed on the host prior to attempting to add the host to ArcMC.

Node Authentication Credentials
ArcSight Management Center authenticates to each managed node each time it communicates with the
node, using the node's authentication credentials—that is, username and password—you supply when
first adding the host. If the host includes connectors or containers, then authentication credentials must
also be supplied for these. (Exception: Event Broker does not require authentication credentials
for individual nodes.) As a result, valid credentials for each node are required when adding a host.

Determining a Node’s Credentials:
Consult the system administrator for each managed node to determine its current login credentials.
Each ArcSight product ships with a default set of credentials. However, for optimal security, it is
expected that the default credentials are changed as soon as possible by the administrator, so the
default credentials may no longer be valid for authentication.
• For default credentials for HPE ArcSight products, consult the relevant product administrator’s
guide. (For SmartConnector default credentials, consult the SmartConnector User's Guide, available
from the HPE support community at Protect724.)
• Some products can be configured by administrators to use external authentication, in which case the
external authentication credentials or fallback credentials should be provided when adding the host
to ArcSight Management Center. (SmartConnectors may not be configured for external
authentication.)

Changed or Expired Credentials
If the username or password on a node is changed (or expires) any time after the node is added to
ArcSight Management Center, then the node will no longer be managed. However, it will still appear in
the list of managed nodes. For example, on some hosts, passwords are set to expire automatically after
some time period, which would prevent successful authentication by ArcSight Management Center
using the node’s initial credentials. To avoid this issue, you may wish to use node credentials that do not
expire. To continue management of a node on which the credentials have changed or expired, use the
Update Host Credentials feature.

Dynamic Credentials
If authentication credentials are configured to change dynamically (such as with RADIUS one-time
passwords), then instead of providing external authentication credentials, you can provide the
credentials of a local user on the managed node who is permitted to use fallback authentication.
ArcSight Management Center will then try to authenticate to the managed node using the external
authentication method first, and if this fails, it will try to authenticate to the managed node using the
local user credentials.

Managing SmartConnectors on ArcMC
ArcMC can remotely manage previously-installed, software-based SmartConnectors; however, the
remote management feature is disabled on software SmartConnectors by default.
You can install several SmartConnectors on a single host if supported by the hardware. ArcSight
certifies a maximum of 4 SmartConnectors on Windows hosts and 8 on Linux hosts.
To manage software-based SmartConnectors with ArcMC, you need to enable remote management on
each connector, as follows:
1. In a text editor, in the installation directory for the SmartConnector, open the file //user/agent/agent.properties.
2. Add the line: remote.management.enabled=true

3. If desired, customize the connector's listening port. The default is 9001. To change this value, add
the line: remote.management.listener.port=, where  is the new port number.
4. Save the file.
5. Restart the SmartConnector for changes to take effect.
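
Steps 1 to 4 applied to the text of agent.properties, as an added example that is not HPE's code. The function names are hypothetical, and the line handling assumes standard Java properties syntax (key=value or key:value, with the last assignment of a key taking effect).

```python
import re

ENABLED = "remote.management.enabled"
PORT = "remote.management.listener.port"


def _key_line(key):
    # Matches an active (uncommented) assignment of exactly this key.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*)$")


def enable_remote_management(text, port=None):
    """Return agent.properties content with remote management switched on.

    Existing assignments of the two keys are replaced rather than duplicated,
    so applying the function twice gives the same file. port=None leaves the
    listener port unset (the guide gives 9001 as the default).
    """
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError("listener port must be 1-65535")
    wanted = {ENABLED: "true"}
    if port is not None:
        wanted[PORT] = str(int(port))

    out, seen = [], set()
    for line in text.splitlines():
        for key, value in wanted.items():
            if _key_line(key).match(line):
                if key not in seen:          # keep a single assignment per key
                    out.append(f"{key}={value}")
                    seen.add(key)
                break
        else:
            out.append(line)                 # unrelated line or comment: untouched
    out += [f"{k}={v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n"


def listener_settings(text):
    """Return (enabled, port) found in the file text; the last assignment wins."""
    enabled, port = False, 9001              # defaults stated in the guide
    for line in text.splitlines():
        m = _key_line(ENABLED).match(line)
        if m:
            enabled = m.group(1).strip().lower() == "true"
        m = _key_line(PORT).match(line)
        if m and re.fullmatch(r"[0-9]+", m.group(1).strip()):
            port = int(m.group(1).strip())
    return enabled, port
```

Running listener_settings over each connector's file before and after the change also gives an inventory of which connectors have the management listener open and on which port.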

Preparing to Add Event Broker as a Host
Before you can add Event Broker as a managed host, you will need to generate the ArcMC certificate
with complete FQDN and download the .crt file, and then copy the certificate file to your Kubernetes
master node.

To prepare for adding Event Broker as a host:
1. In ArcMC, click Administration > System Admin.
2. Under Security > SSL Server Certificate, under Hostname, enter the FQDN of the ArcMC.
3. Click Generate Certificate.
4. Save the certificate locally.
5. Connect to your Kubernetes master node.
6. Copy the previously generated certificate to /opt/arcsight/k8shostpath/eb/arcmccerts.
7. Launch the ArcSight Installer.
8. Click Configuration > ArcSight Event Broker.
9. On the ArcMC Monitoring tab, in ArcMC URL, enter the FQDN and port number of the managing
ArcMC.
In ArcMC, you can now follow the process outlined under Adding a Host.

Adding a Host
Before adding a host, ensure that the host meets the prerequisites for the process. For more
information, see "Prerequisites for Adding a Host (for each Host Type)" on page 55.

To add a host to ArcMC:
1. Click Node Management.
2. In the navigation tree, select a location to which you plan to add the host.
3. On the Hosts tab, click Add Host.
4. On the Add a new Host dialog, in Hostname/IP, enter either the hostname or IP address of the
host.
5. In Type, select the type of node from the drop-down list.
6. Enter values for the required settings. (Required information will depend on the node type.)
   • In Host Credentials or Connector Credentials, enter the username and password required for
     authentication.
   • In Port, if required, enter the value of the port on which ArcSight Management Center will
     connect to the host.

7. Click Add. The host is added to ArcSight Management Center.

Adding a Host with Containers
When you add a host that includes containers (such as Connector Appliance), ArcSight Management
Center also attempts to retrieve the SSL certificates from any containers that reside on the host, and
add each container as a separate node. Containers on the remote host can be managed only if ArcSight
Management Center can authenticate using the certificates and supplied credentials. When the
certificates are retrieved, you are prompted to import them into ArcSight Management Center.
Note: On ArcSight Management Center Appliance, all local containers are added automatically as
hosts of type Software Connector.

Importing Multiple Hosts
To quickly and easily add multiple hosts in bulk, you can import a comma-separated values (CSV) file
that lists the names and required attributes of the hosts to be added.
Note: ArcSight Management Center 1.0 used a slightly different file format for importing connector
hosts. That file format is not supported by ArcSight Management Center 2.1. Use the file format
described here instead.

Prerequisites for Importing Multiple Hosts
The following prerequisites apply to importing hosts.
• Add Host Prerequisites: Any prerequisites for the Add Host process also apply to importing
multiple hosts by a CSV file. See "About Adding a Host" on page 54.
• Valid CSV File: Ensure the values in your CSV file are valid and correct. An import hosts job will fail
immediately upon receiving an invalid or incorrect value. The CSV file format is described under "CSV
File Format" on the next page.
• Stop the Agent 1.0 Process: In addition, if any of the hosts to be imported are running the ArcSight
Management Center 1.0 Agent, stop the Agent process on each such host before the import. (This is
not needed for later versions of the ArcMC Agent.)

CSV File Format
The CSV (comma-separated value) file requires the following header line to be its first line:
location,hostname,type,host username,host password,connector username,connector password,port/port range

Each subsequent line represents one host to be imported. Each line must include values for the
following comma-separated fields for each host:
, ,,,,
,,

Some host types require values for all fields, and some are optional. An optional field with no value
specified must still include a comma to represent the empty field.

Host Field Values
Valid values for host fields are detailed in the following table. An asterisk (*) indicates a required field.
An optional field with no value specified must still include a comma to represent the empty field.
Field / Description

Location*
  Location to which the host will be assigned.

Hostname*
  Hostname (FQDN) or IP address of the host.
  • FQDN or IP must be resolvable by ArcSight Management Center: either through DNS for a hostname,
    or directly for an IP address.
  • If hostname is used, the hostname entered must match the hostname from the host’s SSL certificate.
  • For a hardware appliance, DNS must be configured on the managing appliance (System Admin >
    DNS).

Host Type*
  Host type. Valid (case-insensitive) values are:
  • appliance_with_local_connectors: includes ArcSight Management Center Appliance,
    Connector Appliance and Logger Appliance (L3XXX)
  • appliance_without_local_connectors: includes Logger Appliance (non-L3XXX).
  • software_form_factor: includes Software ArcSight Management Center, Software Connector
    Appliance or Software Logger.
  • software_connector: includes all software connectors and SmartConnectors.

Host Username/Password*
  User name and password used to authenticate to the host.
  Note: See "About Adding a Host" on page 54 for more information about authentication credentials.

Connector Username/Password
  Username and password used to authenticate to the software connector. Required for hosts of type
  Appliance with Local Connector and Software Connector; otherwise optional.
  Note: See "About Adding a Host" on page 54 for more information about authentication credentials.

Port/Port Range
  Starting port or port range for connector scan. Valid values:
  • Port number
  • Port range
  • Comma-separated port numbers (for example, 9000,9004,9007)
  Notes:
  • For software form factors, port is required.
  • For appliance form factors, to add all local containers, leave the field blank. However, if any port
    numbers are entered, then certificates will be downloaded only for the specified port numbers, and only
    those containers will be imported.
  • For software connectors, either a port or port range is required. If using port range, specify an inclusive
    port range, using a hyphen between starting and ending port. For example, a specified port range of
    9001-9003 would scan ports 9001, 9002, and 9003.
  Note: If the port range includes multiple connectors, then the credentials for each connector in the
  range must be identical. For example, if the username and password for one connector in the range
  was myusername and mypassword, then myusername and mypassword must be the credentials for
  every connector in the port range.

An example of a valid import file, importing two hosts, is shown here:
location,hostname,type,host_username,password1,connector_username,password2,port/port range
CorpHQ,hostname.example.com,software_connector,username,password,connector__username,connector_password,9001-9010
EMEA,hostname2.example.com,appliance_without_local_connectors,logger_user,logger_pword,,,

In this example, the first line would represent the required header line, the second line a Software
Connector, and the third line would represent a Logger Appliance.
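
Because an import job fails on the first invalid value, the file can be checked against the field rules above before upload. The following is an added example, not HPE's code: validate_import_csv and port_spec_ok are hypothetical names, the header is checked only for its eight columns, and treating an unquoted port list as extra CSV fields is an assumption about how ArcMC reads the file.

```python
import csv
import io
import re

HOST_TYPES = {"appliance_with_local_connectors", "appliance_without_local_connectors",
              "software_form_factor", "software_connector"}
NEED_CONNECTOR_CREDS = {"appliance_with_local_connectors", "software_connector"}
NEED_PORT = {"software_form_factor", "software_connector"}
FIELDS = ["location", "hostname", "type", "host username", "host password",
          "connector username", "connector password"]
# Constructed sample: header, one valid row, one row missing its required port.
SAMPLE = """location,hostname,type,host username,host password,connector username,connector password,port/port range
CorpHQ,host1.example.com,software_connector,user,pw,cuser,cpw,9001-9010
EMEA,host2.example.com,software_form_factor,user,pw,,,
"""


def port_spec_ok(spec):
    """Accept one port, an inclusive range (9001-9003) or a list (9000,9004,9007)."""
    is_range = "-" in spec
    parts = [p.strip() for p in spec.split("-" if is_range else ",")]
    if (is_range and len(parts) != 2) or not all(re.fullmatch(r"[0-9]{1,5}", p) for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and (not is_range or nums[0] <= nums[1])


def validate_import_csv(text):
    """Return [(line_number, problem)]; messages name fields, never their values."""
    rows = list(csv.reader(io.StringIO(text)))
    problems = []
    if not rows or len(rows[0]) != 8:
        problems.append((1, "header line must have 8 fields"))
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) < 8:
            problems.append((lineno, "fewer than 8 fields; empty fields still need a comma"))
            continue
        values = dict(zip(FIELDS, (f.strip() for f in row[:7])))
        # Assumption: an unquoted port list spills into extra CSV fields.
        ports = ",".join(f.strip() for f in row[7:])
        host_type = values["type"].lower()   # type values are case-insensitive
        required = FIELDS if host_type in NEED_CONNECTOR_CREDS else FIELDS[:5]
        missing = [name for name in required if not values[name]]
        if host_type in NEED_PORT and not ports:
            missing.append("port/port range")
        if missing:
            problems.append((lineno, "missing " + ", ".join(missing)))
        if host_type and host_type not in HOST_TYPES:
            problems.append((lineno, "unknown host type"))
        if ports and not port_spec_ok(ports):
            problems.append((lineno, "invalid port/port range"))
    return problems
```

Calling validate_import_csv(SAMPLE) reports line 3, where a software_form_factor host has no port. The check cannot confirm that a hostname matches the host's SSL certificate or that the credentials are current; those remain prerequisites to verify on the host.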

Import Hosts Procedure
Only a single Import Hosts job may be executed at one time.

To import hosts from a CSV file:
Note: Before beginning the import, stop the Agent processes on any hosts running version 1.0 of
the ArcMC Agent.
1. Create and save your CSV file in a text editor.
2. Log into ArcSight Management Center.
3. Select Node Management > Import Hosts. The Import Hosts wizard starts.
4. Click Browse, and browse to the location of your hosts CSV file.
5. Click Import. The hosts are imported as a background job.
If the CSV file is valid, connector certificates are retrieved automatically so that ArcSight
Management Center can communicate with each connector in a container. The Upload CSV wizard
lists the certificates. (To see certificate details, hover over the certificate.)
Automatic installation of the ArcMC Agent may increase the time required for the Import Hosts job.
• Select Import the certificates..., and then click Next to import the certificates and continue.
• Select Do not import the certificates..., and then click Next if you do not want to import the
certificates. The Upload CSV wizard does not complete the upload CSV process.
Note: The Import Hosts wizard does not complete the upload if certificate upload failed for
any of the connectors in a container, or if any of the certificates failed to import into the trust
store.

6. The Import Hosts job executes.

Import Hosts Job Logs
ArcSight Management Center logs the results of all Import Hosts jobs. Each job produces a new log,
named import_hosts__
