Cyber Defense Operations Centre ArcSight Logger 6.4 Install Guide
Page Count: 6
Cyber Defence Operation Centre
NEC Africa
Installing ArcSight Logger on CentOS 7
Document Information
Author: Armand Kruger
Title: Cyber Defence Analyst
Version: 1.0
Department: Cyber Defence Operations Centre
Table of Contents
Chapter 1: Logger CentOS 7 Prerequisites ........ 1
Chapter 2: Installing ArcSight Logger ........... 3
Chapter 3: Connecting to the Logger ............. 3
1 | P a g e
©NEC Africa – Cyber Defence Operation Centre
Logger CentOS 7 Prerequisites
Note: Please make sure that the base OS (CentOS 7) is already preconfigured with the settings
below before attempting to follow the Logger Installation Guide below!
Base OS Pre-Configured Settings:
- Valid Hostname (Not Localhost)
- Static IP
- Subnet Mask
- DNS Name Server
- Default Gateway
- Stable Internet Connection
Refer to the "Installing & Maintaining a CentOS 7 Minimal Server Environment Fact Sheet" for
guidelines on the above pre-configured settings.
CentOS 7 OS Packages to Install after CentOS 7 Installation:
- Java
- Net-Tools
- Tcpdump
Ports to be Allowed Through the Firewall
- TCP 22
- TCP 9000
- TCP 443
- TCP 515
- UDP 524
Before we can start the ArcSight Logger Installer, we must prepare the system with some custom
configuration changes. A non-root user account must exist on the system before installing the
Logger. Follow the steps and commands below to prepare the system for the Logger installation.
Perform all the steps below as the ROOT user!
Create the Following New Folders
mkdir /home/ArcSightFiles
mkdir /opt/arcsight
Give the New Folders Read & Write Permissions (755: owner read/write/execute, everyone else read/execute)
chmod 755 /home/ArcSightFiles
chmod 755 /opt/arcsight
Create a New Group Called arcsight
groupadd -g 750 arcsight
Add the New User arcsight & Add User arcsight to the New Group
useradd -m -g arcsight -u 1500 arcsight
Now we need to change the default user process limits to ensure that the Logger is operational
after installation. Follow the steps below AFTER the above has been completed successfully. All
steps and commands must be executed as ROOT!
Path to the User Process Limits Configuration Directory
/etc/security/limits.d/
If limits.d Doesn't Exist, Create the Directory
mkdir /etc/security/limits.d
Edit the Process Limit File
vi /etc/security/limits.d/20-nproc.conf
If the File Contains Existing Values, Delete Them and Add the Following
* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536
Reboot the Server
reboot
After Bootup & Logon, Verify the User Process Limits
ulimit -a
Verify the Following Output
open files 65536
max user processes 10240
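The prerequisites and limit settings above can be checked before the installer is started. The script below is an added example written for this guide's steps; it is not part of the NEC Africa document or of the Logger product. The parsing functions read text (a limits file, the output of ulimit -a, a firewall port list) so they can be exercised on constructed samples, and live_checks applies them to the real host. The file name 20-nproc.conf, the limit values and the port list are the ones the guide specifies; the mapping of the package list to the commands java, ifconfig (net-tools) and tcpdump, the use of firewalld's firewall-cmd --list-ports, and the RUN_LIVE switch are assumptions introduced here.

```shell
#!/bin/bash
# Added example for this guide's prerequisite and user-limit steps; not part of
# the original NEC Africa document. Parsing functions read text so they can be
# tested on constructed samples; live_checks applies them to the real host.

# Hostname must be set and must not be a localhost variant (guide: "Not Localhost").
check_hostname() {
    case "$1" in
        ""|localhost|localhost.localdomain) return 1 ;;
        *) return 0 ;;
    esac
}

# limits.d file text on stdin: all four entries from the guide must be present
# with exactly the specified values. Comment lines (#) never match.
check_limits_text() {
    awk '
        $1 == "*" && $2 == "soft" && $3 == "nproc"  && $4 == "10240" { a = 1 }
        $1 == "*" && $2 == "hard" && $3 == "nproc"  && $4 == "10240" { b = 1 }
        $1 == "*" && $2 == "soft" && $3 == "nofile" && $4 == "65536" { c = 1 }
        $1 == "*" && $2 == "hard" && $3 == "nofile" && $4 == "65536" { d = 1 }
        END { exit !(a && b && c && d) }'
}

# "ulimit -a" output (bash format, as on CentOS 7) on stdin: the effective
# values for the logged-on user must match what the guide says to verify.
check_ulimit_text() {
    awk '
        /^open files/         { files = $NF }
        /^max user processes/ { procs = $NF }
        END { exit !(files == 65536 && procs == 10240) }'
}

# $1 is a space-separated list of open ports in firewalld "port/proto" notation
# (assumption: firewalld, i.e. the output of firewall-cmd --list-ports).
# Reports every port from the guide's list that is not open.
check_ports_text() {
    missing=""
    for p in 22/tcp 9000/tcp 443/tcp 515/tcp 524/udp; do
        case " $1 " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "firewall ports not open:$missing" >&2
    return 1
}

# Run every check against this host; exit status 0 means ready for the installer.
live_checks() {
    rc=0
    check_hostname "$(hostname)" || { echo "hostname is unset or localhost" >&2; rc=1; }
    for c in java ifconfig tcpdump; do          # assumption: Java, net-tools, tcpdump
        command -v "$c" >/dev/null 2>&1 || { echo "missing command: $c" >&2; rc=1; }
    done
    f=/etc/security/limits.d/20-nproc.conf
    { [ -r "$f" ] && check_limits_text < "$f"; } \
        || { echo "$f is missing or lacks the required limits" >&2; rc=1; }
    ulimit -a | check_ulimit_text \
        || { echo "effective limits differ; log on again after the reboot" >&2; rc=1; }
    check_ports_text "$(firewall-cmd --list-ports 2>/dev/null)" || rc=1
    return $rc
}

# Only touch the host when asked, so the functions can be sourced and tested.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_checks
fi
```

Run it with RUN_LIVE=1 from a fresh logon, because pam_limits applies the limits.d values when a session starts, so a shell that was open before the reboot still shows the old numbers. The firewall check only reads --list-ports; a port opened through a named firewalld service (for instance ssh for 22/tcp) is reported as missing and should be confirmed with firewall-cmd --list-services instead.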
Now we need to make the last adjustment before we can start the Logger Installer. Follow the
steps below in order and make sure to perform all configuration as ROOT!
Navigate to the Following Directory
cd /etc/systemd/
Edit the Following File
vi logind.conf
Find the Following within the Configuration File
#RemoveIPC=no
Remove the # Before the Line
RemoveIPC=no
Restart the Service
systemctl restart systemd-logind.service
Now that the system is prepared, we can start with the Logger installation. Navigate to where
you placed the Logger installer file and follow the steps below as ROOT!
Make the Logger Installer Executable
chmod +x <LoggerInstaller>.bin
Note: Replace <LoggerInstaller> with the name of your ArcSight Logger installer file.
Execute the Logger Installer
./<LoggerInstaller>.bin -i console
Follow the installer process, but make sure to enter the following information during the
Logger installation:
Default Installation Path: /opt/arcsight
Full Path to the License File: (ends with .dat)
Logger System Service: Start Logger as a Service
Specify Non-root User Account: arcsight
Default Port: 443
Default Locale: 1 for English
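The RemoveIPC step is worth scripting so that it is safe to repeat on a host that has already been configured. A commented line is not a setting: systemd-logind then uses its compiled-in default, which on CentOS 7.2 and later is RemoveIPC=yes, and with that value logind removes the System V IPC objects and POSIX shared memory owned by a user as soon as that user's last session ends. A service running under the dedicated arcsight account keeps such objects alive between logons, which is why the line has to be active before the Logger is installed. The function below is an added example written for this guide; it is not code from the NEC Africa document or from the Logger product. It takes the file path as a parameter, handles the three states the file can be in (the commented default, an explicit yes, no RemoveIPC line at all), and restarts systemd-logind only when the file actually changed. The APPLY_TO_SYSTEM switch is an assumption introduced here.

```shell
#!/bin/sh
# Added example for the RemoveIPC step of this guide; not part of the original
# NEC Africa document. Works on any logind.conf-style file given as $1.

# Print the effective RemoveIPC value: the last uncommented assignment wins.
# Empty output means the key is not set, so systemd applies its compiled-in default.
removeipc_value() {
    awk -F= '/^[[:space:]]*RemoveIPC[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print v }' "$1"
}

# Ensure the file has an active "RemoveIPC=no" line. Prints "changed" when the
# file was modified and "unchanged" when it already had the right value, so the
# caller can decide whether a service restart is needed.
set_removeipc_no() {
    f="$1"
    if [ "$(removeipc_value "$f")" = "no" ]; then
        echo unchanged
        return 0
    fi
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*RemoveIPC[[:space:]]*=' "$f"; then
        # A line exists, commented or set to another value: rewrite it in place
        # (the "#\{0,1\}" part is what turns "#RemoveIPC=no" into "RemoveIPC=no").
        sed -i 's/^[[:space:]]*#\{0,1\}[[:space:]]*RemoveIPC[[:space:]]*=.*/RemoveIPC=no/' "$f"
    else
        # No line at all: append it. The stock logind.conf has only the [Login]
        # section, so an appended key still lands inside that section.
        printf 'RemoveIPC=no\n' >> "$f"
    fi
    echo changed
}

# Apply to the real host only when asked (assumed switch), and restart logind
# only if the file changed, so repeated runs do not bounce the service.
if [ "${APPLY_TO_SYSTEM:-0}" = 1 ]; then
    if [ "$(set_removeipc_no /etc/systemd/logind.conf)" = changed ]; then
        systemctl restart systemd-logind.service
    fi
fi
```

After applying it, removeipc_value /etc/systemd/logind.conf should print no; that one-line check is the quickest way to confirm the setting on a host someone else prepared.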
Connecting to the Logger via Web
URL Path
https://<Hostname or IP Address>:<Port>
Default Credentials (First Logon)
Username: admin
Password: password
Uninstalling the Logger
Browse to the Logger Installation Directory
/opt/
Run the Un-Installation File
./UninstallerData/Uninstall_ArcSight_Logger_6.2
Note: Change the version at the end of the command if you have a different ArcSight Logger installation.