Logger Installation Guide Install 6.2
User Manual:
Open the PDF directly: View PDF .
Page Count: 54
Download | |
Open PDF In Browser | View PDF |
HPE Security ArcSight Logger Software Version: 6.2 Installation Guide March 11, 2016 Installation Guide Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2016 Hewlett Packard Enterprise Development, LP Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026 Support Contact Information Phone A list of phone numbers is available on the HPE Security ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/espsupport-contact-list Support Web Site https://softwaresupport.hp.com Protect 724 Community https://www.protect724.hpe.com HPE Logger 6.2 Page 2 of 54 Contents About this Guide 5 Chapter 1: Deployment Planning Getting the Latest Documentation Initial Configuration Storage Volume Storage Groups Search Indexes Receivers 6 6 6 6 7 7 8 Chapter 2: Setting Up a Logger Appliance Running Logger on Encrypted Appliances Installing the Logger Appliance Configuring an IP Address for the Appliance Setting Up the Appliance for Remote Access Acquiring a License for the Logger Appliance Logging In for the First Time Initializing the Logger Appliance Using the Logger Appliance Command Line Interface 10 10 11 11 12 13 13 14 15 Chapter 3: Installing Software Logger on Linux Before You Begin Downloading the Installation Package Verifying the Downloaded Installation Software How Licensing Works in Software Logger Acquiring a License for Software Logger Prerequisites for Installation Increasing the User Process Limit Installation Using GUI Mode to Install Software Logger Using Console Mode to Install Software Logger Using Silent Mode to Install Software Logger Licenses for Silent Mode Installations Generating the Silent Install Properties File Installing Software Logger in Silent Mode Connecting to Logger Starting and Stopping Software Logger Uninstalling Logger 19 19 19 19 20 21 21 22 23 23 26 29 29 29 30 31 32 33 HPE Logger 6.2 Page 3 of 54 Installation Guide Chapter 4: Installing Software Logger on VMware Before You Begin Downloading the Installation Package Verifying the Downloaded Installation Software How Licensing Works in Software Logger Acquiring a License Acquiring a License for a Software Logger Preparing the Virtual Machine Prerequisites for Installation Installing Logger on the Virtual Machine Connecting to Logger Starting and Stopping Software Logger Uninstalling Logger 34 34 34 34 35 36 36 37 38 39 42 43 45 Chapter 5: Configuring Logger 46 Receivers 46 Enabling the Preconfigured Folder Follower Receivers 47 Devices 48 Device Groups 48 Storage Rules 48 Using SmartConnectors to Collect Events 49 SmartMessage 49 Downloading SmartConnectors 50 Configuring a SmartConnector to Send Events to Logger 50 Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager 51 Configuring SmartConnectors for Failover Destinations 51 Sending Events from ArcSight ESM to Logger 52 Send Documentation Feedback HPE Logger 6.2 54 Page 4 of 54 About this Guide This guide describes how to install and initialize the enterprise version of Logger. It includes information on how to initialize the Logger Appliance and how to install the Software Logger on Linux and on VMware VM. For information on installing Trial Loggers, refer to the Trial Logger Quick Start Guide, available from the same location you downloaded the Trial Logger installation file. This guide includes information on the following subjects. l "Deployment Planning" on page 6 l "Setting Up a Logger Appliance" on page 10 l "Installing Software Logger on Linux" on page 19 l "Installing Software Logger on VMware" on page 34 l "Configuring Logger" on page 46 HPE Logger 6.2 Page 5 of 54 Chapter 1: Deployment Planning Before installing Logger, you should plan how you will store events and how long you need to retain them. Consider the information in the sections below when planning your deployment: • Getting the Latest Documentation • Initial Configuration 6 6 Getting the Latest Documentation The latest version of the documentation for this release is available for download (in PDF format) from the ArcSight Product Documentation Community on Protect 724. Help is available through the Logger user interface (UI) . To access the online help from any userinterface page, click the down-arrow by your user name and then select Help. Initial Configuration The installation and initialization process sets up your Logger with an initial configuration described in the sections below. You can do additional configuration on Logger to implement your retention policies. See "Configuring Logger" on page 46. For further information, refer to the Configuration chapter of the Logger Administrator’s guide. Logger’s initial configuration is described in the sections below: • • • • Storage Volume Storage Groups Search Indexes Receivers 6 7 7 8 Storage Volume Logger’s storage volume varies by version, up to the maximum of 12 TB. The initialization process sets the storage volume. For Logger appliances, the storage volume is set to the maximum capacity for the model. For software Loggers, the storage volume is set to the maximum capacity specified in the license or the available disk space, whichever is smaller. Caution: If Logger’s maximum capacity is exceeded, events will begin to fall out of storage. For information on how to retain these events, refer to the Configuration chapter of the Logger Administrator’s Guide. HPE Logger 6.2 Page 6 of 54 Installation Guide After installing Logger, you can view the current limits on the Configuration > Advanced > License Information page. For instructions, refer to the Configuration chapter of the Logger Administrator’s Guide. For more information about licenses, including how to upload a new one, refer to the System Admin chapter of the Logger Administrator’s Guide. Storage volume can be extended after installation, but not reduced. For more information on increasing the storage volume, refer to the Configuration chapter of the Logger Administrator’s Guide. Storage Groups Two storage groups, the Default Storage Group and the Internal Event Storage Group, are created automatically during Logger initialization. These storage groups come preconfigured with the following settings: Preconfigured Default Storage Group Settings Attribute Appliance Logger Software Logger Size Storage Volume/2 Storage Volume/2 Retention Period 180 days 180 days Preconfigured Internal Storage Group Settings Attribute Appliance Logger Software Logger Size 5 GB 3 GB Retention Period 365 days 365 days Logger can have a maximum of six storage groups; therefore, you can create an additional four storage groups after your Logger has been initialized. Each storage group can have different settings. You can change the retention policy and size for all storage groups, but you can only change the name of the user-defined storage groups. Refer to the Configuration chapter of the Logger Administrator’s Guide for the details of adding and resizing storage groups, and changing their retention policies. Search Indexes Logger comes prepared for full-text searches, also frequently used fields are indexed during initialization. You can add additional fields to the index, but once a field has been added, you cannot unindex it. Refer to the Search chapter of the Logger Administrator’s Guide for more information. HPE Logger 6.2 Page 7 of 54 Installation Guide Receivers The default installation includes several receivers. To start receiving events, you can direct your event sources to the default receivers. After initialization, you can create additional receivers to listen for events. You can also change and delete receivers or disable and enable them as needed. The following receivers are set up and enabled with the default installation: l A UDP receiver: Enabled by default. The UDP receiver is on port 514 for Logger Appliances. If you are installing Software Logger as root, the UDP receiver is on port 514. For non-root installs, it is on port 8514. If this port is already occupied, the initialization process selects the next higher unoccupied port. This port should be allowed through any firewall rules you have configured. l A TCP receiver: Enabled by default. The TCP receiver is on port 515 for Logger Appliances. If you are installing Software Logger as root, the TCP receiver is on port 515. For non-root installs, it is on port 8515. If this port is already occupied, the initialization process selects the next higher unoccupied port. This port should be allowed through any firewall rules you have configured. l A SmartMessage receiver: Enabled by default. To receive events from a SmartConnector, download the SmartConnector and set the Receiver Name to be “SmartMessage Receiver” when configuring the destination. Logger also comes pre-configured with folder follower receivers for Logger’s Apache URL Access Error log, the system Messages log, and the system Audit log (when auditing is enabled on your Linux OS). You must enable these receivers in order to use them. Note: Logger’s Apache URL Access Error Log, http_error_log, is similar in format to the Apache access_log. Only failed access attempts are included in the Apache URL Access Error Log. For Software Logger, the preconfigured folder follower receivers include: l Var Log Messages: /var/log/messages l Audit Log: /var/log/audit/audit.log l Apache URL Access Error Log:/userdata/logs/apache /http_error_log Note: The folder follower receiver for the /var/log/audit/audit.log is only created if the folder /var/log/audit/ already exists on your system at installation time. Auditing is disabled on some Logger Appliance models. Logger Appliances that have auditing enabled will have the same preconfigured receivers as Software Logger. HPE Logger 6.2 Page 8 of 54 Installation Guide When auditing is disabled on the system where Logger is installed, the preconfigured folder follower receivers include: l Var Log Messages: /var/log/messages l Apache URL Access Error Log: /opt/arcsight/userdata/logs/apache /http_error_log For instructions on how to enable the preconfigured receivers, see "Receivers" on page 46. For more information about receivers in general, refer to the Configuration chapter of the Logger Administrator’s Guide. HPE Logger 6.2 Page 9 of 54 Chapter 2: Setting Up a Logger Appliance This chapter describes how to rack mount your Logger appliance, and to configure an IP address and initial settings for it. You do not need to run an installer when setting up your appliance; the Logger software comes preinstalled on it. These basic steps enable you to start using your Logger Appliance: • • • • • • • • Running Logger on Encrypted Appliances Installing the Logger Appliance Configuring an IP Address for the Appliance Setting Up the Appliance for Remote Access Acquiring a License for the Logger Appliance Logging In for the First Time Initializing the Logger Appliance Using the Logger Appliance Command Line Interface 10 11 11 12 13 13 14 15 For information on how to install Software Logger on Linux, see "Installing Software Logger on Linux" on page 19. For information about installing Software Logger on VMware VM, see, "Installing Software Logger on VMware" on page 34. For information about installing Trial Logger on Linux or on VMware VM, refer to the Trial Logger Quick Start guide. Running Logger on Encrypted Appliances Logger can be run on encrypted hardware to help you to meet compliance regulations and privacy challenges by securing your sensitive data at rest. You can encrypt your L7600 Logger Appliance by using HP Secure Encryption, available from the Server Management Software > HP Secure Encryption web page. For instructions, refer to the HP Secure Encryption Installation and User Guide, available in PDF and CHM formats through the Technical Support / Manuals link on that page. L7600 Logger Appliances are encryption-capable. They come pre-installed with everything necessary for you to encrypt them using HP Secure Encryption. The length of time encryption takes depends on the amount of data on the server being encrypted. In our testing, a Gen 9 appliance with 7.5 TB of stored data took about 72 hours to encrypt. You can continue using Logger while the encryption runs. You may notice some performance degradation after encrypting your existing Logger appliance. Caution: After encryption, you cannot restore your Logger to its previously unencrypted state. HPE Logger 6.2 Page 10 of 54 Installation Guide Installing the Logger Appliance Before you Begin: l l Redeem your license key by following the instructions in the enclosed “License Entitlement Certificate” document. Redeeming this key gets you the license that you need to access Logger functionality. For more information, see "Acquiring a License for the Logger Appliance" on page 13. Apply for an account on Protect 724 (https://www.protect724.hpe.com), the ArcSight user community. You will need this account to access product documentation and other community-based resources. To install the appliance: 1. Unpack the appliance and its accompanying accessories. Note: Read carefully through the instructions, cautions, and warnings that are included with the appliance shipment. Failing to do so can result in bodily injury or appliance malfunction. 2. Follow the rack installation instructions to securely mount it. 3. Make the rear panel connections. 4. Power on the appliance. Configuring an IP Address for the Appliance The appliance ships with the default IP address 192.168.35.35 (subnet mask 255.255.255.0) on eno1. To begin setting up your appliance, use the Command Line Interface (CLI) to configure a new IP address. To run a command in the CLI, type it at the prompt and then press Enter. For more information on the command line interface, see "Using the Logger Appliance Command Line Interface" on page 15 or enter help at the prompt for a list of available commands. To set up a new IP address: 1. Use one of the following methods to connect to the CLI: l l l Log into HP ProLiant Integrated Lights-Out (iLO) and launch the remote console feature. For more information, see "Setting Up the Appliance for Remote Access " on page 1. Connect a keyboard and monitor to the ports on the rear panel of the appliance. Connect a terminal to the serial port on the appliance using a null modem cable with DB-9 connector. The serial port expects a standard VT100-compatible terminal: 9600 bps, 8-bits, no HPE Logger 6.2 Page 11 of 54 Installation Guide parity, 1 stop bit (8N1), no flow control. Once you are connected to the CLI, a log in prompt is displayed. 2. Enter the following default credentials to log in as the administrator: Login: admin Password: password 3. Enter the IP address in one of the following formats: l set ip eno1 / (Example: set ip eno1 192.0.2.5/24) l set ip eno1 (Example: set ip eno1 192.0.2.5 255.255.255.0) 4. Enter set defaultgw , replacing with your default gateway IP address. 5. Enter set hostname . , replacing . with the fully-qualified domain name (FQDN) of the desired host. 6. Enter set dns , , replacing each with a search domain, and each with the IP address of a name server. (Example: set dns domain1.company.com,domain2.company.com 192.0.2.1 192.0.2.2) Note: When using multiple search domains, separate them with a comma, but no space. When using multiple name servers separate them with a space but no comma. 7. Enter set ntp replacing with the NTP server you want to use to set the time. (Example: set ntp time.nist.gov) 8. Enter show config to review the configuration settings you entered in previous steps. If needed, change the settings. Setting Up the Appliance for Remote Access All ArcSight appliances are equipped with an HP ProLiant Integrated Lights-Out (iLO) Advanced remote management card. HP strongly recommends setting up and configuring your appliance for outof-band remote access. Doing so ensures that you (and Customer Support, with your permission and assistance) can remotely access the console of your appliance for troubleshooting, maintenance, and power control. Follow the directions in the HP ProLiant Integrated Lights-Out User Guide to set up your appliance for remote access. The guide is available at http://www8.hp.com/us/en/products/servers/ilo/index.html. HPE Logger 6.2 Page 12 of 54 Installation Guide Note: The Lx600 models require you to obtain and enter a license key. Instructions for obtaining the license key are included on your License Entitlement Certificate. Once you have obtained the license key, log into iLO, and then go to Administration > Licensing to enter it. Acquiring a License for the Logger Appliance A valid license file is required on the Logger Appliance before you can access its functionality. If you have not obtained a license yet, follow instructions in “Hewlett-Packard Entitlement Certificate” document included in the shipment with your Logger Appliance to redeem your license key. If you do not have that document, contact customer support at https://softwaresupport.hp.com. Note: If you have multiple Loggers, you will need a separate license file for each of them. After initializing Logger, you can view the specific details of the current license on the License Information and License & Update pages (Configuration > Advanced > License Information and System Admin > System > License & Update). For more information, refer to the Configuration and System Admin chapters of the Logger Administrator’s Guide. Logging In for the First Time The Logger user interface (UI) is a password-protected web browser application that uses an encrypted HTTPS connection. Logger 6.2 supports access through the following browsers: l Chrome (current) l Edge (on Windows 10) l Internet Explorer 11 l Firefox ESR 38.3.0, Release 41 l Safari 9.0.1 (on OS X 10.9) Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have configured. l l For root installs, allow access to port 443 as well as the ports for any protocol that the logger receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver. For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver. Note: The ports listed here are the default ports. Your Logger may use different ports. JavaScript and cookies must be enabled. HPE Logger 6.2 Page 13 of 54 Installation Guide To connect to Logger: Use the URL configured during Logger installation to connect to Logger through a supported browser. For Software Logger: https:// : For Logger Appliance: https:// where the hostname or IP address is that of the system on which the Logger software is installed, and configured_port is the port set up during the Logger installation, if applicable. The first time you connect, the END USER LICENSE AGREEMENT is displayed. Scroll down to the bottom of the screen to review and accept the EULA. After you accept, the Login screen is displayed. To log in: When the Login dialog is displayed, enter your user name and password, and click Login. Use the following default credentials if you are connecting for the first time: Username: admin Password: password Note: After logging in for the first time with the default user name and password, you will be prompted to change the password to a more secure one. Follow the prompts to enter and verify a more secure password. For more information about the Login screen and connecting to Logger, refer to the User Interface and Dashboards chapter of the Logger Administrator's Guide. Once you have successfully logged in, proceed to the section, "Initializing the Logger Appliance" below. Initializing the Logger Appliance After you accept the EULA and log in for the first time, the Logger Configuration screen is displayed. On this screen, you must upload the license file and configure the initial settings for your Logger Appliance. Once you complete that configuration, your Logger Appliance will be ready for use. Note: The initialization of a Logger Appliance can only be changed by restoring Logger to its initial factory settings. Refer to the Logger Administrator's Guide for more information. To initialize the Logger Appliance: 1. On the Logger Configuration screen, under Select License File to Upload, navigate to or specify the path and filename of the license for the Logger Appliance, and click Upload License. If you do HPE Logger 6.2 Page 14 of 54 Installation Guide not have a license, see "Acquiring a License for the Logger Appliance" on page 13. After the upload, the License pane displays updated license status information. 2. Under System Locale Setting, select a Locale for this Logger Appliance from the drop-down list. The locale setting ensures that the user interface displays information such as date, time, numbers, and messages in the format and language appropriate for the selected country. Once configured, this setting cannot be changed. 3. Under Date/Time Settings, ensure that the “Current Time Zone” and the “Current Time” settings are correct for your environment. Click Change Time Zone and Change Date/Time, respectively, to update the time settings. For more information, refer to the System Admin chapter of the Logger Administrator’s Guide. 4. Click Save. The Logger initialization process begins. Once the initialization is complete, the system reboots. Now that you are done installing and initializing your Logger, go to the "Configuring Logger" chapter of the Logger Installation Guide for information on how to set up your Logger to start receiving events. Now that you are finished installing and initializing your Logger, you can enable the preconfigured receivers and configure devices, device groups, and storage groups necessary to implement your retention policy. See "Configuring Logger" on page 46 and refer to the Configuration chapter of the Logger Administrator's Guide for information on how to set up your Logger to start receiving events. Caution: For security reasons, be sure to change the default credentials as soon as possible after connecting to Logger for the first time. Refer to the System Admin chapter of the Logger Administrator’s Guide for instructions. For more information about the login screen and connecting to Logger, refer to the User Interface and Dashboards chapter of the Logger Administrator’s Guide. Using the Logger Appliance Command Line Interface Use one of the following methods to connect to the appliance Command Line Interface (CLI): l Log into HP ProLiant Integrated Lights-Out (iLO) and launch the remote console feature. For more information, see "Setting Up the Appliance for Remote Access " on page 1. l Connect a keyboard and monitor to the ports on the rear panel of the appliance. l Connect a terminal to the serial port on the appliance using a null modem cable with DB-9 connector. l The serial port expects a standard VT100-compatible terminal: 9600 bps, 8-bits, no parity, 1 stop bit (8N1), no flow control. Once you are connected to the CLI, a Login prompt displays. HPE Logger 6.2 Page 15 of 54 Installation Guide The following commands are available at the CLI prompt: Category Command Description System Commands exit Logout halt Stop and power down the Logger Appliance help Opens the command line interface help reboot Reboot the Logger Appliance Administrative Commands show admin Show the default administrator user’s name Authentication Commands reset authentication Reset to local authentication Configuration Commands show config Show host name, IP address, DNS, and default gateway for the Logger Date Commands show date Show the date and time currently configured on the Logger set date Set the date and time on Logger The date/time format is yyyyMMddhhmmss Example date: 20101219081533 Default Gateway Commands set defaultgw [nic] Set the default gateway for one or all network interfaces show defaultgw [nic] Display the default gateway for all or the specified network interface DNS Commands show dns Show the currently configured DNS servers on the Logger set dns Set DNS name server(s) set dns , sd=search domain, ns = name server HPE Logger 6.2 You can add up to three name servers and six search domains Page 16 of 54 Installation Guide Category Command Description Note: When using multiple search domains, separate them with a comma, but no space. When using multiple name servers, separate them with a space but no comma. Hostname Commands show hostname Show the currently configured hostname on the Logger set hostname Set Logger’s host name IP Commands show ip [nic] Show the IP addresses of all or the specified network interface set ip [/prefix] [netmask] Set Logger’s IP address for a specific network interface NTP Commands set ntp ... Sets the NTP server addresses. This entry over writes the current NTP server setting You can specify as many NTP servers as you like. If you specify multiple NTP servers, they are each checked in turn. The time given by the first server to respond is used. Example: logger> set ntp ntp.arcsight.com time.nist.gov 0.rhel.pool.org show ntp Show the current NTP server setting. Example: logger> show ntp ntp.arcsight.com time.nist.gov 0.rhel.pool.org Password Commands set password Set the password the current user’s account Process Commands restart process Restart a process start process Start a process status process Show process status stop process Stop a process HPE Logger 6.2 Page 17 of 54 Installation Guide Category Command Description SSL Certificate Commands show sslcert Show the currently loaded SSL certificate on Logger reset sslcert Creates and installs a new self-signed certificate with the original default information, then restarts the HTTPS server. diag sslcert Display the SSL session information Status Commands show status HPE Logger 6.2 Show the Logger configuration Page 18 of 54 Chapter 3: Installing Software Logger on Linux You can install Software Logger on a Linux system or on a VMware virtual machine (VM). This chapter explains what you need to know to install and start running Software Logger on a Linux system. It includes information on the following topics: • • • • • • • Before You Begin How Licensing Works in Software Logger Prerequisites for Installation Installation Connecting to Logger Starting and Stopping Software Logger Uninstalling Logger 19 20 21 23 31 32 33 For information about installing Software Logger on a VMware VM, see, "Installing Software Logger on VMware" on page 34. For initialization information about the Logger Appliance, see "Setting Up a Logger Appliance" on page 10. For information about installing Trial Logger on Linux or on VMware VM, refer to the Trial Logger Quick Start guide. Before You Begin You need to have a server with supported operating system and storage available to install the Software Logger. For information about the platforms on which you can install and use Logger, refer to the Release Notes and ArcSight Data Platform Support Matrix for your version. These documents are available for download from the ArcSight Product Documentation Community on Protect 724. Downloading the Installation Package The installation package is available for download from the HPE Software Depot at https://h20392.www2.hpe.com/portal/swdepot/index.do. Verifying the Downloaded Installation Software HPE provides a digital public key to enable you to verify that the signed software you received is indeed from HPE and has not been manipulated in any way by a third party. Visit the following site for information and instructions: https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCode Signing HPE Logger 6.2 Page 19 of 54 Installation Guide How Licensing Works in Software Logger Logger licenses are based on Daily Data (the amount of data that comes into Logger per day). Logger uses the sum of the sizes of the events received each day to determine this value. Even if this limit is exceeded, the Logger continues to collect and store events; therefore, no events are lost. However, if the limit is exceeded on more than five days in a 30-day sliding window, all features involving search are disabled. Caution: The disabled search features include forwarders as well as all searching and reporting functionality. If this limit is exceeded six or more days in a given 30-day period, you cannot forward, search, or run reports on the collected events until the 30-day sliding window contains five or less data limit violations. For example, you install the Logger software on January 1 with a data storage limit of 20 GB and start collecting events. Your Logger receives more than 20 GB of event data on these dates: January 5th, 13th, 18th, 19th, and 20th. Because there are five violations so far, you can forward, search, and report on the stored event data on January 21st. However, if there is another violation on January 30th, you cannot forward, search, or report on January 31st because the number of violations has exceeded the maximum allowed. (A search run on January 31st fails and the user interface displays a warning.) If there are no additional data storage-limit violations from January 31st to February 4th, the ability to forward, search, and report resumes on February 5th because the January 5th violation is now outside of the 30day window. The Data Volume Restrictions page (Configuration > Advanced > Data Volume Restrictions) lists the data stored on your Software Logger on day-by-day basis in the last 30 days. It also indicates the days on which data limits were exceeded, as shown in the following figure. HPE Logger 6.2 Page 20 of 54 Installation Guide When a data limit violation occurs, the Search user interface displays a warning. If you exceed the daily data limit frequently, you should consider purchasing a license that suits your needs. For Software Loggers, you can increase your Daily Data limit by purchasing a higher ingestion rate in increments of 5 GB/day. Contact your HPE ArcSight sales representative to purchase a new license. Once you obtain the new license, follow the instructions in the ArcSight Logger Administrator’s Guide to apply it on your Logger. Acquiring a License for Software Logger Software Logger requires a license file for installation. To acquire the license, follow the instructions in the Electronic Delivery Receipt you receive from HPE in an email after you place the order. After installing Logger, you can view the specific details of the current license on the License Information and License & Update pages (Configuration > Advanced > License Information and System Admin > System > License & Update). For more information, refer to the Configuration and System Admin chapters of the Logger Administrator’s Guide. Prerequisites for Installation Make sure these prerequisites are met before you install the Logger software : l l l l l Ensure that you are installing Logger on a supported platform. Refer to the Release Notes and ArcSight Data Platform Support Matrix for this information. These documents are available for download from the ArcSight Product Documentation Community on Protect 724. To install Logger, you will need a valid license file. If you do not have a license file, see "Acquiring a License for the Logger Appliance" on page 13. You need a separate license file for each instance of Software Logger. A license file is uniquely generated for each Enterprise Version download. Make a note of the file name and location; you will need them during the installation process. Increase the user process limit, as described in "Increasing the User Process Limit" on the next page. A non-root user account must exist on the system on which you are installing Logger. Even if you install as root, a non-root user account is still required. Decide whether to install Logger while logged in as root or as a non-root user. Your installation options vary depending on which user you choose. a. If you install as root, you can choose to configure Logger to start as a service and select the port on which Logger listens for secure web connections. b. If you install as the non-root user, Logger can only listen for connections on port 9000. You cannot configure the port to a different value. c. When upgrading, you cannot change a previous non-root installation to a root-user installation. You will need to use the previously configured port 9000 for accessing Software Logger. l The hostname of the machine on which you are installing Logger cannot be “localhost”. If it is, change the hostname before proceeding with the installation. HPE Logger 6.2 Page 21 of 54 Installation Guide l l l Install into an empty folder. If you have uninstalled Logger previously, and are installing into the same location, be sure to remove any files that the uninstaller left in place. You must not have an instance of MySQL installed on the machine on which you install Logger. If an instance of MySQL exists on that machine, uninstall it before installing Logger. You must have an X Window System server installed to use the GUI mode of installation. If if X11 is not installed, the installer will default to console mode. a. If you will be installing Logger over an SSH connection and want to use the GUI mode of installation, make sure that you have enabled X window forwarding using the -X option so that you can view the screens of the installation wizard. b. If you will be using PuTTY, you will also need an X client on the machine from which you are connecting to the machine onto which you want to install Logger. Increasing the User Process Limit Before installing or upgrading Logger, you must increase default user process limit while logged in as user root. This ensures that the system has adequate processing capacity. To increase the default user process limit: 1. Open the file /etc/security/limits.d/ -nproc.conf. ( is 90 for RHEL or CentOS 6.7 and 20 for RHEL and CentOS 7.1.) l l If you do not already have a /etc/security/limits.d/ -nproc.conf file, create one (and the limits.d directory, if necessary). If the file already exists, delete all entries in the file. 2. Add the following lines: * soft nproc 10240 * hard nproc 10240 * soft nofile 65536 * hard nofile 65536 Caution: Be sure to include the asterisk (*) in the new entries. It is important that you add all of the entries exactly as specified. Any omissions can cause system runtime errors. 3. Reboot the machine. 4. Run the following command to verify the new settings: ulimit -a 5. Verify that the output shows the following values for “open files” and “max user processes”: open files 65536 max user processes 10240 HPE Logger 6.2 Page 22 of 54 Installation Guide After you have increased the user process limit and met the other prerequisites, you are ready to install Logger. Installation Software Logger can be installed in three ways: l l GUI mode: A wizard steps you through the installation and configuration of Software Logger. For instructions, see "Using GUI Mode to Install Software Logger" below. You must have an X-Windows server installed on your OS to use GUI mode. Console mode: A command-line process steps you through the installation and configuration of Software Logger. For instructions, see "Using Console Mode to Install Software Logger" on page 26. Tip: If you are installing remotely and bandwidth is an issue, console mode may allow you to install Logger more quickly. l Silent mode: You provide the input required for installation and configuration through a file. Therefore, you do not need to interact with the installer to complete the installation and configuration. However, before you can use this mode, you must run the installation and configuration using one of the other modes to record the input in a file. For instructions, see "Using Silent Mode to Install Software Logger" on page 29. Using GUI Mode to Install Software Logger Make sure the machine on which you will be installing Logger complies with the specifications listed the Release Notes for your version, and that the prerequisites listed in "Prerequisites for Installation" on page 21 are met. Preinstallation steps: l l Before you install, you must increase the user process limit on the OS, as described in "Increasing the User Process Limit" on the previous page. You can verify that you have the correct installation file, as described in "Verifying the Downloaded Installation Software" on page 19. You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on page 21 for details and restrictions. Note: If you will be installing the Software Logger over an SSH connection and want to use the GUI mode of installation, make sure that you have enabled X window forwarding using the -X option so that you can view the screens of the installation wizard. If you will be using PuTTY, you will also need an X client on the machine from which you are connecting to the machine onto which you want to install Logger. HPE Logger 6.2 Page 23 of 54 Installation Guide To install the Logger software: 1. Run these commands from the directory where you copied the Logger installation file: chmod +x ArcSight-logger-6.2.0.NNNN.0.bin ./ArcSight-logger-6.2.0.NNNN.0.bin 2. The installation wizard launches, as shown in the following figure. Click Next. You can click Cancel to exit the installer at any point during the installation process. Caution: Do not use the Ctrl+C to close the installer. If you use Ctrl+C to exit the installer and then uninstall Logger, uninstallation may delete your /tmp directory. 3. The License Agreement screen is displayed. Scroll to the bottom of the license agreement to review the agreement and enable the “I accept the terms of the License Agreement” button. 4. Select I accept the terms of the License Agreement and click Next. 5. The installer checks that installation prerequisites are met: l l Operating system check—Logger checks to see if your device is running a supported operating system. If you are not, a message displays, but it does not prevent you from installing Logger software. This happens because some update scenarios start with an earlier OS. Installation prerequisite check—If a check fails, Logger displays a message. You will need to fix the issue before proceeding. For example, if Logger is currently running on this machine, an Intervention Required message is displayed. In that case, type Y and press Enter to stop all current Logger processes and proceed with the installation, or type quit and press Enter to exit the installer. HPE Logger 6.2 Page 24 of 54 Installation Guide 6. Navigate to or specify the location where you want to install Logger. The default installation path is /opt. You can install into this location or another location of your choice. Note: The user you are installing with must have access to the parent directory of the install directory. Otherwise, users will not be able to connect to the Logger UI and will see the following error message when they try to connect, “Error 403 Forbidden. You don't have permission to access / on this server”. 7. Click Next to install into the selected location. l If there is not enough space to install the software at the location you specify, a message is displayed. To proceed with the installation, specify a different location or make sufficient space at the location you specified. Click Previous to specify another location or Quit to exit the installer. l If Logger is already installed at the location you specify, a message is displayed. Click Upgrade to continue or Previous to specify another location. For upgrade instructions and information, refer to the Release Notes for your version. 8. Click Choose and navigate to or type the path and filename of the license file for this Logger. Click Next. 9. Review the pre-install summary and then click Install. Installation may take a few minutes. Please wait. Once installation is complete, the next screen is displayed. 10. If you are logged in as root, the following prompts are displayed. Fill in the fields and click Next. Field Notes Non-root user name This user must already exist on the system. HTTPS port The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI. Configure Logger as a service HPE Logger 6.2 Indicate whether to configure Logger to run as a service. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. Page 25 of 54 Installation Guide Field Notes If you do not enable Logger to start as service during the installation process, you can still do so later. For instructions on how to enable Logger to start as a service after installation, see "Starting and Stopping Software Logger" on page 32. 11. Select the locale of this installation and click Next. 12. Click Next to initialize Logger components. Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is displayed. 13. Click Next to configure storage groups and storage volume and restart Logger. Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts up and the next screen is displayed. 14. Make a note of the URL and then click Done to exit the installer. Now that you are done installing and initializing your Logger, you can use the URL you noted during the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on page 31. Using Console Mode to Install Software Logger Before you install, you must increase the user process limit on the OS, as described in "Increasing the User Process Limit" on page 22. You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on page 21 for details and restrictions. To install the Logger software: 1. Run these commands from the directory where you copied the logger installation file: chmod +x ArcSight-logger-6.2.0.NNNN.0.bin ./ArcSight-logger-6.2.0.NNNN.0.bin -i console 2. The installation wizard launches in command-line mode, as shown below. Press Enter to continue. Introduction -----------InstallAnywhere will guide you through the installation of ArcSight Logger. HPE Logger 6.2 Page 26 of 54 Installation Guide It is strongly recommended that you quit all programs before continuing with this installation. Respond to each prompt to proceed to the next step in the installation. If you want to change something on a previous step, type 'back'. You may cancel this installation at any time by typing 'quit'. It is strongly recommended that you quit all programs before continuing with this installation. Respond to each prompt to proceed to the next step in the installation. If you want to change something on a previous step, type 'back'. You may cancel this installation at any time by typing 'quit'. PRESS TO CONTINUE: 3. The next several screens display the end user license agreement. Installation and use of Logger 6.2 requires acceptance of the license agreement. Press Enter to display each part of the license agreement, until you reach the following prompt: DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): 4. Type Y and press Enter to accept the terms of the License Agreement. You can type quit and press Enter to exit the installer at any point during the installation process. 5. The installer checks that installation prerequisites are met: l l Operating system check—Logger checks to see if your device is running a supported operating system. If you are not, a message displays, but it does not prevent you from installing Logger software. This happens because some update scenarios start with an earlier OS. Installation prerequisite check—If a check fails, Logger displays a message. You will need to fix the issue before proceeding. For example, if Logger is currently running on this machine, an Intervention Required message is displayed. In that case, type Y and press Enter to stop all current Logger processes and proceed with the installation, or type quit and press Enter to exit the installer. Once all checks complete, the installation continues, and the Choose Install Folder screen is displayed. 6. From the Choose Install Folder screen, type the installation path for Logger and then press Enter. The default installation path is /opt. You can install into this location or another location of your choice. Note: The user you are installing with must have access to the parent directory of the install HPE Logger 6.2 Page 27 of 54 Installation Guide directory. Otherwise, users will not be able to connect to the Logger UI and will see the following error message when they try to connect, “Error 403 Forbidden. You don't have permission to access / on this server”. 7. Type Y and press Enter to confirm the installation location. 8. If there is not enough space to install the software at the location you specify, a message is displayed. To proceed with the installation, specify a different location or make sufficient space at the location you specified. Type quit and press Enter to exit the installer. 9. If Logger is already installed at the location you specify, a message is displayed. Type quit and press Enter to exit the installer or type back and press Enter to specify another location and uninstall the previous version. Click Upgrade to continue or Previous to specify another location. For upgrade instructions and information, refer to the Release Notes for your version. 10. Type the absolute path to the license file and then press Enter. 11. Review the pre-install summary and press Enter to install Logger. Installation may take a few minutes. Please wait. Once installation is complete, the next screen is displayed. 12. If you are logged in as root, the following prompts will be displayed. Type your response and press Enter after each. Field Notes User Name This non-root user must already exist on the system. When installing Logger on VMWare VM, use the non-root user arcsight that comes preconfigured on your system. HTTPS Port The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI. Choose if you want to run Logger as a system service. Type 1 and press Enter to configure Logger as a service, or type 2 and press Enter to configure Logger as standalone. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. If you do not enable Logger to start as service during the installation process, you still do so later. For instructions on how to enable Logger to start as a service after installation, refer to the Logger Administrator’s Guide. 13. Type the number that describes the desired locale, and press Enter. 14. Press Enter again to initialize Logger components. HPE Logger 6.2 Page 28 of 54 Installation Guide Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is displayed. 15. Press Enter to configure storage groups and storage volume and restart Logger automatically. Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts up and the next screen is displays the URL you should use to connect to Logger. 16. Make a note of the URL and then press Enter to exit the installer. Now that you are finished installing and initializing your Logger, you can use the URL you noted during the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on page 31. Using Silent Mode to Install Software Logger Before you install Software Logger in silent mode, you need to create the properties file required for the silent mode installation. Once you have generated the file, you can use it for silent mode installations. Licenses for Silent Mode Installations As for any Logger installation, each silent mode installation requires a unique license file. You must obtain licenses as described in "Acquiring a License for Software Logger" on page 21 and place them on the machines on which you will be installing Logger in silent mode, or ensure that the location where the licenses are placed is accessible from those machines. Generating the Silent Install Properties File To generate a properties file for future silent installations: 1. Log in to the machine on which you can install Software Logger to generate an installation properties file. If you want the silent mode installations to be done as root user, log in as root. Otherwise, log in as a non-root user. 2. Run these commands: chmod +x ArcSight-logger-6.2.0.XXXX.0.bin ./ArcSight-logger-6.2.0.XXXX.0.bin -r where is the location of the directory where the generated properties file should be placed. The generated properties file is called installer.properties. You cannot specify or change this name. 3. Install Logger in GUI mode. See "Using GUI Mode to Install Software Logger" on page 23. 4. Once the installation completes, navigate to the directory location you specified for the installer.properties file earlier. Then go to "Installing Software Logger in Silent Mode" on the next page. HPE Logger 6.2 Page 29 of 54 Installation Guide The following is an example of a generated installer.properties file. # # # # # Wed Feb 11 18:27:49 PDT 2016 Replay feature output --------------------This file was built by the Replay feature of InstallAnywhere. It contains variables that were set by Panels, Consoles or Custom Code. #Choose Install Folder #--------------------USER_INSTALL_DIR=/opt/Logger/62 #License Information #------------------LICENSE_LOCATION=/home/user/arcsight.lic Installing Software Logger in Silent Mode Make sure the machine on which you will be installing the Software Logger complies with the platform requirements listed in the Release Notes for your version, and that the prerequisites listed in "Prerequisites for Installation" on page 21 are met. If you are installing as root, make sure that non-root user account that you entered when generating the silent mode properties file exists on the machines on which you are using the silent installer to install Logger. To install the Software Logger using the Silent mode: 1. Copy the silent mode properties file you generated previously to the same location where you have copied the Logger software on the new system. 2. Edit the LICENSE_LOCATION property in the silent mode properties file to include the location of license file for this instance of installation. (A unique license file is required for each instance of installation.) Or Set the LICENSE_LOCATION property to point to a file, such as software_logger_ license.zip. Then, for each instance of the silent mode installation, copy the relevant license file to the location and rename it to software_logger_license.zip. Doing so will avoid the need to update the combined properties file for each installation. 3. Run these commands from the directory where you copied the Logger software: chmod +x ArcSight-logger-6.2.0.XXXX.0.bin ./ArcSight-logger-6.2.XXXX.0.bin -i SILENT -f The rest of the installation and configuration proceed silently, without requiring any input from you. HPE Logger 6.2 Page 30 of 54 Installation Guide After the installation and initialization completes, you can use the URL created during the installation to connect to Logger. For instructions and information, see "Connecting to Logger" below. Connecting to Logger The Logger user interface (UI) is a password-protected web browser application that uses an encrypted HTTPS connection. Logger 6.2 supports access through the following browsers: l Chrome (current) l Edge (on Windows 10) l Internet Explorer 11 l Firefox ESR 38.3.0, Release 41 l Safari 9.0.1 (on OS X 10.9) Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have configured. l l For root installs, allow access to port 443 as well as the ports for any protocol that the logger receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver. For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver. Note: The ports listed here are the default ports. Your Logger may use different ports. JavaScript and cookies must be enabled. To connect to Logger: Use the URL configured during Logger installation to connect to Logger through a supported browser. For Software Logger: https:// : For Logger Appliance: https:// where the hostname or IP address is that of the system on which the Logger software is installed, and configured_port is the port set up during the Logger installation, if applicable. After you connect, the Login screen is displayed. To log in: When the Login dialog is displayed, enter your user name and password, and click Login. Use the following default credentials if you are connecting for the first time: Username: admin Password: password HPE Logger 6.2 Page 31 of 54 Installation Guide Note: After logging in for the first time with the default user name and password, you will be prompted to change the password to a more secure one. Follow the prompts to enter and verify a more secure password. For more information about the Login screen and connecting to Logger, refer to the User Interface and Dashboards chapter of the Logger Administrator's Guide. Once you have logged in successfully, you can enable the preconfigured receivers and configure devices, device groups, and storage groups necessary to implement your retention policy. See "Configuring Logger" on page 46 and refer to the Configuration chapter of the Logger Administrator's Guide for information on how to set up your Logger to start receiving events. Starting and Stopping Software Logger The loggerd command enables you to start or stop the Logger software running on your machine. In addition, the command includes a number of subcommands that you can use to control other processes that run as part of the Logger software. Note: If your Logger is installed to run as a system service, you can use your operating system’s service command to start, stop, or check the status of a process on Logger. /current/arcsight/logger/bin/loggerd {start|stop|restart|status|quit} /current/arcsight/logger/bin/loggerd {start | stop | restart } To view the processes that can be started, stopped, or restarted with loggerd, click System Admin from the top-level menu bar. Then, under System, pick Process Status. The processes are listed on the right under Processes. The following table describes the subcommands available with loggerd and their purpose. Command Purpose loggerd start Start all processes listed under the System and Process sections in the figure above. Use this command to launch Logger. loggerd stop Stop processes listed under the Process section only. Use this command when you want to leave loggerd running but all other processes stopped. loggerd restart This command restarts processes listed under the Process section only. Note: When the loggerd restart command is used to restart Logger, the status message for the “aps” process displays this message: HPE Logger 6.2 Page 32 of 54 Installation Guide Command Purpose Process ‘aps’ Execution failed After a few seconds, the message changes to: Process ‘aps’ running loggerd status Display the status of all processes. loggerd quit Stops all processes listed under the System and Process sections in the figure above. Use this command to stop Logger. loggerd start Start the named process. For example, loggerd start apache. loggerd stop Stop the named process. For example, loggerd stop apache. loggerd restart Restart the named process. For example, loggerd restart apache You can also start and stop and view the status of Logger processes from the System Admin > System > Process Status page. Refer to the Logger Administrator’s guide or online help for more information. Uninstalling Logger If you will be uninstalling the Software Logger over an SSH connection and want to use GUI mode, make sure that you have enabled X window forwarding using the -X option, so that you can view the screens of the uninstall wizard. If you will be using PuTTY, you will also need an X client on the machine from which you are connecting to the Linux machine. Before uninstalling Logger, stop the Logger processes by using the loggerd stop command, as described in "Starting and Stopping Software Logger" on the previous page. To uninstall the Logger software, enter this command in the installation directory: ./UninstallerData/Uninstall_ArcSight_Logger_6.2 The uninstall wizard launches. Click Uninstall or press Enter to start uninstalling Logger. HPE Logger 6.2 Page 33 of 54 Chapter 4: Installing Software Logger on VMware You can install Software Logger on a Linux system or on a VMware VM. This chapter explains what you need to know to install and start running Software Logger on a VMware VM. It includes information on the following topics: • • • • • • • • Before You Begin How Licensing Works in Software Logger Preparing the Virtual Machine Prerequisites for Installation Installing Logger on the Virtual Machine Connecting to Logger Starting and Stopping Software Logger Uninstalling Logger 34 35 37 38 39 42 43 45 For information on how to install Software Logger on Linux, see "Installing Software Logger on Linux" on page 19. For initialization information about the Logger Appliance, see "Setting Up a Logger Appliance" on page 10. For information about installing Trial Logger on Linux or on VMware VM, refer to the Trial Logger Quick Start guide. Before You Begin You can deploy the Logger virtual machine (VM) on a VMware ESXi server, version 5.5. The VM image includes the Logger 6.2 installer on a 64-bit CentOS 6.6 configured with 12 GB RAM and four physical (and eight logical) cores. For more information on the release, refer to the Release Notes and ArcSight Data Platform Support Matrix. These documents are available for download from the ArcSight Product Documentation Community on Protect 724. Downloading the Installation Package The installation package, Logger6.2_Lxxxx_Qxxxx.ova, is available for download from the HPE Software Depot at http://software.hp.com. Verifying the Downloaded Installation Software HPE provides a digital public key to enable you to verify that the signed software you received is indeed from HPE and has not been manipulated in any way by a third party. HPE Logger 6.2 Page 34 of 54 Installation Guide Visit the following site for information and instructions: https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCod eSigning How Licensing Works in Software Logger Logger licenses are based on Daily Data (the amount of data that comes into Logger per day). Logger uses the sum of the sizes of the events received each day to determine this value. Even if this limit is exceeded, the Logger continues to collect and store events; therefore, no events are lost. However, if the limit is exceeded on more than five days in a 30-day sliding window, all features involving search are disabled. Caution: The disabled search features include forwarders as well as all searching and reporting functionality. If this limit is exceeded six or more days in a given 30-day period, you cannot forward, search, or run reports on the collected events until the 30-day sliding window contains five or less data limit violations. For example, you install the Logger software on January 1 with a data storage limit of 20 GB and start collecting events. Your Logger receives more than 20 GB of event data on these dates: January 5th, 13th, 18th, 19th, and 20th. Because there are five violations so far, you can forward, search, and report on the stored event data on January 21st. However, if there is another violation on January 30th, you cannot forward, search, or report on January 31st because the number of violations has exceeded the maximum allowed. (A search run on January 31st fails and the user interface displays a warning.) If there are no additional data storage-limit violations from January 31st to February 4th, the ability to forward, search, and report resumes on February 5th because the January 5th violation is now outside of the 30day window. The Data Volume Restrictions page (Configuration > Advanced > Data Volume Restrictions) lists the data stored on your Software Logger on day-by-day basis in the last 30 days. It also indicates the days on which data limits were exceeded, as shown in the following figure. HPE Logger 6.2 Page 35 of 54 Installation Guide When a data limit violation occurs, the Search user interface displays a warning. If you exceed the daily data limit frequently, you should consider purchasing a license that suits your needs. For Software Loggers, you can increase your Daily Data limit by purchasing a higher ingestion rate in increments of 5 GB/day. Contact your HPE ArcSight sales representative to purchase a new license. Once you obtain the new license, follow the instructions in the ArcSight Logger Administrator’s Guide to apply it on your Logger. Acquiring a License Software Logger requires a license file for installation. To acquire the license, follow the instructions in the Electronic Delivery Receipt you receive from HPE in an email after you place the order. After installing Logger, you can view the specific details of the current license on the License Information and License & Update pages (Configuration > Advanced > License Information and System Admin > System > License & Update). For more information, refer to the Configuration and System Admin chapters of the Logger Administrator’s Guide. Acquiring a License for a Software Logger You can increase your daily data limit by purchasing a higher ingestion rate in increments of 5 GB/day. The Software Logger requires a license file for installation. To acquire the license, follow the instructions in the Electronic Delivery Receipt you receive from HPE in an email after you place the order. After installing Logger, you can view the specific details of the current license on the License Information and License & Update pages (Configuration > Advanced > License Information and System Admin > System > License & Update). For more information, refer to the Configuration and System Admin chapters of the Logger Administrator’s Guide. HPE Logger 6.2 Page 36 of 54 Installation Guide Preparing the Virtual Machine Before you can install the Logger software, you must import and configure the VM. This section guides you through the steps of importing and configuring the VM. As part of the operating system configuration process, you will need to create a second hard disk before installing Logger. After you add the second hard disk and power the system back on, the startup scripts attach the second hard disk and format it with an XFS partition. This partition will be used for storing the Logger data. Note: The following procedure is a guide for importing and deploying an OVA file. Your exact steps may vary, depending on your particular ESXi environment and deployment tools. For more information about your particular environment and instructions on deploying the OVA file, consult your ESXi or system administrator. To import the virtual machine: 1. Open the vSphere client and connect to the ESXi server. 2. On the vSphere client, open the File menu and select Deploy OVF Template… and click Next. 3. On the Source panel, browse to select the Logger installation file (Logger6.2_LXXXX_ QXXXX.ova) that you downloaded previously. Click Open and then click Next. 4. The OVF Template Details panel displays product information. Click Next. 5. On the Name and Location panel, enter a name for the virtual machine and click Next. 6. If there is more than one destination storage location available, select where to store the virtual machine. Click Next. 7. On the Disk Format panel select Thick Provision Lazy Zeroed and click Next. 8. The Ready to complete panel displays options you selected. Click Finish to confirm your selections and deploy the virtual machine. A progress bar displays the deployment progress. When the deployment is complete, the VM you created is displayed in the ESXi server's list. The existing hard disk is for the Logger software. You must create another virtual hard disk to store Logger data. To add a second hard disk: 1. Select the new VM from the ESXi server's list and make sure it is powered off. 2. Right-click the VM to open the dropdown menu, and then select Edit Settings. 3. The Virtual Machine Properties dialog box opens. Click Add.... The Device Type panel displays a list of devices you can add. 4. Select Hard Disk and click Next. HPE Logger 6.2 Page 37 of 54 Installation Guide 5. The Select a Disk panel displays the type of disks you can use. Select Create a new virtual disk and click Next. 6. The Create a Disk Panel displays virtual disk size and provisioning options. l Set the Disk Size. Caution: Be sure to set the Disk Size as large as possible. You cannot expand the hard disk once created. The minimum size is 40 GB. Logger 6.2 supports up to 12 TB. l Select Thick Provision Lazy Zeroed. l Click Next. 7. The Advanced Options panel displays other options. Keep the default Virtual device Node and click Next. 8. The Ready to complete panel displays options you selected. Click Finish to confirm your selections and add the hard disk. Once created, the new hard disk is displayed in the Hardware list. 9. Click OK and power on the new VM. The second hard disk is attached. Caution: The VM has the default root password arcsight. A non-root user, arcsight, with no password, is also included. For security reasons and so that you can SCP or SSH to your machine, change the root password and add a password for the arcsight user as soon as possible. Prerequisites for Installation The VM has the default root password arcsight. A non-root user, arcsight, with no password, is also included. This user is required for installation. Caution: For security reasons and so that you can SCP or SSH to your machine, change the root password and add a password for the arcsight user as soon as possible. Make sure these prerequisites are met before you install the Logger software on the VM: l l l Boot up the operating system on the VM, log in, set the timezone, and do any other necessary configuration before proceeding with the installation. Configure the network on the VM as appropriate for your environment. The hostname must be resolvable, either by the DNS server or by settings in /etc/hosts. SELinux and SSH are enabled on the OS, but the firewall is disabled. To ensure proper access to Logger, enable a firewall and add your firewall policy to allow or deny devices as soon as possible. HPE Logger 6.2 Page 38 of 54 Installation Guide l l l Before deploying in a production environment, get valid license file. If you do not have a license file, see "Acquiring a License" on page 36. You need a separate license file for each instance of Logger. A license file is uniquely generated for each download. SCP the license to the VM and make a note of the file name and location; you will need them during the installation process. Decide whether to install Logger while logged in as root or as the preconfigured non-root user, arcsight. Your installation options vary depending on which user you choose. a. If you install as root, you can choose to configure Logger to start as a service and select the port on which Logger listens for secure web connections. b. If you install as the non-root user, Logger can only listen for connections on port 9000. You cannot configure the port to a different value. c. When upgrading, you cannot change a previous non-root installation to a root-user installation. You will need to use the previously configured port 9000 for accessing Software Logger. l l l The hostname of the machine on which you are installing Logger cannot be “localhost”. If it is, change the hostname before proceeding with the installation. Install into an empty folder. If you have uninstalled Logger previously, and are installing into the same location, be sure to remove any files that the uninstaller left in place. You must not have an instance of MySQL installed on the machine on which you install Logger. If an instance of MySQL exists on that machine, uninstall it before installing Logger. Installing Logger on the Virtual Machine Make sure the machine on which you will be installing Software Logger complies with the specifications listed the Release Notes for your version, and that the prerequisites listed in "Prerequisites for Installation" on the previous page are met. Preinstallation: You can verify that you have the correct installation file, as described in "Verifying the Downloaded Installation Software" on page 34. You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on the previous page for details and restrictions. Note: You must install Logger in the /opt/arcsight/logger directory. To install the Logger software: 1. Run these commands from the directory where you copied the logger installation file: chmod +x ArcSight-logger-6.2.0.NNNN.0.bin HPE Logger 6.2 Page 39 of 54 Installation Guide ./ArcSight-logger-6.2.0.NNNN.0.bin -i console 2. The installation wizard launches in command-line mode, as shown below. Press Enter to continue. Introduction -----------InstallAnywhere will guide you through the installation of ArcSight Logger. It is strongly recommended that you quit all programs before continuing with this installation. Respond to each prompt to proceed to the next step in the installation. If you want to change something on a previous step, type 'back'. You may cancel this installation at any time by typing 'quit'. It is strongly recommended that you quit all programs before continuing with this installation. Respond to each prompt to proceed to the next step in the installation. If you want to change something on a previous step, type 'back'. You may cancel this installation at any time by typing 'quit'. PRESS TO CONTINUE: 3. The next several screens display the end user license agreement. Installation and use of Logger 6.2 requires acceptance of the license agreement. Press Enter to display each part of the license agreement, until you reach the following prompt: DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): 4. Type Y and press Enter to accept the terms of the License Agreement. You can type quit and press Enter to exit the installer at any point during the installation process. 5. The installer checks that installation prerequisites are met: l l Operating system check—Logger checks to see if your device is running a supported operating system. If you are not, a message displays, but it does not prevent you from installing Logger software. This happens because some update scenarios start with an earlier OS. Installation prerequisite check—If a check fails, Logger displays a message. You will need to fix the issue before proceeding. For example, if Logger is currently running on this machine, an Intervention Required message is displayed. In that case, type Y and press Enter to stop all current Logger processes and proceed with the installation, or type quit and press Enter to exit the installer. HPE Logger 6.2 Page 40 of 54 Installation Guide Once all checks complete, the installation continues, and the Choose Install Folder screen is displayed. 6. From the Choose Install Folder screen, type the installation path for Logger and then press Enter. The default installation path is /opt. You can install into this location or another location of your choice. Note: The user you are installing with must have access to the parent directory of the install directory. Otherwise, users will not be able to connect to the Logger UI and will see the following error message when they try to connect, “Error 403 Forbidden. You don't have permission to access / on this server”. 7. Type Y and press Enter to confirm the installation location. 8. If there is not enough space to install the software at the location you specify, a message is displayed. To proceed with the installation, specify a different location or make sufficient space at the location you specified. Type quit and press Enter to exit the installer. 9. If Logger is already installed at the location you specify, a message is displayed. Type quit and press Enter to exit the installer or type back and press Enter to specify another location and uninstall the previous version. Click Upgrade to continue or Previous to specify another location. For upgrade instructions and information, refer to the Release Notes for your version. 10. Type the absolute path to the license file and then press Enter. 11. Review the pre-install summary and press Enter to install Logger. Installation may take a few minutes. Please wait. Once installation is complete, the next screen is displayed. 12. If you are logged in as root, the following prompts will be displayed. Type your response and press Enter after each. Field Notes User Name This non-root user must already exist on the system. When installing Logger on VMWare VM, use the non-root user arcsight that comes preconfigured on your system. HTTPS Port The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI. Choose if you want to run Logger as a system service. HPE Logger 6.2 Type 1 and press Enter to configure Logger as a service, or type 2 and press Enter to configure Logger as standalone. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. Page 41 of 54 Installation Guide Field Notes If you do not enable Logger to start as service during the installation process, you still do so later. For instructions on how to enable Logger to start as a service after installation, refer to the Logger Administrator’s Guide. 13. Type the number that describes the desired locale, and press Enter. 14. Press Enter again to initialize Logger components. Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is displayed. 15. Press Enter to configure storage groups and storage volume and restart Logger automatically. Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts up and the next screen is displays the URL you should use to connect to Logger. 16. Make a note of the URL and then press Enter to exit the installer. Now that you are finished installing and initializing your Logger, you can use the URL you noted during the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on page 31. Connecting to Logger The Logger user interface (UI) is a password-protected web browser application that uses an encrypted HTTPS connection. Logger 6.2 supports access through the following browsers: l Chrome (current) l Edge (on Windows 10) l Internet Explorer 11 l Firefox ESR 38.3.0, Release 41 l Safari 9.0.1 (on OS X 10.9) Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have configured. l l For root installs, allow access to port 443 as well as the ports for any protocol that the logger receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver. For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver. Note: The ports listed here are the default ports. Your Logger may use different ports. JavaScript and cookies must be enabled. HPE Logger 6.2 Page 42 of 54 Installation Guide Connecting to Logger: Use the URL configured during Logger installation to connect to Logger through a supported browser. For Software Logger: https:// : For Logger Appliance: https:// where the hostname or IP address is that of the system on which the Logger software is installed, and configured_port is the port set up during the Logger installation, if applicable. Logging into Logger When the Login dialog is displayed, enter your user name and password, and click Login. Use the following default credentials if you are connecting for the first time: Username: admin Password: password Note: After logging in for the first time with the default user name and password, you will be prompted to change the password to a more secure one. Follow the prompts to enter and verify a more secure password. For more information about the Login screen and connecting to Logger, refer to the User Interface and Dashboards chapter of the Logger Administrator's Guide. Once you have logged in successfully, you can enable the preconfigured receivers and configure devices, device groups, and storage groups necessary to implement your retention policy. See "Configuring Logger" on page 46 and refer to the Configuration chapter of the Logger Administrator's Guide for information on how to set up your Logger to start receiving events. Starting and Stopping Software Logger The loggerd command enables you to start or stop the Logger software running on your machine. In addition, the command includes a number of subcommands that you can use to control other processes that run as part of the Logger software. Note: If your Logger is installed to run as a system service, you can use your operating system’s service command to start, stop, or check the status of a process on Logger. /current/arcsight/logger/bin/loggerd {start|stop|restart|status|quit} /current/arcsight/logger/bin/loggerd {start | stop | restart } HPE Logger 6.2 Page 43 of 54 Installation Guide To view the processes that can be started, stopped, or restarted with loggerd, click System Admin from the top-level menu bar. Then, under System, pick Process Status. The processes are listed on the right under Processes. The following table describes the subcommands available with loggerd and their purpose. Command Purpose loggerd start Start all processes listed under the System and Process sections in the figure above. Use this command to launch Logger. loggerd stop Stop processes listed under the Process section only. Use this command when you want to leave loggerd running but all other processes stopped. loggerd restart This command restarts processes listed under the Process section only. Note: When the loggerd restart command is used to restart Logger, the status message for the “aps” process displays this message: Process ‘aps’ Execution failed After a few seconds, the message changes to: Process ‘aps’ running loggerd status Display the status of all processes. loggerd quit Stops all processes listed under the System and Process sections in the figure above. Use this command to stop Logger. loggerd start Start the named process. For example, loggerd start apache. loggerd stop Stop the named process. For example, loggerd stop apache. loggerd restart Restart the named process. For example, loggerd restart apache You can also start and stop and view the status of Logger processes from the System Admin > System > Process Status page. Refer to the Logger Administrator’s guide or online help for more information. HPE Logger 6.2 Page 44 of 54 Installation Guide Uninstalling Logger To uninstall the Logger software, simply delete the VM. Alternatively, you can uninstall the software Logger from the VM. If you will be uninstalling the Software Logger over an SSH connection and want to use GUI mode, make sure that you have enabled X window forwarding using the -X option, so that you can view the screens of the uninstall wizard. If you will be using PuTTY, you will also need an X client on the machine from which you are connecting to the Linux machine. Before uninstalling Logger, stop the Logger processes by using the loggerd stop command, as described in "Starting and Stopping Software Logger" on page 32. To uninstall the Logger software, enter this command in the installation directory: ./UninstallerData/Uninstall_ArcSight_Logger_6.2 The uninstall wizard launches. Click Uninstall or press Enter to start uninstalling Logger. HPE Logger 6.2 Page 45 of 54 Chapter 5: Configuring Logger This chapter includes basic deployment and configuration information on the following topics. It is applicable to all Logger types. If you have installed multiple Loggers, you must connect to each and configure it separately or use ArcSight Management Center to make bulk configuration changes. • • • • • • Receivers Devices Device Groups Storage Rules Using SmartConnectors to Collect Events Sending Events from ArcSight ESM to Logger 46 48 48 48 49 52 For more information on directly configuring and administering your Logger, refer to the Logger Administrator’s Guide. For more information on configuring and administering your Logger using ArcMC, refer to the ArcSight Management Center Administrator’s Guide. For more information on setting Connectors, refer to the documentation for each Connector. Receivers Now that you have finished installing Logger, you can set up receivers to listen for events. Logger comes preconfigured with several receivers that are ready to receive events and log files directly from devices and systems on your network, such as syslog servers, NFS, CIFS, or SAN systems. You can use the preconfigured receivers or add your own. Receivers can be disabled and re-enabled later. You can add, change, and delete them as needed. The preconfigured receivers include a TCP receiver, a UDP Receiver, and a SmartMessage receiver already enabled and ready to receive events. Logger also comes preconfigured with folder follower receivers for Logger’s Apache Access Error Log, the system Messages Log, and the system Messages Audit Log (if auditing is enabled on your Linux OS). You must enable these receivers in order to use them. See "Enabling the Preconfigured Folder Follower Receivers" on the next page for instructions. The preconfigured receivers are described more detail in "Receivers" on page 8. For further information on receivers, refer to the Configuration chapter of the Logger Administrator’s Guide. Logger can also receive events from ArcSight SmartConnectors that collect event data from sources on your network. To learn more about ArcSight SmartConnectors, visit https://www.hpe.com/us/en/solutions/security.html. HPE Logger 6.2 Page 46 of 54 Installation Guide Enabling the Preconfigured Folder Follower Receivers The preconfigured receivers are described more detail in "Receivers" on page 8. For further information on receivers, refer to the Configuration chapter of the Logger Administrator’s Guide. When you first log in by using the URL you configured, the preconfigured folder follower receivers are disabled. The Home page displays an Add Data button. Click Add Data ( ) to open the Receivers page and enable the receivers. Tip: Before enabling these receivers, you must make /var/log/audit/audit.log and /var/log/messages readable by the non-root user you installed with or specified during Logger installation. To enable a receiver, click the disabled icon ( ) at the end of the row. Alternately, you can navigate to the Receivers page from the menu to enable the receivers. To open the Receivers page from the menu and enable a receiver: 1. Open the Configuration > Data menu and click Receivers. 2. Identify the receiver you want to enable, and click the disabled icon ( ) at the end of that row. For information on how to use the preconfigured SmartMessage receiver, see "Using SmartConnectors to Collect Events" on page 49. HPE Logger 6.2 Page 47 of 54 Installation Guide Devices Logger begins storing events when an enabled receiver receives data or, in the case of a file receivers, when the files become available. Using a process called autodiscovery, Logger automatically creates resources called devices to keep track of source IP addresses and uses DNS to map them to hostnames. Eventually, a device is created for each device from which Logger received events. You can also create devices preemptively, by entering the IP addresses or hostnames of data sources that you expect to be sending events to Logger. You might do this if you do not want to wait for autodiscovery, or if you want to control the initial naming of each device. Discovered devices are named for their host, or if the DNS lookup fails, for their IP address, and their receiver. For information about creating devices, refer to the Configuration chapter of the Logger Administrator’s Guide. Device Groups Device groups are containers or logical groupings for devices, in the same way folders (or directories) contain files. They are a name for a group of devices. A given device can be a member of several device groups. Each device group can be associated with particular storage group, which would assign a retention policy. You can change and delete device groups freely as your needs change. Setting up device groups initially is not critical; incoming events that are not assigned to a device group are automatically sent to the Default Storage Group. For the details of setting up device groups, refer to the Configuration chapter of the Logger Administrator’s Guide. Storage Rules Events are stored in the Default Storage Group unless otherwise specified. Storage rules are a way to direct events from certain device groups to certain storage groups. You can use them to implement additional retention policies. If you created additional storage groups, and want to send events to them, you can do that with storage rules. If you choose not to create storage rules, events from all devices will be sent to the Default Storage Group and use its specified retention policy. If you want to implement multiple retention policies, you can create storage rules that associate the specific device groups with the storage groups that implement the desired retention policy. For example, you could create one device group for each retention policy. However, for more control, you could associate device groups with storage groups and storage rules and use them to categorize events. For example, you could search for events that match a certain pattern and which belong to a particular device group, and send them to a particular storage group for retention based on event category. HPE Logger 6.2 Page 48 of 54 Installation Guide Storage rules are evaluated in order of priority; the first matching rule determines to which storage group an event is sent. This approach means that a single device can belong to several device groups without ambiguity about which storage group it will end up in. Refer to the Configuration chapter of the Logger Administrator’s Guide for more information on storage rules. Using SmartConnectors to Collect Events Similar to ArcSight Manager, Logger leverages the ArcSight SmartConnectors to collect events. SmartConnectors can read security events from heterogeneous devices on a network (such as firewalls and servers) and filter events of interest (and optionally aggregate them) and send them to a Logger receiver. Logger can receive structured data in the form of normalized Common Event Format (CEF) events from the SmartConnectors. This section gives basic information on each of these topics. For details, refer to the documentation for that Connector. • • • • • SmartMessage Downloading SmartConnectors Configuring a SmartConnector to Send Events to Logger Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager Configuring SmartConnectors for Failover Destinations 49 50 50 51 51 SmartMessage SmartMessage is an HPE ArcSight technology that provides an efficient secure channel for Common Event Format (CEF) events between ArcSight SmartConnectors and Logger. Caution: SmartMessage and FIPS require SmartConnector 4.7.5 or later. You can download the latest version from the HPE ArcSight web site. Older SmartConnectors will work with Logger, but may not support SmartMessage or FIPS. SmartMessage provides an end-to-end encrypted secure channel using secure sockets layer (SSL). One end is an ArcSight SmartConnector, receiving events from the many devices supported by ArcSight SmartConnectors. The other end is a SmartMessage receiver on Logger. Note: The SmartMessage secure channel uses SSL protocol to send encrypted events to Logger. This is similar to, but different from, the encrypted binary protocol used between SmartConnectors and ArcSight Manager. HPE Logger 6.2 Page 49 of 54 Installation Guide Downloading SmartConnectors Contact your HPE ArcSight sales representative or customer support for the location to download the supported SmartConnectors. To learn more about ArcSight SmartConnectors, visit https://www.hpe.com/us/en/solutions/security.html. Note: If you are using ArcSight Connectors to send events to Software Logger, make sure you are running connector version 5.1.3.5870.0 or later on your connectors to ensure that event size is accurately accounted on the Logger. Configuring a SmartConnector to Send Events to Logger Logger comes pre-configured with a SmartMessage Receiver. To use it to receive events from a SmartConnector, you must configure the SmartConnector as described below. You can also create new SmartMessage receivers and configure the SmartConnectors with these newly created receivers. When configuring a SmartConnector, be sure to specify the correct receiver name. To configure a SmartConnector to send events to Logger: 1. Install the SmartConnector component using the SmartConnector User’s Guide as a reference. Specify Logger as the destination instead of ArcSightESM or a CEF file. Note: Refer to the documentation that came with your SmartConnector for instructions. 2. Specify the required parameters. Enter the Logger hostname or IP address and the name of the SmartMessage receiver. These settings must match the receiver in Logger that listen for events from this connector. l l l l To use the preconfigured receiver, specify “SmartMessage Receiver” as the Receiver Name. To use SmartMessage to communicate between an ArcSightSmartConnector and a Logger Appliance, configure the SmartConnector to use port 443. To communicate between an ArcSightSmartConnector and Software Logger, configure the SmartConnector to use the port configured for the Software Logger. For unencrypted CEF syslog, enter the Logger hostname or IP address, the desired port, and choose UDP or TCP output. HPE Logger 6.2 Page 50 of 54 Installation Guide Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager You can configure a SmartConnector to send CEF syslog output to Logger and send events to an ArcSight Manager at the same time. For more information about the Common Event Format (CEF), refer to Implementing ArcSight CEF. For a downloadable a copy of this guide, search for “ArcSight Common Event Format (CEF) Guide” on the ArcSight Product Documentation Community on Protect 724. 1. Install the SmartConnector normally. Register the SmartConnector with a running ArcSight Manager and test that the SmartConnector is up and running. 2. Start the SmartConnector configuration program again using the $ARCSIGHT_ HOME/current/bin/runagentsetup script (or arcsight agentsetup -w). 3. Select I want to add/remove/modify ArcSight Manager destinations, then choose Add new destination. 4. Choose Logger and specify the requested parameters. Restart the SmartConnector for changes to take effect. Configuring SmartConnectors for Failover Destinations SmartConnectors can be configured to send events to a secondary, failover, destination when a primary connection fails. To configure a failover destination, follow these steps: 1. Configure the SmartConnector for the primary Logger as described above. The transport must be raw TCP in order to detect the transmission errors that trigger failover. 2. Edit the agent.properties file in the directory $ARCSIGHT_HOME/current/user/agent, where $ARCSIGHT_HOME is the root directory where the SmartConnector component was installed. a. Add this property: transport.types=http,file,cefsyslog b. Delete this property: transport.default.type 3. Start the SmartConnector configuration program again using the $ARCSIGHT_ HOME/current/bin/runagentsetup script (or arcsight agentsetup -w). 4. Choose I want to add/remove/modify and, with the primary Logger selected, choose Modify. Then select Add failover destination. 5. Enter information for the secondary Logger. 6. Restart the SmartConnector for the changes to take effect. HPE Logger 6.2 Page 51 of 54 Installation Guide 7. For more information about installing and configuring ArcSight SmartConnectors, refer to the ArcSight SmartConnector User's Guide, or specific SmartConnector Configuration Guides, available from the ArcSight Product Documentation Community on Protect 724. Sending Events from ArcSight ESM to Logger The ArcSight Forwarding SmartConnector can read events from an ArcSight Manager and forward them to Logger as CEF-formatted syslog messages. Note: The Forwarding SmartConnector is a separate installable file, named similar to this: ArcSight-4.x.x. .x-SuperConnector- .exe Use build 4810 or later for compatibility with Logger. To configure the ArcSight Forwarding SmartConnector to send events to Logger: 1. Install the SmartConnector component normally, but cancel the installation when the SmartConnector Wizard asks whether the target Manager uses a demo certificate. When the first screen of the SmartConnector Configuration Wizard appears, asking about a demo certificate, click Cancel. 2. Confirm that you want to exit, then click Done to dismiss the Install Wizard. This will install the SmartConnector, but leave it un-configured. 3. Create a file called agent.properties in the directory $ARCSIGHT_HOME/current/user/agent, where $ARCSIGHT_HOME is the root directory where the SmartConnector component was installed. This file should contain a single line: transport.default.type=cefsyslog 4. Start the SmartConnector configuration program again using the $ARCSIGHT_ HOME/current/bin/runagentsetup script (or arcsight agentsetup -w). 5. Specify the required parameters for CEF output. Enter the desired port for UDP or TCP output. These settings will need to match the receiver you create in Logger to listen for events from ArcSight ESM. Parameter Description IP/Host IP or host name of the Logger Port 514 or another port that matches the receiver Protocol UDP or Raw TCP ArcSight Source Manager IP or host name of the source ArcSight Manager HPE Logger 6.2 Page 52 of 54 Installation Guide Parameter Description Host Name ArcSight Source Manager Port 8443 (default) ArcSight Source Manager User Name A user account on the source Manager with sufficient privileges to read events ArcSight Source Manager Password Password for the specified Manager user account SmartConnector Name A name for the ESM to Logger connector (visible in the Manager) SmartConnector Location Notation of where this connector is installed Device Location Notation of where the source Manager is installed Comment Optional comments To configure the Forwarding SmartConnector to send CEF output to Logger and send events to another ArcSight Manager at the same time, see "Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager" on page 51. For more information about the Common Event Format (CEF), refer to Implementing ArcSight CEF. For a downloadable copy of this guide, search for “ArcSight Common Event Format (CEF) Guide” in the ArcSight Product Documentation Community on Protect 724. HPE Logger 6.2 Page 53 of 54 Send Documentation Feedback If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line: Feedback on Installation Guide (Logger 6.2) Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to arc-doc@hpe.com. We appreciate your feedback! HPE Logger 6.2 Page 54 of 54
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : Yes Author : Hewlett Package Enterprise Development LP Create Date : 2016:03:11 12:20:58-08:00 Keywords : Logger Appliance, Logger Software, Logger on VMWare VM Modify Date : 2016:03:11 12:23:13-08:00 Subject : Installation and Initial Configuration of ArcSight Logger Language : en-us XMP Toolkit : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03 Format : application/pdf Creator : Hewlett Package Enterprise Development LP Description : Installation and Initial Configuration of ArcSight Logger Title : Logger Installation Guide Metadata Date : 2016:03:11 12:23:13-08:00 Producer : madbuild Document ID : uuid:d8e38e63-7224-4a18-90c3-a14d9ab9fe10 Instance ID : uuid:02a21134-6652-4654-8a3e-c98d0bb58a3d Page Layout : SinglePage Page Mode : UseOutlines Page Count : 54EXIF Metadata provided by EXIF.tools