Logger Installation Guide Install 6.2

HPE Security ArcSight Logger
Software Version: 6.2

Installation Guide

March 11, 2016


Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and
confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security
practices.
This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2016 Hewlett Packard Enterprise Development, LP
Follow this link to see a complete statement of copyrights and acknowledgements:
https://www.protect724.hpe.com/docs/DOC-13026

Support
Contact Information
Phone: A list of phone numbers is available on the HPE Security ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/espsupport-contact-list
Support Web Site: https://softwaresupport.hp.com
Protect 724 Community: https://www.protect724.hpe.com

HPE Logger 6.2

Page 2 of 54

Contents
About this Guide


Chapter 1: Deployment Planning
Getting the Latest Documentation
Initial Configuration
Storage Volume
Storage Groups
Search Indexes
Receivers


Chapter 2: Setting Up a Logger Appliance
Running Logger on Encrypted Appliances
Installing the Logger Appliance
Configuring an IP Address for the Appliance
Setting Up the Appliance for Remote Access
Acquiring a License for the Logger Appliance
Logging In for the First Time
Initializing the Logger Appliance
Using the Logger Appliance Command Line Interface


Chapter 3: Installing Software Logger on Linux
Before You Begin
Downloading the Installation Package
Verifying the Downloaded Installation Software
How Licensing Works in Software Logger
Acquiring a License for Software Logger
Prerequisites for Installation
Increasing the User Process Limit
Installation
Using GUI Mode to Install Software Logger
Using Console Mode to Install Software Logger
Using Silent Mode to Install Software Logger
Licenses for Silent Mode Installations
Generating the Silent Install Properties File
Installing Software Logger in Silent Mode
Connecting to Logger
Starting and Stopping Software Logger
Uninstalling Logger


Chapter 4: Installing Software Logger on VMware
Before You Begin
Downloading the Installation Package
Verifying the Downloaded Installation Software
How Licensing Works in Software Logger
Acquiring a License
Acquiring a License for a Software Logger
Preparing the Virtual Machine
Prerequisites for Installation
Installing Logger on the Virtual Machine
Connecting to Logger
Starting and Stopping Software Logger
Uninstalling Logger


Chapter 5: Configuring Logger
Receivers
Enabling the Preconfigured Folder Follower Receivers
Devices
Device Groups
Storage Rules
Using SmartConnectors to Collect Events
SmartMessage
Downloading SmartConnectors
Configuring a SmartConnector to Send Events to Logger
Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager
Configuring SmartConnectors for Failover Destinations
Sending Events from ArcSight ESM to Logger

Send Documentation Feedback

About this Guide
This guide describes how to install and initialize the enterprise version of Logger. It includes information
on how to initialize the Logger Appliance and how to install the Software Logger on Linux and on
VMware VM.
For information on installing Trial Loggers, refer to the Trial Logger Quick Start Guide, available from
the same location you downloaded the Trial Logger installation file.
This guide includes information on the following subjects.
• "Deployment Planning" on page 6
• "Setting Up a Logger Appliance" on page 10
• "Installing Software Logger on Linux" on page 19
• "Installing Software Logger on VMware" on page 34
• "Configuring Logger" on page 46


Chapter 1: Deployment Planning
Before installing Logger, you should plan how you will store events and how long you need to retain
them. Consider the information in the sections below when planning your deployment:

• Getting the Latest Documentation
• Initial Configuration


Getting the Latest Documentation
The latest version of the documentation for this release is available for download (in PDF format) from
the ArcSight Product Documentation Community on Protect 724.
Help is available through the Logger user interface (UI). To access the online help from any user-interface page, click the down-arrow by your user name and then select Help.

Initial Configuration
The installation and initialization process sets up your Logger with an initial configuration described in
the sections below. You can do additional configuration on Logger to implement your retention policies.
See "Configuring Logger" on page 46. For further information, refer to the Configuration chapter of the
Logger Administrator’s guide.
Logger’s initial configuration is described in the sections below:

• Storage Volume
• Storage Groups
• Search Indexes
• Receivers

Storage Volume
Logger’s storage volume varies by version, up to the maximum of 12 TB. The initialization process sets
the storage volume. For Logger appliances, the storage volume is set to the maximum capacity for the
model. For software Loggers, the storage volume is set to the maximum capacity specified in the license
or the available disk space, whichever is smaller.
Caution: If Logger’s maximum capacity is exceeded, events will begin to fall out of storage. For
information on how to retain these events, refer to the Configuration chapter of the Logger
Administrator’s Guide.


After installing Logger, you can view the current limits on the Configuration > Advanced > License
Information page. For instructions, refer to the Configuration chapter of the Logger Administrator’s
Guide. For more information about licenses, including how to upload a new one, refer to the System
Admin chapter of the Logger Administrator’s Guide.
Storage volume can be extended after installation, but not reduced. For more information on increasing
the storage volume, refer to the Configuration chapter of the Logger Administrator’s Guide.

Storage Groups
Two storage groups, the Default Storage Group and the Internal Event Storage Group, are created
automatically during Logger initialization.
These storage groups come preconfigured with the following settings:
Preconfigured Default Storage Group Settings
Attribute          Appliance Logger     Software Logger
Size               Storage Volume/2     Storage Volume/2
Retention Period   180 days             180 days

Preconfigured Internal Storage Group Settings
Attribute          Appliance Logger     Software Logger
Size               5 GB                 3 GB
Retention Period   365 days             365 days

Logger can have a maximum of six storage groups; therefore, you can create an additional four storage
groups after your Logger has been initialized. Each storage group can have different settings. You can
change the retention policy and size for all storage groups, but you can only change the name of the
user-defined storage groups. Refer to the Configuration chapter of the Logger Administrator’s Guide
for the details of adding and resizing storage groups, and changing their retention policies.

Search Indexes
Logger comes prepared for full-text searches, and frequently used fields are indexed during
initialization. You can add additional fields to the index, but once a field has been added, you cannot
unindex it. Refer to the Search chapter of the Logger Administrator’s Guide for more information.


Receivers
The default installation includes several receivers. To start receiving events, you can direct your event
sources to the default receivers. After initialization, you can create additional receivers to listen for
events. You can also change and delete receivers or disable and enable them as needed.
The following receivers are set up and enabled with the default installation:
• A UDP receiver: Enabled by default.
  The UDP receiver is on port 514 for Logger Appliances. If you are installing Software Logger as root,
  the UDP receiver is on port 514. For non-root installs, it is on port 8514. If this port is already
  occupied, the initialization process selects the next higher unoccupied port.
  This port should be allowed through any firewall rules you have configured.
• A TCP receiver: Enabled by default.
  The TCP receiver is on port 515 for Logger Appliances. If you are installing Software Logger as root,
  the TCP receiver is on port 515. For non-root installs, it is on port 8515. If this port is already occupied,
  the initialization process selects the next higher unoccupied port.
  This port should be allowed through any firewall rules you have configured.
• A SmartMessage receiver: Enabled by default. To receive events from a SmartConnector, download
  the SmartConnector and set the Receiver Name to be “SmartMessage Receiver” when configuring
  the destination.

Logger also comes pre-configured with folder follower receivers for Logger’s Apache URL Access Error
log, the system Messages log, and the system Audit log (when auditing is enabled on your Linux OS).
You must enable these receivers in order to use them.
Note: Logger’s Apache URL Access Error Log, http_error_log, is similar in format to the Apache
access_log. Only failed access attempts are included in the Apache URL Access Error Log.
For Software Logger, the preconfigured folder follower receivers include:
• Var Log Messages: /var/log/messages
• Audit Log: /var/log/audit/audit.log
• Apache URL Access Error Log: /userdata/logs/apache/http_error_log

Note: The folder follower receiver for the /var/log/audit/audit.log is only created if the
folder /var/log/audit/ already exists on your system at installation time.
Auditing is disabled on some Logger Appliance models. Logger Appliances that have auditing enabled
will have the same preconfigured receivers as Software Logger.


When auditing is disabled on the system where Logger is installed, the preconfigured folder follower
receivers include:
• Var Log Messages: /var/log/messages
• Apache URL Access Error Log: /opt/arcsight/userdata/logs/apache/http_error_log

For instructions on how to enable the preconfigured receivers, see "Receivers" on page 46.
For more information about receivers in general, refer to the Configuration chapter of the Logger
Administrator’s Guide.


Chapter 2: Setting Up a Logger Appliance
This chapter describes how to rack mount your Logger appliance, and to configure an IP address and
initial settings for it. You do not need to run an installer when setting up your appliance; the Logger
software comes preinstalled on it. These basic steps enable you to start using your Logger Appliance:

• Running Logger on Encrypted Appliances
• Installing the Logger Appliance
• Configuring an IP Address for the Appliance
• Setting Up the Appliance for Remote Access
• Acquiring a License for the Logger Appliance
• Logging In for the First Time
• Initializing the Logger Appliance
• Using the Logger Appliance Command Line Interface

For information on how to install Software Logger on Linux, see "Installing Software Logger on Linux"
on page 19. For information about installing Software Logger on VMware VM, see "Installing Software
Logger on VMware" on page 34. For information about installing Trial Logger on Linux or on VMware
VM, refer to the Trial Logger Quick Start guide.

Running Logger on Encrypted Appliances
Logger can be run on encrypted hardware to help you to meet compliance regulations and privacy
challenges by securing your sensitive data at rest.
You can encrypt your L7600 Logger Appliance by using HP Secure Encryption, available from the
Server Management Software > HP Secure Encryption web page. For instructions, refer to the HP
Secure Encryption Installation and User Guide, available in PDF and CHM formats through the
Technical Support / Manuals link on that page.
L7600 Logger Appliances are encryption-capable. They come pre-installed with everything necessary
for you to encrypt them using HP Secure Encryption. The length of time encryption takes depends on
the amount of data on the server being encrypted. In our testing, a Gen 9 appliance with 7.5 TB of
stored data took about 72 hours to encrypt. You can continue using Logger while the encryption runs.
You may notice some performance degradation after encrypting your existing Logger appliance.
Caution: After encryption, you cannot restore your Logger to its previously unencrypted state.


Installing the Logger Appliance
Before you Begin:
• Redeem your license key by following the instructions in the enclosed “License Entitlement
  Certificate” document. Redeeming this key gets you the license that you need to access Logger
  functionality. For more information, see "Acquiring a License for the Logger Appliance" on page 13.
• Apply for an account on Protect 724 (https://www.protect724.hpe.com), the ArcSight user
  community. You will need this account to access product documentation and other community-based
  resources.

To install the appliance:
1. Unpack the appliance and its accompanying accessories.
Note: Read carefully through the instructions, cautions, and warnings that are included with
the appliance shipment. Failing to do so can result in bodily injury or appliance malfunction.
2. Follow the rack installation instructions to securely mount it.
3. Make the rear panel connections.
4. Power on the appliance.

Configuring an IP Address for the Appliance
The appliance ships with the default IP address 192.168.35.35 (subnet mask 255.255.255.0) on eno1. To
begin setting up your appliance, use the Command Line Interface (CLI) to configure a new IP address.
To run a command in the CLI, type it at the prompt and then press Enter. For more information on the
command line interface, see "Using the Logger Appliance Command Line Interface" on page 15 or enter
help at the prompt for a list of available commands.

To set up a new IP address:
1. Use one of the following methods to connect to the CLI:
• Log into HP ProLiant Integrated Lights-Out (iLO) and launch the remote console feature. For
  more information, see "Setting Up the Appliance for Remote Access" on page 1.
• Connect a keyboard and monitor to the ports on the rear panel of the appliance.
• Connect a terminal to the serial port on the appliance using a null modem cable with DB-9
  connector. The serial port expects a standard VT100-compatible terminal: 9600 bps, 8-bits, no
  parity, 1 stop bit (8N1), no flow control.
Once you are connected to the CLI, a log in prompt is displayed.
2. Enter the following default credentials to log in as the administrator:
Login: admin
Password: password

3. Enter the IP address in one of the following formats:
• set ip eno1 /
  (Example: set ip eno1 192.0.2.5/24)
• set ip eno1
  (Example: set ip eno1 192.0.2.5 255.255.255.0)

4. Enter set defaultgw , replacing  with your default gateway IP address.
5. Enter set hostname ., replacing . with
the fully-qualified domain name (FQDN) of the desired host.
6. Enter set dns ,  ,
replacing each  with a search domain, and each  with the IP
address of a name server. (Example: set dns domain1.company.com,domain2.company.com
192.0.2.1 192.0.2.2)
Note: When using multiple search domains, separate them with a comma, but no space. When
using multiple name servers separate them with a space but no comma.
7. Enter set ntp    replacing 
with the NTP server you want to use to set the time.
(Example: set ntp time.nist.gov)
8. Enter show config to review the configuration settings you entered in previous steps. If needed,
change the settings.

Setting Up the Appliance for Remote Access
All ArcSight appliances are equipped with an HP ProLiant Integrated Lights-Out (iLO) Advanced
remote management card. HP strongly recommends setting up and configuring your appliance for out-of-band remote access. Doing so ensures that you (and Customer Support, with your permission and
assistance) can remotely access the console of your appliance for troubleshooting, maintenance, and
power control.
Follow the directions in the HP ProLiant Integrated Lights-Out User Guide to set up your appliance for
remote access. The guide is available at http://www8.hp.com/us/en/products/servers/ilo/index.html.


Note: The Lx600 models require you to obtain and enter a license key. Instructions for obtaining
the license key are included on your License Entitlement Certificate. Once you have obtained the
license key, log into iLO, and then go to Administration > Licensing to enter it.

Acquiring a License for the Logger Appliance
A valid license file is required on the Logger Appliance before you can access its functionality. If you
have not obtained a license yet, follow the instructions in the “Hewlett-Packard Entitlement Certificate”
document included in the shipment with your Logger Appliance to redeem your license key. If you do
not have that document, contact customer support at https://softwaresupport.hp.com.
Note: If you have multiple Loggers, you will need a separate license file for each of them.
After initializing Logger, you can view the specific details of the current license on the License
Information and License & Update pages (Configuration > Advanced > License Information and
System Admin > System > License & Update). For more information, refer to the Configuration and
System Admin chapters of the Logger Administrator’s Guide.

Logging In for the First Time
The Logger user interface (UI) is a password-protected web browser application that uses an encrypted
HTTPS connection. Logger 6.2 supports access through the following browsers:
• Chrome (current)
• Edge (on Windows 10)
• Internet Explorer 11
• Firefox ESR 38.3.0, Release 41
• Safari 9.0.1 (on OS X 10.9)

Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have
configured.
• For root installs, allow access to port 443 as well as the ports for any protocol that the Logger
  receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver.
• For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger
  receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver.
Note: The ports listed here are the default ports. Your Logger may use different ports.

JavaScript and cookies must be enabled.


To connect to Logger:
Use the URL configured during Logger installation to connect to Logger through a supported browser.
For Software Logger: https://:
For Logger Appliance: https://
where the hostname or IP address is that of the system on which the Logger software is installed, and
configured_port is the port set up during the Logger installation, if applicable.
The first time you connect, the END USER LICENSE AGREEMENT is displayed. Scroll down to the
bottom of the screen to review and accept the EULA. After you accept, the Login screen is displayed.

To log in:
When the Login dialog is displayed, enter your user name and password, and click Login.
Use the following default credentials if you are connecting for the first time:
Username: admin
Password: password
Note: After logging in for the first time with the default user name and password, you will be
prompted to change the password to a more secure one. Follow the prompts to enter and verify a
more secure password.
For more information about the Login screen and connecting to Logger, refer to the User Interface and
Dashboards chapter of the Logger Administrator's Guide.
Once you have successfully logged in, proceed to the section, "Initializing the Logger Appliance" below.

Initializing the Logger Appliance
After you accept the EULA and log in for the first time, the Logger Configuration screen is displayed.
On this screen, you must upload the license file and configure the initial settings for your Logger
Appliance. Once you complete that configuration, your Logger Appliance will be ready for use.
Note: The initialization of a Logger Appliance can only be changed by restoring Logger to its initial
factory settings. Refer to the Logger Administrator's Guide for more information.

To initialize the Logger Appliance:
1. On the Logger Configuration screen, under Select License File to Upload, navigate to or specify
the path and filename of the license for the Logger Appliance, and click Upload License. If you do
not have a license, see "Acquiring a License for the Logger Appliance" on page 13.
After the upload, the License pane displays updated license status information.
2. Under System Locale Setting, select a Locale for this Logger Appliance from the drop-down list.
The locale setting ensures that the user interface displays information such as date, time, numbers,
and messages in the format and language appropriate for the selected country. Once configured,
this setting cannot be changed.
3. Under Date/Time Settings, ensure that the “Current Time Zone” and the “Current Time” settings
are correct for your environment.
Click Change Time Zone and Change Date/Time, respectively, to update the time settings. For
more information, refer to the System Admin chapter of the Logger Administrator’s Guide.
4. Click Save.
The Logger initialization process begins. Once the initialization is complete, the system reboots.
Now that you are done installing and initializing your Logger, go to the "Configuring Logger"
chapter of the Logger Installation Guide for information on how to set up your Logger to start
receiving events.
Now that you are finished installing and initializing your Logger, you can enable the preconfigured
receivers and configure devices, device groups, and storage groups necessary to implement your
retention policy. See "Configuring Logger" on page 46 and refer to the Configuration chapter of the
Logger Administrator's Guide for information on how to set up your Logger to start receiving events.
Caution: For security reasons, be sure to change the default credentials as soon as possible after
connecting to Logger for the first time. Refer to the System Admin chapter of the Logger
Administrator’s Guide for instructions.
For more information about the login screen and connecting to Logger, refer to the User Interface and
Dashboards chapter of the Logger Administrator’s Guide.

Using the Logger Appliance Command Line Interface
Use one of the following methods to connect to the appliance Command Line Interface (CLI):
• Log into HP ProLiant Integrated Lights-Out (iLO) and launch the remote console feature. For more
  information, see "Setting Up the Appliance for Remote Access" on page 1.
• Connect a keyboard and monitor to the ports on the rear panel of the appliance.
• Connect a terminal to the serial port on the appliance using a null modem cable with DB-9 connector.
• The serial port expects a standard VT100-compatible terminal: 9600 bps, 8-bits, no parity, 1 stop
  bit (8N1), no flow control.
Once you are connected to the CLI, a Login prompt displays.


The following commands are available at the CLI prompt:
Category / Command                 Description

System Commands
exit                               Logout
halt                               Stop and power down the Logger Appliance
help                               Opens the command line interface help
reboot                             Reboot the Logger Appliance

Administrative Commands
show admin                         Show the default administrator user’s name

Authentication Commands
reset authentication               Reset to local authentication

Configuration Commands
show config                        Show host name, IP address, DNS, and default gateway for the Logger

Date Commands
show date                          Show the date and time currently configured on the Logger
set date                           Set the date and time on Logger
                                   The date/time format is yyyyMMddhhmmss
                                   Example date: 20101219081533

Default Gateway Commands
set defaultgw  [nic]               Set the default gateway for one or all network interfaces
show defaultgw [nic]               Display the default gateway for all or the specified network interface

DNS Commands
show dns                           Show the currently configured DNS servers on the Logger
set dns                            Set DNS name server(s)
set dns ,                          sd=search domain, ns = name server
                                   You can add up to three name servers and six search domains
                                   Note: When using multiple search domains, separate them
                                   with a comma, but no space. When using multiple name
                                   servers, separate them with a space but no comma.

Hostname Commands
show hostname                      Show the currently configured hostname on the Logger
set hostname                       Set Logger’s host name

IP Commands
show ip [nic]                      Show the IP addresses of all or the specified network interface
set ip   [/prefix] [netmask]       Set Logger’s IP address for a specific network interface

NTP Commands
set ntp    ...                     Sets the NTP server addresses. This entry overwrites the current
                                   NTP server setting.
                                   You can specify as many NTP servers as you like. If you specify
                                   multiple NTP servers, they are each checked in turn. The time
                                   given by the first server to respond is used.
                                   Example:
                                   logger> set ntp ntp.arcsight.com time.nist.gov 0.rhel.pool.org
show ntp                           Show the current NTP server setting.
                                   Example:
                                   logger> show ntp
                                   ntp.arcsight.com time.nist.gov 0.rhel.pool.org

Password Commands
set password                       Set the password for the current user’s account

Process Commands
restart process                    Restart a process
start process                      Start a process
status process                     Show process status
stop process                       Stop a process

SSL Certificate Commands
show sslcert                       Show the currently loaded SSL certificate on Logger
reset sslcert                      Creates and installs a new self-signed certificate with the original
                                   default information, then restarts the HTTPS server.
diag sslcert                       Display the SSL session information

Status Commands
show status                        Show the Logger configuration

Chapter 3: Installing Software Logger on Linux
You can install Software Logger on a Linux system or on a VMware virtual machine (VM). This chapter
explains what you need to know to install and start running Software Logger on a Linux system. It
includes information on the following topics:

• Before You Begin
• How Licensing Works in Software Logger
• Prerequisites for Installation
• Installation
• Connecting to Logger
• Starting and Stopping Software Logger
• Uninstalling Logger

For information about installing Software Logger on a VMware VM, see "Installing Software Logger on
VMware" on page 34. For initialization information about the Logger Appliance, see "Setting Up a
Logger Appliance" on page 10. For information about installing Trial Logger on Linux or on VMware
VM, refer to the Trial Logger Quick Start guide.

Before You Begin
You need to have a server with a supported operating system and storage available to install the
Software Logger. For information about the platforms on which you can install and use Logger, refer to
the Release Notes and ArcSight Data Platform Support Matrix for your version. These documents are
available for download from the ArcSight Product Documentation Community on Protect 724.

Downloading the Installation Package
The installation package is available for download from the HPE Software Depot at
https://h20392.www2.hpe.com/portal/swdepot/index.do.

Verifying the Downloaded Installation Software
HPE provides a digital public key to enable you to verify that the signed software you received is indeed
from HPE and has not been manipulated in any way by a third party.
Visit the following site for information and instructions:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning


How Licensing Works in Software Logger
Logger licenses are based on Daily Data (the amount of data that comes into Logger per day). Logger
uses the sum of the sizes of the events received each day to determine this value. Even if this limit is
exceeded, the Logger continues to collect and store events; therefore, no events are lost. However, if
the limit is exceeded on more than five days in a 30-day sliding window, all features involving search are
disabled.
Caution: The disabled search features include forwarders as well as all searching and reporting
functionality.
If this limit is exceeded six or more days in a given 30-day period, you cannot forward, search, or run
reports on the collected events until the 30-day sliding window contains five or fewer data limit violations.
For example, you install the Logger software on January 1 with a data storage limit of 20 GB and start
collecting events. Your Logger receives more than 20 GB of event data on these dates: January 5th,
13th, 18th, 19th, and 20th. Because there are five violations so far, you can forward, search, and report
on the stored event data on January 21st. However, if there is another violation on January 30th, you
cannot forward, search, or report on January 31st because the number of violations has exceeded the
maximum allowed. (A search run on January 31st fails and the user interface displays a warning.) If there
are no additional data storage-limit violations from January 31st to February 4th, the ability to forward,
search, and report resumes on February 5th because the January 5th violation is now outside of the 30-day window.
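The sliding-window rule above can be tracked ahead of time, since losing search and forwarders is a monitoring gap. The following is an added example, not HPE code: it assumes the window on a given day covers the 30 completed days before it (the reading that matches the January example), and the year 2016 and the GB figures are constructed sample data.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30     # length of the sliding window, from the guide
MAX_VIOLATIONS = 5   # more than five violations in the window disables search


def violation_days(daily_gb, limit_gb):
    """Return the set of dates whose received volume exceeded the daily limit."""
    return {day for day, gb in daily_gb.items() if gb > limit_gb}


def violations_in_window(violations, today):
    """Violations among the 30 completed days before `today`.

    Assumption: a day's total only counts once that day is over, so the
    window is [today - 30, today - 1]. This matches the guide's example.
    """
    start = today - timedelta(days=WINDOW_DAYS)
    return sorted(d for d in violations if start <= d < today)


def search_disabled(violations, today):
    """True if forwarding, search and reporting are off on `today`."""
    return len(violations_in_window(violations, today)) > MAX_VIOLATIONS


def remaining_budget(violations, today):
    """How many more over-limit days can occur before search is lost."""
    return MAX_VIOLATIONS - len(violations_in_window(violations, today))


def lockout_days(violations, first, last):
    """Every date in [first, last] on which search is disabled."""
    span = (last - first).days + 1
    candidates = (first + timedelta(days=n) for n in range(span))
    return [d for d in candidates if search_disabled(violations, d)]


# Constructed sample: 20 GB/day limit, quiet days at 12 GB, and over-limit
# days on the dates used in the guide's example (January 5, 13, 18, 19, 20, 30).
LIMIT_GB = 20
SAMPLE = {date(2016, 1, 1) + timedelta(days=n): 12.0 for n in range(40)}
for day_of_month in (5, 13, 18, 19, 20, 30):
    SAMPLE[date(2016, 1, day_of_month)] = 23.5

if __name__ == "__main__":
    over = violation_days(SAMPLE, LIMIT_GB)
    print("violations:", sorted(over))
    print("budget on Jan 21:", remaining_budget(over, date(2016, 1, 21)))
    for d in lockout_days(over, date(2016, 1, 1), date(2016, 2, 9)):
        print("search disabled on", d.isoformat())
```

Alerting when `remaining_budget` reaches 1 or 0 gives time to reduce ingestion or raise the license before search and forwarding stop.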
The Data Volume Restrictions page (Configuration > Advanced > Data Volume Restrictions) lists
the data stored on your Software Logger on a day-by-day basis in the last 30 days. It also indicates the
days on which data limits were exceeded, as shown in the following figure.


When a data limit violation occurs, the Search user interface displays a warning. If you exceed the daily
data limit frequently, you should consider purchasing a license that suits your needs.
For Software Loggers, you can increase your Daily Data limit by purchasing a higher ingestion rate in
increments of 5 GB/day. Contact your HPE ArcSight sales representative to purchase a new license.
Once you obtain the new license, follow the instructions in the ArcSight Logger Administrator’s Guide
to apply it on your Logger.

Acquiring a License for Software Logger
Software Logger requires a license file for installation. To acquire the license, follow the instructions in
the Electronic Delivery Receipt you receive from HPE in an email after you place the order.
After installing Logger, you can view the specific details of the current license on the License
Information and License & Update pages (Configuration > Advanced > License Information and
System Admin > System > License & Update). For more information, refer to the Configuration and
System Admin chapters of the Logger Administrator’s Guide.

Prerequisites for Installation
Make sure these prerequisites are met before you install the Logger software:
• Ensure that you are installing Logger on a supported platform. Refer to the Release Notes and
  ArcSight Data Platform Support Matrix for this information. These documents are available for
  download from the ArcSight Product Documentation Community on Protect 724.
• To install Logger, you will need a valid license file. If you do not have a license file, see "Acquiring a
  License for the Logger Appliance" on page 13. You need a separate license file for each instance of
  Software Logger. A license file is uniquely generated for each Enterprise Version download. Make a
  note of the file name and location; you will need them during the installation process.
• Increase the user process limit, as described in "Increasing the User Process Limit" on the next page.
• A non-root user account must exist on the system on which you are installing Logger. Even if you
  install as root, a non-root user account is still required.
• Decide whether to install Logger while logged in as root or as a non-root user. Your installation
  options vary depending on which user you choose.
  a. If you install as root, you can choose to configure Logger to start as a service and select the port
     on which Logger listens for secure web connections.
  b. If you install as the non-root user, Logger can only listen for connections on port 9000. You
     cannot configure the port to a different value.
  c. When upgrading, you cannot change a previous non-root installation to a root-user installation.
     You will need to use the previously configured port 9000 for accessing Software Logger.
• The hostname of the machine on which you are installing Logger cannot be “localhost”. If it is,
  change the hostname before proceeding with the installation.

• Install into an empty folder. If you have uninstalled Logger previously, and are installing into the
  same location, be sure to remove any files that the uninstaller left in place.
• You must not have an instance of MySQL installed on the machine on which you install Logger. If an
  instance of MySQL exists on that machine, uninstall it before installing Logger.
• You must have an X Window System server installed to use the GUI mode of installation. If X11 is
  not installed, the installer will default to console mode.
  a. If you will be installing Logger over an SSH connection and want to use the GUI mode of
     installation, make sure that you have enabled X window forwarding using the -X option so that
     you can view the screens of the installation wizard.
  b. If you will be using PuTTY, you will also need an X client on the machine from which you are
     connecting to the machine onto which you want to install Logger.

Increasing the User Process Limit
Before installing or upgrading Logger, you must increase the default user process limit while logged in as
user root. This ensures that the system has adequate processing capacity.

To increase the default user process limit:
1. Open the file /etc/security/limits.d/<NN>-nproc.conf.
   (<NN> is 90 for RHEL or CentOS 6.7 and 20 for RHEL and CentOS 7.1.)
   • If you do not already have a /etc/security/limits.d/<NN>-nproc.conf file, create
     one (and the limits.d directory, if necessary).
   • If the file already exists, delete all entries in the file.

2. Add the following lines:
* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536

Caution: Be sure to include the asterisk (*) in the new entries. It is important that you add all of
the entries exactly as specified. Any omissions can cause system runtime errors.
3. Reboot the machine.
4. Run the following command to verify the new settings: ulimit -a
5. Verify that the output shows the following values for “open files” and “max user processes”:
open files 65536
max user processes 10240

After you have increased the user process limit and met the other prerequisites, you are ready to install
Logger.
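The prerequisites and limit settings above can be checked before the installer is launched. The following script is an added example, not part of the HPE guide or the Logger product: its function names are hypothetical, and the MySQL check is a heuristic that only looks for the server binary.

```bash
# Added example: pre-install checks for the prerequisites listed on this page.
# Function names are hypothetical; they are not part of the Logger product.
# Usage (values taken from this guide's examples):
#   bash preflight.sh arcsight /opt/Logger/62 /etc/security/limits.d/90-nproc.conf

REQUIRED_LIMITS='* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536'

# Strip comments and blank lines, collapse runs of whitespace.
normalise_limits() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# check_limits_file <file>: the file must hold exactly the four entries of step 2.
check_limits_file() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    clf_have=$(normalise_limits "$1")
    clf_rc=0
    while IFS= read -r clf_want; do
        printf '%s\n' "$clf_have" | grep -Fqx -- "$clf_want" ||
            { echo "FAIL: missing entry: $clf_want"; clf_rc=1; }
    done <<EOF
$REQUIRED_LIMITS
EOF
    # Step 1 deletes existing entries, so any other line is unexpected.
    clf_extra=$(printf '%s\n' "$clf_have" | grep -Fvx -- "$REQUIRED_LIMITS" || true)
    [ -z "$clf_extra" ] || { echo "FAIL: unexpected entry: $clf_extra"; clf_rc=1; }
    return $clf_rc
}

# check_ulimit_output: reads `ulimit -a` output (bash format) on stdin, steps 4-5.
check_ulimit_output() {
    awk '
        /^open files/         { files = $NF }
        /^max user processes/ { procs = $NF }
        END {
            if (files != 65536) { print "FAIL: open files is " files; bad = 1 }
            if (procs != 10240) { print "FAIL: max user processes is " procs; bad = 1 }
            exit bad + 0
        }'
}

# check_hostname <name>: the installer does not accept "localhost".
check_hostname() {
    case "$1" in
        ""|localhost) echo "FAIL: hostname must not be 'localhost'"; return 1 ;;
    esac
}

# check_nonroot_user <name>: the account must exist and must not be UID 0.
check_nonroot_user() {
    cnu_uid=$(id -u -- "$1" 2>/dev/null) ||
        { echo "FAIL: user '$1' does not exist"; return 1; }
    [ "$cnu_uid" -ne 0 ] || { echo "FAIL: '$1' is a root account"; return 1; }
}

# check_install_dir <dir>: target must be empty (or absent), parent accessible.
check_install_dir() {
    if [ -e "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        echo "FAIL: $1 exists and is not an empty directory"; return 1
    fi
    cid_parent=$(dirname "$1")
    [ -d "$cid_parent" ] && [ -x "$cid_parent" ] ||
        { echo "FAIL: no access to parent directory $cid_parent"; return 1; }
}

# check_mysql_absent: heuristic, looks only for a MySQL server binary.
check_mysql_absent() {
    for cma_bin in mysqld mysqld_safe; do
        if command -v "$cma_bin" >/dev/null 2>&1; then
            echo "FAIL: MySQL found ($cma_bin); uninstall it first"; return 1
        fi
    done
    [ ! -x /usr/libexec/mysqld ] ||
        { echo "FAIL: MySQL found (/usr/libexec/mysqld)"; return 1; }
}

# preflight <non-root-user> <install-dir> <limits-file>: run every check.
preflight() {
    pf_fail=0
    check_limits_file "$3"          || pf_fail=1
    ulimit -a | check_ulimit_output || pf_fail=1
    check_hostname "$(hostname)"    || pf_fail=1
    check_nonroot_user "$1"         || pf_fail=1
    check_install_dir "$2"          || pf_fail=1
    check_mysql_absent              || pf_fail=1
    [ "$pf_fail" -eq 0 ] && echo "All prerequisite checks passed."
    return $pf_fail
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it after the reboot in step 3, from the account that will run the installer, so that `ulimit -a` reflects the new limits.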

Installation
Software Logger can be installed in three ways:
• GUI mode: A wizard steps you through the installation and configuration of Software Logger. For
  instructions, see "Using GUI Mode to Install Software Logger" below. You must have an X-Windows
  server installed on your OS to use GUI mode.
• Console mode: A command-line process steps you through the installation and configuration of
  Software Logger. For instructions, see "Using Console Mode to Install Software Logger" on page 26.
  Tip: If you are installing remotely and bandwidth is an issue, console mode may allow you to
  install Logger more quickly.
• Silent mode: You provide the input required for installation and configuration through a file.
  Therefore, you do not need to interact with the installer to complete the installation and
  configuration. However, before you can use this mode, you must run the installation and
  configuration using one of the other modes to record the input in a file. For instructions, see "Using
  Silent Mode to Install Software Logger" on page 29.

Using GUI Mode to Install Software Logger
Make sure the machine on which you will be installing Logger complies with the specifications listed in the
Release Notes for your version, and that the prerequisites listed in "Prerequisites for Installation" on
page 21 are met.

Preinstallation steps:
• Before you install, you must increase the user process limit on the OS, as described in "Increasing the
  User Process Limit" on the previous page.
• You can verify that you have the correct installation file, as described in "Verifying the Downloaded
  Installation Software" on page 19.

You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on page
21 for details and restrictions.
Note: If you will be installing the Software Logger over an SSH connection and want to use the GUI
mode of installation, make sure that you have enabled X window forwarding using the -X option so
that you can view the screens of the installation wizard. If you will be using PuTTY, you will also
need an X client on the machine from which you are connecting to the machine onto which you
want to install Logger.

To install the Logger software:
1. Run these commands from the directory where you copied the Logger installation file:
chmod +x ArcSight-logger-6.2.0.NNNN.0.bin
./ArcSight-logger-6.2.0.NNNN.0.bin

2. The installation wizard launches, as shown in the following figure. Click Next.

You can click Cancel to exit the installer at any point during the installation process.
Caution: Do not use Ctrl+C to close the installer. If you use Ctrl+C to exit the installer and
then uninstall Logger, uninstallation may delete your /tmp directory.
3. The License Agreement screen is displayed. Scroll to the bottom of the license agreement to review
the agreement and enable the “I accept the terms of the License Agreement” button.
4. Select I accept the terms of the License Agreement and click Next.
5. The installer checks that installation prerequisites are met:
   • Operating system check—Logger checks to see if your device is running a supported operating
     system. If it is not, a message displays, but it does not prevent you from installing Logger
     software. This happens because some update scenarios start with an earlier OS.
   • Installation prerequisite check—If a check fails, Logger displays a message. You will need to fix
     the issue before proceeding.
     For example, if Logger is currently running on this machine, an Intervention Required message
     is displayed. In that case, type Y and press Enter to stop all current Logger processes and
     proceed with the installation, or type quit and press Enter to exit the installer.

6. Navigate to or specify the location where you want to install Logger.
The default installation path is /opt. You can install into this location or another location of your
choice.
Note: The user you are installing with must have access to the parent directory of the install
directory. Otherwise, users will not be able to connect to the Logger UI and will see the
following error message when they try to connect, “Error 403 Forbidden. You don't
have permission to access / on this server”.

7. Click Next to install into the selected location.
   • If there is not enough space to install the software at the location you specify, a message is
     displayed. To proceed with the installation, specify a different location or make sufficient space
     at the location you specified. Click Previous to specify another location or Quit to exit the
     installer.
   • If Logger is already installed at the location you specify, a message is displayed. Click Upgrade
     to continue or Previous to specify another location. For upgrade instructions and information,
     refer to the Release Notes for your version.

8. Click Choose and navigate to or type the path and filename of the license file for this Logger. Click
Next.
9. Review the pre-install summary and then click Install.
Installation may take a few minutes. Please wait. Once installation is complete, the next screen is
displayed.
10. If you are logged in as root, the following prompts are displayed. Fill in the fields and click Next.
Field | Notes
Non-root user name | This user must already exist on the system.
HTTPS port | The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI.
Configure Logger as a service | Indicate whether to configure Logger to run as a service. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. If you do not enable Logger to start as service during the installation process, you can still do so later. For instructions on how to enable Logger to start as a service after installation, see "Starting and Stopping Software Logger" on page 32.

11. Select the locale of this installation and click Next.
12. Click Next to initialize Logger components.
Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is
displayed.
13. Click Next to configure storage groups and storage volume and restart Logger.
Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts
up and the next screen is displayed.
14. Make a note of the URL and then click Done to exit the installer.
Now that you are done installing and initializing your Logger, you can use the URL you noted during
the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on
page 31.

Using Console Mode to Install Software Logger
Before you install, you must increase the user process limit on the OS, as described in "Increasing the
User Process Limit" on page 22.
You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on page
21 for details and restrictions.

To install the Logger software:
1. Run these commands from the directory where you copied the Logger installation file:
chmod +x ArcSight-logger-6.2.0.NNNN.0.bin

./ArcSight-logger-6.2.0.NNNN.0.bin -i console

2. The installation wizard launches in command-line mode, as shown below. Press Enter to continue.
Introduction
-----------
InstallAnywhere will guide you through the installation of ArcSight
Logger.

It is strongly recommended that you quit all programs before continuing
with this installation.
Respond to each prompt to proceed to the next step in the installation. If
you want to change something on a previous step, type 'back'.
You may cancel this installation at any time by typing 'quit'.
PRESS <ENTER> TO CONTINUE:

3. The next several screens display the end user license agreement. Installation and use of Logger 6.2
requires acceptance of the license agreement. Press Enter to display each part of the license
agreement, until you reach the following prompt:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):

4. Type Y and press Enter to accept the terms of the License Agreement.
You can type quit and press Enter to exit the installer at any point during the installation
process.
5. The installer checks that installation prerequisites are met:
   • Operating system check—Logger checks to see if your device is running a supported operating
     system. If it is not, a message displays, but it does not prevent you from installing Logger
     software. This happens because some update scenarios start with an earlier OS.
   • Installation prerequisite check—If a check fails, Logger displays a message. You will need to fix
     the issue before proceeding.
     For example, if Logger is currently running on this machine, an Intervention Required message
     is displayed. In that case, type Y and press Enter to stop all current Logger processes and
     proceed with the installation, or type quit and press Enter to exit the installer.

Once all checks complete, the installation continues, and the Choose Install Folder screen is
displayed.
6. From the Choose Install Folder screen, type the installation path for Logger and then press Enter.
The default installation path is /opt. You can install into this location or another location of your
choice.
Note: The user you are installing with must have access to the parent directory of the install
directory. Otherwise, users will not be able to connect to the Logger UI and will see the
following error message when they try to connect, “Error 403 Forbidden. You don't
have permission to access / on this server”.

7. Type Y and press Enter to confirm the installation location.
8. If there is not enough space to install the software at the location you specify, a message is
displayed. To proceed with the installation, specify a different location or make sufficient space at
the location you specified. Type quit and press Enter to exit the installer.
9. If Logger is already installed at the location you specify, a message is displayed. Type quit and
press Enter to exit the installer or type back and press Enter to specify another location and
uninstall the previous version. Click Upgrade to continue or Previous to specify another location.
For upgrade instructions and information, refer to the Release Notes for your version.
10. Type the absolute path to the license file and then press Enter.
11. Review the pre-install summary and press Enter to install Logger.
Installation may take a few minutes. Please wait. Once installation is complete, the next screen is
displayed.
12. If you are logged in as root, the following prompts will be displayed. Type your response and press
Enter after each.
Field | Notes
User Name | This non-root user must already exist on the system. When installing Logger on a VMware VM, use the non-root user arcsight that comes preconfigured on your system.
HTTPS Port | The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI.
Choose if you want to run Logger as a system service. | Type 1 and press Enter to configure Logger as a service, or type 2 and press Enter to configure Logger as standalone. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. If you do not enable Logger to start as service during the installation process, you can still do so later. For instructions on how to enable Logger to start as a service after installation, refer to the Logger Administrator’s Guide.

13. Type the number that describes the desired locale, and press Enter.
14. Press Enter again to initialize Logger components.

Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is
displayed.
15. Press Enter to configure storage groups and storage volume and restart Logger automatically.
Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts
up and the next screen displays the URL you should use to connect to Logger.
16. Make a note of the URL and then press Enter to exit the installer.
Now that you are finished installing and initializing your Logger, you can use the URL you noted during
the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on
page 31.

Using Silent Mode to Install Software Logger
Before you install Software Logger in silent mode, you need to create the properties file required for the
silent mode installation. Once you have generated the file, you can use it for silent mode installations.

Licenses for Silent Mode Installations
As for any Logger installation, each silent mode installation requires a unique license file. You must
obtain licenses as described in "Acquiring a License for Software Logger" on page 21 and place them on
the machines on which you will be installing Logger in silent mode, or ensure that the location where the
licenses are placed is accessible from those machines.

Generating the Silent Install Properties File
To generate a properties file for future silent installations:
1. Log in to the machine on which you can install Software Logger to generate an installation
properties file.
If you want the silent mode installations to be done as root user, log in as root. Otherwise, log in as
a non-root user.
2. Run these commands:
chmod +x ArcSight-logger-6.2.0.XXXX.0.bin
./ArcSight-logger-6.2.0.XXXX.0.bin -r <directory_location>

where <directory_location> is the location of the directory where the generated
properties file should be placed. The generated properties file is called installer.properties.
You cannot specify or change this name.
3. Install Logger in GUI mode. See "Using GUI Mode to Install Software Logger" on page 23.
4. Once the installation completes, navigate to the directory location you specified for the
installer.properties file earlier. Then go to "Installing Software Logger in Silent Mode" on
the next page.

The following is an example of a generated installer.properties file.
# Wed Feb 11 18:27:49 PDT 2016
# Replay feature output
# --------------------
# This file was built by the Replay feature of InstallAnywhere.
# It contains variables that were set by Panels, Consoles or Custom Code.

#Choose Install Folder
#--------------------
USER_INSTALL_DIR=/opt/Logger/62

#License Information
#------------------
LICENSE_LOCATION=/home/user/arcsight.lic

Installing Software Logger in Silent Mode
Make sure the machine on which you will be installing the Software Logger complies with the platform
requirements listed in the Release Notes for your version, and that the prerequisites listed in
"Prerequisites for Installation" on page 21 are met.
If you are installing as root, make sure that the non-root user account that you entered when generating
the silent mode properties file exists on the machines on which you are using the silent installer to install
Logger.

To install the Software Logger using the Silent mode:
1. Copy the silent mode properties file you generated previously to the same location where you have
copied the Logger software on the new system.
2. Edit the LICENSE_LOCATION property in the silent mode properties file to include the location of
the license file for this instance of installation. (A unique license file is required for each instance of
installation.)
Or
Set the LICENSE_LOCATION property to point to a file, such as software_logger_license.zip.
Then, for each instance of the silent mode installation, copy the relevant license file
to the location and rename it to software_logger_license.zip. Doing so will avoid the need
to update the combined properties file for each installation.
3. Run these commands from the directory where you copied the Logger software:
chmod +x ArcSight-logger-6.2.0.XXXX.0.bin
./ArcSight-logger-6.2.0.XXXX.0.bin -i SILENT -f <path_to_installer.properties>

The rest of the installation and configuration proceed silently, without requiring any input from you.

After the installation and initialization complete, you can use the URL created during the installation to
connect to Logger. For instructions and information, see "Connecting to Logger" below.
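Step 2 of the silent-mode procedure (pointing LICENSE_LOCATION at the license for this instance) can be scripted and checked before the installer runs unattended. The following is an added example, not part of the HPE guide or the installer: the function names are hypothetical, and the absolute-path and file-permission checks are assumptions made here because a root-run installer should not take its input from a file that other users can edit.

```bash
# Added example: prepare a recorded installer.properties for one host.
# Function names are hypothetical; only the two property keys and the
# installer options (-i SILENT -f) come from this guide.

# get_prop <file> <KEY>: value of the last KEY=value line, empty if absent.
get_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# set_license_location <file> <license-path>
# Rewrites LICENSE_LOCATION; every other line and the file mode are kept.
set_license_location() {
    [ -r "$2" ] || { echo "FAIL: license file $2 is not readable"; return 1; }
    grep -q '^LICENSE_LOCATION=' "$1" ||
        { echo "FAIL: $1 has no LICENSE_LOCATION entry"; return 1; }
    # Escape characters that are special in a sed replacement.
    sll_esc=$(printf '%s' "$2" | sed 's/[\\&|]/\\&/g')
    cp -p "$1" "$1.new" &&
        sed "s|^LICENSE_LOCATION=.*|LICENSE_LOCATION=$sll_esc|" "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# validate_props <file>: fail fast before an unattended install.
validate_props() {
    vp_rc=0
    vp_dir=$(get_prop "$1" USER_INSTALL_DIR)
    vp_lic=$(get_prop "$1" LICENSE_LOCATION)
    [ -n "$vp_dir" ] || { echo "FAIL: USER_INSTALL_DIR is not set"; vp_rc=1; }
    # Console mode asks for an absolute license path; required here as well
    # (an assumption of this example).
    case "$vp_lic" in
        /*) [ -r "$vp_lic" ] ||
                { echo "FAIL: cannot read license $vp_lic"; vp_rc=1; } ;;
        *)  echo "FAIL: LICENSE_LOCATION must be an absolute path"; vp_rc=1 ;;
    esac
    # Assumption of this example: reject a properties file that is
    # group- or world-writable (characters 6 and 9 of the mode string).
    case "$(ls -ld "$1")" in
        ?????w*|????????w*)
            echo "FAIL: $1 is writable by group or others"; vp_rc=1 ;;
    esac
    return $vp_rc
}

# run_silent_install <installer> <properties-file>
# <installer> is the path to the .bin file, for example
# ./ArcSight-logger-6.2.0.XXXX.0.bin (XXXX is the guide's placeholder).
run_silent_install() {
    validate_props "$2" || return 1
    chmod +x "$1" && "$1" -i SILENT -f "$2"
}
```

The rewrite assumes plain Linux paths that need no Java properties escaping.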

Connecting to Logger
The Logger user interface (UI) is a password-protected web browser application that uses an encrypted
HTTPS connection. Logger 6.2 supports access through the following browsers:
• Chrome (current)
• Edge (on Windows 10)
• Internet Explorer 11
• Firefox ESR 38.3.0, Release 41
• Safari 9.0.1 (on OS X 10.9)

Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have
configured.
• For root installs, allow access to port 443 as well as the ports for any protocol that the Logger
  receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver.
• For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger
  receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver.
Note: The ports listed here are the default ports. Your Logger may use different ports.

JavaScript and cookies must be enabled.

To connect to Logger:
Use the URL configured during Logger installation to connect to Logger through a supported browser.
For Software Logger: https://<hostname or IP address>:<configured_port>
For Logger Appliance: https://<hostname or IP address>
where the hostname or IP address is that of the system on which the Logger software is installed, and
configured_port is the port set up during the Logger installation, if applicable.
After you connect, the Login screen is displayed.

To log in:
When the Login dialog is displayed, enter your user name and password, and click Login.
Use the following default credentials if you are connecting for the first time:
Username: admin
Password: password

Note: After logging in for the first time with the default user name and password, you will be
prompted to change the password to a more secure one. Follow the prompts to enter and verify a
more secure password.
For more information about the Login screen and connecting to Logger, refer to the User Interface and
Dashboards chapter of the Logger Administrator's Guide.
Once you have logged in successfully, you can enable the preconfigured receivers and configure
devices, device groups, and storage groups necessary to implement your retention policy. See
"Configuring Logger" on page 46 and refer to the Configuration chapter of the Logger Administrator's
Guide for information on how to set up your Logger to start receiving events.

Starting and Stopping Software Logger
The loggerd command enables you to start or stop the Logger software running on your machine. In
addition, the command includes a number of subcommands that you can use to control other processes
that run as part of the Logger software.
Note: If your Logger is installed to run as a system service, you can use your operating system’s
service command to start, stop, or check the status of a process on Logger.
<install_dir>/current/arcsight/logger/bin/loggerd {start|stop|restart|status|quit}
<install_dir>/current/arcsight/logger/bin/loggerd {start <process_name> | stop <process_name> | restart <process_name>}

To view the processes that can be started, stopped, or restarted with loggerd, click System Admin
from the top-level menu bar. Then, under System, pick Process Status. The processes are listed on the
right under Processes.
The following table describes the subcommands available with loggerd and their purpose.
Command | Purpose
loggerd start | Start all processes listed under the System and Process sections in the figure above. Use this command to launch Logger.
loggerd stop | Stop processes listed under the Process section only. Use this command when you want to leave loggerd running but all other processes stopped.
loggerd restart | This command restarts processes listed under the Process section only. Note: When the loggerd restart command is used to restart Logger, the status message for the “aps” process displays this message: Process ‘aps’ Execution failed. After a few seconds, the message changes to: Process ‘aps’ running
loggerd status | Display the status of all processes.
loggerd quit | Stops all processes listed under the System and Process sections in the figure above. Use this command to stop Logger.
loggerd start <process_name> | Start the named process. For example, loggerd start apache.
loggerd stop <process_name> | Stop the named process. For example, loggerd stop apache.
loggerd restart <process_name> | Restart the named process. For example, loggerd restart apache.

You can also start and stop and view the status of Logger processes from the System Admin >
System > Process Status page. Refer to the Logger Administrator’s Guide or online help for more
information.

Uninstalling Logger
If you will be uninstalling the Software Logger over an SSH connection and want to use GUI mode,
make sure that you have enabled X window forwarding using the -X option, so that you can view the
screens of the uninstall wizard. If you will be using PuTTY, you will also need an X client on the machine
from which you are connecting to the Linux machine.
Before uninstalling Logger, stop the Logger processes by using the loggerd stop command, as
described in "Starting and Stopping Software Logger" on the previous page.
To uninstall the Logger software, enter this command in the installation directory:
./UninstallerData/Uninstall_ArcSight_Logger_6.2

The uninstall wizard launches. Click Uninstall or press Enter to start uninstalling Logger.

Chapter 4: Installing Software Logger on VMware
You can install Software Logger on a Linux system or on a VMware VM. This chapter explains what you
need to know to install and start running Software Logger on a VMware VM. It includes information on
the following topics:

• Before You Begin
• How Licensing Works in Software Logger
• Preparing the Virtual Machine
• Prerequisites for Installation
• Installing Logger on the Virtual Machine
• Connecting to Logger
• Starting and Stopping Software Logger
• Uninstalling Logger

For information on how to install Software Logger on Linux, see "Installing Software Logger on Linux"
on page 19. For initialization information about the Logger Appliance, see "Setting Up a Logger
Appliance" on page 10. For information about installing Trial Logger on Linux or on VMware VM, refer
to the Trial Logger Quick Start guide.

Before You Begin
You can deploy the Logger virtual machine (VM) on a VMware ESXi server, version 5.5. The VM image
includes the Logger 6.2 installer on a 64-bit CentOS 6.6 configured with 12 GB RAM and four physical
(and eight logical) cores. For more information on the release, refer to the Release Notes and ArcSight
Data Platform Support Matrix. These documents are available for download from the ArcSight Product
Documentation Community on Protect 724.

Downloading the Installation Package
The installation package, Logger6.2_Lxxxx_Qxxxx.ova, is available for download from the HPE Software
Depot at http://software.hp.com.

Verifying the Downloaded Installation Software
HPE provides a digital public key to enable you to verify that the signed software you received is indeed
from HPE and has not been manipulated in any way by a third party.

Visit the following site for information and instructions:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning

How Licensing Works in Software Logger
Logger licenses are based on Daily Data (the amount of data that comes into Logger per day). Logger
uses the sum of the sizes of the events received each day to determine this value. Even if this limit is
exceeded, the Logger continues to collect and store events; therefore, no events are lost. However, if
the limit is exceeded on more than five days in a 30-day sliding window, all features involving search are
disabled.
Caution: The disabled search features include forwarders as well as all searching and reporting
functionality.
If this limit is exceeded six or more days in a given 30-day period, you cannot forward, search, or run
reports on the collected events until the 30-day sliding window contains five or fewer data limit violations.
For example, you install the Logger software on January 1 with a data storage limit of 20 GB and start
collecting events. Your Logger receives more than 20 GB of event data on these dates: January 5th,
13th, 18th, 19th, and 20th. Because there are five violations so far, you can forward, search, and report
on the stored event data on January 21st. However, if there is another violation on January 30th, you
cannot forward, search, or report on January 31st because the number of violations has exceeded the
maximum allowed. (A search run on January 31st fails and the user interface displays a warning.) If there
are no additional data storage-limit violations from January 31st to February 4th, the ability to forward,
search, and report resumes on February 5th because the January 5th violation is now outside of the 30-day window.
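The sliding-window rule, described here and in the Linux chapter's licensing section, can be modelled to predict when forwarding, search, and reporting stop and resume. This is an added example, not HPE code or Logger's own license logic: it assumes the window checked on a given day is the 30 days before that day (which reproduces the dates in the example above), assumes the year 2016 for the sample dates, and requires GNU date.

```bash
# Added example: model of the Daily Data license rule described on this page.
# Assumption: on a given day, the window is the 30 days before that day.
WINDOW_DAYS=30      # length of the sliding window
MAX_VIOLATIONS=5    # forward/search/report are disabled above this count

# day_number <YYYY-MM-DD>: days since the epoch (UTC avoids DST effects).
day_number() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# violations_in_window <date> <violation-date>...
# Counts the violations that fall inside the window seen on <date>.
violations_in_window() {
    viw_today=$(day_number "$1"); shift
    viw_count=0
    for viw_v in "$@"; do
        viw_age=$(( viw_today - $(day_number "$viw_v") ))
        if [ "$viw_age" -ge 1 ] && [ "$viw_age" -le "$WINDOW_DAYS" ]; then
            viw_count=$(( viw_count + 1 ))
        fi
    done
    echo "$viw_count"
}

# search_allowed <date> <violation-date>...  (exit status 0 = allowed)
search_allowed() {
    [ "$(violations_in_window "$@")" -le "$MAX_VIOLATIONS" ]
}

# resume_date <date> <violation-date>...
# First date on or after <date> on which forwarding, search, and reporting
# work, assuming no further violations occur.
resume_date() {
    rd_day=$(day_number "$1"); shift
    while :; do
        rd_date=$(date -u -d "@$(( rd_day * 86400 ))" +%Y-%m-%d)
        if search_allowed "$rd_date" "$@"; then
            echo "$rd_date"
            return 0
        fi
        rd_day=$(( rd_day + 1 ))
    done
}

# Violation dates from the example above (year assumed).
VIOLATIONS="2016-01-05 2016-01-13 2016-01-18 2016-01-19 2016-01-20 2016-01-30"

# Intentionally unquoted so that each date becomes its own argument.
echo "Violations counted on 2016-01-31: $(violations_in_window 2016-01-31 $VIOLATIONS)"
echo "Search resumes on: $(resume_date 2016-01-31 $VIOLATIONS)"
```

Feeding it the violation days shown on the Data Volume Restrictions page gives the remaining headroom before forwarders stop.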
The Data Volume Restrictions page (Configuration > Advanced > Data Volume Restrictions) lists
the data stored on your Software Logger on a day-by-day basis in the last 30 days. It also indicates the
days on which data limits were exceeded, as shown in the following figure.

When a data limit violation occurs, the Search user interface displays a warning. If you exceed the daily
data limit frequently, you should consider purchasing a license that suits your needs.
For Software Loggers, you can increase your Daily Data limit by purchasing a higher ingestion rate in
increments of 5 GB/day. Contact your HPE ArcSight sales representative to purchase a new license.
Once you obtain the new license, follow the instructions in the ArcSight Logger Administrator’s Guide
to apply it on your Logger.

Acquiring a License
Software Logger requires a license file for installation. To acquire the license, follow the instructions in
the Electronic Delivery Receipt you receive from HPE in an email after you place the order.
After installing Logger, you can view the specific details of the current license on the License
Information and License & Update pages (Configuration > Advanced > License Information and
System Admin > System > License & Update). For more information, refer to the Configuration and
System Admin chapters of the Logger Administrator’s Guide.

Acquiring a License for a Software Logger
You can increase your daily data limit by purchasing a higher ingestion rate in increments of 5 GB/day.
The Software Logger requires a license file for installation. To acquire the license, follow the instructions
in the Electronic Delivery Receipt you receive from HPE in an email after you place the order.
After installing Logger, you can view the specific details of the current license on the License
Information and License & Update pages (Configuration > Advanced > License Information and
System Admin > System > License & Update). For more information, refer to the Configuration and
System Admin chapters of the Logger Administrator’s Guide.

Preparing the Virtual Machine
Before you can install the Logger software, you must import and configure the VM. This section guides
you through the steps of importing and configuring the VM. As part of the operating system
configuration process, you will need to create a second hard disk before installing Logger. After you
add the second hard disk and power the system back on, the startup scripts attach the second hard disk
and format it with an XFS partition. This partition will be used for storing the Logger data.
Note: The following procedure is a guide for importing and deploying an OVA file. Your exact steps
may vary, depending on your particular ESXi environment and deployment tools. For more
information about your particular environment and instructions on deploying the OVA file, consult
your ESXi or system administrator.

To import the virtual machine:
1. Open the vSphere client and connect to the ESXi server.
2. On the vSphere client, open the File menu and select Deploy OVF Template… and click Next.
3. On the Source panel, browse to select the Logger installation file
(Logger6.2_LXXXX_QXXXX.ova) that you downloaded previously. Click Open and then click Next.
4. The OVF Template Details panel displays product information. Click Next.
5. On the Name and Location panel, enter a name for the virtual machine and click Next.
6. If there is more than one destination storage location available, select where to store the virtual
machine. Click Next.
7. On the Disk Format panel, select Thick Provision Lazy Zeroed and click Next.
8. The Ready to complete panel displays options you selected. Click Finish to confirm your selections
and deploy the virtual machine.
A progress bar displays the deployment progress. When the deployment is complete, the VM you
created is displayed in the ESXi server's list.
The existing hard disk is for the Logger software. You must create another virtual hard disk to store
Logger data.

To add a second hard disk:
1. Select the new VM from the ESXi server's list and make sure it is powered off.
2. Right-click the VM to open the dropdown menu, and then select Edit Settings.
3. The Virtual Machine Properties dialog box opens. Click Add....
The Device Type panel displays a list of devices you can add.
4. Select Hard Disk and click Next.

5. The Select a Disk panel displays the type of disks you can use. Select Create a new virtual disk
and click Next.
6. The Create a Disk panel displays virtual disk size and provisioning options.
• Set the Disk Size.
Caution: Be sure to set the Disk Size as large as possible. You cannot expand the hard disk
once created. The minimum size is 40 GB. Logger 6.2 supports up to 12 TB.
• Select Thick Provision Lazy Zeroed.
• Click Next.

7. The Advanced Options panel displays other options. Keep the default Virtual device Node and click
Next.
8. The Ready to complete panel displays options you selected. Click Finish to confirm your selections
and add the hard disk.
Once created, the new hard disk is displayed in the Hardware list.
9. Click OK and power on the new VM. The second hard disk is attached.
Caution: The VM has the default root password arcsight. A non-root user, arcsight, with
no password, is also included. For security reasons and so that you can SCP or SSH to your
machine, change the root password and add a password for the arcsight user as soon as
possible.

Prerequisites for Installation
The VM has the default root password arcsight. A non-root user, arcsight, with no password, is
also included. This user is required for installation.
Caution: For security reasons and so that you can SCP or SSH to your machine, change the root
password and add a password for the arcsight user as soon as possible.
Make sure these prerequisites are met before you install the Logger software on the VM:
• Boot up the operating system on the VM, log in, set the timezone, and do any other necessary
configuration before proceeding with the installation.
• Configure the network on the VM as appropriate for your environment. The hostname must be
resolvable, either by the DNS server or by settings in /etc/hosts.
• SELinux and SSH are enabled on the OS, but the firewall is disabled. To ensure proper access to
Logger, enable a firewall and add your firewall policy to allow or deny devices as soon as possible.

• Before deploying in a production environment, get a valid license file. If you do not have a license file,
see "Acquiring a License" on page 36. You need a separate license file for each instance of Logger. A
license file is uniquely generated for each download.
• SCP the license to the VM and make a note of the file name and location; you will need them during
the installation process.
• Decide whether to install Logger while logged in as root or as the preconfigured non-root user,
arcsight. Your installation options vary depending on which user you choose.
a. If you install as root, you can choose to configure Logger to start as a service and select the port
on which Logger listens for secure web connections.
b. If you install as the non-root user, Logger can only listen for connections on port 9000. You
cannot configure the port to a different value.
c. When upgrading, you cannot change a previous non-root installation to a root-user installation.
You will need to use the previously configured port 9000 for accessing Software Logger.

• The hostname of the machine on which you are installing Logger cannot be “localhost”. If it is,
change the hostname before proceeding with the installation.
• Install into an empty folder. If you have uninstalled Logger previously, and are installing into the
same location, be sure to remove any files that the uninstaller left in place.
• You must not have an instance of MySQL installed on the machine on which you install Logger. If an
instance of MySQL exists on that machine, uninstall it before installing Logger.
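
The prerequisites above can be checked from a shell before the installer is started. The script below is an added example, not part of the HPE guide: the function names and sample paths are hypothetical, and rejecting localhost.* in addition to "localhost" is a conservative assumption.

```shell
#!/bin/sh
# Pre-install checks for the prerequisites listed above.
# Added example: function names and the sample paths are hypothetical.
# Run as root so /etc/shadow is readable, for example:
#   ./logger_preflight.sh /opt/arcsight/logger /path/to/license-file

# The guide forbids the hostname "localhost". Rejecting localhost.* as well
# is a conservative assumption of this example.
hostname_ok() {
    case "$1" in
        ""|localhost|localhost.*) return 1 ;;
        *) return 0 ;;
    esac
}

# getent goes through NSS, so it consults both DNS and /etc/hosts.
hostname_resolves() { getent hosts "$1" >/dev/null 2>&1; }

# True when the path does not exist yet, or is a directory with no entries
# (dotfiles left behind by an earlier uninstall count as entries).
dir_is_empty() {
    [ -e "$1" ] || return 0
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Classify a user's password field in a shadow-format file.
# Prints one of: set, empty, locked, missing.
password_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
        }
        END { if (!found) print "missing" }' "$1"
}

# True when a MySQL server binary or RPM package is present.
mysql_present() {
    command -v mysqld >/dev/null 2>&1 && return 0
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -qa 2>/dev/null | grep -qiE '^mysql(-community)?-server'
}

# preflight <install-dir> <license-file>: print PASS/FAIL per prerequisite
# and return non-zero if any check failed. The subshell keeps state local.
preflight() (
    install_dir=$1
    license=$2
    fails=0
    check() {
        desc=$1
        shift
        if "$@"; then
            echo "PASS  $desc"
        else
            echo "FAIL  $desc"
            fails=$((fails + 1))
        fi
    }
    no_mysql()    { ! mysql_present; }
    arcsight_pw() { [ "$(password_state /etc/shadow arcsight)" = set ]; }
    license_ok()  { [ -f "$license" ] && [ -r "$license" ]; }
    h=$(hostname)

    check "hostname is not localhost ($h)"        hostname_ok "$h"
    check "hostname resolves (DNS or /etc/hosts)" hostname_resolves "$h"
    check "install directory is empty"            dir_is_empty "$install_dir"
    check "no MySQL instance installed"           no_mysql
    check "arcsight user has a password set"      arcsight_pw
    check "license file is readable"              license_ok
    [ "$fails" -eq 0 ]
)

# Run the checks only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The script cannot tell whether root still has the default password, so change it regardless of the result.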

Installing Logger on the Virtual Machine
Make sure the machine on which you will be installing Software Logger complies with the specifications
listed in the Release Notes for your version, and that the prerequisites listed in "Prerequisites for
Installation" on the previous page are met.

Preinstallation:
You can verify that you have the correct installation file, as described in "Verifying the Downloaded
Installation Software" on page 34.
You can install Logger as a root user or as a non-root user. See "Prerequisites for Installation" on the
previous page for details and restrictions.
Note: You must install Logger in the /opt/arcsight/logger directory.

To install the Logger software:
1. Run these commands from the directory where you copied the Logger installation file:
chmod +x ArcSight-logger-6.2.0.NNNN.0.bin
./ArcSight-logger-6.2.0.NNNN.0.bin -i console

2. The installation wizard launches in command-line mode, as shown below. Press Enter to continue.
Introduction
------------
InstallAnywhere will guide you through the installation of ArcSight
Logger.
It is strongly recommended that you quit all programs before continuing
with this installation.
Respond to each prompt to proceed to the next step in the installation. If
you want to change something on a previous step, type 'back'.
You may cancel this installation at any time by typing 'quit'.
PRESS <ENTER> TO CONTINUE:

3. The next several screens display the end user license agreement. Installation and use of Logger 6.2
requires acceptance of the license agreement. Press Enter to display each part of the license
agreement, until you reach the following prompt:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):

4. Type Y and press Enter to accept the terms of the License Agreement.
You can type quit and press Enter to exit the installer at any point during the installation
process.
5. The installer checks that installation prerequisites are met:
• Operating system check: Logger checks to see if your device is running a supported operating
system. If you are not, a message displays, but it does not prevent you from installing Logger
software. This happens because some update scenarios start with an earlier OS.
• Installation prerequisite check: If a check fails, Logger displays a message. You will need to fix
the issue before proceeding.
For example, if Logger is currently running on this machine, an Intervention Required message
is displayed. In that case, type Y and press Enter to stop all current Logger processes and
proceed with the installation, or type quit and press Enter to exit the installer.

Once all checks complete, the installation continues, and the Choose Install Folder screen is
displayed.
6. From the Choose Install Folder screen, type the installation path for Logger and then press Enter.
The default installation path is /opt. You can install into this location or another location of your
choice.
Note: The user you are installing with must have access to the parent directory of the install
directory. Otherwise, users will not be able to connect to the Logger UI and will see the
following error message when they try to connect, “Error 403 Forbidden. You don't
have permission to access / on this server”.

7. Type Y and press Enter to confirm the installation location.
8. If there is not enough space to install the software at the location you specify, a message is
displayed. To proceed with the installation, specify a different location or make sufficient space at
the location you specified. Type quit and press Enter to exit the installer.
9. If Logger is already installed at the location you specify, a message is displayed. Type quit and
press Enter to exit the installer or type back and press Enter to specify another location and
uninstall the previous version. Click Upgrade to continue or Previous to specify another location.
For upgrade instructions and information, refer to the Release Notes for your version.
10. Type the absolute path to the license file and then press Enter.
11. Review the pre-install summary and press Enter to install Logger.
Installation may take a few minutes. Please wait. Once installation is complete, the next screen is
displayed.
12. If you are logged in as root, the following prompts will be displayed. Type your response and press
Enter after each.
Field | Notes
User Name | This non-root user must already exist on the system. When installing Logger on a VMware VM, use the non-root user arcsight that comes preconfigured on your system.
HTTPS Port | The port number to use when accessing the Logger UI. You can keep the default HTTPS port (443) or enter any other port that suits your needs. If you specify any port except 443, users will need to enter that port number in the URL they use to access the Logger UI.
Choose if you want to run Logger as a system service. | Type 1 and press Enter to configure Logger as a service, or type 2 and press Enter to configure Logger as standalone. Select this option to create a service called arcsight_logger, and enable it to run at levels 2, 3, 4, and 5. If you do not enable Logger to start as service during the installation process, you can still do so later. For instructions on how to enable Logger to start as a service after installation, refer to the Logger Administrator’s Guide.

13. Type the number that describes the desired locale, and press Enter.
14. Press Enter again to initialize Logger components.
Initialization may take a few minutes. Please wait. Once initialization is complete, the next screen is
displayed.
15. Press Enter to configure storage groups and storage volume and restart Logger automatically.
Configuration may take a few minutes. Please wait. Once configuration is complete, Logger starts
up and the next screen displays the URL you should use to connect to Logger.
16. Make a note of the URL and then press Enter to exit the installer.
Now that you are finished installing and initializing your Logger, you can use the URL you noted during
the installation to connect to Logger. For instructions and information, see "Connecting to Logger" on
page 31.

Connecting to Logger
The Logger user interface (UI) is a password-protected web browser application that uses an encrypted
HTTPS connection. Logger 6.2 supports access through the following browsers:
• Chrome (current)
• Edge (on Windows 10)
• Internet Explorer 11
• Firefox ESR 38.3.0, Release 41
• Safari 9.0.1 (on OS X 10.9)

Ensure that Logger’s publicly-accessible ports are allowed through any firewall rules that you have
configured.
• For root installs, allow access to port 443 as well as the ports for any protocol that the Logger
receivers need, such as port 514 for the UDP receiver and port 515 for the TCP receiver.
• For non-root installs, allow access to port 9000 as well as the ports for any protocol that the Logger
receivers need, such as port 8514 for the UDP receiver and port 8515 for the TCP receiver.
Note: The ports listed here are the default ports. Your Logger may use different ports.

JavaScript and cookies must be enabled.
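
The default ports listed above translate into a host firewall policy that admits only known administrators and event sources. The script below is an added example, not part of the HPE guide: it assumes iptables is the host firewall, the function names are hypothetical, and the networks in the usage line are placeholders.

```shell
#!/bin/sh
# Print an iptables rule set for a Logger host using the default ports above.
# Added example: iptables as the host firewall and the function names are
# assumptions; the CIDRs in the usage line are placeholders.
#   ./logger_fw.sh root 10.20.5.0/24 10.20.0.0/16      (review, then pipe to sh)

# logger_ports <root|nonroot>: prints "<https> <udp-receiver> <tcp-receiver>"
logger_ports() {
    case "$1" in
        root)    echo "443 514 515" ;;
        nonroot) echo "9000 8514 8515" ;;
        *)       echo "unknown install type: $1" >&2; return 2 ;;
    esac
}

# logger_rules <root|nonroot> <admin-cidr> <source-cidr>
#   admin-cidr:  hosts allowed to reach SSH and the Logger web UI
#   source-cidr: devices and SmartConnectors that send events; SmartConnectors
#                using SmartMessage connect to the HTTPS port as well
logger_rules() (
    ports=$(logger_ports "$1") || exit 2
    admin=$2
    sources=$3
    set -- $ports          # $1=https  $2=UDP receiver  $3=TCP receiver
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport $1 -j ACCEPT
iptables -A INPUT -p tcp -s $sources --dport $1 -j ACCEPT
iptables -A INPUT -p udp -s $sources --dport $2 -j ACCEPT
iptables -A INPUT -p tcp -s $sources --dport $3 -j ACCEPT
iptables -P INPUT DROP
EOF
)

# Print the rules only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    logger_rules "$1" "$2" "$3"
fi
```

The default-drop policy is emitted last so that the accept rules are already in place when it takes effect.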

Connecting to Logger:
Use the URL configured during Logger installation to connect to Logger through a supported browser.
For Software Logger: https://<hostname or IP address>:<configured_port>
For Logger Appliance: https://<hostname or IP address>
where the hostname or IP address is that of the system on which the Logger software is installed, and
configured_port is the port set up during the Logger installation, if applicable.

Logging into Logger
When the Login dialog is displayed, enter your user name and password, and click Login.
Use the following default credentials if you are connecting for the first time:
Username: admin
Password: password
Note: After logging in for the first time with the default user name and password, you will be
prompted to change the password to a more secure one. Follow the prompts to enter and verify a
more secure password.
For more information about the Login screen and connecting to Logger, refer to the User Interface and
Dashboards chapter of the Logger Administrator's Guide.
Once you have logged in successfully, you can enable the preconfigured receivers and configure
devices, device groups, and storage groups necessary to implement your retention policy. See
"Configuring Logger" on page 46 and refer to the Configuration chapter of the Logger Administrator's
Guide for information on how to set up your Logger to start receiving events.

Starting and Stopping Software Logger
The loggerd command enables you to start or stop the Logger software running on your machine. In
addition, the command includes a number of subcommands that you can use to control other processes
that run as part of the Logger software.
Note: If your Logger is installed to run as a system service, you can use your operating system’s
service command to start, stop, or check the status of a process on Logger.
<install_dir>/current/arcsight/logger/bin/loggerd {start|stop|restart|status|quit}
<install_dir>/current/arcsight/logger/bin/loggerd {start <process_name> | stop <process_name> | restart <process_name>}

To view the processes that can be started, stopped, or restarted with loggerd, click System Admin
from the top-level menu bar. Then, under System, pick Process Status. The processes are listed on the
right under Processes.
The following table describes the subcommands available with loggerd and their purpose.
Command | Purpose
loggerd start | Start all processes listed under the System and Process sections in the figure above. Use this command to launch Logger.
loggerd stop | Stop processes listed under the Process section only. Use this command when you want to leave loggerd running but all other processes stopped.
loggerd restart | This command restarts processes listed under the Process section only. Note: When the loggerd restart command is used to restart Logger, the status message for the “aps” process displays this message: Process ‘aps’ Execution failed. After a few seconds, the message changes to: Process ‘aps’ running
loggerd status | Display the status of all processes.
loggerd quit | Stops all processes listed under the System and Process sections in the figure above. Use this command to stop Logger.
loggerd start <process_name> | Start the named process. For example, loggerd start apache.
loggerd stop <process_name> | Stop the named process. For example, loggerd stop apache.
loggerd restart <process_name> | Restart the named process. For example, loggerd restart apache.

You can also start, stop, and view the status of Logger processes from the System Admin >
System > Process Status page. Refer to the Logger Administrator’s Guide or online help for more
information.

Uninstalling Logger
To uninstall the Logger software, simply delete the VM. Alternatively, you can uninstall the software
Logger from the VM.
If you will be uninstalling the Software Logger over an SSH connection and want to use GUI mode,
make sure that you have enabled X window forwarding using the -X option, so that you can view the
screens of the uninstall wizard. If you will be using PuTTY, you will also need an X client on the machine
from which you are connecting to the Linux machine.
Before uninstalling Logger, stop the Logger processes by using the loggerd stop command, as
described in "Starting and Stopping Software Logger" on page 32.
To uninstall the Logger software, enter this command in the installation directory:
./UninstallerData/Uninstall_ArcSight_Logger_6.2

The uninstall wizard launches. Click Uninstall or press Enter to start uninstalling Logger.

Chapter 5: Configuring Logger
This chapter includes basic deployment and configuration information on the following topics. It is
applicable to all Logger types. If you have installed multiple Loggers, you must connect to each and
configure it separately or use ArcSight Management Center to make bulk configuration changes.

• Receivers
• Devices
• Device Groups
• Storage Rules
• Using SmartConnectors to Collect Events
• Sending Events from ArcSight ESM to Logger

For more information on directly configuring and administering your Logger, refer to the Logger
Administrator’s Guide. For more information on configuring and administering your Logger using
ArcMC, refer to the ArcSight Management Center Administrator’s Guide. For more information on
setting Connectors, refer to the documentation for each Connector.

Receivers
Now that you have finished installing Logger, you can set up receivers to listen for events. Logger
comes preconfigured with several receivers that are ready to receive events and log files directly from
devices and systems on your network, such as syslog servers, NFS, CIFS, or SAN systems. You can use
the preconfigured receivers or add your own. Receivers can be disabled and re-enabled later. You can
add, change, and delete them as needed.
The preconfigured receivers include a TCP receiver, a UDP Receiver, and a SmartMessage receiver
already enabled and ready to receive events. Logger also comes preconfigured with folder follower
receivers for Logger’s Apache Access Error Log, the system Messages Log, and the system Messages
Audit Log (if auditing is enabled on your Linux OS). You must enable these receivers in order to use
them. See "Enabling the Preconfigured Folder Follower Receivers" on the next page for instructions.
The preconfigured receivers are described in more detail in "Receivers" on page 8. For further information
on receivers, refer to the Configuration chapter of the Logger Administrator’s Guide.
Logger can also receive events from ArcSight SmartConnectors that collect event data from sources on
your network. To learn more about ArcSight SmartConnectors, visit
https://www.hpe.com/us/en/solutions/security.html.

Enabling the Preconfigured Folder Follower Receivers
When you first log in by using the URL you configured, the preconfigured folder follower receivers are
disabled. The Home page displays an Add Data button. Click Add Data to open the Receivers
page and enable the receivers.
Tip: Before enabling these receivers, you must make /var/log/audit/audit.log and
/var/log/messages readable by the non-root user you installed with or specified during Logger
installation.

To enable a receiver, click the disabled icon at the end of the row.
Alternatively, you can navigate to the Receivers page from the menu to enable the receivers.

To open the Receivers page from the menu and enable a receiver:
1. Open the Configuration > Data menu and click Receivers.
2. Identify the receiver you want to enable, and click the disabled icon at the end of that row.
For information on how to use the preconfigured SmartMessage receiver, see "Using SmartConnectors
to Collect Events" on page 49.

Devices
Logger begins storing events when an enabled receiver receives data or, in the case of file receivers,
when the files become available. Using a process called autodiscovery, Logger automatically creates
resources called devices to keep track of source IP addresses and uses DNS to map them to hostnames.
Eventually, a device is created for each device from which Logger received events.
You can also create devices preemptively, by entering the IP addresses or hostnames of data sources
that you expect to be sending events to Logger. You might do this if you do not want to wait for
autodiscovery, or if you want to control the initial naming of each device. Discovered devices are named
for their host, or if the DNS lookup fails, for their IP address, and their receiver. For information about
creating devices, refer to the Configuration chapter of the Logger Administrator’s Guide.

Device Groups
Device groups are containers or logical groupings for devices, in the same way folders (or directories)
contain files. They are a name for a group of devices. A given device can be a member of several device
groups. Each device group can be associated with a particular storage group, which would assign a
retention policy.
You can change and delete device groups freely as your needs change. Setting up device groups initially
is not critical; incoming events that are not assigned to a device group are automatically sent to the
Default Storage Group. For the details of setting up device groups, refer to the Configuration chapter
of the Logger Administrator’s Guide.

Storage Rules
Events are stored in the Default Storage Group unless otherwise specified. Storage rules are a way to
direct events from certain device groups to certain storage groups. You can use them to implement
additional retention policies.
If you created additional storage groups, and want to send events to them, you can do that with
storage rules. If you choose not to create storage rules, events from all devices will be sent to the
Default Storage Group and use its specified retention policy.
If you want to implement multiple retention policies, you can create storage rules that associate the
specific device groups with the storage groups that implement the desired retention policy.
For example, you could create one device group for each retention policy. However, for more control,
you could associate device groups with storage groups and storage rules and use them to categorize
events. For example, you could search for events that match a certain pattern and which belong to a
particular device group, and send them to a particular storage group for retention based on event
category.

Storage rules are evaluated in order of priority; the first matching rule determines to which storage
group an event is sent. This approach means that a single device can belong to several device groups
without ambiguity about which storage group it will end up in.
Refer to the Configuration chapter of the Logger Administrator’s Guide for more information on
storage rules.

Using SmartConnectors to Collect Events
Similar to ArcSight Manager, Logger leverages the ArcSight SmartConnectors to collect events.
SmartConnectors can read security events from heterogeneous devices on a network (such as firewalls
and servers) and filter events of interest (and optionally aggregate them) and send them to a Logger
receiver. Logger can receive structured data in the form of normalized Common Event Format (CEF)
events from the SmartConnectors.
This section gives basic information on each of these topics. For details, refer to the documentation for
that Connector.

• SmartMessage
• Downloading SmartConnectors
• Configuring a SmartConnector to Send Events to Logger
• Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager
• Configuring SmartConnectors for Failover Destinations

SmartMessage
SmartMessage is an HPE ArcSight technology that provides an efficient secure channel for Common
Event Format (CEF) events between ArcSight SmartConnectors and Logger.
Caution: SmartMessage and FIPS require SmartConnector 4.7.5 or later. You can download the
latest version from the HPE ArcSight web site.
Older SmartConnectors will work with Logger, but may not support SmartMessage or FIPS.
SmartMessage provides an end-to-end encrypted secure channel using secure sockets layer (SSL). One
end is an ArcSight SmartConnector, receiving events from the many devices supported by ArcSight
SmartConnectors. The other end is a SmartMessage receiver on Logger.
Note: The SmartMessage secure channel uses SSL protocol to send encrypted events to Logger.
This is similar to, but different from, the encrypted binary protocol used between SmartConnectors
and ArcSight Manager.

Downloading SmartConnectors
Contact your HPE ArcSight sales representative or customer support for the location to download the
supported SmartConnectors. To learn more about ArcSight SmartConnectors, visit
https://www.hpe.com/us/en/solutions/security.html.
Note: If you are using ArcSight Connectors to send events to Software Logger, make sure you are
running connector version 5.1.3.5870.0 or later on your connectors to ensure that event size is
accurately accounted on the Logger.

Configuring a SmartConnector to Send Events to Logger
Logger comes pre-configured with a SmartMessage Receiver. To use it to receive events from a
SmartConnector, you must configure the SmartConnector as described below. You can also create new
SmartMessage receivers and configure the SmartConnectors with these newly created receivers. When
configuring a SmartConnector, be sure to specify the correct receiver name.

To configure a SmartConnector to send events to Logger:
1. Install the SmartConnector component using the SmartConnector User’s Guide as a reference.
Specify Logger as the destination instead of ArcSight ESM or a CEF file.
Note: Refer to the documentation that came with your SmartConnector for instructions.
2. Specify the required parameters. Enter the Logger hostname or IP address and the name of the
SmartMessage receiver. These settings must match the receiver in Logger that listens for events
from this connector.
• To use the preconfigured receiver, specify “SmartMessage Receiver” as the Receiver Name.
• To use SmartMessage to communicate between an ArcSight SmartConnector and a Logger
Appliance, configure the SmartConnector to use port 443.
• To communicate between an ArcSight SmartConnector and Software Logger, configure the
SmartConnector to use the port configured for the Software Logger.
• For unencrypted CEF syslog, enter the Logger hostname or IP address, the desired port, and
choose UDP or TCP output.

Configuring SmartConnectors to Send Events to Both Logger and an ArcSight Manager
You can configure a SmartConnector to send CEF syslog output to Logger and send events to an
ArcSight Manager at the same time.
For more information about the Common Event Format (CEF), refer to Implementing ArcSight CEF. For
a downloadable copy of this guide, search for “ArcSight Common Event Format (CEF) Guide” on the
ArcSight Product Documentation Community on Protect 724.
1. Install the SmartConnector normally. Register the SmartConnector with a running ArcSight
Manager and test that the SmartConnector is up and running.
2. Start the SmartConnector configuration program again using the
$ARCSIGHT_HOME/current/bin/runagentsetup script (or arcsight agentsetup -w).
3. Select I want to add/remove/modify ArcSight Manager destinations, then choose Add new
destination.
4. Choose Logger and specify the requested parameters. Restart the SmartConnector for changes to
take effect.

Configuring SmartConnectors for Failover Destinations
SmartConnectors can be configured to send events to a secondary, failover, destination when a primary
connection fails.

To configure a failover destination, follow these steps:
1. Configure the SmartConnector for the primary Logger as described above. The transport must be
raw TCP in order to detect the transmission errors that trigger failover.
2. Edit the agent.properties file in the directory $ARCSIGHT_HOME/current/user/agent, where
$ARCSIGHT_HOME is the root directory where the SmartConnector component was installed.
a. Add this property: transport.types=http,file,cefsyslog
b. Delete this property: transport.default.type
3. Start the SmartConnector configuration program again using the
$ARCSIGHT_HOME/current/bin/runagentsetup script (or arcsight agentsetup -w).
4. Choose I want to add/remove/modify and, with the primary Logger selected, choose Modify.
Then select Add failover destination.
5. Enter information for the secondary Logger.
6. Restart the SmartConnector for the changes to take effect.

7. For more information about installing and configuring ArcSight SmartConnectors, refer to the
ArcSight SmartConnector User's Guide, or specific SmartConnector Configuration Guides, available
from the ArcSight Product Documentation Community on Protect 724.
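
Step 2 of the failover procedure can be scripted so that the edit to agent.properties is repeatable and the original file is kept. The function below is an added example, not part of the HPE guide; its name and the script name in the usage line are hypothetical.

```shell
#!/bin/sh
# Apply step 2 of the failover procedure to a SmartConnector agent.properties.
# Added example: the function and script names are hypothetical.
#   ./failover_transport.sh "$ARCSIGHT_HOME/current/user/agent/agent.properties"

# enable_failover_transport <path-to-agent.properties>
enable_failover_transport() (
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; exit 1; }

    # Keep the first backup so a second run never overwrites the original.
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak" || exit 1

    tmp=$(mktemp) || exit 1

    # Step 2b: drop transport.default.type. Any earlier transport.types line
    # is dropped too, so running the function twice does not duplicate it.
    # grep exits 1 when no line is left, which is not an error here.
    rc=0
    grep -Ev '^[[:space:]]*transport\.(default\.type|types)[[:space:]]*=' \
        "$f" > "$tmp" || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        exit 1
    fi

    # Step 2a: add the transport list from the guide.
    echo 'transport.types=http,file,cefsyslog' >> "$tmp"

    # Write back in place so the owner and mode of agent.properties are kept.
    rc=0
    cat "$tmp" > "$f" || rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Edit the file only when a path is supplied.
if [ "$#" -eq 1 ]; then
    enable_failover_transport "$1"
fi
```

Restart the SmartConnector afterwards, as step 6 requires; the untouched original stays beside the file as agent.properties.bak.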

Sending Events from ArcSight ESM to Logger
The ArcSight Forwarding SmartConnector can read events from an ArcSight Manager and forward
them to Logger as CEF-formatted syslog messages.
Note: The Forwarding SmartConnector is a separate installable file, named similar to this:
ArcSight-4.x.x..x-SuperConnector-.exe

Use build 4810 or later for compatibility with Logger.

To configure the ArcSight Forwarding SmartConnector to send events to Logger:
1. Install the SmartConnector component normally, but cancel the installation when the
SmartConnector Wizard asks whether the target Manager uses a demo certificate.
When the first screen of the SmartConnector Configuration Wizard appears, asking about a demo
certificate, click Cancel.
2. Confirm that you want to exit, then click Done to dismiss the Install Wizard. This will install the
SmartConnector, but leave it un-configured.
3. Create a file called agent.properties in the directory $ARCSIGHT_HOME/current/user/agent,
where $ARCSIGHT_HOME is the root directory where the SmartConnector component was installed.
This file should contain a single line:
transport.default.type=cefsyslog

4. Start the SmartConnector configuration program again using the
$ARCSIGHT_HOME/current/bin/runagentsetup script (or arcsight agentsetup -w).
5. Specify the required parameters for CEF output. Enter the desired port for UDP or TCP output.
These settings will need to match the receiver you create in Logger to listen for events from
ArcSight ESM.

Parameter                            Description
IP/Host                              IP or host name of the Logger
Port                                 514 or another port that matches the receiver
Protocol                             UDP or Raw TCP
ArcSight Source Manager Host Name    IP or host name of the source ArcSight Manager
ArcSight Source Manager Port         8443 (default)
ArcSight Source Manager User Name    A user account on the source Manager with sufficient privileges to read events
ArcSight Source Manager Password     Password for the specified Manager user account
SmartConnector Name                  A name for the ESM to Logger connector (visible in the Manager)
SmartConnector Location              Notation of where this connector is installed
Device Location                      Notation of where the source Manager is installed
Comment                              Optional comments

To configure the Forwarding SmartConnector to send CEF output to Logger and send events to
another ArcSight Manager at the same time, see "Configuring SmartConnectors to Send Events to Both
Logger and an ArcSight Manager" on page 51.
For more information about the Common Event Format (CEF), refer to Implementing ArcSight CEF. For
a downloadable copy of this guide, search for “ArcSight Common Event Format (CEF) Guide” in the
ArcSight Product Documentation Community on Protect 724.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by email. If an
email client is configured on this system, click the link above and an email window opens with the
following information in the subject line:
Feedback on Installation Guide (Logger 6.2)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail client, and send
your feedback to arc-doc@hpe.com.
We appreciate your feedback!
