
Technical white paper

HP CloudSystem Enterprise
HP ArcSight Logger Service Design and Deployment

Table of contents
Executive summary
HP CloudSystem Enterprise 8.1 overview
HP ArcSight overview
HP ArcSight Enterprise Security Manager
HP ArcSight Logger
HP ArcSight Connectors
Sending events to HP ArcSight Logger using Connectors
Assumptions
Overview: HP ArcSight security solution for CloudSystem
HP Cloud Server Automation and VMware vSphere
Configuration process steps
Storage and server requirements
Configuring HP CloudSystem Enterprise
Creating the virtual machine image required for ArcSight Logger deployment
Staging the required software packages and files
Importing software and creating HP Server Automation policies
Configure Cloud Service Automation vCenter and SA Providers
Creating the HP ArcSight Logger vCenter Service Design
Publish and create the service offering
Creating and using the application service
Creating a subscription in HP Cloud Service Automation
Monitoring and troubleshooting a deployment
Accessing the subscribed HP ArcSight Logger Service
Returning the resource
Protecting CloudSystem Enterprise Services with HP ArcSight
Sending events to HP ArcSight Logger using Connectors
Sending events to HP ArcSight Logger in RAW format
Summary
Appendix A: HP ArcSight Logger installer.properties file
Appendix B: HP ArcSight Logger install scripts
Appendix C: HP ArcSight Connector properties file for silent install
Appendix D: Troubleshooting
Appendix E: Server Automation setup for Windows deployment
For more information


Executive summary
Organizations are faced with threats that could disrupt operations and critical IT services. HP CloudSystem Enterprise
provides automation to rapidly deliver compute resources to cloud consumers. Security must be a key consideration to
ensure availability of the components that deliver and provision cloud based services. This document describes how to
configure a Cloud Service Automation Service Design to deploy HP ArcSight Logger into your private cloud. This document
will also show how to configure services with HP ArcSight connector provisioned by an HP CloudSystem Enterprise service
design. An HP ArcSight connector automatically registers to an HP ArcSight Logger server in order for the client services to
forward system events and logs for monitoring.
Target audience: The intended audience of this white paper is system integrators, installers, and administrators who want
to deploy Security-as-a-Service (SecaaS) using HP CloudSystem Enterprise, HP Server Automation, and HP Cloud Service
Automation.

DISCLAIMER OF WARRANTY
This document may contain the following HP or other software: XML, CLI statements, scripts, parameter files. These are
provided as a courtesy, free of charge, AS-IS by Hewlett-Packard Company (HP). HP shall have no obligation to maintain
or support this software. HP MAKES NO EXPRESS OR IMPLIED WARRANTY OF ANY KIND REGARDING THIS SOFTWARE
INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-
INFRINGEMENT. HP SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, WHETHER BASED ON CONTRACT, TORT OR ANY OTHER LEGAL THEORY, IN CONNECTION WITH OR ARISING
OUT OF THE FURNISHING, PERFORMANCE OR USE OF THIS SOFTWARE.

HP CloudSystem Enterprise 8.1 overview


HP CloudSystem is a complete solution for building and managing cloud services in a private- or hybrid-cloud model on and off premise, using a combination of private, managed, and public clouds. Get your cloud up and running quickly with CloudSystem, and smoothly transition to the new style of IT with automated management of traditional and cloud-native workloads.
HP CloudSystem Enterprise provides you:
• Agility. Automate the infrastructure-to-application lifecycle, and manage cloud services throughout from provisioning, to monitoring, to retirement. Powered by OpenStack technologies and enhanced by HP, it works out of the box, so you can build quickly, even with multi-hypervisor, multi-OS, and heterogeneous infrastructures.
• Openness. Powered by a version of OpenStack technologies that have been enhanced and extended for the needs of enterprise customers, HP CloudSystem works out of the box, so you can build quickly, even with multi-hypervisor, multi-OS, and heterogeneous infrastructures.
• Security. HP CloudSystem provides capabilities to make sure services and ongoing operations are secure and resilient. All products and services provide the visibility, control and governance you need across a hybrid IT environment.

HP CloudSystem Enterprise is offered as an HP ConvergedSystem solution, pre-tested, pre-integrated, engineered, and optimized for cloud, so you can spend less time getting ready for cloud, and more time building new cloud services. You can also turn your existing hardware assets into cloud infrastructure by adding CloudSystem software. Either way, HP CloudSystem Enterprise gives you:
Essential cloud management capabilities
• Automated delivery of advanced infrastructure and application services in minutes
• Enterprise-class lifecycle management for cloud services from initial provisioning, through ongoing scaling, updating, and monitoring, to final service retirement
• Hybrid cloud management, with out-of-the-box support for HP Helion Public Cloud, Amazon Web Services, Microsoft Azure, and HP's global network of CloudAgile bursting partners
• Customizable automation of approvals, service delivery and cloud administration tasks, delivered via the HP Operations Orchestration workflow engine
• Optional advanced service automation through HP CloudSystem Enterprise PAA (platform, applications and analytics) add-on software, including automated patch and compliance management with HP Server Automation (SA) and sophisticated database and middleware management with HP Database and Middleware Automation software
• Integrated capacity planning and disaster recovery, delivered by HP Matrix OE software


Advanced usability features


• Fast and easy software installation, with appliance-based packaging
• An administration console that aligns with HP OneView for management consistency and improved productivity across the datacenter
• A drag-and-drop designer for rapidly defining new multi-tier cloud services
• A consumer-inspired self-service marketplace portal, powered by HP Cloud Service Automation, that makes it easy for consumers to request cloud services

Business-friendly economics
• An open architectural foundation, based on the HP implementation of OpenStack technology, that delivers innovation and consistency across HP's cloud portfolio
• Open programming interfaces, including OpenStack APIs, for integrating with other systems
• Cloud-ready licensing, to support IT transformation at the business level
• Investment protection for HP CloudSystem Matrix users

HP ArcSight overview
HP ArcSight is part of HP's enterprise software security portfolio along with HP TippingPoint and HP Fortify. The following is
a brief overview of the different components of the HP ArcSight software offerings: HP ArcSight Enterprise Security
Manager (ESM), HP ArcSight Logger, and HP ArcSight Connectors.

HP ArcSight Enterprise Security Manager


HP ArcSight Enterprise Security Manager (ESM) is the premiere security event manager that analyzes and correlates every
operational event (login, logoff, file access, database query), or other event in order to support your IT team in every aspect
of security event monitoring, from compliance and risk management to security intelligence and operations. The ArcSight
ESM event log monitor sifts through millions of log records to find the targeted critical events, and presents them in real
time via dashboards, notifications, and reports, so you can accurately prioritize security risks and compliance violations. By
adding HP Reputation Security Monitor (RepSM), vetted reputation-based threat intelligence can be correlated with security
events to identify threats earlier and to detect and avert even the most sophisticated attacks.
Key benefits:
• A cost-effective solution for all your regulatory compliance needs
• Automated log collection and archiving
• Fraud and Real-time threat detection
• Forensic analysis capabilities for cyber security
• Detect threats early using timely reputation data with HP RepSM

HP ArcSight Logger
With HP ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT
operations to efforts that prevent insider and advanced persistent threats. This universal log management solution collects
machine data from any log-generating source and unifies the data for searching, indexing, reporting, analysis, and
retention. And in the age of Bring Your Own Device (BYOD) and mobility, it enables you to comprehensively manage an
increasing volume of log data from an increasing number of sources.
Key features:
• Collect logs from any log generating source through 300+ connectors from any device and in any format
• Unify data across IT through normalization and categorization, into a common event format (CEF registered)
• Search through millions of events using a text-based search tool with a simple interface
• Store years' worth of logs and events in a unified format through a high compression ratio at low cost
• Automate analysis, alerting, reporting, intelligence of logs and events for IT security, IT operations, IT Governance Risk Management and Compliance (GRC), and log analytics


HP ArcSight Connectors
HP ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the HP ArcSight
Security Information & Event Management (SIEM) Platform can collect log records in native formats, HP ArcSight Connectors
provide normalization to a common format, which greatly improves reporting and analysis. By normalizing all events into
one common event taxonomy, HP ArcSight Connectors decouple analysis from vendor selection. This approach has four
significant advantages:
• Centrally manage 300+ connectors through HP ArcSight Connector Appliance (ConApp): HP ArcSight Connector appliance manages the ongoing updates, upgrades, configuration changes and administration of a distributed log collection deployment through a simple and centralized web-based interface. ConApp can be deployed both as an appliance and software.
• Future proofing: If a Cisco router is swapped for an HP Networking router or if a new SQL database or Hadoop solution is added to a network that previously only had Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity.
• Ease of analysis: The HP ArcSight common event format eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-technical line of business users can easily conduct analysis on their own, reducing the burden on IT.
• Universal content relevance: With the HP ArcSight normalized format, a report that shows authentication failures will cover every system automatically, even though one application may refer to authentication failures with a specific event ID while a database refers to the same as an unsuccessful login.

This unique architecture is supported across hundreds of commercial products out-of-the-box as well as legacy systems.
HP ArcSight Connectors also offer various audit quality controls including secure, reliable transmission and bandwidth
controls. In addition to software-based deployments, HP ArcSight Connectors are available in a range of plug-and-play
appliances that can cost-effectively scale from small store or branch office locations to large datacenters. Connector
appliances enable rapid deployment and eliminate delays associated with hardware selection, procurement and testing.

Sending events to HP ArcSight Logger using Connectors


HP ArcSight Connectors can be installed on host operating systems to collect operating system event information. This
information is converted to the standard CEF format at each host by the HP ArcSight Connector. Log events are collected by
the HP ArcSight Connectors and sent to a SmartMessage receiver configured on the HP ArcSight Logger. Figure 1 illustrates
log data being sent from the CloudSystem Enterprise nodes to the UDP and SmartMessage receivers on the ArcSight
Logger.


Figure 1. HP ArcSight Connectors and logging to the HP ArcSight Logger
[Diagram labels: ArcSight Connector, SmartMessage Receiver; hosts: vcenter.cloud.internal, rhel01.cloud.internal, rhel02.cloud.internal, win01.cloud.internal, win02.cloud.internal, as-logger.cloud.internal]

Assumptions
This implementation assumes that the reader has a general understanding of the HP CloudSystem Enterprise 8.1
environment and is capable of creating and deploying subscription services, is comfortable with Red Hat Enterprise Linux
(RHEL) 6 distributions, and able to administer these environments. The reader should have basic knowledge about HP
CloudSystem Enterprise components including HP CloudSystem Foundation, HP Cloud Service Automation, and HP
Operations Orchestration as well as HP Server Automation. While knowledge about HP Helion Public Cloud and OpenStack
technologies is not required per se, a working understanding of these technologies will be helpful for debugging any
problems that may arise.
It is assumed that a CloudSystem Enterprise 8.1 solution has been deployed, configured and is working. It is also assumed
that HP Server Automation has been installed and configured before attempting to deploy this implementation. Links to the
documentation for installing, configuring, and verifying these components and their interoperability can be found in the For
more information section at the end of this document. Table 1 lists the versions used on this reference implementation.

Table 1. Software components versions used for this implementation

Component                      Version
HP CloudSystem Enterprise      HP CS 8.1
HP Cloud Service Automation    4.1 (CSA)
HP Operations Orchestration    10.10 (OO)
HP Server Automation           HP SA 10.10
HP OO-SA Content Pack          1.1.0
HP ArcSight Logger             HP AS Logger 6.0

Finally, it is assumed that the reader is familiar with HP OneView or HP Virtual Connect Enterprise Manager and is
comfortable with configuring networking and server profile settings using these tools.


Overview: HP ArcSight security solution for CloudSystem


HP CloudSystem Enterprise is the integrated bundle of HP CloudSystem Foundation, HP Cloud Service Automation, and HP
Operations Orchestration. HP Server Automation is included in HP CloudSystem Enterprise PAA (Platform, Applications, and
Analytics) add-on software. This document describes how to deploy an HP ArcSight Logger service using HP CSA with
VMware vSphere.
The implementation will show the Topology Design feature included in HP CSA 4.1 and how it can be used to automatically
deploy software components such as HP ArcSight on top of deployed virtual machine (VM) instances.

HP Cloud Server Automation and VMware vSphere


Deployment of an HP ArcSight Logger service using VMware vSphere as a compute provider in HP Cloud Server Automation
is shown in Figure 2 and is described in the steps below:
1. The User requests a service through the HP Cloud Service Automation Marketplace Portal.
2. HP Cloud Service Automation uses an HP Operations Orchestration workflow to make a request to deploy a virtual
machine to VMware vSphere vCenter.
3. VMware vSphere vCenter deploys a pre-created virtual machine template.
4. The virtual machine is deployed on a VMware Host.
5. When the creation request is complete, an Operations Orchestration workflow requests the HP ArcSight Logger
Application deployment using Server Automation.
6. Once the application deployment successfully completes, the user can access the HP ArcSight Logger application using
a web browser.

Figure 2. End to end deployment of HP ArcSight Logger
[Diagram: Deploying ArcSight Logger through HP CloudSystem Enterprise on VMware vSphere. Labels: User, Subscriber Portal, Admin, Management Console, HP Cloud Service Automation, HP Operations Orchestration, VMware vCenter, HP Server Automation, ESXi hosts with VMs, HP BladeSystem]

Configuration process steps


This reference implementation details the major steps required to install and configure the HP ArcSight Logger application.
They include the following:
1. Creating the scripts and staging the binaries required for the reference implementation.
2. Creating the base virtual machine image required for the HP ArcSight Logger application deployment.
3. Importing and customizing the HP Server Automation software policies.
4. Creating Service Designs and publishing Service Offerings in CSA.
5. Creating and using the application service.

After these steps are complete, the application will be available for business users to automatically deploy using the CSA
Marketplace Portal (MPP).
A final step is also included that will decommission the service and return the resources to the HP CloudSystem Enterprise
environment.


Storage and server requirements


The information below defines the requirements for HP ArcSight Logger 6.0 used in this reference implementation. If you
plan to use a different version, refer to the HP ArcSight Logger Administrator's Guide or Release Notes for the supported OS
types and system configurations for the version of Logger you need to deploy.
1. Operating system: Red Hat Enterprise Linux (RHEL) version 6.5
2. CPU, memory, and disk space:
A. Downloadable Version and VM Instances (option used in the reference implementation)
i. CPU: 1 or 2 x Intel Xeon Quad Core or equivalent
ii. Memory: 12 GB
iii. Minimum disk space: 18 GB (free disk space for the Logger installation directory is 10 GB minimum)
B. For the Enterprise Version of HP ArcSight Logger
i. CPU: 2 x Intel Xeon Quad Core or equivalent
ii. Memory: 12 - 24 GB (24 GB is recommended)
iii. Disk space: 65 GB (minimum)
Notes:
1. The disk space needs to be on the partition where you will install the Logger software.
2. Using NFS as primary storage for events on the HP ArcSight Logger is not recommended.
3. Make sure no other applications are running on the system on which you install HP ArcSight Logger.

Configuring HP CloudSystem Enterprise


This reference implementation provides the steps required to create the necessary components for deploying HP ArcSight
Logger using HP CloudSystem Enterprise.

Creating the virtual machine image required for ArcSight Logger deployment
The instructions below describe how to create the virtual machine image used for ArcSight Logger deployment. The image
can be created on the VMware vSphere host through VMware vCenter. The virtual machine image must include the Server
Automation agent (SA Agent) in order for application installation to succeed.
1. Create a base Red Hat Enterprise Linux (RHEL) 6.5 Virtual Machine:
A. Configure RHEL as a Basic Server, using DHCP network and include the management network connected to your
SA server. Specify a hostname, e.g. as-logger, instead of the default localhost.
B. Install VMware tools on the VM, reboot afterwards.
C. After the Linux installation completes and the VM boots, obtain the IP address of your virtual machine.
2. Configure the RHEL VM network and security settings:
A. Change the IPv4 firewall, if enabled, to allow management using Server Automation and ArcSight access by
editing the /etc/sysconfig/iptables file and adding the following entries after -A INPUT -i lo -j ACCEPT:
i. -A INPUT -m state --state NEW -m tcp -p tcp --dport 1002 -j ACCEPT
ii. -A INPUT -m state --state NEW -m tcp -p tcp --dport 9000 -j ACCEPT
B. Disable SELinux in your VM template. Edit /etc/selinux/config:
i. Change SELINUX=enforcing to SELINUX=disabled
C. Change the networking to allow deployment of virtual machines using this VM image:
i. Edit /etc/sysconfig/network-scripts/ifcfg-eth0:
• Remove the HWADDR= line.
• Verify the setting ONBOOT=yes.
ii. Delete /etc/udev/rules.d/70-persistent-net.rules.
D. Edit /etc/security/limits.d/90-nproc.conf file. If the file and limits.d directory are missing, create
them. If the file already exists, delete all entries and add the following lines:
i. * soft nproc 10240
ii. * hard nproc 10240
iii. * soft nofile 65536
iv. * hard nofile 65536


E. Edit the /etc/sudoers file. Comment out the Defaults requiretty line by prepending a hash character (#), so that it
reads #Defaults requiretty. This is required for running the installation script as a non-root user in SA.
F. Create a non-root user, e.g. arcsight, and assign a password. ArcSight Logger requires a non-root user to be
installed.
i. useradd arcsight
ii. passwd arcsight
G. Reboot the VM.
3. Install the HP SA Agent on the VM:
A. From Server Automation Java Client, choose the Devices tab, then Servers > SA Agent Installation.
B. In the dropdown box, select Explicit IPs/Hostnames. Enter the IP address of your virtual machine and click on the
Scan button.
C. Right-click on the discovered server and select the Install SA Agent option. Enter the Username and password.
Under Actions select Verify prerequisites, copy installer and install agent.
D. Click on Start Job to copy the agent files to the VM. Click Close once the job is completed.
E. Click on the All Managed Servers option to open the All Managed Servers window.
F. Click on the View dropdown menu and select Properties.
G. Click on the virtual machine on which the agent was installed.
H. Record the Object ID of the virtual machine, which can be found in the Management Information section of the
Properties panel.
4. Sanitize the SA Agent installed on the VM:
A. Go to the Library tab and then By Type.
B. Expand the Extensions folder.
C. Select Program.
D. Locate the BRDC HPSA agent sanitizer.
E. Execute the BRDC HPSA agent sanitizer APX:
i. Right-click the APX and select Run...
ii. Select the Options tab in the Run Program Extension dialog.
iii. In the Specify any needed parameters for this program execution field, enter the Object ID, which you
previously obtained in Step 3H.
F. Click Start Job. When the sanitization completes, click Close.
5. Edit networking then gracefully shut down the virtual machine.
A. Delete /etc/udev/rules.d/70-persistent-net.rules.
B. Run shutdown -h now from the command line, or shut down the guest OS of the VM from vCenter.
6. Convert the image to a VMware VM template. In the vSphere Client, right-click the VM, expand the Template dropdown,
and select Convert to Template.
7. Remove the server entry in SA:
A. Go to Devices > Servers > All Managed Servers.
B. Locate the server whose SA agent you just sanitized in step 4.
C. Right-click on the server and select Deactivate SA Agent.
D. Click the Deactivate confirm button.
E. Right-click on the server again and select Remove from SA.
F. Click the Remove from SA button.
8. (OPTIONAL) Verify if the SA agent installs.
A. Deploy a VM from the template.
B. If the SA agent and changes were done correctly, the VM should automatically register its SA agent after boot up.
C. You can verify it from the Devices tab of SA. Go to Servers > All Managed Servers. On the toolbar, click View >
Refresh. It takes about 3 to 5 minutes after booting for the server to show up. If the server does not automatically
register after 5 minutes, verify steps 3 and 4 above.
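
The settings from step 2 can be checked on the VM before it is converted to a template in step 6. The script below is an added example, not part of the original white paper or of any HP tooling; the function names check_template and make_sample_root, the optional ROOT and USER arguments, and the sample file tree are assumptions made for illustration. The check that the new firewall rules sit before a catch-all REJECT goes beyond what step 2A states and relies on iptables evaluating rules in order.

```bash
#!/bin/bash
# Added example: audit a RHEL 6 template's files against step 2 of the procedure.
# Usage: check_template [ROOT] [USER]  (ROOT defaults to the live system, USER to
# arcsight). Function names and the sample tree are illustrative assumptions.
TEMPLATE_FAILS=0
note_fail() { echo "FAIL: $1"; TEMPLATE_FAILS=$((TEMPLATE_FAILS + 1)); }
# Print the line number of the first line in file $2 that matches pattern $1.
first_line() { grep -n -e "$1" "$2" 2>/dev/null | head -n 1 | cut -d: -f1; }

check_template() {
    root=${1:-}; root=${root%/}; user=${2:-arcsight}; TEMPLATE_FAILS=0

    # 2A: if a firewall file exists, tcp/1002 and tcp/9000 must be accepted after
    # the loopback rule and (assumption: rules are evaluated in order) before any
    # catch-all REJECT, otherwise the new rules never match.
    ipt="$root/etc/sysconfig/iptables"
    if [ -f "$ipt" ]; then
        lo=$(first_line '^-A INPUT -i lo -j ACCEPT' "$ipt")
        rej=$(first_line '^-A INPUT -j REJECT' "$ipt")
        for port in 1002 9000; do
            at=$(first_line "^-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT" "$ipt")
            if [ -z "$at" ]; then
                note_fail "iptables: no ACCEPT rule for tcp/$port"
            elif [ -n "$lo" ] && [ "$at" -lt "$lo" ]; then
                note_fail "iptables: tcp/$port rule precedes the loopback rule"
            elif [ -n "$rej" ] && [ "$at" -gt "$rej" ]; then
                note_fail "iptables: tcp/$port rule follows REJECT and never matches"
            fi
        done
    fi
    # 2B: SELinux setting required by the procedure
    if ! grep -q '^SELINUX=disabled' "$root/etc/selinux/config" 2>/dev/null; then
        note_fail "selinux: SELINUX=disabled not set"
    fi
    # 2C: no pinned MAC address, interface up at boot, no stale udev rule
    ifcfg="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    if grep -q '^HWADDR=' "$ifcfg" 2>/dev/null; then
        note_fail "ifcfg-eth0: HWADDR= line still present"
    fi
    if ! grep -Eq '^ONBOOT="?yes"?' "$ifcfg" 2>/dev/null; then
        note_fail "ifcfg-eth0: ONBOOT=yes not set"
    fi
    if [ -e "$root/etc/udev/rules.d/70-persistent-net.rules" ]; then
        note_fail "udev: 70-persistent-net.rules must be deleted"
    fi
    # 2D: the limits file holds exactly the four entries from the procedure
    lim="$root/etc/security/limits.d/90-nproc.conf"
    for entry in "soft nproc 10240" "hard nproc 10240" "soft nofile 65536" "hard nofile 65536"; do
        pat=$(echo "$entry" | sed 's/ /[[:space:]]+/g')
        if ! grep -Eq "^\*[[:space:]]+$pat[[:space:]]*\$" "$lim" 2>/dev/null; then
            note_fail "limits: missing '* $entry'"
        fi
    done
    extra=$(grep -Evc '^[[:space:]]*(#|$)' "$lim" 2>/dev/null || true)
    if [ "${extra:-0}" -gt 4 ]; then
        note_fail "limits: 90-nproc.conf has entries beyond the four required"
    fi
    # 2E: requiretty must be commented out for the non-root install run from SA
    if grep -Eq '^[[:space:]]*Defaults[[:space:]]+requiretty' "$root/etc/sudoers" 2>/dev/null; then
        note_fail "sudoers: 'Defaults requiretty' is still active"
    fi
    # 2F: the non-root install account exists
    if ! grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
        note_fail "passwd: user '$user' not found"
    fi
    [ "$TEMPLATE_FAILS" -eq 0 ]
}

# Constructed sample: a minimal file tree that satisfies every check above.
make_sample_root() {
    d=$1
    mkdir -p "$d/etc/sysconfig/network-scripts" "$d/etc/selinux" \
             "$d/etc/security/limits.d" "$d/etc/udev/rules.d"
    cat > "$d/etc/sysconfig/iptables" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1002 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo 'SELINUX=disabled' > "$d/etc/selinux/config"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$d/etc/sysconfig/network-scripts/ifcfg-eth0"
    printf '* soft nproc 10240\n* hard nproc 10240\n* soft nofile 65536\n* hard nofile 65536\n' \
        > "$d/etc/security/limits.d/90-nproc.conf"
    echo '#Defaults requiretty' > "$d/etc/sudoers"
    echo 'arcsight:x:500:500::/home/arcsight:/bin/bash' > "$d/etc/passwd"
}

# Demo on the constructed tree; on the VM itself, run check_template as root.
demo=$(mktemp -d) && make_sample_root "$demo"
check_template "$demo" && echo "template files match step 2"
rm -rf "$demo"
```

Each FAIL line names the sub-step to revisit; a zero exit status means all of step 2's file-level settings are in place.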

Staging the required software packages and files


There are five files required to create an ArcSight Logger software package. A valid license file is required to install the
ArcSight Logger binaries. The installer.properties file is an unattended answer file for ArcSight Logger. Two shell scripts
need to be created and customized to one's target environment for installation and uninstall.


Create a temporary folder on your central management station (CMS) and stage the following files in that folder.
1. ArcSight Logger install file (ArcSight-logger-6.0.0.xxxx.x.bin):
A. The software could either be ordered through an HP Sales representative or downloaded as a trial version from
the HP ArcSight website, hp.com/go/arcsight.
2. License file for ArcSight Logger:
A. The file is REQUIRED when creating the installer.properties file. Contact your HP Sales representative to obtain
a license to be used for the unattended (silent) installation.
3. installer.properties file:
A. See Appendix A: HP ArcSight Logger installer.properties file for information on generating the installer.properties
file.
4. install.sh and uninstall.sh scripts:
A. Scripts required to install Logger as a non-root user.
B. See Appendix B: HP ArcSight Logger install scripts for samples.

The items listed above were used to develop and test the reference implementation. Newer versions of ArcSight Logger
may be available and supersede what was used here. If you are unable to obtain the listed version, be sure that the new
version is compatible, and includes all the necessary dependencies. Also note that the installer.properties file syntax varies
between versions of ArcSight Logger. Refer to the Administrator's Guide for ArcSight Logger for the proper syntax or steps
to create the installer.properties file for your version.

Importing software and creating HP Server Automation policies


HP Server Automation policies are used to deploy and configure the ArcSight Logger application. The required files staged
earlier will now be imported into HP Server Automation and used in software policies.
Importing the packages
To import software into HP Server Automation, complete the following steps:
1. Create the ArcSight Logger install bundle:
A. Place the files from the previous section (ArcSight Logger installer, installer.properties, install.sh, uninstall.sh and
the license file) into a folder called asloggersd.
B. Compress the folder into a ZIP archive file named asloggersd.zip. You can do this with programs like WinZip
or 7-Zip on Windows, or using the zip command on a Linux system.
2. Log in to HP Server Automation Java Client as an administrative user.
Note: You can download the Server Automation Java client from the Server Automation web client accessible at
https://<SA Core IP address>. The link to download the Java client is on the login page. Click on Download
Hewlett-Packard Launcher to install the application. The installer has an option to create a shortcut on your desktop.
You don't need to log in to the web client.
3. Select Library from the button on the bottom left. Click on the By Folder tab and right-click on the Library folder then
select Import Software.
4. Click Browse to the right of the File(s) field and select the asloggersd.zip file created in step 1. The Type field
should be automatically set to ZIP Archive (.zip).
5. Change the value for Folder to /Package Repository/All Red Hat Linux/Red Hat Enterprise
Linux Server 6 X86_64. Click Select.
6. Change the value for Platforms to Red Hat Enterprise Linux Server 6 X86_64.
7. Click Import.
8. Browse to Library/Package Repository/All Red Hat Linux/Red Hat Enterprise Linux
Server 6 X86_64.
9. Right-click the asloggersd.zip package and select Open.
A. In the Views tree select Properties and set Default Install Path to /tmp.
B. Select the Install Scripts.
C. In the Post-Install Script tab, enter the following two lines of code:
    chmod -R 777 /tmp/asloggersd
    /tmp/asloggersd/install.sh
i. The first line gives a non-root user read/write/execute access to the install files.
ii. The second line executes the install script as a non-root user. The script restores the permissions of the /tmp
directory to 755.


10. Go to File > Save to save your changes. Close the window.

Creating the ArcSight Logger software policy


1. Right-click the Library folder and select New Software Policy.
2. Set the following values:
A. Set Name to ArcSight Logger.
B. Click Select and set the Location to /Package Repository/All Red Hat Linux/Red Hat
Enterprise Linux Server 6 X86_64.
C. Set the OS to Red Hat Enterprise Linux Server 6 X86_64.
3. Select Policy Items in the Views panel.
4. Click Add in the toolbar. Click on the Browse Folders tab.
5. Expand the Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6
X86_64 folder.
6. Select the asloggersd.zip file.
7. Click Select.
8. On the File menu, click Save to save the ArcSight Logger software policy.
9. Close the window.

Configure Cloud Service Automation vCenter and SA Providers


Before importing the sample service design for HP ArcSight Logger for vCenter, you must configure the resource providers
for VMware vCenter and HP Server Automation. To configure the resource providers, complete the following steps:
1. Launch HP Cloud Service Automation:
A. Enter the URL for the HP CloudSystem Console in a web browser and log in as an administrator user.
B. The default URL is https://<HP CloudSystem Foundation Server IP or hostname>.
C. On the CloudSystem dropdown menu, go to Enterprise.
D. Under Tools, click Cloud Service Management Console to launch the HP Cloud Service Automation (CSA)
Administrator portal.
E. Bookmark this webpage URL for CSA so that you can go directly to the shortcut instead of going through the link
from CloudSystem Console.
2. Log on to the CSA Administrator portal using an account with administrator privileges, e.g., admin.
3. Select the Providers tile.
4. Create the VMware vCenter provider.
A. Select VMware vCenter on the list of providers on the left panel.
B. Click the Create button on the main panel.
C. Provide the entries for the required fields.
i. Display Name = VMware vCenter for HP CloudSystem
ii. User ID = administrator
iii. Password = administrator password used to log in on the vCenter client
iv. Service Access Point = https://vcenter.cloud.internal:443
D. Click Create to save the settings.
E. Select the Properties tab:
i. Click on DATACENTERNAME to launch the Edit Property dialog.
ii. Enter the Datacenter Name configured in vCenter on the Property Value field.
iii. Click Save on the Edit Property dialog.
5. Open the newly created vCenter provider then go to the Components tab.
A. Verify the presence of the vCenter Server and vCenter Network Interface components.
6. Create the HP Server Automation provider:
A. Select HP Server Automation on the list of providers on the left panel.
B. Click the Create button on the main panel.


C. Provide the entries for the required fields.
i. Display Name = SA for HP CloudSystem
ii. User ID = hpsa_admin (administrator user pre-configured in HPSA)
iii. Password = hpsa_admin user password
iv. Service Access Point = https://<SA server IP address>:443
D. Click Create to save the settings.
7. Open the newly created Server Automation provider then go to the Components tab. Import the SA software policy
called ArcSight Logger created in the previous section as a component:
A. Click the Manage button to go to the Topology Components list.
B. Click the Import button.
C. Select HP Server Automation for the Import Source and leave Source Type as Live instance then click Next.
D. Select ArcSight Logger from the list of HPSA Software Policies then click Finish.

Creating the HP ArcSight Logger vCenter Service Design


The following are the steps to create a service design that will deploy an instance of ArcSight Logger in a VM using vCenter.
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Go to Designs → Topology Designer.
3. Click the Create button.
4. On the Create Design dialog enter the following field values then click Finish:
A. Name = ArcSight Logger for vCenter
B. Description = [OPTIONAL]
C. Version = 1.0.0 (this is the version of the service design, not of ArcSight Logger)
D. Palette = none
5. Create the topology layout on the Editor tab.
A. Create vCenter and ArcSight Logger server components:
i. Mouse over the white canvas and left-click when you see a grey square.
ii. Select vCenter Server. Optionally, change the server label to something else.
iii. Mouse over the canvas next to the vCenter Server component and left-click when you see a grey square.
iv. Select ArcSight Logger. Optionally, change the server label to something else.
B. Connect the server components as shown in Figure 3:
i. Mouse over to the vCenter server until you see a connector represented by a hollow circle on its border.
ii. Click on the connector and drag it to the ArcSight Logger server.

Figure 3. Connecting server components in CSA Designer

C. Provide server properties for the vCenter Server component:


i. Click on the vCenter server component.
ii. Provide the pre-defined values specified in Table 2 that match your environment.
D. There are no server properties for the ArcSight Logger server component. Click Save.


Table 2. ArcSight Logger Server Properties

| Property | Value | Description |
|---|---|---|
| vmTemplateReference | String | Name of the OS Template in VMware vCenter to use for the ArcSight Logger instance. |
| customizationSpec | String | VM Template Customization Specification. Customization Specifications are defined in VMware vCenter in Home → Custom Specifications Manager. |
| vmNamePrefix | String | Prefix to the ArcSight Logger VM hostname. |
| username | String | The username used for the root user configured on the ArcSight Logger VM. |
| password | String | The password used for the root user configured on the ArcSight Logger VM. |

6. (OPTIONAL) Test your service design.


A. Go to the Overview tab of the Design Details page.
B. Click the Test Run button.
C. Provide the Name of the Test Run. The rest of the fields are optional. Click Finish.
D. Click View to check the status. You may need to refresh the page to reflect the current status.
E. If the test run failed, troubleshoot the issue by following the steps described in the section called Monitoring and
troubleshooting a deployment.

Publish and create the service offering


A service offering must be published and created in HP Cloud Service Automation before subscribers can request services
based on this service design.
To publish a service offering, complete the following steps:
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Go to Designs → Topology Designer.
3. Select the service design called ArcSight Logger for vCenter created from the earlier step.
4. On the Overview tab, click the Publish button.
5. Click Yes to the Confirm Publishing pop-up.

To create a service offering in the default catalog, complete the following steps:
1. Go to Offerings.
2. In the All Offerings panel, click Create.
3. On the Create Offering dialog:
A. Select the Service Design by clicking the ellipsis button.
B. Select the Topology Design named ArcSight Logger for vCenter then click the Select button.
C. Enter ArcSight Logger 6.0.0 for vCenter on the Display Name.
D. [OPTIONAL] Description and Image for the offering.
E. Click the Create button.

HP Cloud Service Automation is installed with a default global catalog named Global Shared Catalog. When you publish a
service offering in this global catalog, that service offering will be visible in every organization's Cloud Subscriber Portal.
1. On the Offerings details page:
A. Go to the Publishing tab.
B. Click Publish to launch the Publish Service Offering dialog.
C. Select Global Shared Catalog.
D. Expand the In Category dropdown and select a category, i.e. Application Services.
E. Click Publish on the Publish Service Offering dialog.
F. Click Close on the Success message box.


Verify the published service offering:


1. Go back to the main page of HP Cloud Service Automation.
2. Go to Catalog.
3. Select the Global Shared Catalog.
4. Go to the Offerings tab and you should see the offering for ArcSight Logger.

Creating and using the application service


This section gives examples of how a subscriber can order the HP ArcSight Logger service using HP Cloud Service
Automation. It does not give a complete list of what the subscriber can do.

Creating a subscription in HP Cloud Service Automation


You can order the HP ArcSight Logger service from the HP Cloud Service Automation Marketplace Portal (MPP).
1. Launch HP Cloud Service Automation Marketplace Portal:
A. Enter the URL for the HP CloudSystem Console in a web browser and log in as an administrator user.
B. The default URL is https://<HP CloudSystem Foundation Server IP or hostname>.
C. On the CloudSystem dropdown menu, go to Enterprise.
D. Under Tools, click Marketplace Portal to launch HP Cloud Service Automation Marketplace Portal.
E. Bookmark this webpage URL for MPP so that you can go directly to the shortcut instead of going through the link
from CloudSystem Console.
2. Click Log In and enter the following information:
A. User Name: Your HP Cloud Service Automation Consumer Portal user name, i.e. consumer.
B. Password: Your HP Cloud Service Automation Consumer Portal password.

3. Expand the Sidebar Menu by clicking on the icon shortcut and select Browse Catalog.
4. Select the service offering called ArcSight Logger 6.0.0 for vCenter.
5. Click the Checkout button.
6. Provide a Subscription Name of your choice, i.e. ArcSight Logger 6.0.0 Subscription. Description is optional.
7. Click the Submit Request button to deploy the service offering request.
8. You can monitor the progress of the request by clicking the View Requests button on the Request Confirmation
details.
9. The status of your subscription can be monitored on the subscriptions panel by clicking Subscriptions on the Sidebar
Menu. A typical end-to-end deployment takes 15 to 20 minutes to complete.

Note: This reference implementation uses the default MPP. If your environment is set up for a different consumer
organization, the unique URL for the MPP organization could be found on the organization page in the CSA Administrator
portal.

Monitoring and troubleshooting a deployment


If you wish to follow the service deployment process more closely, you can do so through the various provider interfaces.
Refer to Appendix D: Troubleshooting for solutions to some of the possible issues you may encounter during deployment.

VMware vCenter
The first part of the service deployment process is the creation of the virtual machine through VMware vCenter.
1. Log in to VMware vCenter and navigate to Home → Inventory → Hosts and Clusters, where you can see the virtual
machine being created.
2. You can track the progress of the deployment request in the Recent Tasks section of the interface or under
Home → Management → Events.

HP Server Automation
Once the virtual machine is deployed, you can check the progress of the service deployment process in HP SA.
1. Launch the HP Server Automation Java Client.
2. Click View → Jobs and Sessions → Job Logs in the main menu.


3. Double-click the Job Status associated with the deployment.


4. You can track the progress by clicking on the currently running Action.

HP Operations Orchestration Central


In the event of an error during deployment, you can verify the details of the error via HP OO.
1. From the HP CloudSystem Console's main menu, go to Integrated Tools → Integrated UIs → HP Operations
Orchestration Central.
2. In HP OO, go to Run Management and double-click the Run Name associated with the deployment.
3. Expand the details by viewing them in Table View.

If running multiple deployments, you can go directly to the HP OO job status from the CSA Management Console Operations
tile.
1. On the CSA Management Console Operations main page, click the User Name associated with the deployment being
monitored.
2. On the Subscriptions tab, select the Subscription Details row associated with the deployment.
3. Go to the Events tab. Click the row associated with the deployment Event.
4. Click the Process ID hyperlink to automatically launch HP OO.
5. After logging in as an HP OO administrator user, you will be redirected to the appropriate Run Management location.
You can expand the details by viewing them in Table View.

Accessing the subscribed HP ArcSight Logger Service


The HP ArcSight Logger application is configured from a web browser interface to the application tier of your deployed
service.
1. Log on to the HP Cloud Service Automation Marketplace Portal (MPP) using your consumer user account (or the same
account you used to deploy the service).
2. On the main page of the MPP, expand the Sidebar Menu and select My Services.
3. Select the ArcSight Logger service. If it successfully deployed from the previous step, the service will have a green
Online Services banner.
4. On the My Service Details for the deployed service, scroll down to the ArcSight Logger Server. Take note of the
ipAddress value.
5. Using the web server IP address, open the following URL in a web browser:
https://<web server ip address>:9000
Note: Port 9000 is the default port assigned for non-root ArcSight Logger users. If a different port was used on the
installer.properties installation file, use that instead.
6. Log in with the HP ArcSight Logger default username (admin) and password (password).

Returning the resource


If you no longer need the deployed HP ArcSight Logger service, this section describes the steps to return the resources used.
Do not run these steps if you want to launch further deployment tests using HP ArcSight Connectors for Windows and Linux,
described in detail in the next section.
To conclude the subscription, we will cancel the subscription to return the resources to our pool. Cancel a subscription by
going through the following steps:
1. Log on to the HP Cloud Service Automation Marketplace Portal using your consumer user account (or the same account
you used to deploy the service).
2. On the main page of the MPP, expand the Sidebar Menu and select My Services.
3. Select the ArcSight Logger service subscription.
4. On the My Service Details view, click the grey Managed Subscription button.
5. Click on the red Cancel Subscription button.
6. Click Yes on the message box pop-up.
7. The Subscription Status is updated to Cancelled Subscription.
Note: Your cancellation time may vary depending on the hardware in your environment. If configured, you will be notified by
email that the service has been cancelled.


Protecting CloudSystem Enterprise Services with HP ArcSight


This section demonstrates the two ways that cloud architects can design HP CloudSystem service offerings to incorporate
logging to the HP ArcSight Logger using ArcSight Connectors or raw syslog data.

Sending events to HP ArcSight Logger using Connectors


Using an ArcSight Connector to forward syslog and event information, as shown earlier in Figure 1, is the recommended
solution and applies to both Linux and Windows cloud services. Its advantages are a common implementation across the
datacenter and a standard format: the ArcSight Connector converts events to Common Event Format (CEF) before
forwarding them to a SmartMessage receiver configured on the HP ArcSight Logger. Figure 1 illustrates log data being sent
from the Linux and Windows nodes using an ArcSight Connector to the SmartMessage receiver on the ArcSight Logger.
The ArcSight Connector can also be installed silently on the Windows or Linux VM as a software policy in Server Automation
via an HP CloudSystem Service Design. This implementation is described next for Linux and Windows. The software can
either be ordered through an HP Sales representative or downloaded as a trial version from the HP ArcSight website,
hp.com/go/arcsight.

Deploying HP ArcSight Connector on Linux


The following are the steps to implement the deployment of the HP ArcSight Connector for Linux via HP CloudSystem
Enterprise using Server Automation policies. This procedure is similar to the one used for deploying the ArcSight Logger
using HP SA and CSA described in the section Importing software and creating HP Server Automation policies.
1. Create the ASconnector-Linux.properties file. (See Appendix C: HP ArcSight Connector Properties file for silent install for
more information.)
Note: The installer.properties file syntax may vary between versions of the ArcSight Connector. Refer to the
documentation included with your ArcSight Connector for the proper syntax or the steps to create the
installer.properties file for your version.

2. Create a RHEL 6 VM template with the same specifications as the ArcSight Logger VM. Repeat steps specified in the
section called Creating the virtual machine image required for ArcSight Logger deployment to create the VM including
the SA agent.
3. Compress in a ZIP file called ASconnectorLinux.zip the executable for ArcSight connector and properties file for
silent installation.
A. ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin
B. ASconnector-Linux.properties
4. Import the ZIP file into Server Automation. Import it to the appropriate Linux OS package repository, i.e. Red Hat
Enterprise Linux Server 6 x86_64.
5. Double-click on the imported ZIP file, edit its Properties, and Save the changes.
A. Default Install Path = /tmp
B. Enter the following four lines of commands in the Install Scripts → Post-Install Script tab:
cd /tmp
chmod +x ArcSight*.bin
./ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin -i silent -f /tmp/ASconnector-Linux.properties
service arc_linux_cef start

Note: The service name, arc_linux_cef, is a concatenation of the arc_ prefix with the name specified
during the creation of the silent install properties file.

6. Create a Server Automation software policy called ArcSightConnectorLinux:


A. Set OS to the same Linux OS used on Step 4.
B. Add the ZIP file created in Step 3 as a policy item.
C. Select the appropriate Linux OS Package Repository as specified in Step 4 and create the policy on it.
7. Create the ArcSight Connector for Linux component in CSA:
A. Import the SA software policy called ArcSightConnectorLinux from the Server Automation providers
component list.


8. Create the Service Design in CSA:


A. Follow the same instructions specified in Creating the HP ArcSight Logger vCenter Service Design.
B. Assign a service design name of ArcSight Logger Connector for Linux.
C. Create a simple topology layout similar to ArcSight Logger, using the vCenter Server with the ArcSight Connector
instead of the ArcSight Logger.
D. Provide a different hostname prefix.
9. Publish and create the service offering:
A. Follow the same instructions specified in Publish and create the service offering section.
B. Assign an offering name of ArcSight Connector for Linux 6.0.0.
C. Publish it to the Global Shared Catalog.
10. Deploy the service offering from the MPP:
A. Follow the same instructions in Creating a subscription in HP Cloud Service Automation section.
B. It takes about 5 minutes to deploy the connector and for the server to register with the ArcSight Logger server.
C. The server automatically registers as one of the devices via the SmartMessage Receiver.

Figure 4. CEF Log Events sent to the HP ArcSight Logger directly via TCP, UDP or SmartMessage Receiver

D. Once registered, logs will show on the Summary tab.

Figure 5. Summary of captured CEF log events


Deploying HP ArcSight Connector on Windows


The following are the steps to implement the deployment of the HP ArcSight Connector for Windows via HP CloudSystem
Enterprise using Server Automation policies.
1. Create the ASconnector-Windows.properties file (See Appendix C: HP ArcSight Connector properties file for silent install
for more information).
Note: The installer.properties file syntax may vary between versions of the ArcSight Connector. Refer to the
documentation included with your ArcSight Connector for the proper syntax or the steps to create the
installer.properties file for your version.

2. Create a Windows Server 2008 R2 x64 VM template with the following customizations:
A. At least 1 network set to DHCP and it should be the same one used by Server Automation.
B. Create C:\Temp directory. It will be used for the silent installer.
C. Install VMware Tools.
D. Set-ExecutionPolicy RemoteSigned
E. Turn off the Private and Public firewall profiles (the Domain profile can remain on).
Note: A customization spec should be created for Windows similar to Linux. CSA requires a customization spec on the
service design for the deployment to work properly.

3. Deploy and install the SA agent then convert the VM to a template:


A. Follow steps 3 to 7 on the section called Creating the virtual machine image required for ArcSight Logger
deployment to create the VM including the SA agent.
4. Compress in a ZIP file called ASconnectorWindows.zip the executable ArcSight connector and properties file for
silent installation:
A. ArcSight-x.x.x.xxxx.x-Connector-Win64.exe
B. ASconnector-Windows.properties
5. Import the ZIP file into Server Automation. Import it to the appropriate Windows OS package repository, i.e. Windows
2008 R2 x64.
6. Double-click on the imported ZIP file, edit its Properties, and Save the changes:
A. Default Install Path = C:\Temp
B. Enter the following two lines of commands in the Install Scripts → Post-Install Script tab:
c:\temp\ArcSight-x.x.x.xxxx.x-Connector-Win64.exe -i silent -f c:\temp\ASconnector-Windows.properties
net start arc_windows_cef
7. Create a Server Automation software policy called ArcSightConnectorWindows:
A. Set OS to the same Windows OS used on Step 5.
B. Add the ZIP file created in Step 4 as a policy item.
C. Select the appropriate Windows OS Package Repository as specified in Step 5 and create the policy on it.
8. Create the ArcSight Connector for Windows component in CSA:
A. Import the SA software policy called ArcSightConnectorWindows from the Server Automation providers
component list.
9. Create the Service Design in CSA:
A. Follow the same instructions specified in Creating the HP ArcSight Logger vCenter Service Design.
B. Assign a service design name of ArcSight Logger Connector for Windows.
C. Create a simple topology layout similar to ArcSight Logger, using the vCenter Server with the ArcSight Connector
instead of the ArcSight Logger.
D. Provide a different hostname prefix.
10. Publish and create the service offering:
A. Follow the same instructions specified in the Publish and create the service offering section.
B. Assign an offering name of ArcSight Connector for Windows 6.0.0.
C. Publish it to the Global Shared Catalog.


11. Deploy the service offering from the MPP:


Note: Before deploying, verify that the Microsoft Patch Database is pre-configured in Server Automation. The
deployment will fail if this is not set up. Refer to Appendix E: Server Automation setup for Windows deployment for
details.
A. Follow the same instructions in the Creating a subscription in HP Cloud Service Automation section.
B. It takes about 10 minutes to deploy the connector and for the server to register with the ArcSight Logger server.

Sending events to HP ArcSight Logger in RAW format


In this scenario, the log information is sent directly to the HP ArcSight Logger in raw format. In some cases, devices and
systems have not been configured to convert log data into the standard ArcSight Common Event Format. The device,
system, or application may not have an ArcSight Connector or the organization may choose not to install an ArcSight
Connector. In these instances, the system can be configured to send log data in a RAW format. Figure 6 shows how a default
receiver is configured in ArcSight Logger to accept RAW logs from a deployed Linux or Windows cloud service.

Figure 6. RAW Log Events sent to the HP ArcSight Logger directly via UDP or TCP Receivers

[Figure 6 labels: native or 3rd-party forwarders; vcenter.cloud.internal, rhel01.cloud.internal, rhel02.cloud.internal,
win01.cloud.internal, win02.cloud.internal; TCP Receiver (TCP/8514); as-logger.cloud.internal]

Forwarding RAW log events to HP ArcSight Logger in Linux


Linux has a native syslog forwarder that can be used to send logs to HP ArcSight Logger. The following steps configure a
Red Hat 6.5 server to forward logs directly to the ArcSight Logger TCP receiver (a UDP receiver can also be used,
depending on the OS).
1. Log in to the server as root user.
2. Disable SELinux in your VM template. Edit /etc/selinux/config:
A. Change SELINUX=enforcing to SELINUX=disabled
3. Edit the rsyslog.conf file. At the end of the file, add a line that sends the logs to the ArcSight Logger host
(remote-host) using the default ArcSight Logger TCP Receiver port of 8515. Provide the IP address of the ArcSight Logger
VM as shown below:
A. vi /etc/rsyslog.conf
B. *.* @@<IP-address-of-VM>:8515


4. Restart the rsyslog service:


A. service rsyslog restart
5. Launch HP ArcSight Logger from the browser and you should see the RHEL VM device logs show up as shown in Figure 7.
You could also verify by checking under Configuration → Devices.

Figure 7. Log Events sent to the HP ArcSight Logger

Note: The steps above could be pre-configured on the VM template prior to deployment of a Service Design via HP
CloudSystem Enterprise if you know the IP address of the HP ArcSight Logger server.
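The forwarding rule from step 3, as an added example that is not part of the white paper: a shell helper that validates the Logger address and port and prints the rsyslog lines with a disk-assisted queue, so events are spooled while the receiver is unreachable. The function names, the 192.0.2.10 address and the queue settings are assumptions; the semanage rule is an alternative to step 2 and assumes the SELinux targeted policy is what blocks the non-standard port.

```shell
#!/bin/sh
# Added example (not from the white paper): build the rsyslog forwarding
# lines for an ArcSight Logger TCP receiver. Names and values are assumptions.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    local addr="$1" old_ifs octet
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port PORT: succeed only for an integer between 1 and 65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_forward_conf ADDR PORT: print the lines to append to /etc/rsyslog.conf.
# The $ActionQueue* directives apply to the forwarding action that follows them.
render_forward_conf() {
    local host="$1" port="$2"
    valid_ipv4 "$host" || { echo "bad IPv4 address: $host" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
# Forward all messages to the ArcSight Logger TCP receiver (@@ = TCP, @ = UDP).
\$WorkDirectory /var/lib/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName arcsight_fwd
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${host}:${port}
EOF
}

# selinux_port_rule PORT: print the command that labels PORT as a syslog port,
# an alternative to SELINUX=disabled (assumption: semanage is installed and the
# targeted policy is what denies rsyslog the connection).
selinux_port_rule() {
    valid_port "$1" || return 1
    printf 'semanage port -a -t syslogd_port_t -p tcp %s\n' "$1"
}

# Constructed sample: 192.0.2.10 is a documentation address, 8515 is the port from step 3.
render_forward_conf 192.0.2.10 8515
```

Append the output to /etc/rsyslog.conf, check the file with rsyslogd -N1, then restart the service as in step 4.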

Forwarding RAW log events to HP ArcSight Logger in Windows


The use of a native syslog forwarder only applies to Linux. A third-party software application must be installed to do the
same on Windows. The steps below use an open-source software application called nxlog.
1. Download the installer file from http://nxlog-ce.sourceforge.net/download to the Windows server you want to monitor
with ArcSight Logger.
2. Launch the installer and follow through the prompts.
3. Edit the configuration file, nxlog.conf:
A. Open the c:\Program Files (x86)\nxlog\conf\nxlog.conf file with a text editor.
B. Under the <Output out> group:
i. Replace the IP address for Host with the IP of ArcSight Logger.
ii. If the Module is om_tcp, replace the port with the TCP Receiver port configured in ArcSight Logger. You could also
use the UDP Receiver port by changing Module to om_udp.
4. Restart the nxlog service.
5. You should see the host register in ArcSight Logger using the TCP or UDP Receiver configured in the nxlog.conf file. It
will show up on the Summary page like the sample shown for Linux or under Configuration → Devices.

Summary
HP ArcSight Logger is an event data storage appliance that is optimized for extremely high event throughput. Logger stores
security events onboard in compressed form, but can always retrieve unmodified events on demand for forensics-quality
litigation data. Logger can be deployed stand-alone to receive events from syslog messages or log files, or to receive events
in Common Event Format from SmartConnectors. Logger can forward selected events as syslog messages to ESM. Multiple
Loggers work together to scale up to support high sustained input rates. Event queries are distributed across a peer
network of Loggers.
In this document we have shown how to create and deploy an HP ArcSight Logger with an HP Cloud Service Automation
(CSA) Service Design to enable enhanced security and centralized logging for HP CloudSystem Enterprise consumers and
their subscription-based services. Using HP ArcSight Logger as a Security as a Service offering to create a central repository
for security and event logging, organizations can attach their ArcSight Logger subscription to an HP ArcSight ESM, or a
centralized ArcSight Logger instance, to monitor and react to security-related events in their cloud environments. This CSA
Service Design also gives cloud consumers an event logging service with which they can implement application and event
logging of cloud-provisioned resources during the deployment phase. This type of security offering enables shared
responsibility and ownership of SIEM solutions between the cloud consumer and cloud provider.


Appendix A: HP ArcSight Logger installer.properties file


The installer.properties file in the Server Automation Package asloggersd.zip is used for automated (silent mode)
deployment of the ArcSight Logger 6.0 for Linux. This file was generated by running ./ArcSight-logger-6.0.0.XXXX.0.bin -r
<directory_location> where <directory_location> is the location of the directory where the generated
installer.properties file will be placed. You will need to install Logger in console mode to get the correct format for the silent
installation. For more information refer to the Admin Guide for the software logger.

# Thu Oct 02 14:02:41 CDT 2014
# Replay feature output
# ---------------------
# This file was built by the Replay feature of InstallAnywhere.
# It contains variables that were set by Panels, Consoles or Custom Code.

#Choose Install Folder
#---------------------
USER_INSTALL_DIR=/opt/ArcSight

#License Information
#-------------------
LICENSE_LOCATION=\"/tmp/Logger/arcsight.lic\"

#Install
#-------
-fileOverwrite_/opt/ArcSight/UninstallerData/Uninstall_ArcSight_Logger_6.0.lax=Yes

#User Settings
#-------------
USER_AND_PORT=\"arcsight\",\"9000\"
LOGGER_SERVICE_CHOICES=\"Configure as a service\",\"\"

#Locale Setting
#--------------
LOCALE_RESULTS=\"English (United States)\",\"\",\"\",\"\",\"\",\"\",\"\",\"\"


Appendix B: HP ArcSight Logger install scripts


The installation of HP ArcSight Logger requires a non-root user, i.e. arcsight, to run the installer. Below are samples of the
installation and uninstall scripts used on this reference implementation.

install.sh

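#!/bin/bash

# Reset the loopback entry in /etc/hosts (a backup is kept as /etc/hosts.bak)
/bin/sed -i.bak s/^127.0.0.1.*/"127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"/g /etc/hosts

# Map the IPv4 address of eth0 to this host's name
/sbin/ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}' | xargs -I ip echo "ip $HOSTNAME" >> /etc/hosts

mkdir /opt/ArcSight

# Open /tmp and the install folder so the non-root arcsight user can write to them
chmod 777 /tmp
chmod 777 /opt/ArcSight

# Run the silent install as the arcsight user
sudo -u arcsight /tmp/asloggersd/ArcSight-logger-6.x.x.xxxx.x.bin -i silent -f /tmp/asloggersd/installer.properties

# Set both directories to 755 once the installer has finished
chmod 755 /opt/ArcSight
chmod 755 /tmp

uninstall.sh

#!/bin/bash

# Run the Logger uninstaller, then remove whatever is left of the install folder
/opt/ArcSight/UninstallerData/Uninstall_ArcSight_Logger_6.0
rm -rf /opt/ArcSight/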
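A least-privilege take on the staging done by the post-install lines and install.sh, as an added example that is not part of the white paper's scripts: it copies the package into a private mktemp directory instead of running chmod -R 777, and provides checks for world-writable leftovers and for the 1777 mode of a stock /tmp, which a numeric chmod 777 or chmod 755 replaces. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not the white paper's install.sh): private staging plus
# permission checks for the installer folder. Function names are hypothetical.

# stage_private SRC_DIR [OWNER]
# Copy SRC_DIR into a fresh directory created by mktemp (mode 0700), strip all
# group/other access, and hand it to OWNER when running as root.
# Prints the path of the staging directory.
stage_private() {
    local src="$1" owner="${2:-}" stage
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    stage=$(mktemp -d "${TMPDIR:-/tmp}/asloggersd.XXXXXX") || return 1
    cp -R "$src"/. "$stage"/ || return 1
    # X keeps execute only on directories and on files that already had it
    chmod -R u+rwX,go-rwx "$stage" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$stage" || return 1
    fi
    printf '%s\n' "$stage"
}

# world_writable DIR: list entries under DIR that any local account can modify.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# shared_tmp_ok DIR: succeed only when DIR has the sticky, world-writable mode
# (1777, shown by ls as drwxrwxrwt) of a stock /tmp.
shared_tmp_ok() {
    case $(ls -ld "$1") in
        drwxrwxrwt*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: mimic a folder opened with chmod -R 777, then re-stage it.
demo_src=$(mktemp -d "${TMPDIR:-/tmp}/demo-src.XXXXXX")
touch "$demo_src/install.sh" "$demo_src/installer.properties"
chmod -R 777 "$demo_src"
demo_stage=$(stage_private "$demo_src")
echo "world-writable entries before: $(world_writable "$demo_src" | wc -l)"
echo "world-writable entries after:  $(world_writable "$demo_stage" | wc -l)"
rm -rf "$demo_src" "$demo_stage"
```

Run as root, stage_private /tmp/asloggersd arcsight gives the arcsight account sole access to the copy, and shared_tmp_ok /tmp can be run after the install to confirm the mode of /tmp.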


Appendix C: HP ArcSight Connector properties file for silent install


When installing the HP ArcSight Connector in silent mode, a properties file needs to be generated first. This file has the same
function as the installer.properties file used for the HP ArcSight Logger's silent install. Below are sample connector
properties for Windows and Linux deployments.
The basic steps for creating the connector properties file for silent install are:
1. From the desktop as root (Linux) or Administrator (Windows) user, run the ArcSight SmartConnector Installer wizard
(bin or exe file) to install the SmartConnector core files. Use all default settings. Take note of the installation directory
because you will use it in Step 3. When the wizard asks you to choose Add a Connector or Enable FIPS mode, click
Cancel and exit the installer.
2. Launch the Smart Connector configuration installer in record mode.
Linux:
A. cd /root/ArcSightSmartConnectors/current/bin/
B. ./runagentsetup.sh -i recorderui
Windows:
A. runagentsetup.bat -i recorderui
3. Provide the location of the properties file and the installation (default) target folder:
Linux:
A. /tmp/ASconnector-Linux.properties
B. /root/ArcSightSmartConnectors
Windows:
A. C:\Temp\ASconnector-Windows.properties
B. C:\Program Files\ArcSightSmartConnectors
4. Select Add a Connector.
5. Select ArcSight Common Event Format Multiple File.
6. Click Next on the device details. Leave it empty.
7. Select ArcSight Logger SmartMessage radio button.
8. Provide the information for the ArcSight Logger host. You will get a connection error message if any of the parameters
is wrong or if loggerd service is not running.
A. Hostname or IP
B. Port =9000
C. Receiver Name = SmartMessage Receiver
D. Compression = Disabled
9. On the connector details, provide only the name, i.e., Linux-Connector or Windows-Connector, and leave the rest of
the fields blank. Click Next to continue.
10. Click Next on the Add connector Summary.
11. Select Install as a service.
12. On the Connector Setup:
A. Take note of the Service Internal Name. Replace the default as shown below then click Next:
Linux: linux_cef (the service name will be called arc_linux_cef)
Windows: windows_cef (the service name will be called arc_windows_cef)
B. Take note of the Service Display Name, default is ArcSight Common Event Format Multiple File.
C. Select Yes to start the service automatically.
13. Click Next on the Install Service Summary.
14. Select Exit then Next to close the application. The properties file should be saved on the path specified on step 3A.


Appendix D: Troubleshooting
The following are some of the issues you may encounter during the deployment of the service design reference
implementation.

Problem: No IPv4 address is assigned to the deployed VM. Instead of an IPv4 address, vCenter generated an IPv6 address.
Resolution: An IPv4 address is required for the SA agent to register to HP SA. Use the following steps to recover
from this issue.
1. Rebooting the VM usually generates an IPv4 address. If there is none, verify the address pool of
   your DHCP server.
2. The SA agent deployed on the template was not sanitized. Deploy a VM directly from the vCenter
   template. If there is no IPv4 address, re-run the steps to install the SA agent, sanitize, and then
   create a new VM template.

Problem: The deployment was successful but ArcSight Logger did not install. No page loads in the
browser when using the ArcSight server URL.
Resolution: Server Automation is the tool that installs ArcSight Logger once a VM is created and the SA agent
registers the VM. Verify the Job Status associated with the deployment in SA. Click each Action to view
the details. The sample below shows that ArcSight did not install because there was not enough
free disk space.


Appendix E: Server Automation setup for Windows deployment


Unlike Linux, Server Automation requires that the Microsoft Patch Database be configured before deploying policies to a
Windows-based server. The following steps configure it in HP Server Automation when there is no external/Internet access.
1. Launch the SA Java client as an administrator user, i.e., hpsa_admin, with the following options:
   A. On the client login window, click More.
   B. Click Advanced Settings.
   C. Select the None radio button for the Proxies.
2. Verify that the SA administrator user you used has Read/Write permission for managing patches:
   A. Go to the Administration tab.
   B. Select Users and Groups > Users.
   C. Right-click on the administrator user, then click Open.
   D. Go to Views > Action Permissions:
      i. Category: Package Management > Manage Package = Read & Write
      ii. Category: Patch Management > Manage Patch = Read & Write
      iii. Allow Install Patch, Allow Uninstall Patch, and Manage Patch Compliance Rules = Yes
3. Download the Microsoft Patch Database and Windows Update files to the server that has the SA Java client.
   Note: The links below are for SA 10.10. To determine the required files, go to the Administration tab then Patch
   Settings. The pop-up message will name the required file if the patch database is not configured.
   A. Microsoft Patch Database:
      http://go.microsoft.com/fwlink/?LinkId=76054
   B. Windows Update Agent files for x64 and x86:
      http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x64.exe
      http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe
4. Import the Microsoft Patch Database file:
   A. Go to the Administration tab then Patch Settings.
   B. Under Patch Downloads, select Patch Database.
   C. Click Import From File and point to the Microsoft Patch Database file saved locally.
   D. This process could take up to 2 hours to complete.
5. Import the Windows Update files:
   A. Go to the Administration tab then Patch Settings.
   B. Under Windows Patch Utilities, click Import from File for each one of the files listed.


For more information


Learn more at
hp.com/go/enterprisesecurity
To read more about CloudSystem Enterprise go to
hp.com/go/cloudsystementerprise
CloudSystem user documentation and technical white papers
hp.com/go/cloudsystem/docs
HP ArcSight ESM
http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/index.html
HP ArcSight Logger
http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/index.html
HP software product manuals and documentation for the following products can be found at:
https://softwaresupport.hp.com/group/softwaresupport/home. You will need an HP Passport to sign in and gain access.
HP CloudSystem
HP Cloud Service Automation
HP Server Automation
HP Operations Orchestration

To help us improve our documents, please provide feedback at hp.com/solutions/feedback.


Copyright 2013-2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft and Windows are trademarks of the Microsoft Group of companies. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other
countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. VMware and vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.

The OpenStack Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in
the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed, or sponsored by the
OpenStack Foundation, or the OpenStack community.

4AA4-7746ENW, November 2014, Rev. 1
