Contents
Executive summary  4
Solution overview  4
  HPE ArcSight  4
  HPE ConvergedSystem 700  5
  HPE Helion CloudSystem  6
Assumptions  7
Overview: HPE ArcSight security solution for HPE ConvergedSystem 700  7
Deploying the ArcSight Logger appliance  7
  Storage and server requirements  7
  Create new datastore for HPE ArcSight Logger  8
  Importing the ArcSight Logger VMware virtual machine image  10
  Adding the second hard disk to the Logger VM  11
  Power on the Logger VM  12
Configure the Logger VM  13
  Pre-installation steps  13
  Mount the second hard disk  14
  Install ArcSight Logger  15
  Connect to Logger and change the admin user password  16
Configure Device Groups, Storage Groups, and Storage Rules  17
  Create Device Groups  17
  Verify Storage Volume Size  18
  Create Storage Groups  19
  Create Storage Rules  20
  Edit and create additional receivers  21
Add DNS entries for ArcSight  22
About forwarding events to ArcSight Logger  23
  Sending events to HPE ArcSight Logger without Connectors  23
  Sending events to HPE ArcSight Logger using Connectors  24
Forwarding ConvergedSystem 700 component events to ArcSight Logger  24
  Networking  24
  VMware  26
  HPE 3PAR  30
  HPE OneView  30
  HPE Insight Control Server Provisioning  33
  HPE CS700 troubleshooting VMs (tsvm)  33
  HPE CloudSystem  34
  Viewing and editing devices in Logger  36
Technical white paper
Executive summary
Organizations face threats that can disrupt operations and critical IT services. HPE ArcSight products provide the security analytics needed to
identify and prioritize threats in real time and to remediate incidents early. This document describes how to configure HPE ArcSight Logger and
HPE ArcSight Enterprise Security Manager to monitor and protect the virtualized infrastructure of an HPE ConvergedSystem 700 (CS700). It also
shows how HPE ArcSight products can monitor HPE Helion CloudSystem (CS) resources, which are an option for the CS700 platform.
Target audience: The intended audience of this white paper is system integrators, installers, and administrators who want to deploy cloud
environment security using HPE ArcSight on HPE ConvergedSystem 700 with HPE Helion CloudSystem.
Solution overview
This section provides an overview of the various software components of HPE ArcSight that are used to provide security and monitoring of an
HPE ConvergedSystem 700 with HPE Helion CloudSystem.
HPE ArcSight
HPE ArcSight is one of the pillars of the HPE enterprise software security portfolio along with HPE Fortify and HPE Data Security & Encryption
products such as HPE Voltage and HPE Enterprise Secure Key Manager (ESKM). The following is a brief overview of the different components of
the HPE ArcSight software offering: HPE ArcSight Logger (Logger), HPE ArcSight Enterprise Security Manager (ESM), and HPE ArcSight
Connector (Connector).
HPE ArcSight Logger
With HPE ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts
that prevent insider and advanced persistent threats. This universal log management solution collects machine data from any log-generating
source and unifies the data for searching, indexing, reporting, analysis, and retention. In the age of Bring Your Own Device (BYOD) and mobility, it
enables you to comprehensively manage an increasing volume of log data from an increasing number of sources.
Key features
• Collect logs from any log generating source through 350+ connectors from any device and in any format
• Unify data across IT through normalization and categorization into the Common Event Format (CEF®)
• Search through millions of events using a text-based search tool with a simple interface
• Store years' worth of logs and events in a unified format through a high compression ratio at low cost
• Automate analysis, alerting, reporting, intelligence of logs and events for IT security, IT operations, IT Governance Risk Management and
Compliance (GRC), and log analytics
Key benefits:
• A cost-effective solution for all your regulatory compliance needs
• Automated log collection and archiving
• Fraud and real-time threat detection
• Forensic analysis capabilities for cyber security
CS700 is designed to address these challenges through a portfolio of precision-tuned converged systems that help deliver the fastest path to
agile, efficient virtualized application solutions.
HPE ArcSight can protect CS700 components such as network switches, SAN switches, VMware® ESXi management hosts, HPE OneView, and
troubleshooting VMs. Figure 1 shows how system log events are forwarded to Logger, either directly to its UDP or TCP syslog receivers or through SmartMessage Connectors.
With the incorporation of HPE Helion OpenStack and the HPE Helion Development Platform (HDP) into the new HPE Helion CloudSystem 9.0.1
offering, we’ve integrated a more complete OpenStack based software offering directly into the product and added Cloud Foundry® technology
allowing you to create a modern developer environment in which to develop and deploy cloud native applications. HPE Helion CloudSystem
works in a heterogeneous environment and includes hybrid cloud management software, and based on the customer’s unique needs may also
include servers, storage and networking, combined with installation services, making it even more efficient to deploy a private cloud.
As shown in Figure 1, HPE ArcSight Connectors can be installed on HPE Helion CloudSystem infrastructure virtual machines such as cs9-mgmt
and cs-update1. The Connectors then forward system logs and events to Logger for centralized monitoring.
Figure 1 (diagram): the CS700 hosts cs9-mgmt, tsvm01, win01, smgmt01, rhel01, scs01, cs-update1, sms01, svsr01, se-oa1 and snet01 (all in sdnsdomain.net), the HP A5800 (JG225A) and HP 5820X (JG219A) switches, and esm.sdnsdomain.net forward events to logger.sdnsdomain.net, either through an ArcSight Connector (CSE-SC, TCP/443) or directly to UDP Receiver 1 (UDP/514).
Figure 1. HPE ArcSight Connectors and native connectors forwarding events to the HPE ArcSight Logger
Assumptions
Security in any production environment is extremely important, especially in a cloud environment. However, the focus of this document is the
fundamentals of deploying cloud security software to monitor an IT infrastructure. Basic security (credentials and security keys) is touched
upon, but the reader is advised to consult other sources for security recommendations and details.
Error handling, like security, is another important topic in any cloud deployment. This integration guide does not implement extensive error
handling in order to focus on the solution, rather than protect from the variety of failure modes. A production deployment should consider
implementing additional error handling to ensure a robust solution.
This implementation assumes that the reader has a general understanding of a CS700 environment and its key components such as HPE
OneView, VMware vSphere Web Client, HPE networking, Cisco networking and HPE 3PAR.
Familiarity with the basics of CS, if it is installed on the CS700, is also necessary. Forwarding the event logs of the CS management virtual
machines is covered in this integration guide. Configuring CS components such as Cloud Service Automation, Operations Orchestration, and
CloudSystem Foundation to forward event logs is out of the scope of this document.
It is assumed that a CS700 solution has been deployed, configured, and is working. The same goes for CS if it is part of the CS700 delivery. Table
1 lists the software version configured for this integration guide.
Table 1. Software components version used in this implementation
COMPONENT VERSION
Notes
1. The disk space needs to be on the partition where you will install the Logger software.
2. Using NFS as primary storage for events on the software Logger is not recommended.
3. Make sure no other applications are running on the system on which you install Logger.
Notes
1. Although there is free space on the MgmtTPVV1 and MgmtTPVV2 disks, it is reserved for the CS700 solution and for any additional HPE
Reference Architecture deployed on the solution.
2. All instructions assume you have access to a jump station or installation computer with connectivity to the CS700 Solution Management
server (smgmt01).
Figure 2. Example validation screen output when creating the new ArcSightLogger Datastore
e. Select Next.
f. Select Finish on the Ready to complete section.
4. It could take a couple of minutes for the task to complete. Once completed, you will see the datastore available for both sms01 and sms02. In
a CS700 with CS 9.0.1 installed, you will also see sms03 and/or sms04, as shown in Figure 3.
Note
All instructions assume you have a Remote Desktop Connection to the Solution Management server (smgmt01).
Note
If CS9 is deployed on the CS700, select DV_Solution_Mgmt_Net as the Destination.
g. Select Finish on the Ready to complete section. Ensure that Power on after deployment is Unchecked.
2. On the Virtual Hardware tab, toward the bottom select the New Device dropdown and select New Hard Disk.
a. Select the Add button.
b. A New Hard disk option will appear in the hardware list. Set the size to 1 TB and select OK.
Note
If prompted to accept a Power On Recommendation, select the default option or change it to the host you want to power it up on, and select
OK.
Pre-installation steps
All instructions assume you have a Remote Desktop Connection to the Solution Management server (smgmt01) or access to it from a jump
station.
1. From the VM console, log in with the username root and the password arcsight.
2. Change the root password before the VM is placed on the management network: arcsight is the published default for the image. This guide
uses Password!234 as an example; substitute a strong password of your own.
[root@logger ~]# passwd
Changing password for user root.
New password: Password!234
Retype new password: Password!234
passwd: all authentication tokens updated successfully.
3. Edit /etc/sysconfig/network and set the values to the following. Set the hostname as logger and the gateway that is applicable to your
solution management network configuration, the default is 172.28.15.254.
NETWORKING=YES
HOSTNAME=logger
GATEWAY=172.28.15.254
Notes
a. If changing from the default hostname of logger, execute hostname <new host name> where <new hostname> is the new hostname
of your server.
b. You will also need to update /etc/hosts to replace all occurrences of logger with your new hostname.
4. Edit /etc/resolv.conf with the domain name (default sdnsdomain.net) and solution management DNS server IP address (default
172.28.10.10) in your solution.
search sdnsdomain.net
nameserver 172.28.10.10
Notes
a. The ArcSight VM comes pre-built with the ifcfg-ens32 network interface pre-configured.
b. If you used the default IP address scheme of 172.28.x.x in your deployment, 172.28.8.0-255 are reserved for Reference Architectures. You
can pick any IP you want in that range given it is not already in use somewhere else. In this example we will use the IP of 172.28.8.1 and
netmask of 255.255.240.0 (which is the default netmask the solution is built with for this network).
NAME="ens32"
DEVICE="ens32"
ONBOOT=yes
NETBOOT=yes
UUID="xxxxxxxxxxxx" DO NOT EDIT
IPV6INIT=no
BOOTPROTO=static
TYPE=Ethernet
DNS1=172.28.10.10
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPADDR=172.28.8.1
GATEWAY=172.28.15.254
NETMASK=255.255.240.0
NM_CONTROLLED=no
Note
It is important that the four lines below are entered exactly as below and that all other content in the file is deleted. Any omission or error
can cause system runtime errors.
9. If you have a license file, transfer it to the system via an SCP program such as WinSCP and place it in /root and name it arcsight.lic.
10. Set your time zone by performing the following. In this example we will set the time to Central Standard Time using America/Chicago. You
will want to replace the zone information that is applicable to you.
[root@logger ~]# rm /etc/localtime
[root@logger ~]# ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
11. Set your NTP client to talk to the system management server (default smgmt01.sdnsdomain.net or 172.28.10.10).
If there is no /etc/ntp.conf file, create a new one with the line below. If there is an existing file, remove all lines that begin with server and
replace them with this line:
server smgmt01.sdnsdomain.net
12. Reboot the server.
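The network settings from steps 3, 4 and 11 are easy to get subtly wrong (a gateway outside the interface's subnet, an address outside the range reserved for Reference Architectures, a leftover server line in ntp.conf). The script below is an added example, not part of the HPE guide: it renders the same files from the guide's example values into a staging directory (./staging, not /etc) so they can be reviewed and copied to the Logger VM, and refuses to render when the addressing is inconsistent. The 172.28.8.0/24 range and all addresses are the guide's defaults; the UUID value is a placeholder for the one already present in ifcfg-ens32.

```python
"""Stage and sanity-check the Logger VM network files from the
pre-installation steps. Added example (not HPE code): writes under a
staging directory rather than /etc."""
import ipaddress
import os

# Values of the guide's example deployment. 172.28.8.0-255 is the block the
# note above reserves for Reference Architectures.
DEFAULTS = {
    "hostname": "logger",
    "domain": "sdnsdomain.net",
    "ipaddr": "172.28.8.1",
    "netmask": "255.255.240.0",
    "gateway": "172.28.15.254",
    "dns": "172.28.10.10",
    "ntp_server": "smgmt01.sdnsdomain.net",
    "uuid": "xxxxxxxxxxxx",   # placeholder: keep the UUID already in ifcfg-ens32
}
RA_RANGE = ipaddress.ip_network("172.28.8.0/24")


def check_addressing(cfg):
    """Return a list of problems (empty when consistent): the address must be
    in the reserved RA range, and gateway and DNS server must lie inside the
    interface's own subnet, otherwise the VM comes up unreachable."""
    problems = []
    iface = ipaddress.ip_interface(f"{cfg['ipaddr']}/{cfg['netmask']}")
    if iface.ip not in RA_RANGE:
        problems.append(f"{iface.ip} is outside the reserved range {RA_RANGE}")
    for name in ("gateway", "dns"):
        if ipaddress.ip_address(cfg[name]) not in iface.network:
            problems.append(f"{name} {cfg[name]} is not in {iface.network}")
    return problems


def merge_ntp(existing, server):
    """Step 11: drop every existing 'server' line and add the one for smgmt01;
    other directives already in ntp.conf are kept."""
    kept = [line for line in existing.splitlines() if not line.startswith("server")]
    return "\n".join(kept + [f"server {server}"]) + "\n"


def render(cfg, existing_ntp=""):
    """Return {relative path: content} for every file the steps edit."""
    ifcfg = [
        'NAME="ens32"', 'DEVICE="ens32"', "ONBOOT=yes", "NETBOOT=yes",
        f'UUID="{cfg["uuid"]}"', "IPV6INIT=no", "BOOTPROTO=static",
        "TYPE=Ethernet", f"DNS1={cfg['dns']}", "DEFROUTE=yes",
        "IPV4_FAILURE_FATAL=no", f"IPADDR={cfg['ipaddr']}",
        f"GATEWAY={cfg['gateway']}", f"NETMASK={cfg['netmask']}",
        "NM_CONTROLLED=no",
    ]
    return {
        "etc/sysconfig/network":
            f"NETWORKING=yes\nHOSTNAME={cfg['hostname']}\nGATEWAY={cfg['gateway']}\n",
        "etc/resolv.conf":
            f"search {cfg['domain']}\nnameserver {cfg['dns']}\n",
        "etc/sysconfig/network-scripts/ifcfg-ens32": "\n".join(ifcfg) + "\n",
        "etc/ntp.conf": merge_ntp(existing_ntp, cfg["ntp_server"]),
    }


def stage(cfg, root="staging", existing_ntp=""):
    """Validate, then write the rendered files under root; returns the paths."""
    problems = check_addressing(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    written = []
    for rel, content in render(cfg, existing_ntp).items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        written.append(path)
    return written


if __name__ == "__main__":
    for path in stage(DEFAULTS):
        print("staged", path)
```

Review the staged files, then copy them into place on the VM and reboot as in step 12; if you changed the hostname, remember that /etc/hosts still has to be updated by hand as the notes above describe.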
3. Once logged in, select System Admin on the top menu bar and, in the left panel, select Users/Groups > Change Password. Change the
password of the admin user to a password of your choice; this example uses Password!234.
a. Old Password: password.
b. New Password: Password!234.
c. New Password (confirm): Password!234.
d. Select the Change Password button and select OK on the Password changed successfully dialog.
e. Log out and log back in to verify the password change.
Device groups categorize named source IP addresses, called devices. For example, network switches can be put in one group and VMware ESXi
hosts in another.
Device groups can be associated with storage rules that define in which storage group the events from specific devices are stored. This lets
you retain event data from different sources for different lengths of time, because each storage group can have its own retention policy. For
example, all events from VMware ESXi hosts can be subject to a short retention period: assign the ESXi hosts to a device group and create a
storage rule that maps that device group to a storage group with the desired short retention period.
The rest of this section will set up the device groups, storage groups and rules. Every implementation will be different as every company has
different requirements for retention periods of data. Use this section as a guide and implement to your needs as needed.
Note
This value depends on the environment. If you allocated more, you will get an error message as to what is the minimum and maximum
values allowed.
Note
You could get a warning that there is not sufficient space available to add another storage group. If so, either increase the storage volume
size or reduce the allocated space on step 2b above.
Note
Once a storage group is created, it cannot be deleted. There is also a maximum of six storage groups you can create as well.
1. Once the system is back up, we can create our storage rules to map device groups to storage groups.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234
3. Select Configuration on the top menu bar and select Storage > Storage Rules
4. Select the Add button
5. We will create several storage rules to map all of the device groups we created to the storage groups we created. Priority is an integer that
indicates the new rule’s priority. Storage rules are ordered by priority, and the first matching rule determines to which storage group an
incoming event will be sent. The number must be unique for each storage rule. The smaller the number, the higher the rule’s priority.
6. The first one we will create is one mapping the VMware ESXi hosts to the 90 Day Retention Policy
a. Storage Group: 90 Day Retention
b. Device Group: VMware Management
c. Priority: 10
d. Select the Save button.
7. Select the Add button and create a Storage Rule for Network Switches
a. Storage Group: 1 Year Retention
b. Device Group: Network Switches
c. Priority: 20
d. Select the Save button.
8. Select the Add button and create a Storage Rule for Storage Arrays
a. Storage Group: 180 Day Retention
b. Device Group: Storage Arrays
c. Priority: 30
d. Select the Save button.
9. Select the Add button and create a Storage Rule for Management Systems
a. Storage Group: 180 Day Retention
b. Device Group: Management Systems
c. Priority: 40
d. Select the Save button.
10. Select the Add button and create a Storage Rule for VMware ESXi Hosts.
a. Storage Group: 90 Day Retention
b. Device Group: VMware ESXi Hosts
c. Priority: 50
d. Select the Save button.
11. Select the Add button and create a Storage Rule for Power Devices.
a. Storage Group: 90 Day Retention
b. Device Group: Power Devices
c. Priority: 60
d. Select the Save button.
12. (Only if CS is installed on the CS700) Select the Add button and create a Storage Rule for HPE CloudSystem.
a. Storage Group: 90 Day Retention
b. Device Group: HPE CloudSystem
c. Priority: 70
d. Select the Save button.
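Because the first matching rule wins, a device that belongs to more than one device group gets the retention of the rule with the lowest priority number, which is easy to overlook once the rule list grows. The following added example (not HPE code) simulates the lookup Logger performs with exactly the seven rules created in steps 6 to 12. The device IP addresses are constructed sample values, not those of a real CS700, and the name of the fallback storage group for unmatched events is assumed to be Logger's built-in Default Storage Group.

```python
"""Simulate Logger storage-rule matching for the rules created above.
Added example, not HPE code; device addresses are constructed."""
from ipaddress import ip_address

# Device group -> source IPs (constructed). smgmt01 is deliberately placed in
# two groups, as it would be if it is both the vCenter host and a management
# system.
DEVICE_GROUPS = {
    "VMware Management": {"172.28.10.10", "172.28.10.20"},
    "Network Switches": {"172.28.1.1", "172.28.1.2"},
    "Storage Arrays": {"172.28.3.10"},
    "Management Systems": {"172.28.10.10", "172.28.10.30"},
    "VMware ESXi Hosts": {"172.28.2.11", "172.28.2.12"},
    "Power Devices": {"172.28.4.1"},
    "HPE CloudSystem": {"172.28.20.5"},
}

# (priority, device group, storage group) as entered in steps 6 to 12.
STORAGE_RULES = [
    (10, "VMware Management", "90 Day Retention"),
    (20, "Network Switches", "1 Year Retention"),
    (30, "Storage Arrays", "180 Day Retention"),
    (40, "Management Systems", "180 Day Retention"),
    (50, "VMware ESXi Hosts", "90 Day Retention"),
    (60, "Power Devices", "90 Day Retention"),
    (70, "HPE CloudSystem", "90 Day Retention"),
]
DEFAULT_STORAGE_GROUP = "Default Storage Group"   # assumed fallback group name


def validate_rules(rules):
    """Problems Logger would reject or that make the mapping ambiguous:
    duplicate priorities and references to unknown device groups."""
    problems, seen = [], set()
    for prio, group, _ in rules:
        if prio in seen:
            problems.append(f"duplicate priority {prio}")
        seen.add(prio)
        if group not in DEVICE_GROUPS:
            problems.append(f"unknown device group {group!r}")
    return problems


def storage_group_for(source_ip, rules=STORAGE_RULES):
    """Storage group an event from source_ip lands in: rules are tried in
    ascending priority number and the first match decides."""
    ip = str(ip_address(source_ip))          # rejects malformed addresses
    for _prio, group, storage in sorted(rules):
        if ip in DEVICE_GROUPS[group]:
            return storage
    return DEFAULT_STORAGE_GROUP


def overlaps(rules=STORAGE_RULES):
    """Devices matched by more than one rule, with the rules in the order
    Logger evaluates them; only the first entry actually applies."""
    hits = {}
    for prio, group, storage in sorted(rules):
        for ip in DEVICE_GROUPS[group]:
            hits.setdefault(ip, []).append((prio, group, storage))
    return {ip: r for ip, r in hits.items() if len(r) > 1}


def assignments(rules=STORAGE_RULES):
    """Every known device and the storage group it ends up in, for review
    before the rules are saved."""
    devices = set().union(*DEVICE_GROUPS.values())
    return {ip: storage_group_for(ip, rules) for ip in sorted(devices)}


if __name__ == "__main__":
    print("problems:", validate_rules(STORAGE_RULES))
    for ip, storage in assignments().items():
        print(f"{ip:15} -> {storage}")
    for ip, r in overlaps().items():
        print("overlap:", ip, r)
```

With these rules smgmt01 (172.28.10.10) is retained for 90 days, not the 180 days of the Management Systems rule, because the VMware Management rule has the lower priority number. If that is not the intent, either remove the host from the VMware Management group or give the Management Systems rule a lower number.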
Figure 11 (diagram): smgmt01, cs9-mgmt and win01 (sdnsdomain.net) each send raw syslog to logger.sdnsdomain.net, using either a native or a 3rd-party syslog client.
Figure 11. RAW Log Events sent to HPE ArcSight Logger directly via UDP or TCP Receivers
Figure 12 (diagram): an ArcSight Connector installed on smgmt01, cs9-mgmt and win01 (sdnsdomain.net) forwards CEF events to logger.sdnsdomain.net.
Figure 12. CEF Log Events sent to the HPE ArcSight Logger directly via TCP, UDP or SmartMessage Receiver
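Figures 11 and 12 differ only in the payload carried by the syslog frame: a free-text message that Logger stores raw, or a CEF event whose header and extension fields Logger parses. The following added example (not HPE code) builds both forms, sends them over UDP and parses the CEF event back the way a receiver would, including the CEF escaping rules for pipes, equals signs and backslashes, which are the usual reason a hand-built CEF event is indexed with the wrong fields. The UDP listener in demo() is a local stand-in for Logger's UDP Receiver 1 so the exchange runs offline; the LOGGER address, the port 5514 and the event contents are constructed for the example. To test a real receiver, point send_udp at logger.sdnsdomain.net port 514 and check the Devices page.

```python
"""Build, send and parse raw syslog and CEF-in-syslog events.
Added example, not HPE code; the receiver is a local stand-in."""
import re
import socket
import time

LOGGER = "127.0.0.1"   # assumption: stand-in for logger.sdnsdomain.net
PORT = 5514            # assumption: unprivileged stand-in for the receiver's 514


def cef_escape(value, header=False):
    """CEF escaping: header fields escape backslash and pipe; extension
    values escape backslash and equals, and CR/LF become \\r and \\n."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def cef_event(vendor, product, version, sig_id, name, severity, **ext):
    """Assemble CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join(cef_escape(v, header=True)
                      for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def syslog_line(msg, facility=4, severity=4, host="tsvm01", tag="sshd"):
    """RFC 3164 frame (<PRI>TIMESTAMP HOST TAG: MSG) as a native syslog
    client emits it; tag=None drops the TAG, the usual way CEF is carried
    (the message then starts with CEF:0)."""
    ts = time.strftime("%b %d %H:%M:%S")   # %d zero-pads the day; Logger accepts it
    prefix = f"<{facility * 8 + severity}>{ts} {host} "
    return prefix + (f"{tag}: {msg}" if tag else msg)


def send_udp(line, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def _split_unescaped(s, sep, limit):
    """Split on sep unless it is escaped; escape sequences are kept for
    _unescape. At most `limit` splits, so pipes in the extension survive."""
    parts, cur, i = [], "", 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur += c + s[i + 1]
            i += 2
            continue
        if c == sep and len(parts) < limit:
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur)
    return parts


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Return (header fields, extension dict) from a line carrying CEF,
    undoing cef_escape; a truncated event fails the header check."""
    start = line.find("CEF:0|")
    if start < 0:
        raise ValueError("no CEF:0 header")
    fields = _split_unescaped(line[start + 6:], "|", 6)
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    header = [_unescape(f) for f in fields[:6]]
    ext = {}
    if fields[6].strip():
        for token in re.split(r"\s+(?=\w+=)", fields[6].strip()):
            key, _, val = token.partition("=")
            ext[key] = _unescape(val)
    return header, ext


def demo(host=LOGGER, port=PORT):
    """Bind a stand-in receiver, send both event forms, return what arrived
    plus the parsed CEF event as Logger would index it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(2.0)
        raw = syslog_line("Failed password for root from 172.28.20.5 port 51822 ssh2")
        cef = syslog_line(cef_event("HPE", "tsvm", "1.0", "100", "SSH login failed", 5,
                                    src="172.28.20.5", suser="root", dst="172.28.8.20",
                                    msg="Failed password for root"), tag=None)
        for line in (raw, cef):
            send_udp(line, host, port)
        received = [rx.recvfrom(65535)[0].decode() for _ in range(2)]
    cef_line = next(l for l in received if "CEF:0|" in l)
    return received, parse_cef(cef_line)


if __name__ == "__main__":
    received, (header, ext) = demo()
    for line in received:
        print("received:", line)
    print("parsed CEF:", header, ext)
```

Run demo() once against the stand-in, then against the real Logger with a hostname you can recognise; the sending host should appear in the Devices list within a minute, and a CEF event should show its src, suser and dst as separate fields rather than as one message string.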
Networking
Described here are sample configurations to forward system logs for HPE and Cisco networking.
HPE 5900 Series Switching
To have the HPE 58x0 and 59x0 Series switches monitored and viewed in Logger, point each switch's information center (its internal system log)
at the Logger's receiver. Perform the following steps on each HPE switch in your solution:
1. Log into the switch and enter system view.
2. Enter in the following commands:
<snetsw> system-view
[snetsw] info-center loghost 172.28.8.1 port 514
[snetsw] info-center enable
Information center is enabled.
[snetsw] save
Note
Port 514 is the default port of the UDP receiver configured in ArcSight Logger; verify it under Configuration > Data > Receivers. The address
172.28.8.1 is the Logger VM's address from the pre-installation steps; substitute yours.
3. Once the save command completes, you should see the IP address or hostname of the switch registered in Logger under Configuration >
Data > Devices.
4. Change the name of the imported switch to the hostname of the device, for example snetsw or soobmsw. Please refer to the Viewing and
Editing Devices in Logger section for more information on how to do this.
VMware
Described here are sample configurations to forward system logs for VMware ESXi hosts and VMware vSphere.
VMware ESXi Host
To configure a VMware ESXi host to be monitored and viewed in Logger, you need to point the internal system log of the host to the Logger. To
complete this action, perform the following steps:
1. Log into the VMware vSphere Web Client.
a. Open web browser on smgmt01 to https://smgmt01.sdnsdomain.net:9443.
b. Log in with the username administrator@vsphere.local and the password as indicated on the CID or what you have changed it to
since the installation of your CS700. For the rest of the document, we will use the password Password!234 as the default password.
2. Select the Host and Clusters icon on the Home screen.
3. In the left navigation bar, expand SMGMT01 > sDatacenter > sMgmtHosts and select sms01.sdnsdomain.net.
4. Select the Manage tab, Settings on the top tool bar, then Security Profile.
5. Select Edit next to Firewall in the main part of the window.
6. In the Security Profile window, find syslog and place a checkmark next to the entry to enable it.
a. On the bottom of the window, deselect Allow connections from any IP address and enter in 172.28.8.1 in the text box.
9. Select the Syslog.global.logHost variable and select the pencil under the Advanced System Settings menu header to edit the variable
as shown on Figure 14.
a. Set the Syslog.global.logHost to tcp://172.28.8.1:514.
b. Click OK.
10. It might take a few minutes for the VMware ESXi Host to send its first event to the Logger, but you should see the IP or hostname of the
host registered in Logger in the Configuration Data Devices. Change the name of the imported VMware host to the hostname of the
device, for example sms01, scs01, scs09, etc. Please refer to the Viewing and Editing Devices in Logger section for more information
on how to do this.
11. You will need to repeat these steps for all of your VMware ESXi hosts (both Management and Compute).
Note
It is strongly recommended for security reasons to use or create a user in vCenter that only has Read-Only permissions to what you want
monitored. You could grant that user permissions to the entire vSphere Server instance, or just particular Data Centers, Clusters, Host, VMs,
etc.
d. Select Add on the Enter the device details window and enter the following:
I. Host = localhost
II. User = Read-Only user name for accessing VMware Web Services.
III. Password = Password for the VMware Web Services Read-Only user.
Note
Ignore the "Information" popup message regarding an SSL HandShake Exception. Click "Yes" to continue.
7. Run ArcSight SmartConnectors to register. There are two ways to run the command:
a. Using the Windows shortcut:
I. Click the Windows Start button.
II. Type arc to search for Run ArcSight SmartConnectors. Click it to execute when found. A command prompt window will launch.
b. From the command prompt:
I. Open a command prompt as administrator user.
II. Change directory to C:\Program Files\ArcSightSmartConnectors\current\bin.
III. Run the command arcsight connectors.
8. After a minute, verify in ArcSight Logger's Devices list that smgmt01 shows up.
VMware vCenter
There is currently no option for VMware vCenter to forward syslog to HPE ArcSight Logger.
HPE 3PAR
Described here are sample configurations to forward system logs for HPE 3PAR components of CS700.
HPE 3PAR StoreServ
To configure the HPE 3PAR StoreServ 7000 array to send its logs to ArcSight, perform the following.
1. SSH to the HPE 3PAR StoreServ storage system (sstor01-n00). The default IP address is 172.28.6.80.
2. Log in as 3paradm and your password (default 3pardata).
3. Run the following commands to start to send events to the Logger
sstor01 cli% setsys RemoteSyslog 1
sstor01 cli% setsys RemoteSyslogHost 172.28.8.1
4. It might take a few minutes for the storage array to send its first event to the HPE ArcSight Logger, but you should see the IP or hostname of
the array registered in Logger in Configuration Devices. Change the name of the imported device to the hostname of the array,
for example sstor01, and add it to the appropriate device group. Please refer to the Viewing and Editing Devices in Logger section for more
information on how to do this.
HPE 3PAR Service Processor
There is currently no option on the HPE 3PAR Service Processor to forward syslog to Logger.
HPE OneView
To configure HPE OneView to send log messages to Logger, you will have to do it via its REST API. Perform the following steps:
1. Install a REST client on a jump station or installation computer. In this sample Google Chrome's Postman is used.
2. Generate a sessionID to OneView.
a. Select POST and enter https://oneview.sdnsdomain.net/rest/login-sessions.
b. Set Authorization to No Auth.
c. On the Headers, create:
Accept = application/json
Content-Type = application/json
d. On the Body, select raw and enter the value for the OneView administrator login:
{"userName":"administrator",
"password":"Password!234"}
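The same login exchange carried out from a script instead of a REST client, as an added example that is not part of the white paper or of HPE's own tooling. Beyond what this page shows, it assumes the sessionID response field, the Auth request header and the X-API-Version header documented for the OneView REST API, a /rest/version call standing in for whatever configuration request follows the login, and a constructed in-memory appliance so the flow runs offline. A real run passes the exported appliance CA certificate as ca_bundle rather than turning certificate checking off, and the session is released with a DELETE when the work is done so the token cannot be reused.

```python
"""Added example, not from the white paper or HPE: obtain a OneView session ID
over the REST API, reuse it on later calls, and release it when done."""
import json
import os
import ssl
import urllib.request

ONEVIEW_URL = "https://oneview.sdnsdomain.net"  # appliance address used in the paper
API_VERSION = "200"  # assumption: an X-API-Version value the appliance accepts


class OneViewSession:
    def __init__(self, base_url, ca_bundle=None, transport=None):
        self.base_url = base_url.rstrip("/")
        self.session_id = None
        # Verify the appliance certificate against the exported appliance CA
        # instead of disabling checking.
        self._ctx = ssl.create_default_context(cafile=ca_bundle)
        # transport(method, url, headers, body) -> (status, body_bytes); injectable for tests
        self._send = transport or self._https

    def _https(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return resp.status, resp.read()

    def _headers(self):
        h = {"Accept": "application/json", "Content-Type": "application/json",
             "X-API-Version": API_VERSION}  # Accept and Content-Type as in the paper
        if self.session_id:
            h["Auth"] = self.session_id  # assumption: OneView expects the token in 'Auth'
        return h

    def login(self, user, password):
        body = json.dumps({"userName": user, "password": password}).encode()
        status, raw = self._send("POST", self.base_url + "/rest/login-sessions",
                                 self._headers(), body)
        if status != 200:
            raise RuntimeError(f"OneView login failed: HTTP {status}")
        self.session_id = json.loads(raw)["sessionID"]  # assumption: response field name
        return self.session_id

    def get(self, path):
        if not self.session_id:
            raise RuntimeError("not logged in")
        status, raw = self._send("GET", self.base_url + path, self._headers(), None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return json.loads(raw)

    def logout(self):
        # DELETE on the same resource ends the session so the token cannot be reused.
        if self.session_id:
            self._send("DELETE", self.base_url + "/rest/login-sessions", self._headers(), None)
            self.session_id = None


class FakeOneView:
    """Constructed stand-in for the appliance so the flow runs offline."""
    TOKEN = "constructed-session-token"

    def __init__(self):
        self.calls = []  # (method, url, headers, body) of every request seen

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if method == "POST" and url.endswith("/rest/login-sessions"):
            creds = json.loads(body)
            if creds.get("userName") and creds.get("password"):
                return 200, json.dumps({"sessionID": self.TOKEN}).encode()
            return 400, b'{"message": "missing credentials"}'
        if headers.get("Auth") != self.TOKEN:
            return 401, b'{"message": "no valid session"}'
        if method == "GET" and url.endswith("/rest/version"):
            return 200, b'{"currentVersion": 200}'
        if method == "DELETE" and url.endswith("/rest/login-sessions"):
            return 204, b""
        return 404, b""


def demo():
    """Login, one authenticated call, logout; returns what a check can inspect."""
    fake = FakeOneView()
    ov = OneViewSession(ONEVIEW_URL, transport=fake)
    # Read the administrator password from the environment in real runs; the
    # paper's default is used here only so the offline demo is self-contained.
    sid = ov.login("administrator", os.environ.get("ONEVIEW_PASSWORD", "Password!234"))
    version = ov.get("/rest/version")["currentVersion"]
    ov.logout()
    return sid, version, ov.session_id, fake.calls


if __name__ == "__main__":
    print(demo()[:3])
```

With a real appliance, construct OneViewSession(ONEVIEW_URL, ca_bundle="oneview-ca.pem") and leave transport unset; the session ID returned by login() is what the remaining OneView REST calls carry in their Auth header.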
HPE CloudSystem
Described here are sample configurations to forward system logs from the HPE CloudSystem virtual machines.
HPE CloudSystem Virtual Machines (Native Syslog Forwarder)
HPE CloudSystem consists of 13 VMs. All VMs are running the hLinux operating system. The following steps configure the primary
management server, cs9-mgmt (ma1), to send log messages to Logger.
1. Log into the VM as the cloudadmin user; the default password is also cloudadmin.
2. Enter the following commands
cloudadmin@ma1:~$ sudo -i
root@ma1:~# vi /etc/rsyslog.conf
At the end of the file add the line to send the logs to the ArcSight Logger host using the default ArcSight Logger TCP Receiver port of 515.
Provide the IP address of the ArcSight logger VM.
*.* @@172.28.8.1:515
Restart the rsyslog service
root@ma1:~# service rsyslog restart
3. Verify that you can see the IP or hostname or the cs9-mgmt (ma1) host registered in Logger in the Configuration Devices. Add the
newly added device to the appropriate device group. Keep the default name because renaming the TCP Receiver device might cause
problems with ArcSight receiving log data.
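An added check, not from the white paper: after editing rsyslog.conf on each CloudSystem VM, this script lists every forwarding action in the file and flags any that use UDP or point somewhere other than the Logger TCP Receiver at 172.28.8.1:515. It goes a little beyond the page in that it understands both the legacy @/@@ syntax used above and the RainerScript omfwd form, which the paper does not show; the configuration text is a constructed sample, and treating a top-level action() as applying to all messages is an assumption of the parser.

```python
"""Added example (not from the white paper): parse rsyslog forwarding rules
and flag the ones a Logger deployment should not rely on."""
import re

# Constructed sample configuration: the paper's line plus other forms seen in the field.
SAMPLE_RSYSLOG_CONF = """\
# /etc/rsyslog.conf excerpt (constructed sample)
*.* @@172.28.8.1:515
*.* @172.28.8.1:514
authpriv.* @@(o)172.28.8.1:515
action(type="omfwd" target="172.28.8.1" port="515" protocol="tcp")
local0.* /var/log/local0.log
"""

# Legacy syntax: "<selector> @host[:port]" is UDP, "<selector> @@host[:port]" is TCP;
# an optional "(o)"-style option group may follow the @ signs.
LEGACY = re.compile(
    r'^(?P<selector>\S+)\s+@(?P<tcp>@?)(?:\([^)]*\))?'
    r'(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$')
# RainerScript syntax: action(type="omfwd" target="..." port="..." protocol="...")
RAINER = re.compile(r'action\(\s*type="omfwd"(?P<args>[^)]*)\)')


def parse_forwarding(conf_text):
    """Return one dict per forwarding action: selector, proto, host, port."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LEGACY.match(line)
        if m:
            rules.append({"selector": m["selector"],
                          "proto": "tcp" if m["tcp"] else "udp",
                          "host": m["host"], "port": int(m["port"] or 514)})
            continue
        m = RAINER.search(line)
        if m:
            kv = dict(re.findall(r'(\w+)="([^"]*)"', m["args"]))
            # Assumption: a top-level action() outside any if-block applies to all messages.
            rules.append({"selector": "*.*",
                          "proto": kv.get("protocol", "udp").lower(),
                          "host": kv.get("target"), "port": int(kv.get("port", "514"))})
    return rules


def audit(rules, logger_host, tcp_port):
    """Flag rules that miss the expected Logger destination or use UDP, which
    gives no delivery feedback and so can drop events without any trace."""
    findings = []
    for r in rules:
        where = f"{r['selector']} -> {r['proto']}://{r['host']}:{r['port']}"
        if r["host"] != logger_host:
            findings.append(f"{where}: forwards to an unexpected host")
        if r["proto"] == "udp":
            findings.append(f"{where}: UDP forwarding can silently drop events")
        elif r["port"] != tcp_port:
            findings.append(f"{where}: TCP port differs from the Logger TCP Receiver ({tcp_port})")
    return findings


if __name__ == "__main__":
    found = parse_forwarding(SAMPLE_RSYSLOG_CONF)
    for issue in audit(found, "172.28.8.1", 515):
        print(issue)
```

Run it against the real file with parse_forwarding(open("/etc/rsyslog.conf").read()); an empty findings list means every forwarding rule targets the Logger TCP Receiver the paper configures.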
1. Log into the VM as the cloudadmin user, default password is also cloudadmin.
2. Upload the ArcSight-xxxx-Connector-Linux64.bin installer to the /tmp directory.
3. Run the installer as root user:
cloudadmin@ua1:~$ sudo -i
root@ua1:~# cd /tmp
root@ua1:~# chmod +x ./ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin
root@ua1:/tmp# ./ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin
4. On the installer, use the defaults.
5. Configure the SmartAgent by running runagentsetup.sh
root@ua1:~# cd /root/ArcSightSmartConnectors/current/bin
root@ua1:~/ArcSightSmartConnectors/current/bin# ./runagentsetup.sh
6. On the Connector Setup
a. Select 0 – Add a Connector
b. Type = 128 – Syslog File (Enter N to scroll on the menu selection)
File Absolute Path Name = /var/log/syslog
Reading Events = 0 – batch
Action Upon Reaching EOF = 0 – None
File Extension If Rename Action = processed
c. Destination = 1- ArcSight Logger SmartMessage (encrypted)
d. On the destination parameters
Hostname/IP = 172.28.8.1
Port = 443
Receiver Name = SmartMessage Receiver
Compressed = Disabled
e. On the connector details, provide the Name “Linux-Connector” and leave the rest of the fields blank if using defaults.
f. Import the certificate of the destination to the connector. It may take around 2-3 minutes to complete.
g. Install the connector as a service.
h. On the service parameters
Service Internal Name = arc_linux
Service Display Name = ArcSight Linux Syslog Service
Start the service automatically = Yes
i. Exit the installer.
7. Run ArcSight SmartConnectors to register.
root@ua1:~# cd /root/ArcSightSmartConnectors/current/bin
root@ua1:~/ArcSightSmartConnectors/current/bin# ./arcsight -quiet agents
8. After a minute, verify in the ArcSight Logger's Devices list that you can see the IP or hostname of the cs-update1 host. Change the name of
the imported device to the hostname of the host and add it to the appropriate device group. Please refer to the Viewing and
Editing Devices in Logger section for more information on how to do this.
5. Change the Name field to the name you would like; in this example we change it to snetsw and select Save. Do the same name change
of ssan01 to ssansw. The sample shown in Figure 21 has both the snet Ethernet and the ssan Fibre Channel switches renamed.
6. If the devices are configured correctly to forward their events to ArcSight Logger, the device IP addresses will show up on the Summary tab
as shown on Figure 22.
Figure 22. ArcSight Logger summary tab of devices that are forwarding events
ESM is used to selectively aggregate Logger data from each organization as well as to monitor a high-value client not belonging to any
organization. Logger can forward all events, or only those of selected clients, to a centralized ESM server. In addition, Logger could be
bypassed entirely for high-value monitored hosts such as the WIN-A and RHEL-B servers shown in Figure 23.
Logger accepts log entries forwarded via UDP, TCP, and SmartMessage; ESM, on the other hand, is limited to TCP. In this implementation, we will
configure a simple setup in which Logger forwards selected event logs to ESM, plus a high-value client that forwards directly to ESM
instead of Logger.
Figure 23 (diagram): ORGANIZATION A and ORGANIZATION B, each with an ArcSight Connector (smgmt01-A, smgmt01-B), the hosts scs01-A, cs9-mgmt-A, WIN-A, RHEL-B, scs01-B and cs9-mgmt-B, the Loggers logger-A.sdnsdomain.net and logger-B.sdnsdomain.net, and the central esm.sdnsdomain.net.
Note
The usual location for uploading ISO images and files on CS700 is on the sms01-localdatastore under the HPCS_Software folder. You
could upload the RHEL 6.6 ISO image to the same location.
3. Create a RHEL 6.6 VM with the following specifications (minimum required for ESM).
a. Assign 100GB for the OS out of the 2TB datastore.
b. 8 cores of CPU and 36GB RAM
c. Mount the ISO image from the datastore to the CD-ROM drive.
4. Power on the VM and install with the following configurations:
a. Configure the networking during the installation.
IP address = 172.28.8.2
Netmask = 255.255.240.0
Gateway = 172.28.15.254
Primary DNS = 172.28.10.10
b. Install with the Basic Server option. Include the X Window system package on the custom options.
5. (OPTIONAL) Install VMware Tools.
6. Shut down the VM and add a second 1TB hard disk mounted to /opt/arcsight. Follow the same steps for mounting a second hard disk
performed on Logger.
7. Follow the steps in the ESM install guide for installing from the console.
a. Upload the following files to the /tmp directory
ArcSightESMSuite-6.8.0.xxxx.x.tar file,
ArcSight ESM license ZIP
Time zone package file tzdata-2015f-1.el6.noarch.rpm (or newer version if available)
b. Verify that TCP ports 8443, 9443, and 9000 are open. Run the command:
grep -w <PORT_NUMBER> /etc/services
c. Install the time zone package rpm file and set up /etc/localtime to link to the valid time zone.
rpm -Uhv /tmp/tzdata-2015f-1.el6.noarch.rpm
d. Create the arcsight user and assign the password Password!234.
e. Increase the user process limit by editing the /etc/security/limits.d/90-nproc.conf file.
f. Untar the ESM file and run the installer as the arcsight user. Select the defaults on the installer options.
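Looking a number up in /etc/services only confirms that a service name is mapped to it; whether a listener is actually up and reachable through iptables on the ESM host is a separate question. The following added example (not from the white paper) answers that question with a TCP connect to each of the ports named in step 7b, and its demo function stands up a local listener so the check can be run anywhere; the host 172.28.8.2 and the ports are the paper's, the ephemeral local ports are constructed for the demo.

```python
"""Added example (not from the white paper): confirm that the ESM TCP ports are
really reachable instead of only looking their names up in /etc/services."""
import socket

ESM_HOST = "172.28.8.2"         # ESM address from the paper
ESM_PORTS = (8443, 9443, 9000)  # ports the paper says must be open


def check_tcp_ports(host, ports, timeout=2.0):
    """Return {port: True|False}; True means a TCP connect succeeded, i.e. a
    process is listening and no host firewall (iptables) blocked the path."""
    status = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                status[port] = True
        except OSError:
            status[port] = False
    return status


def missing_ports(host, ports, timeout=2.0):
    """Ports that still need a listener or a firewall rule, in the order given."""
    status = check_tcp_ports(host, ports, timeout)
    return [p for p in ports if not status[p]]


def demo():
    """Offline run against one local listener and one port known to be closed.
    Returns (open port reachable, closed port reachable, missing list correct)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port any more

    try:
        status = check_tcp_ports("127.0.0.1", (open_port, closed_port))
        missing = missing_ports("127.0.0.1", (open_port, closed_port))
        return status[open_port], status[closed_port], missing == [closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    # Run from the installation computer after the ESM firewall rules are in place.
    for port, ok in check_tcp_ports(ESM_HOST, ESM_PORTS).items():
        print(f"{ESM_HOST}:{port} {'reachable' if ok else 'NOT reachable'}")
```

Run it once from the ESM host itself against 127.0.0.1 (a listener is up) and once from the installation computer (the path through iptables is open); a port that passes the first run and fails the second points at the firewall, which is what the Note under step 10 also describes.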
8. After a successful install, run the First Boot Wizard.
a. Run the command:
/opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
b. You will provide the Language Options, CORR-Engine Password, storage sizes (use defaults), notification emails, filename and location
of the license ZIP file on /tmp, ESM IP instead of hostname.
c. Once you reach the option to install additional foundation packages, you can select your preferred options. In our case, select options
4, 6, 9, 10.
4- Configuration Monitoring
6- Intrusion Monitoring
9- Network Monitoring
10- Workflow
9. After a successful first boot wizard, start ESM as root user by running the command:
[root@esm tmp]# /opt/arcsight/manager/bin/setup_services.sh
10. Open a browser from the installation computer and point it to the ArcSight ESM command center URL of https://172.28.8.2:8443 as shown
on Figure 24.
Note
If the page does not load, you may need to either disable the firewall or provide access to port 8443 on the iptables configuration.
The ESM console is a thick client in a separate exe or bin file from the ESM Suite tar file deployed earlier. In our case install the Windows
executable ArcSight-xxxx-Console-Win.exe on the installation computer of the CS700. During the installation:
1. Get the ESM web certificate by following the same steps used on the VMware vSphere Web Services.
a. On the installation computer of the CS700, point the browser to the ESM URL of https://172.28.8.2.
b. Get the ESM web certificate and save it locally with the filename esmcert.cer.
2. Point the browser to Logger’s URL of https://172.28.8.1
3. Go to Configuration Data Certificates.
4. Select the Add button.
5. Specify a Certificate Alias of cs700-esm
6. Select Choose File and browse for the ESM certificate file
7. Select Save.
1. Launch the ESM Console application from the CS700 installation computer.
2. Log in as the admin user, with the Manager field set to the ESM IP address of 172.28.8.2.
3. After creating the destination, log in to the ESM Console and verify that ESMconnector is registered. Figure 29 shows the running
ESMconnector that was just created.
2. Look for ESMconnector, right-click on it, and select Create Channel with Filter as shown on Figure 32.
3. After you have created the channel, the page will refresh and show the new active channel as shown on Figure 33.
The following are the steps to forward event log entries directly to ESM using SmartConnector.
1. Copy ArcSight-xxxx-Connector-Win64.exe to the VM.
2. Log into one of the troubleshooting VMs, tsvm02, via Remote Desktop or vCenter console as Administrator user (default password is
Password!234).
3. Run the installer executable and use the defaults.
4. On the Connector Setup.
a. Select Add a Connector
b. Type = Microsoft Windows Event Log – Native
c. Keep the default values for Configure Parameters, Security, System, and Application logs selected.
d. Destination = ArcSight Manager (encrypted)
e. On the destination parameters.
Manager Hostname = 172.28.8.2
Port = 8443
User = admin
Password = Password!234
AUP Master Destination = False
Filter Out All Events = False
Enable Demo CA = False
f. On the connector details, provide the Name tsvm02-Connector and leave the rest of the fields blank if using defaults.
g. Import the certificate of the destination to the connector. It may take around 3 minutes to complete.
h. Install the connector as a service.
i. On the service parameters.
Service Internal Name = arc_winc
Service Display Name = ArcSight Microsoft Windows Event Log – Native
Start the service automatically = Yes
j. Exit the installer when finished.
5. Log into the ESM Console. You should be able to see tsvm02-Connector show up in the list of active Connectors.
Note
If you don’t see the connector registered on ESM, manually restart the connector from the client. Follow the same steps for restarting as
described on Step 5 of the HPE CS700 Troubleshooting VMs section.
Summary
HPE ArcSight Logger is an event data storage appliance that is optimized for extremely high event throughput. Logger stores security events
onboard in compressed form, but can always retrieve unmodified events on demand for forensics-quality litigation data. Logger can be deployed
stand-alone to receive events from syslog messages or log files, or to receive events in Common Event Format from SmartConnectors. Logger
can forward selected events as syslog messages to Enterprise Security Manager (ESM). Multiple Loggers work together to scale up to support
high-sustained input rates. Event queries are distributed across a peer network of Loggers.
HPE ConvergedSystem 700 (CS700) is a blade-based scalable virtualization solution for enterprise organizations. CS700 is designed for ease of
use and simplicity to help businesses quickly harness the full potential of virtualization. It is a pre-integrated, pre-configured and modular system
providing a secure and reliable turn-key data center in a box experience. HPE Helion CloudSystem (CS) is an open, fully integrated, IaaS and
PaaS enterprise cloud offering. It delivers an enterprise private cloud in HPE Converged Infrastructure environments such as the CS700.
In this document we have shown how to deploy HPE ArcSight Logger on a CS700 environment with CloudSystem software. HPE ArcSight
Logger provides the required security analytics to identify and prioritize threats in real time and remediate incidents early. Using HPE ArcSight
Logger creates a central repository for security and event logging of customer cloud environments. Multiple organizations can attach their
respective ArcSight Logger instances to a higher level using HPE ArcSight ESM or a centralized ArcSight Logger instance. This type of security
offering enables shared responsibility and ownership of SIEM solutions between the cloud consumer and cloud provider on a CS700 with
CloudSystem software.
HPE Servers
hpe.com/servers
HPE Storage
hpe.com/storage
HPE Networking
hpe.com/networking
Learn more at
http://www8.hp.com/us/en/software-solutions/enterprise-security.html
Cloud Foundry is a trademark and/or registered trademark of Pivotal Software, Inc. in the United States and/or other countries. Microsoft,
Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. Linux is the registered trademark of
Linus Torvalds in the U.S. and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or
other jurisdictions. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other countries. Oracle is a registered trademark of
Oracle and/or its affiliates.