HPE Integration Guide for ArcSight Logger on ConvergedSystem 700 2.0 with Helion CloudSystem

Technical white paper

Contents
Executive summary (p. 4)
Solution overview (p. 4)
HPE ArcSight (p. 4)
HPE ConvergedSystem 700 (p. 5)
HPE Helion CloudSystem (p. 6)
Assumptions (p. 7)
Overview: HPE ArcSight security solution for HPE ConvergedSystem 700 (p. 7)
Deploying the ArcSight Logger appliance (p. 7)
Storage and server requirements (p. 7)
Create new datastore for HPE ArcSight Logger (p. 8)
Importing the ArcSight Logger VMware virtual machine image (p. 10)
Adding the second hard disk to the Logger VM (p. 11)
Power on the Logger VM (p. 12)
Configure the Logger VM (p. 13)
Pre-installation steps (p. 13)
Mount the second hard disk (p. 14)
Install ArcSight Logger (p. 15)
Connect to Logger and change the admin user password (p. 16)
Configure Device Groups, Storage Groups, and Storage Rules (p. 17)
Create Device Groups (p. 17)
Verify Storage Volume Size (p. 18)
Create Storage Groups (p. 19)
Create Storage Rules (p. 20)
Edit and create additional receivers (p. 21)
Add DNS entries for ArcSight (p. 22)
About forwarding events to ArcSight Logger (p. 23)
Sending events to HPE ArcSight Logger without Connectors (p. 23)
Sending events to HPE ArcSight Logger using Connectors (p. 24)
Forwarding ConvergedSystem 700 component events to ArcSight Logger (p. 24)
Networking (p. 24)
VMware (p. 26)
HPE 3PAR (p. 30)
HPE OneView (p. 30)
HPE Insight Control Server Provisioning (p. 33)
HPE CS700 troubleshooting VMs (tsvm) (p. 33)
HPE CloudSystem (p. 34)
Viewing and editing devices in Logger (p. 36)
HPE ArcSight ESM integration (p. 38)
Deploying ArcSight ESM VM (p. 39)
HPE ArcSight ESM Console (p. 41)
Forwarding events from Logger to ESM (p. 42)
Forwarding events from a client to ESM (p. 47)
Summary (p. 49)
Resources and additional links (p. 50)
Executive summary
Organizations face threats that can disrupt operations and critical IT services. HPE ArcSight products provide the security analytics needed to
identify and prioritize threats in real time and to remediate incidents early. This document describes how to configure HPE ArcSight Logger and
HPE ArcSight Enterprise Security Manager to protect and monitor the virtualized infrastructure of an HPE ConvergedSystem 700 (CS700). It also
shows how HPE ArcSight products can monitor HPE Helion CloudSystem (CS) resources, which are an option for the CS700 platform.
Target audience: The intended audience of this white paper is system integrators, installers, and administrators who want to deploy cloud
environment security using HPE ArcSight on HPE ConvergedSystem 700 with HPE Helion CloudSystem.

Solution overview
This section provides an overview of the various software components of HPE ArcSight that are used to provide security and monitoring of an
HPE ConvergedSystem 700 with HPE Helion CloudSystem.

HPE ArcSight
HPE ArcSight is one of the pillars of the HPE enterprise software security portfolio along with HPE Fortify and HPE Data Security & Encryption
products such as HPE Voltage and HPE Enterprise Secure Key Manager (ESKM). The following is a brief overview of the different components of
the HPE ArcSight software offering: HPE ArcSight Logger (Logger), HPE ArcSight Enterprise Security Manager (ESM), and HPE ArcSight
Connector (Connector).
HPE ArcSight Logger
With HPE ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts
that prevent insider and advanced persistent threats. This universal log management solution collects machine data from any log-generating
source and unifies the data for searching, indexing, reporting, analysis, and retention. In the age of Bring Your Own Device (BYOD) and mobility, it
enables you to comprehensively manage an increasing volume of log data from an increasing number of sources.

Key features
• Collect logs from any log generating source through 350+ connectors from any device and in any format
• Unify data across IT through normalization and categorization into the Common Event Format (CEF®)
• Search through millions of events using a text-based search tool with a simple interface
• Store years' worth of logs and events in a unified format through a high compression ratio at low cost
• Automate analysis, alerting, reporting, intelligence of logs and events for IT security, IT operations, IT Governance Risk Management and
Compliance (GRC), and log analytics

HPE ArcSight Enterprise Security Manager


HPE ArcSight Enterprise Security Manager is the premiere security event manager that analyzes and correlates every operational event (login,
logoff, file access, database query), or other events in order to support your IT team in every aspect of security event monitoring, from
compliance and risk management to security intelligence and operations. The HPE ArcSight ESM event log monitor sifts through millions of log
records to find the targeted critical events, and presents them in real time via dashboards, notifications, and reports, so you can accurately
prioritize security risks and compliance violations.

Key benefits:
• A cost-effective solution for all your regulatory compliance needs
• Automated log collection and archiving
• Fraud and real-time threat detection
• Forensic analysis capabilities for cyber security
HPE ArcSight Connectors


HPE ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the HPE ArcSight Security
Information & Event Management (SIEM) platform can collect log records in native formats, HPE ArcSight Connectors provide normalization to a
common format, which greatly improves reporting and analysis. By normalizing all events into one common event taxonomy, HPE ArcSight
Connectors decouple analysis from vendor selection. This approach has four significant advantages:
• Centrally manage 350+ Connectors through HPE ArcSight Connector Appliance (ConApp)
HPE ArcSight Connector Appliance manages the ongoing updates, upgrades, configuration changes and administration of a distributed log
collection deployment through a simple and centralized web-based interface. ConApp can be deployed both as an appliance and software.
• Future proofing
If a Cisco router is swapped for an HPE router or if a new SQL database or Hadoop solution is added to a network that previously only had
Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity.
• Ease of analysis
HPE ArcSight CEF eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-
technical line of business users can easily conduct analysis on their own, reducing the burden on IT.
• Universal content relevance
With the HPE ArcSight normalized format, a report that shows “authentication failures” will cover every system automatically, even though one
application may refer to authentication failures with a specific event ID while a database refers to the same as an “unsuccessful login.”
This unique architecture is supported across hundreds of commercial products out-of-the-box as well as legacy systems. HPE ArcSight
Connectors also offer various audit quality controls including secure, reliable transmission and bandwidth controls. In addition to software-
based deployments, HPE ArcSight Connectors are available in a range of plug-and-play appliances that can cost-effectively scale from small
store or branch office locations to large data centers. ConApp enables rapid deployment and eliminates delays associated with hardware
selection, procurement and testing.

Sending events to HPE ArcSight Logger using Connectors


HPE ArcSight Connectors can be installed on CS700 and CS virtual machines to collect operating system event information. This information is
converted to the standard CEF format at each host by the HPE ArcSight Connector. Log events are collected by the HPE ArcSight Connectors
and sent to a SmartMessage Receiver configured on the Logger. Figure 1 illustrates log data being sent from the CS700 and CS nodes to the
Logger's UDP, TCP, and SmartMessage receivers.

HPE ConvergedSystem 700


While many data centers are using virtualization, decision-makers may still need to address a broad range of challenges, including the following:
• Time, resources, and effort required to deploy a complete solution
• Proliferation of management tools
• Security issues
• Difficulties scaling
• Difficulties extending to the cloud

CS700 is designed to address these challenges through a portfolio of precision-tuned converged systems that help deliver the fastest path to
agile, efficient virtualized application solutions.

Key benefits of CS700 include the following:


• Provides a pre-engineered and validated system that is optimized for today’s most challenging workloads
• One infrastructure management platform to simplify everyday tasks and free up IT resources
• Pre-integrated and tested system to reduce onsite deployment activities and free up IT admin resources
• Reduces risk by proactively preventing issues and maintaining peak performance
• Cloud compatibility allows customers to upgrade easily to cloud with confidence

HPE ArcSight can protect CS700 components such as network switches, SAN switches, VMware® ESXi management hosts, HPE OneView, and
troubleshooting VMs. Figure 1 shows how system log events are forwarded to Logger via UDP, TCP or SmartMessage Connectors.
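The UDP path in Figure 1 carries syslog-framed records, and the Connectors normalize what they collect into CEF. The following is an added example, not code from this white paper or from the ArcSight product: it builds a CEF record with correct header and extension escaping, parses one back (including the syslog header that the Logger's UDP receiver sees), and can transmit it to the receiver. The target hostname logger.sdnsdomain.net and port 514 are taken from the labels in Figure 1; the event class ID, host names and field values are constructed for the example.

```python
"""Build, parse and ship a CEF event over UDP syslog to an ArcSight Logger receiver.

Added example (not HPE's code). Assumes the Logger hostname and receiver port
labelled in Figure 1 (logger.sdnsdomain.net, UDP/514); change them for your site.
"""
import re
import socket
import sys
from datetime import datetime

LOGGER_HOST = "logger.sdnsdomain.net"   # from Figure 1 (assumed for this example)
LOGGER_UDP_PORT = 514                   # "UDP Receiver 1 (UDP/514)" in Figure 1

# CEF header fields escape '\' and '|'; extension values escape '\', '=' and newlines.
def _esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def cef_event(vendor, product, version, class_id, name, severity, **extension):
    """Return one CEF:0 record. Severity must be 0-10 per the CEF specification."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, class_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"

def _split_header(text, limit=7):
    """Split the first `limit` pipe-delimited header fields, honouring backslash escapes.
    Returns (fields, remainder); the remainder is the unparsed extension string."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < limit:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, text[i:]

def _unesc_ext(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

# An extension key starts the string or follows a space and is immediately followed by '='.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")
_HEADER_NAMES = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

def parse_cef(line):
    """Parse a CEF record (optionally preceded by a syslog header) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    fields, ext = _split_header(line[start:])
    if len(fields) != 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    event = dict(zip(_HEADER_NAMES, fields))
    event["version"] = event["version"][len("CEF:"):]
    keys = list(_KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[m.group(1)] = _unesc_ext(ext[m.end():end])
    return event

def syslog_frame(cef_line, hostname, facility=1, severity=6, when=None):
    """Prefix a CEF record with a BSD syslog (RFC 3164) header: <PRI>TIMESTAMP HOST MSG."""
    when = when or datetime.now()
    pri = facility * 8 + severity                          # facility 1 = user, severity 6 = info
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"     # day is space-padded per RFC 3164
    return f"<{pri}>{stamp} {hostname} {cef_line}"

def send_udp(frame, host=LOGGER_HOST, port=LOGGER_UDP_PORT):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(frame.encode("utf-8"), (host, port))

if __name__ == "__main__":
    # Constructed sample event: a failed admin login reported by a CS700 management VM.
    record = cef_event("HPE", "ConvergedSystem 700", "2.0", "AUTH-001",
                       "Admin login failed", 7,
                       src="10.10.1.25", suser="administrator",
                       dhost="smgmt01.sdnsdomain.net",
                       msg="password check failed: reason=bad_password")
    frame = syslog_frame(record, hostname="smgmt01")
    print(frame)
    if "--send" in sys.argv:                 # only transmit when explicitly asked
        send_udp(frame)
```

Run it without arguments to see the framed record, and with `--send` to deliver it to the receiver; the event then shows up in Logger's search as a CEF event from the hostname in the syslog header. The escaping rules matter for detection content downstream: an unescaped `|` in a header field or `=` in an extension value shifts every later field, so a rule keyed on `deviceEventClassId` or `suser` silently stops matching.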

HPE Helion CloudSystem


HPE Helion CloudSystem is the industry’s most complete, fully-integrated, end-to-end private cloud solution, delivering automation,
orchestration, and control across multiple clouds. Over 3,000 customers, worldwide, are using HPE Helion CloudSystem today for quickly
deploying IT services, managing or developing applications, streamlining operations, and more. From basic infrastructure cloud services to the
most advanced application cloud services, HPE Helion CloudSystem offers enterprises and service providers a clear path to hybrid cloud.

With the incorporation of HPE Helion OpenStack and the HPE Helion Development Platform (HDP) into the new HPE Helion CloudSystem 9.0.1
offering, we’ve integrated a more complete OpenStack based software offering directly into the product and added Cloud Foundry® technology
allowing you to create a modern developer environment in which to develop and deploy cloud native applications. HPE Helion CloudSystem
works in a heterogeneous environment and includes hybrid cloud management software, and based on the customer’s unique needs may also
include servers, storage and networking, combined with installation services, making it even more efficient to deploy a private cloud.
As shown in Figure 1, HPE ArcSight Connectors can be installed on HPE Helion CloudSystem infrastructure virtual machines such as cs9-mgmt
and cs-update1. The Connectors then forward system logs and events to Logger for centralized monitoring.

[Figure 1: network diagram. Hosts shown (all in sdnsdomain.net): cs9-mgmt, cs-update1, tsvm01, win01, rhel01, smgmt01, scs01, sms01, svsr01,
ssan01, snoobm01, se-oa1, snet01, logger, and esm, connected through HP 5820X Series (JG219A) and HP A5800 Series (JG225A) switches.
Event paths labelled: ArcSight Connector CSE-SC (TCP/443), UDP Receiver 1 (UDP/514), Logger2ESM (TCP/8443).]
Figure 1. HPE ArcSight Connectors and native connectors forwarding events to the HPE ArcSight Logger
Assumptions
Security in any production environment is extremely important, especially in a cloud environment. However, the focus of this document is on the
fundamentals of deploying cloud security software to monitor an IT infrastructure. Basic security (credentials and security keys) is touched upon,
but the reader is advised to consult other sources for security recommendations and details.

Error handling, like security, is another important topic in any cloud deployment. This integration guide does not implement extensive error
handling in order to focus on the solution, rather than protect from the variety of failure modes. A production deployment should consider
implementing additional error handling to ensure a robust solution.

This implementation assumes that the reader has a general understanding of a CS700 environment and its key components such as HPE
OneView, VMware vSphere Web Client, HPE networking, Cisco networking and HPE 3PAR.

Familiarity with the basics of CS, if it is installed on the CS700, is also necessary. Forwarding the event logs of the CS management virtual machines
is covered in this integration guide. Configuring CS components such as Cloud Service Automation, Operations Orchestration, and CloudSystem
Foundation to forward event logs is outside the scope of this document.

It is assumed that a CS700 solution has been deployed, configured, and is working. The same goes for CS if it is part of the CS700 delivery. Table
1 lists the software version configured for this integration guide.
Table 1. Software components version used in this implementation

Component                                    Version
HPE ArcSight Logger                          HPE ArcSight Logger 6.1
HPE ArcSight Enterprise Security Manager     HPE ArcSight ESM 6.8c
HPE ArcSight Console                         HPE ArcSight Console 6.8 (Microsoft® Windows® or Linux®)
HPE ArcSight SmartConnector                  HPE ArcSight Connector 7.1.7 (Windows or Linux)
HPE ConvergedSystem 700                      HPE CS700 2.0
HPE CloudSystem                              HPE CS 9.0.1

Overview: HPE ArcSight security solution for HPE ConvergedSystem 700


This document describes how to deploy Logger and ESM to monitor CS700 with CS. The following are the topics covered for the
implementation.
1. Deploy the Logger appliance VM on the CS700 management host cluster.
2. Set up Logger’s device groups, storage groups, and rules based on the CS700 configuration, i.e., number of enclosures, switches, and compute
hosts, etc.
3. Configure CS700 and CS components to forward system log events to Logger via UDP, TCP, and ArcSight SmartMessage Connector.
4. Integrate ESM into the solution for Logger to forward aggregated events and logs
After these steps are complete, the application will be available for business users to monitor CS700 and CS using the HPE ArcSight Console or
HPE ArcSight Command Center.

Deploying the ArcSight Logger appliance


There are different ways to create an HPE ArcSight Logger appliance. This integration guide provides the steps required to create the necessary
components and deploy Logger from the VMware OVA template.

Storage and server requirements


The information below defines the requirements for HPE ArcSight Logger 6.1. If you plan to use a different version, refer to the HPE ArcSight
Logger Administrators Guide or Release Notes for the supported OS types and system configurations for the version of Logger you need to
deploy.
Supported operating systems:


1. For Logger appliances:
a. Red Hat® Enterprise Linux® (RHEL) version 6.6
b. For older LX400 series models only, RHEL 5.5
2. For Software Loggers:
a. Red Hat Enterprise Linux (RHEL) versions 6.6 and 7.1 (64-bit)
b. CentOS version 7.1 (64-bit)
3. For Logger on VMware VM:
a. CentOS version 7.1 (64-bit)
CPU, memory, and disk space:
1. Downloadable Version and VM instances:
a. CPU: 1 or 2 x Intel® Xeon® Quad Core or equivalent
b. Memory: 4 - 12 GB (12 GB is recommended)
c. Free Disk Space: 10 GB:
I. Minimum free space for the Logger installation directory
II. Temp directory: 1GB
III. For example, if using RHEL 6.6, allocate at least 16GB total disk space with the OS.
2. For the Enterprise Version:
a. CPU: 2 x Intel Xeon Quad Core or equivalent
b. Memory: 12 - 24 GB (24 GB is recommended)
c. Disk Space: 65 GB (minimum):
I. Root partition: 40 GB (minimum)
II. Temp directory: 1GB

Notes
1. The disk space needs to be on the partition where you will install the Logger software.
2. Using NFS as primary storage for events on the software Logger is not recommended.
3. Make sure no other applications are running on the system on which you install Logger.
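Before importing the OVA, a quick check that the target VM meets the Logger 6.1 minimums above avoids a failed install. The following is an added example, not code from this white paper or from HPE: it encodes the VM-instance minimums listed (four cores for one quad-core Xeon, 4 GB RAM with 12 GB recommended, 10 GB free on the partition holding the install directory, 1 GB free in the temp directory) and reads the live host. The install directory /opt/arcsight/logger and temp directory /tmp are assumed defaults, not values from this document; pass your own.

```python
"""Pre-flight check of a VM against the Logger 6.1 software/VM requirements listed above.

Added example (not HPE's code). The install and temp directory defaults are assumptions;
run it on the CentOS 7.1 VM before installing Logger and pass your actual paths.
"""
import os
import shutil

MIN_CPUS = 4              # "1 or 2 x Intel Xeon Quad Core or equivalent"
MIN_MEM_GB, REC_MEM_GB = 4, 12
MIN_INSTALL_FREE_GB = 10  # free space on the partition of the Logger installation directory
MIN_TMP_FREE_GB = 1       # temp directory

def check_requirements(cpus, mem_gb, install_free_gb, tmp_free_gb):
    """Return a list of (level, message) findings; an empty list means the host qualifies."""
    findings = []
    if cpus < MIN_CPUS:
        findings.append(("FAIL", f"{cpus} CPU(s) visible; Logger needs at least {MIN_CPUS} cores"))
    if mem_gb < MIN_MEM_GB:
        findings.append(("FAIL", f"{mem_gb:.1f} GB RAM; minimum is {MIN_MEM_GB} GB"))
    elif mem_gb < REC_MEM_GB:
        findings.append(("WARN", f"{mem_gb:.1f} GB RAM; {REC_MEM_GB} GB is recommended"))
    if install_free_gb < MIN_INSTALL_FREE_GB:
        findings.append(("FAIL", f"{install_free_gb:.1f} GB free for the install directory; "
                                 f"need {MIN_INSTALL_FREE_GB} GB"))
    if tmp_free_gb < MIN_TMP_FREE_GB:
        findings.append(("FAIL", f"{tmp_free_gb:.1f} GB free in the temp directory; "
                                 f"need {MIN_TMP_FREE_GB} GB"))
    return findings

def nearest_existing(path):
    """Walk up until a directory exists, so a not-yet-created install directory is
    measured on the partition it will live on (the space has to be on that partition)."""
    path = os.path.abspath(path)
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path

def free_gb(path):
    return shutil.disk_usage(nearest_existing(path)).free / 2**30

def total_mem_gb():
    try:  # Linux/Unix: page size x physical pages
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (AttributeError, ValueError, OSError):
        return 0.0  # unknown platform: reported as a FAIL so nobody assumes it passed

def gather(install_dir="/opt/arcsight/logger", tmp_dir="/tmp"):
    """Collect the four inputs from the running host. The directories are assumed defaults."""
    return os.cpu_count() or 0, total_mem_gb(), free_gb(install_dir), free_gb(tmp_dir)

if __name__ == "__main__":
    findings = check_requirements(*gather())
    for level, message in findings:
        print(f"{level}: {message}")
    print("PASS" if not any(lvl == "FAIL" for lvl, _ in findings)
          else "host does not meet the Logger minimums")
```

A WARN on memory is acceptable for a lab; a FAIL on the install partition is not, because Logger's event storage is configured on that disk later and cannot be grown after the fact.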

Create new datastore for HPE ArcSight Logger


The instructions below describe how to create a new datastore to hold the Logger boot and data disk. It is important to note that this disk can be
as large as 8TB (maximum storage volume size) but cannot be expanded. Therefore you will want to ensure you make it as large as you think
you will need it. In the example below, we will create a 2.2TB datastore to house the data disk vdisk. We will allocate a Logger data virtual disk
itself of 1TB. In this configuration, the maximum size is 2TB for the Logger data disk and the minimum is 40GB.

Notes
1. Although there is free space on the MgmtTPVV1 and MgmtTPVV2 disks, it is reserved for the CS700 solution and for any additional HPE
Reference Architecture deployed on the solution.
2. All instructions assume you have access to a jump station or installation computer with connectivity to the CS700 Solution Management
server (smgmt01).
1. Log into the VMware vSphere Web Client


a. Open a web browser on smgmt01 or a jump station that has connectivity to smgmt01. Point the browser to
https://smgmt01.sdnsdomain.net:9443
b. Log in with the username administrator@vsphere.local and the password as indicated on the Customer Intent Document (CID) or
what you have changed it to since the installation of your CS700. For the rest of the document, we will use the password Password!234
as the default password.
2. Select the Host and Clusters icon on the Home screen.
3. On the left navigation bar expand SMGMT01 > sDatacenter, right-click sMgmtHosts and select All HP Management Actions > HP
Create Datastore.
a. Select sMgmtHosts on the Select location section of the HP Create Datastores window and select Next.
b. On the Select storage section perform the following:
I. Number of datastores: 1
II. Datastore capacity: 1.2 TB
III. Select storage Pool: CPG_MGT
IV. Copy space pool: CPG_MGT
V. Select Next
c. On the Specify names section enter the Datastore name as ArcSightLogger and select Next.
d. On the Validation section, wait for the validator to finish. Once complete it should look similar to Figure 2.

Figure 2. Example validation screen output when creating the new ArcSightLogger Datastore

e. Select Next.
f. Select Finish on the Ready to complete section.

4. It could take a couple of minutes for the task to complete. Once completed, you will see the datastore available for both sms01 and sms02. In
a CS700 with CS9.0.1 installed, you will also see sms03 and/or sms04, as shown in Figure 3.

Figure 3. ArcSightLogger Datastore successfully added to sms01

Importing the ArcSight Logger VMware virtual machine image


The instructions below describe how to import the virtual machine image used for Logger on a CS700 for VMware solution. The steps below are
similar to what is in the HPE ArcSight Logger Installation Guide and just adapted for use on the CS700. Please refer to the HPE ArcSight Logger
Installation Guide for more information about the steps we are performing below.

Note
All instructions assume you have a Remote Desktop Connection to the Solution Management server (smgmt01).

1. Log into the VMware vSphere Web Client:


a. Open a web browser on smgmt01 or a jump station that has connectivity to smgmt01. Point the browser to
https://smgmt01.sdnsdomain.net:9443.
b. Log in with the username administrator@vsphere.local and the password as indicated on the CID or what you have changed it to
since the installation of your HPE CS700. For the rest of the document, we will use the password Password!234 as the default
password.
2. Select the Host and Clusters icon on the Home screen.
3. On the left navigation bar expand SMGMT01 > sDatacenter, right-click sMgmtHosts and select Deploy OVF Template…
a. If you get a warning stating The Client Integration Plug-in must be installed to enable OVF functionality, download the Client
Integration Plug-in. Close the browser, run the executable and follow the instructions to install it.
b. Once finished, relaunch your web browser and repeat steps 1 through 3.
4. In the OVF Template Window perform the following steps:
a. In the Select source section, select Local file and select Browse…
I. Browse to the ArcSight Logger OVA, select it and select Open.
b. Select Next.
c. Select Next on the Review details section.

d. In the Select name and folder section, perform the following:


I. Name: logger
II. Select a folder or datacenter: SMGMT01 > sDataCenter.
III. Select Next.
e. In the Select storage section, perform the following:
I. Select virtual disk format: Thick Provision Lazy Zeroed
II. Select ArcSightLogger datastore.
III. Select Next.
f. In the Setup networks section, select Solution Mgmt Net as the Destination and then select Next.

Note
If CS9 is deployed on the CS700, select DV_Solution_Mgmt_Net as the Destination.

g. Select Finish on the Ready to complete section. Ensure that Power on after deployment is Unchecked.

Figure 4. ArcSightLogger OVF template deployment

Adding the second hard disk to the Logger VM


When we imported the OVA, the virtual disk that was created was for the Logger software. We must now create another virtual disk to store the
Logger data as you cannot use the imported disk for both the Logger software and data.
1. On the left navigation bar right-click the logger VM and select Edit Settings…

2. On the Virtual Hardware tab, toward the bottom select the New Device dropdown and select New Hard Disk.
a. Select the Add button.
b. A New Hard disk option will appear in the hardware list. Set the size to 1 TB and select OK.

Figure 5. Adding a second disk to the ArcSightLogger VM

Power on the Logger VM


1. On the left navigation bar of the Hosts and Clusters view of the VMware vSphere Web Client, expand SMGMT01 > sDatacenter >
sMgmtHosts, right-click logger and select Power On.

Note
If prompted to accept a Power On Recommendation, select the default option or change it to the host you want to power it up on, and select
OK.

2. Open a remote console session to the VM.


a. Go to the Summary tab of the logger VM.
b. Click Download VMRC and install the downloaded bits.
c. After VMRC has installed, click Open with VMRC. A VMware Remote Console session will launch for the logger VM.

Configure the Logger VM


In this section we will configure the Logger VM, install the ArcSight software, and get it ready to start accepting log data from all of the
components in the CS700 and CS. The steps below are similar to what is in the HPE ArcSight Logger Installation Guide and just adapted for use
on the HPE ConvergedSystem 700 2.0 for VMware. Please refer to the HPE ArcSight Logger Installation Guide for more information about the
steps we are performing below.

Pre-installation steps
All instructions assume you have a Remote Desktop Connection to the Solution Management server (smgmt01) or access to it from a jump
station.
1. From the VM console, log in with the username root and the password arcsight.
2. Change the root password to a desired password. We will use Password!234.
[root@logger ~]# passwd
Changing password for user root.
New password: Password!234
Retype new password: Password!234
passwd: all authentication tokens updated successfully.

3. Edit /etc/sysconfig/network and set the values to the following. Set the hostname as logger and the gateway that is applicable to your
solution management network configuration, the default is 172.28.15.254.
NETWORKING=YES
HOSTNAME=logger
GATEWAY=172.28.15.254

Notes
a. If changing from the default hostname of logger, execute hostname <new hostname>, where <new hostname> is the new hostname
of your server.
b. You will also need to update /etc/hosts to replace all occurrences of logger with your new hostname.

4. Edit /etc/resolv.conf with the domain name (default sdnsdomain.net) and solution management DNS server IP address (default
172.28.10.10) in your solution.
search sdnsdomain.net
nameserver 172.28.10.10

5. Edit /etc/sysconfig/network-scripts/ifcfg-ens32 and set the values to the following.

Notes
a. The ArcSight VM comes pre-built with the ifcfg-ens32 network interface pre-configured.
b. If you used the default IP address scheme of 172.28.x.x in your deployment, 172.28.8.0-255 is reserved for Reference Architectures. You
can pick any IP in that range provided it is not already in use elsewhere. In this example we will use the IP 172.28.8.1 and the
netmask 255.255.240.0 (the default netmask the solution is built with for this network).

NAME="ens32"
DEVICE="ens32"
ONBOOT=yes
NETBOOT=yes
UUID="xxxxxxxxxxxx"  <- DO NOT EDIT; keep the value already present in the file
IPV6INIT=no
BOOTPROTO=static
TYPE=Ethernet
DNS1=172.28.10.10
DEFROUTE=yes

IPV4_FAILURE_FATAL=no
IPADDR=172.28.8.1
GATEWAY=172.28.15.254
NETMASK=255.255.240.0
NM_CONTROLLED=no

6. Restart the networking by executing the command /etc/init.d/network restart.
a. If there is an IP address conflict or another error bringing up ens32, resolve it before continuing.
7. Connect via SSH to the logger VM with the IP you assigned above and the username root and the password you set.
8. Once logged in, edit the /etc/security/limits.d/20-nproc.conf file and set the following parameters.

Note
It is important that the four lines below are entered exactly as shown and that all other content in the file is deleted. Any omission or error
can cause system runtime errors.

* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536

9. If you have a license file, transfer it to the system via an SCP program such as WinSCP and place it in /root and name it arcsight.lic.
10. Set your time zone by performing the following. In this example we will set the time to Central Standard Time using America/Chicago. You
will want to replace the zone information that is applicable to you.
[root@logger ~]# rm /etc/localtime
[root@logger ~]# ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime

11. Set your NTP client to talk to the system management server (default smgmt01.sdnsdomain.net or 172.28.10.10).
If there is no /etc/ntp.conf file, create a new one with the line below. If there is an existing file, remove all lines that begin with server and
replace them with this line:
server smgmt01.sdnsdomain.net
12. Reboot the server.
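As an added example (not from the HPE guide), the following Python helpers check the values entered in steps 5 and 8 above before the network is restarted: ifcfg-ens32 is regenerated with the guide's settings while the existing UUID line is kept, the address, netmask and gateway are checked for consistency with the reserved range, and 20-nproc.conf is verified to contain exactly the four required lines. The sample file contents are constructed.

```python
"""Checks for the Logger VM pre-installation network and limits files.

Added example, not part of the HPE guide or the ArcSight product.
"""
import ipaddress
import re

# Solution management network defaults quoted in the guide.
DEFAULT_DNS = "172.28.10.10"
DEFAULT_GATEWAY = "172.28.15.254"
DEFAULT_NETMASK = "255.255.240.0"
# Range the guide reserves for Reference Architectures under the 172.28.x.x scheme.
REFERENCE_ARCH_RANGE = ipaddress.ip_network("172.28.8.0/24")

# Keys in the order the guide lists them; UUID is copied from the existing file.
IFCFG_ORDER = ["NAME", "DEVICE", "ONBOOT", "NETBOOT", "UUID", "IPV6INIT", "BOOTPROTO",
               "TYPE", "DNS1", "DEFROUTE", "IPV4_FAILURE_FATAL", "IPADDR", "GATEWAY",
               "NETMASK", "NM_CONTROLLED"]

# The four lines step 8 requires in /etc/security/limits.d/20-nproc.conf.
REQUIRED_LIMITS = [("*", "soft", "nproc", "10240"), ("*", "hard", "nproc", "10240"),
                   ("*", "soft", "nofile", "65536"), ("*", "hard", "nofile", "65536")]


def check_addressing(ip, netmask=DEFAULT_NETMASK, gateway=DEFAULT_GATEWAY):
    """Return a list of problems with the chosen address; empty means consistent."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    if ipaddress.ip_address(gateway) not in iface.network:
        problems.append(f"gateway {gateway} is not inside {iface.network}")
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if iface.ip not in REFERENCE_ARCH_RANGE:
        problems.append(f"{ip} is outside the reserved {REFERENCE_ARCH_RANGE} range")
    return problems


def render_ifcfg(existing_text, ip, netmask=DEFAULT_NETMASK,
                 gateway=DEFAULT_GATEWAY, dns=DEFAULT_DNS):
    """Build the new ifcfg-ens32 text from the guide's settings, keeping the UUID."""
    match = re.search(r"^UUID=.*$", existing_text, re.MULTILINE)
    if match is None:
        raise ValueError("existing ifcfg-ens32 has no UUID line; refusing to invent one")
    values = {
        "NAME": '"ens32"', "DEVICE": '"ens32"', "ONBOOT": "yes", "NETBOOT": "yes",
        "UUID": match.group(0).split("=", 1)[1],
        "IPV6INIT": "no", "BOOTPROTO": "static", "TYPE": "Ethernet", "DNS1": dns,
        "DEFROUTE": "yes", "IPV4_FAILURE_FATAL": "no", "IPADDR": ip,
        "GATEWAY": gateway, "NETMASK": netmask, "NM_CONTROLLED": "no",
    }
    return "".join(f"{key}={values[key]}\n" for key in IFCFG_ORDER)


def check_limits_conf(text):
    """Return problems with 20-nproc.conf; empty means exactly the four required lines."""
    problems, seen = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                       # blank lines are harmless
        fields = tuple(line.split())
        if fields not in REQUIRED_LIMITS:
            problems.append(f"line {number}: unexpected content {line!r}")
        elif fields in seen:
            problems.append(f"line {number}: duplicate {line!r}")
        else:
            seen.append(fields)
    for req in REQUIRED_LIMITS:
        if req not in seen:
            problems.append("missing line: " + " ".join(req))
    return problems


# Constructed sample inputs: a shipped ifcfg-ens32 (the UUID value is a placeholder)
# and a stock 20-nproc.conf of the kind step 8 says must be replaced.
SAMPLE_IFCFG = ('NAME="ens32"\nDEVICE="ens32"\nONBOOT=yes\n'
                'UUID="00000000-placeholder"\nBOOTPROTO=dhcp\n')
SAMPLE_STOCK_LIMITS = ("# Default limit for number of user's processes\n"
                       "*          soft    nproc     4096\n"
                       "root       soft    nproc     unlimited\n")
SAMPLE_GOOD_LIMITS = ("* soft nproc 10240\n* hard nproc 10240\n"
                      "* soft nofile 65536\n* hard nofile 65536\n")

if __name__ == "__main__":
    print(render_ifcfg(SAMPLE_IFCFG, "172.28.8.1"))
    print("addressing:", check_addressing("172.28.8.1") or "ok")
    print("stock limits:", check_limits_conf(SAMPLE_STOCK_LIMITS))
    print("required limits:", check_limits_conf(SAMPLE_GOOD_LIMITS) or "ok")
```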

Mount the second hard disk


The Logger software and its data are installed to the same location; the second 1TB hard disk is mounted there so the data is kept on that disk.
1. After reboot, connect via SSH to the logger VM with the IP you assigned in the Pre-installation steps section of this document and the
username root and the password you set.
2. Verify the presence of the directory /opt/arcsight/logger.
3. Verify the hard disk is present by running the command fdisk -l.
4. Assuming the 1TB disk shows up as /dev/sdb, run the following commands to partition, format and mount it:
fdisk /dev/sdb
Select n to add a new partition.
Select p for a primary partition.
Accept the default first and last sectors to allocate the whole disk.
Select w to write the partition table to disk and exit.
mkfs -t ext3 /dev/sdb1
mount -t ext3 /dev/sdb1 /opt/arcsight/logger/
5. Verify the mounted disk by running df -h.

6. Edit the file /etc/fstab and add the following line:
/dev/sdb1 /opt/arcsight/logger ext3 defaults 0 0
7. Reboot.

Install ArcSight Logger


Now that the pre-requisite steps are completed, install ArcSight Logger.
1. SSH to the logger VM with the IP you assigned in the Pre-installation steps section of this document and the username root and the
password you set.
2. Change to the /opt/arcsight/installers directory and run the command ./ArcSight-logger-XXXX.bin (replace XXXX with the version of Logger
you are installing).
3. The installation wizard launches in command-line mode. Press Enter to continue when prompted.
4. The next several screens display the end user license agreement. Installation and use of Logger 6.1 requires acceptance of the license
agreement. Press Enter to display each part of the license agreement, until you reach the following prompt: DO YOU ACCEPT THE TERMS
OF THIS LICENSE AGREEMENT? (Y/N): Type Y and press Enter to accept the terms of the License Agreement.
5. The installer checks that installation prerequisites are met. If a check fails, it displays a message. You will need to fix the issue before
proceeding. For example, if Logger is currently running on this machine, an Intervention Required message is displayed. In that case,
type Y and press enter to stop all current Logger processes and proceed with the installation, or type quit and press Enter to exit the
installer. Once all checks are complete, the next screen is displayed.
6. The Choose Install Folder screen is displayed. Type the installation path of /opt/arcsight/logger and then press Enter. Do not specify a
different location.
7. Type Y and press Enter to confirm the installation location.
8. Type the absolute path to the license file and then press Enter. You should have placed the file in /root/arcsight.lic.
9. Review the pre-install summary and press Enter to install Logger.
10. Installation may take a few minutes. Please wait. Once installation is complete, the next screen is displayed.
11. We need to set a password for the arcsight user that is preloaded on the system. Enter the username arcsight and press Enter.
12. Press Enter to use the default HTTPS port.
13. Type 1 to configure Logger to run as a system service and press Enter.
14. Select your local language. This guide will use 1 for English. Press Enter.
15. Press Enter to begin the Logger initialization. This may take several minutes to complete.
16. Press Enter to begin configuration of the Logger. This may take several minutes to complete.
17. On the Configuration is Complete screen, note the URL and press Enter.

Connect to Logger and change the admin user password


1. Open Internet Explorer and navigate to https://172.28.8.1. Accept any certificate errors and warnings.
2. Log into the ArcSight Logger appliance with the username admin and the password password to take you to the ArcSight Logger main
menu as shown on Figure 6.

Figure 6. ArcSight Logger main menu

3. Once logged in, select System Admin on the top menu bar and select on the left panel Users/Groups > Change Password. Change the
password of the admin user to the password you would like. This example will change it to Password!234.
a. Old Password: password.
b. New Password: Password!234.
c. New Password (confirm): Password!234.
d. Select the Change Password button and select OK on the Password changed successfully dialog.
e. Log out and log back in to verify the password change.

Configure Device Groups, Storage Groups, and Storage Rules


Storage groups are used to support multiple retention policies by defining a maximum size (Maximum Size) and number of days (Maximum Age)
to retain events. Once events are older than the specified Maximum Age, or there are more events than the storage group will hold (as specified
by Maximum Size), the oldest events are deleted at the next retention cycle. Logger can have a maximum of six storage groups: two that
pre-exist on your Logger (Internal Storage Group and Default Storage Group) and four that you can create. You can add the additional storage
groups (up to the maximum of six) at any time.

Device groups allow you to categorize named source IP addresses called devices. For example, we can put network switches in one group, and
VMware ESXi hosts in another.

Device groups can be associated with storage rules that define which storage group events from specific devices are stored. Doing so enables
you to retain event data from different sources for different lengths of times (because you can define different retention policies on different
storage groups). For example, all events from VMware ESXi hosts can be subject to a short retention period. To accomplish this, you would
assign the VMware ESXi hosts to a device group and then create a storage rule that maps the device group to a storage group with the desired
short retention period.

The rest of this section will set up the device groups, storage groups and rules. Every implementation will be different as every company has
different requirements for retention periods of data. Use this section as a guide and implement to your needs as needed.

Create Device Groups


1. If needed, open a browser and navigate to https://172.28.8.1. Accept any certificate errors and warnings.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234.
3. Once logged in, select Configuration on the top menu bar and select Data > Device Groups.
4. Select the Add button.
5. In the Name field, enter in Network Switches and select the Save button.
6. Add the following groups like you just did for network switches.
a. Storage Arrays
b. VMware ESXi Hosts
c. Management Systems
d. Power Devices
e. VMware Management
f. HPE CloudSystem (if installed and configured on the CS700)

Figure 7. ArcSight Device Groups

Verify Storage Volume Size


If the second hard disk was not mounted, the default allocated storage volume size would be 25GB. This storage path is configured to
/opt/arcsight/data/logger. Increase the volume size based on your configuration requirements; in our case, a 1TB hard disk was configured
and mounted.
Verify the allocated storage by selecting Configuration > Storage > Storage Volume.

Figure 8. Allocated Storage Volume



Create Storage Groups


The following steps show how to configure the default storage group allocation.
1. Select Configuration on the top menu bar and select Storage > Storage Groups.
2. Click on the text Default Storage Group. We will reduce the size of the group to 50GB with a maximum age of 30 days. We will not be using
this group in this example deployment. It will, however, be the group that newly discovered devices' logs are placed in until the device is
assigned to a device group (other than default) or pointed to a different storage group.
a. Maximum Age (Days): 30
b. Allocated (GB): 50

Note
This value depends on the environment. If you allocated more, you will get an error message as to what is the minimum and maximum
values allowed.

c. Select the Save button.


3. Select Configuration on the top menu bar and select Advanced > Maintenance Operations.
4. Select the Add Storage Groups option.

Note
You could get a warning that there is not sufficient space available to add another storage group. If so, either increase the storage volume
size or reduce the allocated space on step 2b above.

5. Select the Enter Maintenance button.


6. The first group we will create will be a group that keeps logs for 90 days.
a. Name: 90 Day Retention
b. Maximum Age (Days): 90
c. Maximum Size (GB): 200

Note
Once a storage group is created, it cannot be deleted. There is also a maximum of six storage groups in total.

d. Select the Add button.

Figure 9. Adding a new Storage Group



7. Create a second group that keeps logs for 180 days.


a. Name: 180 Day Retention
b. Maximum Age (Days): 180
c. Maximum Size (GB): 300
d. Select the Add button.
8. Lastly, create a third group that keeps logs for 1 year.
a. Name: 1 Year Retention
b. Maximum Age (Days): 365
c. Maximum Size (GB): 300
d. Select the Add button.
9. You will now need to click on the restart link towards the top of the page. Figure 10 is an example of what that should look like.

Figure 10. Restart link text

10. The system will now reboot.

Create Storage Rules


The following steps show how to create the storage rules for storage group allocation and devices created.

1. Once the system is back up, we can create our storage rules to map device groups to storage groups.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234
3. Select Configuration on the top menu bar and select Storage > Storage Rules.
4. Select the Add button
5. We will create several storage rules to map all of the device groups we created to the storage groups we created. Priority is an integer that
indicates the new rule’s priority. Storage rules are ordered by priority, and the first matching rule determines to which storage group an
incoming event will be sent. The number must be unique for each storage rule. The smaller the number, the higher the rule’s priority.
6. The first one we will create is one mapping the VMware ESXi hosts to the 90 Day Retention Policy
a. Storage Group: 90 Day Retention
b. Device Group: VMware Management
c. Priority: 10
d. Select the Save button.

7. Select the Add button and create a Storage Rule for Network Switches
a. Storage Group: 1 Year Retention
b. Device Group: Network Switches
c. Priority: 20
d. Select the Save button.
8. Select the Add button and create a Storage Rule for Storage Arrays
a. Storage Group: 180 Day Retention
b. Device Group: Storage Arrays
c. Priority: 30
d. Select the Save button.
9. Select the Add button and create a Storage Rule for Management Systems
a. Storage Group: 180 Day Retention
b. Device Group: Management Systems
c. Priority: 40
d. Select the Save button.
10. Select the Add button and create a Storage Rule for VMware ESXi Hosts.
a. Storage Group: 90 Day Retention
b. Device Group: VMware ESXi Hosts
c. Priority: 50
d. Select the Save button.
11. Select the Add button and create a Storage Rule for Power Devices.
a. Storage Group: 90 Day Retention
b. Device Group: Power Devices
c. Priority: 60
d. Select the Save button.
12. (If installed with CS700) Select the Add button and create a Storage Rule for HPE CloudSystem.
a. Storage Group: 90 Day Retention
b. Device Group: HPE CloudSystem
c. Priority: 70
d. Select the Save button.
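The rule-ordering and retention behaviour described in the storage group overview and in the rules just created can be modelled as follows. This is an added Python example, not ArcSight code; the sample events and their sizes are constructed, and the storage group sizes and rule priorities are the ones entered above.

```python
"""Model of Logger storage rule matching and storage group retention.

Added example, not part of the HPE guide or the ArcSight product: rules are
evaluated lowest priority number first, the first matching device group wins,
devices without a matching rule fall into the Default Storage Group, and each
retention cycle drops events older than Maximum Age or beyond Maximum Size,
oldest first.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

GB = 1024 ** 3

# Storage groups as configured in "Create Storage Groups": (Maximum Age days, size GB).
STORAGE_GROUPS = {
    "Default Storage Group": (30, 50),
    "90 Day Retention": (90, 200),
    "180 Day Retention": (180, 300),
    "1 Year Retention": (365, 300),
}

# Storage rules as entered in "Create Storage Rules": (priority, device group, storage group).
STORAGE_RULES = [
    (10, "VMware Management", "90 Day Retention"),
    (20, "Network Switches", "1 Year Retention"),
    (30, "Storage Arrays", "180 Day Retention"),
    (40, "Management Systems", "180 Day Retention"),
    (50, "VMware ESXi Hosts", "90 Day Retention"),
    (60, "Power Devices", "90 Day Retention"),
    (70, "HPE CloudSystem", "90 Day Retention"),
]


@dataclass
class Event:
    device_group: str      # None for a device not yet placed in a device group
    received: datetime
    size: int              # bytes


def priority_conflicts(rules):
    """Priorities that appear more than once (the guide requires them to be unique)."""
    priorities = [p for p, _, _ in rules]
    return sorted({p for p in priorities if priorities.count(p) > 1})


def validate_rules(rules):
    if priority_conflicts(rules):
        raise ValueError(f"duplicate storage rule priorities: {priority_conflicts(rules)}")
    for _, _, group in rules:
        if group not in STORAGE_GROUPS:
            raise ValueError(f"unknown storage group {group!r}")


def storage_group_for(device_group, rules=STORAGE_RULES):
    """First matching rule in ascending priority order decides the storage group."""
    validate_rules(rules)
    for _, rule_device_group, storage_group in sorted(rules):
        if rule_device_group == device_group:
            return storage_group
    return "Default Storage Group"


def apply_retention(events, now):
    """Return the events that survive one retention cycle, keyed by storage group."""
    kept = {name: [] for name in STORAGE_GROUPS}
    for event in events:
        kept[storage_group_for(event.device_group)].append(event)
    for name, (max_age_days, max_size_gb) in STORAGE_GROUPS.items():
        cutoff = now - timedelta(days=max_age_days)
        survivors = sorted((e for e in kept[name] if e.received >= cutoff),
                           key=lambda e: e.received)      # oldest first
        total = sum(e.size for e in survivors)
        while survivors and total > max_size_gb * GB:
            total -= survivors.pop(0).size                # drop the oldest event
        kept[name] = survivors
    return kept


def demo(now=None):
    """Constructed sample events; returns surviving event counts per storage group."""
    now = now or datetime(2016, 1, 1)
    day = timedelta(days=1)
    events = [
        Event("Network Switches", now - 200 * day, 1024),    # kept: within 365 days
        Event("VMware ESXi Hosts", now - 100 * day, 1024),   # dropped: older than 90 days
        Event("VMware ESXi Hosts", now - 5 * day, 1024),     # kept
        Event(None, now - 10 * day, 1024),                   # kept, in Default Storage Group
        Event("Storage Arrays", now - 30 * day, 120 * GB),   # dropped: oldest once 300 GB exceeded
        Event("Storage Arrays", now - 20 * day, 120 * GB),   # kept
        Event("Storage Arrays", now - 10 * day, 120 * GB),   # kept
    ]
    return {name: len(evs) for name, evs in apply_retention(events, now).items()}


if __name__ == "__main__":
    for group, count in demo().items():
        print(f"{group}: {count} event(s) retained")
```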

Edit and create additional receivers


From the Receivers page, you can set up and configure the receivers that will capture event data and populate each event with information
about its origin. Some receivers capture streaming events transmitted over the network by devices, applications, services, and so on. Other types
of receivers monitor individual files for events or monitor files selected from a directory tree, based on a pattern you specify. We will create the
receivers needed here for our use. We could just use the default receivers; however, you will want to be able to parse the data so that it is easily
searchable, and that is why we are creating additional receivers.
UDP Receiver
1. If needed, open Internet Explorer and navigate to https://172.28.8.1. Accept any certificate errors and warnings.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234.
3. Select Configuration on the top menu bar and select Data > Receivers.
4. Select the UDP Receiver entry in the table to edit it.

5. If needed, change the Source Type field to syslog


6. Select the Save button.

VMware TCP Receiver


1. If needed, open Internet Explorer and navigate to https://172.28.8.1. Accept any certificate errors and warnings.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234.
3. Select Configuration on the top menu bar and select Data > Receivers.
4. Select the Add button.
a. Name: VMware_ESXi_Hosts
b. Type: TCP Receiver
5. Select the Next button.
a. Name: VMware_ESXi_Hosts
b. IP/Host: All
c. Port: 514
d. Encoding: UTF-8
e. Source Type: VMware_ESX
f. Select Save.
6. Back in the Receivers page, verify that the VMware_ESXi_Hosts row is enabled with the presence of the icon. Otherwise, enable the
receiver by clicking on the icon on the same row.

CloudSystem SmartMessage Receiver


1. If needed, open Internet Explorer and navigate to https://172.28.8.1. Accept any certificate errors and warnings.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the Connect to Logger and change
the admin user password section of this document, for example Password!234.
3. Select Configuration on the top menu bar and select Data > Receivers.
4. Select the Add button.
a. Name: CloudSystem_SmartMessage
b. Type: SmartMessage Receiver
5. Select the Next button.
a. Encoding: UTF-8
b. Source Type: CEF
c. Select Save.
6. Back in the Receivers page, verify that the CloudSystem_SmartMessage row is enabled with the presence of the icon. Otherwise, enable
the receiver by clicking on the icon on the same row.

Add DNS entries for ArcSight


The last thing to do before we can start to forward logs to the logger is to add a DNS entry.
1. You should already be on the smgmt01 VM, but if not Remote Desktop to that VM – default solution management IP address is
172.28.10.10, and log in with the proper credentials (default username is Administrator and password Password!234).
2. Open Server Manager if it does not automatically open for you.
3. Select DNS from the left side navigation menu.
4. Select the DNS Server Name (default SMGMT01) right-click it and select DNS Manager.
5. Expand the DNS Server Name (default SMGMT01) > Forward Lookup Zones and select sdnsdomain.net.

6. Right-click sdnsdomain.net and select New Host (A or AAAA)…


7. In the new host window enter the following. You will have to adjust if you used different values.
a. Name: logger
b. IP Address: 172.28.8.1
c. Place a check mark in Create associated pointer (PTR) record
d. Select the Add Host button.
e. Select OK on the confirmation dialog that the DNS entry was created.
8. Repeat steps 6 and 7 for ESM:
a. Name: esm
b. IP Address: 172.28.8.2
c. Place a check mark in Create associated pointer (PTR) record.
d. Select the Add Host button.
e. Select OK on the confirmation dialog that the DNS entry was created.
9. Close the New Host dialog box as well as the DNS Manager.

About forwarding events to ArcSight Logger


There are two ways to forward Device Events to Logger, using a native or 3rd-party forwarder or using ArcSight Connectors.

Sending events to HPE ArcSight Logger without Connectors


In this scenario, the log information is sent directly to the Logger. Some network devices and systems that have not been configured to convert
log data into CEF will send log data in a RAW format. Figure 11 shows how a default Receiver is configured in Logger to accept RAW logs from
the CS700 infrastructure components: tsvm01 and smgmt01. Also shown in Figure 11 are CS Management and Compute VMs: cs9-mgmt, win01,
and rhel01.

[Figure 11 diagram: tsvm01.sdnsdomain.net, smgmt01.sdnsdomain.net, cs9-mgmt.sdnsdomain.net, win01.sdnsdomain.net and
rhel01.sdnsdomain.net send RAW log events through native or 3rd-party forwarders to the TCP Receiver (TCP/514) on logger.sdnsdomain.net]

Figure 11. RAW Log Events sent to HPE ArcSight Logger directly via UDP or TCP Receivers

Sending events to HPE ArcSight Logger using Connectors


Using an ArcSight Connector to forward syslog and event information is the recommended solution where possible. It has the advantage of not
only a common implementation in the data center but also a CEF format that the ArcSight Connector converts before forwarding to a
SmartMessage Receiver configured on the Logger. Figure 12 illustrates log data being sent from the CS700 infrastructure components to the
SmartMessage Receiver on the ArcSight Logger. The troubleshooting VM (tsvm01) and smgmt01 are from CS700 while cs9-mgmt, win01, and
rhel01 VMs are from CS.

[Figure 12 diagram: tsvm01.sdnsdomain.net, smgmt01.sdnsdomain.net, cs9-mgmt.sdnsdomain.net, win01.sdnsdomain.net and
rhel01.sdnsdomain.net send events through an ArcSight Connector to the SmartMessage Receiver on logger.sdnsdomain.net]

Figure 12. CEF Log Events sent to the HPE ArcSight Logger directly via TCP, UDP or SmartMessage Receiver

Forwarding ConvergedSystem 700 component events to ArcSight Logger


This section demonstrates how you can send events to your Logger instance. We will use Connectors where possible, as that enables
better searching.

Networking
Described here are sample configurations to forward system logs for HPE and Cisco networking.
HPE 5900 Series Switching
To enable the HPE 58x0 and 59x0 Series Switches to be monitored and viewed in Logger, you need to point the internal system log of the
switch to the Logger. To complete this action, perform the following steps on each of the HPE switches in your solution.
1. Log into the switch and enter system view.
2. Enter in the following commands:
<snetsw> system-view
[snetsw] info-center loghost 172.28.8.1 port 514
[snetsw] info-center enable
Information center is enabled.
[snetsw] save

Note
Port 514 is the default UDP Receiver port configured in ArcSight. Verify under Configuration > Data > Receivers.

3. Upon completion of the save command, you should see the IP or hostname of the switch registered in Logger in the Configuration >
Devices page.
4. Change the name of the imported switch to the hostname of the device, for example snetsw or soobmsw. Please refer to the Viewing and
Editing Devices in Logger section for more information on how to do this.

HPE VSR1000 Virtual Service Router


The default configuration of a CS700 includes two HPE VSR1000 virtual machines. If you want to monitor these VMs, follow the same
instructions for the HPE 5900 Series Switching.
Cisco Nexus Series Switching
To enable the Cisco Nexus Series Switches to be monitored and viewed in Logger, you need to point the internal system log of the switch to the
Logger. To complete this action, perform the following steps on each of the Cisco Nexus switches in your solution.
1. Log into the switch and enter configure terminal.
2. Enter in the following commands:
snet01# configure terminal
snet01(config)# logging server 172.28.8.1 6 use-vrf management facility syslog
3. Press Enter to save the changes.
4. Save the switch configuration by running the command.
snet01(config)# copy running-config startup-config
5. If you don’t see the switch show up as a device in Logger, verify that the switch can talk to Logger. If the command below says that the
server is temporarily available, reboot the switch.
snet01(config)# show logging server
6. Either upon completion of the save command or switch reboot, you should see the IP or hostname of the switch registered in Logger in the
Configuration  Device page. Change the name of the imported switch to the hostname of the device, for example snetsw or soobmsw.
Please refer to the Viewing and Editing Devices in Logger section for more information on how to do this.

HPE SN6000B SAN Switching


To enable the HPE SN6000B SAN Switch to be monitored and viewed in Logger, you need to point the internal system log of the switch to the
Logger. To complete this action, perform the following steps on each of the HPE SAN switches in your solution.
1. Log into the switch as the admin user.
2. Enter in the following commands:
ssan01:admin> syslogdipshow
syslog.1 172.28.10.10
ssan01:admin> syslogdipadd 172.28.8.1
Syslog IP address 172.28.8.1 added
ssan01:admin> syslogdipshow
syslog.1 172.28.10.10
syslog.2 172.28.8.1
3. It may take up to 15 minutes before the device registers in ArcSight Logger's list of devices upon completion of the command.
4. Change the name of the imported switch to the hostname of the device, for example ssansw. Please refer to the Viewing and Editing
Devices in Logger section for more information on how to do this.

VMware
Described here are sample configurations to forward system logs for VMware ESXi hosts and VMware vSphere.
VMware ESXi Host
To configure a VMware ESXi host to be monitored and viewed in Logger, you need to point the internal system log of the host to the Logger. To
complete this action, perform the following steps:
1. Log into the VMware vSphere Web Client.
a. Open web browser on smgmt01 to https://smgmt01.sdnsdomain.net:9443.
b. Log in with the username administrator@vsphere.local and the password as indicated on the CID or what you have changed it to
since the installation of your CS700. For the rest of the document, we will use the password Password!234 as the default password.
2. Select the Host and Clusters icon on the Home screen.
3. On the left navigation bar expand SMGMT01 > sDatacenter > sMgmtHosts and select sms01.sdnsdomain.net.
4. Select the Manage tab, Settings on the top tool bar, then Security Profile.
5. Select Edit next to Firewall in the main part of the window.
6. In the Security Profile window, find syslog and place a checkmark next to the entry to enable it.
a. On the bottom of the window, deselect Allow connections from any IP address and enter in 172.28.8.1 in the text box.

Figure 13. Completed syslog firewall setup

7. Select the OK button to close the Edit Security Profile window.


8. On the Settings menu bar select Advanced System Settings.

9. Select the Syslog.global.logHost variable and select the pencil under the Advanced System Settings menu header to edit the variable
as shown on Figure 14.
a. Set the Syslog.global.logHost to tcp://172.28.8.1:514.
b. Click OK.
10. It might take a few minutes for the VMware ESXi host to send its first event to the Logger, but you should then see the IP or hostname of the
host registered in Logger under Configuration > Data > Devices. Change the name of the imported VMware host to the hostname of the
device, for example sms01, scs01, scs09, etc. Refer to the Viewing and editing devices in Logger section for more information on how to do this.
11. Repeat these steps for all of your VMware ESXi hosts (both Management and Compute).

Figure 14. Setting the ESXi Syslog.global.logHost variable.
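Step 11 asks for the same clicks on every ESXi host. The following is an added example, not part of this white paper, that applies the same settings from the command line over SSH with esxcli (enable the syslog firewall ruleset, restrict it to the Logger address, set Syslog.global.logHost, reload the syslog agent) and then reads the configuration back to confirm the log host took effect. It assumes SSH is enabled on the hosts with key-based root access from the machine running the script, and the names in ESXI_HOSTS are illustrative. As on the page, tcp:// carries the log stream unencrypted, so keep it on the management network.

```python
"""Configure ESXi remote syslog on several hosts over SSH with esxcli and verify it.

Added example, not HPE code. Assumes `ssh` is on PATH with key-based access to
root on each host. The esxcli commands are the CLI equivalents of steps 5-9 of
the vSphere Web Client procedure on the page.
"""
import re
import subprocess
from typing import List, Optional

LOGGER_IP = "172.28.8.1"               # Logger address used throughout the paper
LOG_HOST = f"tcp://{LOGGER_IP}:514"     # the Syslog.global.logHost value from step 9a

# Assumed host list for illustration; replace with your management and compute hosts.
ESXI_HOSTS = ["sms01.sdnsdomain.net", "scs01.sdnsdomain.net"]


def esxcli_commands(log_host: str, logger_ip: str) -> List[str]:
    """The esxcli sequence mirroring the GUI steps: enable the syslog ruleset,
    drop 'allow all IPs', allow only the Logger, set the log host, reload."""
    return [
        "esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true",
        "esxcli network firewall ruleset set --ruleset-id=syslog --allowed-all=false",
        f"esxcli network firewall ruleset allowedip add --ruleset-id=syslog --ip-address={logger_ip}",
        f"esxcli system syslog config set --loghost={log_host}",
        "esxcli system syslog reload",
    ]


def parse_remote_host(config_get_output: str) -> Optional[str]:
    """Pull the 'Remote Host:' value out of `esxcli system syslog config get` output."""
    m = re.search(r"^[ \t]*Remote Host:[ \t]*(\S*)[ \t]*$", config_get_output, re.MULTILINE)
    return m.group(1) if m else None


def run_ssh(host: str, command: str) -> str:
    """Run one command on the host as root; BatchMode fails fast if no key works."""
    result = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", f"root@{host}", command],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def configure_host(host: str) -> bool:
    """Apply the settings and return True only if the host reports the expected log host."""
    for cmd in esxcli_commands(LOG_HOST, LOGGER_IP):
        run_ssh(host, cmd)
    actual = parse_remote_host(run_ssh(host, "esxcli system syslog config get"))
    return actual == LOG_HOST


if __name__ == "__main__":
    for h in ESXI_HOSTS:
        print(h, "ok" if configure_host(h) else "MISMATCH: log host not applied")
```

After the run, the hosts should appear under Configuration > Data > Devices in Logger exactly as they do after the GUI procedure; a MISMATCH line means the read-back value differs from what was set and the host needs a manual look.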

VMware vSphere Web Services


VMware vSphere Web Services is a programming interface that exposes the functionality of VMware vSphere to customer-written or third-party
applications. It is part of vSphere, distributed and installed along with the rest of vSphere, and there is no additional cost or licensing
required. With HPE ArcSight SmartConnector for Windows, you can monitor VMware vSphere Web Services. Perform the following steps to
configure monitoring of VMware vSphere Web Services with ArcSight.
1. Copy ArcSight-xxxx-Connector-Win64.exe to the CS700 management VM, smgmt01.
2. Log into smgmt01 via Remote Desktop or vCenter console as Administrator user (default password is Password!234).
3. Create a ReadOnly user on vCenter.

Note
For security reasons it is strongly recommended to use or create a vCenter user that has only Read-Only permissions on what you want
monitored. You can grant that user permissions to the entire vCenter Server instance, or only to particular Data Centers, Clusters, Hosts,
VMs, etc.

4. Obtain the vCenter certificate using a browser on smgmt01.
a. Create a directory named c:\VMware-Certs.
b. Open Internet Explorer and navigate to your vCenter Server instance, for example https://localhost.
c. Next to the address bar, select Certificate Error and select View Certificates (Figure 15).

Figure 15. Selection of “VMware vSphere Web Services”

d. Select the Details tab and select Copy to File…


I. Select Next > on the Welcome screen.
II. Select DER encoded binary X.509 (.CER) and select Next >.
III. Select Browse and save the file to a location on your local disk, i.e., c:\VMware-Certs\smgmt01.cer, and select Next >.
IV. Select Finish.
5. Run the ArcSight installer executable you uploaded in step 1 and use the defaults.
6. The installer will automatically launch the Connector Setup. Before moving forward, import the vCenter certificate you saved in step 4 into
the connector's trust store:
a. Open a command window with Run as administrator.
b. Change directory to C:\Program Files\ArcSightSmartConnectors\current\bin.
c. Run the following command, replacing the parameter after -file with the location of your saved certificate:
arcsight agent keytool -import -trustcacerts -alias vmware -file c:\VMware-Certs\smgmt01.cer -store clientcerts
d. Type yes when asked Trust this certificate?
7. On the Connector Setup:
a. Select Add a Connector.
b. Type = VMware Web Services
c. Validate Certificate = true (if validation succeeds, the setup moves on to the device details)
d. Select Add on the Enter the device details window and enter the following:
I. Host = localhost
II. User = Read-Only user name for accessing VMware Web Services.
III. Password = Password for the VMware Web Services Read-Only user.

Note
An "Information" popup about an SSL Handshake Exception may appear here; click "Yes" to continue. One likely cause is a hostname mismatch
between the name in the vCenter certificate and the localhost address entered as Host. Before accepting it, confirm that the certificate
imported in step 6 is actually present (arcsight agent keytool -list -store clientcerts should show the alias vmware), so that you are
continuing with a pinned certificate rather than making accepted handshake failures routine.

Figure 16. Connector Setup using Read-Only VMware user

e. Destination = ArcSight Logger SmartMessage (encrypted)
f. On the destination parameters:
Hostname/IP = 172.28.8.1
Port = 443
Receiver Name = CloudSystem_SmartMessage
Compressed = Disabled
g. On the connector details, provide the Name Windows-Connector and leave the rest of the fields blank if using defaults.
h. Import the certificate of the destination to the connector. It may take around 3 minutes to complete.
i. Install the connector as a service.
j. On the service parameters:
Service Internal Name = as_vmware_webservice
Service Display Name = ArcSight VMware Web Services
Start the service automatically = Yes
k. Exit the installer when finished.
l. Click Done on the ArcSight SmartConnector installer dialog.

8. Run ArcSight SmartConnectors to register. There are two ways to run the command:
a. Using the Windows shortcut:
I. Click the Windows Start button.
II. Type arc to search for Run ArcSight SmartConnectors. Click it to execute when found. A command prompt window will launch.
b. From the command prompt:
I. Open a command prompt as the administrator user.
II. Change directory to C:\Program Files\ArcSightSmartConnectors\current\bin.
III. Run the command arcsight connectors.
9. After a minute, verify in ArcSight Logger's Devices list that smgmt01 shows up.

VMware vCenter
There is currently no option for VMware vCenter to forward syslog to HPE ArcSight Logger.

HPE 3PAR
Described here are sample configurations to forward system logs for HPE 3PAR components of CS700.
HPE 3PAR StoreServ
To configure the HPE 3PAR StoreServ 7000 array to send its logs to ArcSight, perform the following.
1. SSH to the HPE 3PAR StoreServ storage system (sstor01-n00). The default IP address is 172.28.6.80.
2. Log in as 3paradm and your password (default 3pardata).
3. Run the following commands to start to send events to the Logger
sstor01 cli% setsys RemoteSyslog 1
sstor01 cli% setsys RemoteSyslogHost 172.28.8.1
4. It might take a few minutes for the storage array to send its first event to the HPE ArcSight Logger, but you should then see the IP or
hostname of the array registered in Logger under Configuration > Devices. Change the name of the imported device to the hostname of the
array, for example sstor01, and add it to the appropriate device group. Refer to the Viewing and editing devices in Logger section for more
information on how to do this.
HPE 3PAR Service Processor
There is currently no option on the HPE 3PAR Service Processor to forward syslog to Logger.

HPE OneView
To configure HPE OneView to send log messages to Logger, you will have to do it via its REST API. Perform the following steps:
1. Install a REST client on a jump station or installation computer. In this sample Google Chrome's Postman is used.
2. Generate a sessionID to OneView.
a. Select POST and enter https://oneview.sdnsdomain.net/rest/login-sessions.
b. Set Authorization to No Auth.
c. On the Headers, create:
Accept = application/json
Content-Type = application/json

d. On the Body, select raw and enter the value for the OneView administrator login:
{"userName":"administrator",
"password":"Password!234"}

e. Click Send to generate the sessionID.



Figure 17. Generating a sessionID to OneView using a REST client

3. Set the remote syslog configuration of OneView.


a. Open a new REST call tab.
b. Select PUT and enter https://oneview.sdnsdomain.net/rest/logs/remoteSyslog.
c. Set Authorization to no Auth.
d. Add two headers:
Auth = cut and paste the sessionID generated from step 2 above
X-Api-Version = 120

e. On the Body, select raw and enter the following:


{
"type": "RemoteSyslog",
"sendTestLog": false,
"remoteSyslogPort": "514",
"remoteSyslogDestination": "172.28.8.1",
"enabled": true
}
f. Click Send to update the syslog configuration.

Figure 18. Updating OneView’s remote syslog settings

4. To verify the update, repeat step 3 with GET instead of PUT (same URL and headers, no body) and compare the returned
remoteSyslogDestination, remoteSyslogPort and enabled values with what you sent.

5. It might take a few minutes for the first events to arrive in Logger, but you should then see the IP or hostname of the compute host iLOs,
management hosts and the Onboard Administrator of the enclosure(s) managed by OneView under Configuration > Devices. Change the
name of the imported devices to the hostname of the device with the OneView designation, for example scs01-ilo [OneView], and add it to
the appropriate device group. Refer to the Viewing and editing devices in Logger section for more information on how to do this.

Figure 19. OneView devices registered in Logger
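The same login, PUT and GET sequence can be scripted so that it is repeatable and verified rather than pasted into a REST client by hand. The following is an added example, not HPE code: it uses only the Python 3 standard library and the endpoints, headers and body fields shown in the steps above (/rest/login-sessions, /rest/logs/remoteSyslog, the Auth and X-Api-Version 120 headers). ONEVIEW_CA_BUNDLE is an assumed path to the CA that issued the appliance certificate; the script verifies TLS against it instead of switching verification off, reads the configuration back after the PUT, and logs the session out when done.

```python
"""Configure and verify OneView remote syslog through the REST API.

Added example, not HPE code. Standard library only. ONEVIEW_CA_BUNDLE is an
assumed path; point it at the CA bundle that issued the OneView certificate.
"""
import getpass
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional, Tuple

ONEVIEW_URL = "https://oneview.sdnsdomain.net"
API_VERSION = "120"
ONEVIEW_CA_BUNDLE = "/etc/pki/tls/certs/cs700-ca.pem"   # assumed path
LOGGER_IP = "172.28.8.1"
SYSLOG_PORT = "514"   # the page sends the port as a string

JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def login_request(user: str, password: str) -> Tuple[str, str, Dict[str, str], Dict[str, str]]:
    """Step 2: POST /rest/login-sessions with no Auth header and a JSON body."""
    return "POST", "/rest/login-sessions", dict(JSON_HEADERS), {"userName": user, "password": password}


def auth_headers(session_id: str) -> Dict[str, str]:
    """Step 3d: the session ID travels in the Auth header next to X-Api-Version."""
    return {**JSON_HEADERS, "Auth": session_id, "X-Api-Version": API_VERSION}


def remote_syslog_body(destination: str, port: str, enabled: bool = True,
                       send_test_log: bool = False) -> Dict[str, Any]:
    """Step 3e: body for PUT /rest/logs/remoteSyslog."""
    return {"type": "RemoteSyslog", "sendTestLog": send_test_log,
            "remoteSyslogPort": port, "remoteSyslogDestination": destination,
            "enabled": enabled}


def syslog_config_matches(current: Dict[str, Any], destination: str, port: str) -> bool:
    """Step 4: compare what GET /rest/logs/remoteSyslog returned with what was sent."""
    return (current.get("enabled") is True
            and current.get("remoteSyslogDestination") == destination
            and str(current.get("remoteSyslogPort")) == str(port))


def call(method: str, path: str, headers: Dict[str, str],
         body: Optional[Dict[str, Any]], ctx: ssl.SSLContext) -> Dict[str, Any]:
    """One HTTPS request against the appliance; empty responses become {}."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(ONEVIEW_URL + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def configure_remote_syslog(user: str, password: str) -> bool:
    ctx = ssl.create_default_context(cafile=ONEVIEW_CA_BUNDLE)   # verify, do not disable
    method, path, headers, body = login_request(user, password)
    session_id = call(method, path, headers, body, ctx)["sessionID"]
    headers = auth_headers(session_id)
    try:
        call("PUT", "/rest/logs/remoteSyslog", headers,
             remote_syslog_body(LOGGER_IP, SYSLOG_PORT), ctx)
        current = call("GET", "/rest/logs/remoteSyslog", headers, None, ctx)
    finally:
        # End the session instead of leaving a valid token behind.
        call("DELETE", "/rest/login-sessions", headers, None, ctx)
    return syslog_config_matches(current, LOGGER_IP, SYSLOG_PORT)


if __name__ == "__main__":
    pw = getpass.getpass("OneView administrator password: ")
    print("remote syslog configured:", configure_remote_syslog("administrator", pw))
```

The password is read with getpass rather than placed in the body literal as in the REST-client screenshot, and a False result means the GET did not return the destination, port and enabled flag that were sent, which is the condition step 4 asks you to check by eye.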

HPE Insight Control Server Provisioning


There is currently no option on HPE Insight Control Server Provisioning (ICsp) version 7.5 to forward syslog to Logger.

HPE CS700 troubleshooting VMs (tsvm)


The default configuration of a CS700 includes two troubleshooting virtual machines. These VMs run the Microsoft Windows Server® 2012 R2
operating system. If you want to monitor these VMs, perform the following instructions to install and configure ArcSight SmartConnector
for Windows.
1. Copy ArcSight-xxxx-Connector-Win64.exe to the VM.
2. Log into one of the troubleshooting VMs, tsvm01, via Remote Desktop or vCenter console as Administrator user (default password is
Password!234).
3. Run the installer executable and use the defaults.
4. On the Connector Setup
a. Select Add a Connector
b. Type = Microsoft Windows Event Log – Native
c. Keep the default values for Configure Parameters, Security, System, and Application logs selected.
d. Destination = ArcSight Logger SmartMessage (encrypted)

e. On the destination parameters


Hostname/IP = 172.28.8.1
Port = 443
Receiver Name = SmartMessage Receiver
Compressed = Disabled
f. On the connector details, provide the Name Windows-Connector and leave the rest of the fields blank if using defaults.
g. Import the certificate of the destination to the connector. It may take around 3 minutes to complete.
h. Install the connector as a service.
i. On the service parameters
Service Internal Name = arc_winc
Service Display Name = ArcSight Microsoft Windows Event Log – Native
Start the service automatically = Yes
j. Exit the installer when finished.
5. Run ArcSight SmartConnectors to register. There are two ways to run the commands:
a. Using the Windows shortcut:
I. Click the Windows Start button.
II. Type arc to search for Run ArcSight SmartConnectors. Click it to execute when found. A command prompt window will launch.
b. From the command prompt:
I. Open a command prompt as administrator user
II. Change directory to C:\Program Files\ArcSightSmartConnectors\current\bin.
III. Run the command arcsight connectors
6. After a minute, verify in ArcSight Logger's Devices list that tsvm01 shows up.

HPE CloudSystem
Described here are sample configurations to forward system logs from the HPE CloudSystem virtual machines, with and without an ArcSight SmartConnector.
HPE CloudSystem Virtual Machines (Native Syslog Forwarder)
HPE CloudSystem consists of 13 VMs, all running the hLinux operating system. The following steps configure the primary management
server, cs9-mgmt (ma1), to send log messages to Logger.

1. Log into the VM as the cloudadmin user, default password is also cloudadmin.
2. Enter in the following commands
cloudadmin@ma1:~$ sudo -i
root@ma1:~# vi /etc/rsyslog.conf
At the end of the file add a line that sends all facilities and severities to the ArcSight Logger host, using Logger's default TCP receiver port of
515 and the IP address of the ArcSight Logger VM. The double @@ selects TCP; a single @ would send unacknowledged UDP instead. Plain TCP
is still unencrypted, so keep this traffic on the management network.
*.* @@172.28.8.1:515
Restart the rsyslog service:
root@ma1:~# service rsyslog restart
3. Verify that the IP or hostname of the cs9-mgmt (ma1) host is registered in Logger under Configuration > Devices. Add the newly added
device to the appropriate device group. Keep the default name, because renaming a TCP Receiver device might cause problems with Logger
receiving its log data.
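A quick way to confirm that the Logger TCP receiver is reachable from a CloudSystem VM, before waiting for rsyslog's own traffic, is to hand-craft one syslog event the way rsyslog's @@ action would send it. The following is an added example, not part of this white paper. It assumes the Logger VM at LOGGER_IP with its default TCP receiver on port 515, reachable from the machine running the script; the event text is constructed for the test. It shows the two things that matter on the wire: the BSD-syslog header, whose HOSTNAME field is the name Logger will show you under Configuration > Devices, and the LF-delimited framing the TCP receiver expects, which is why a line break inside a message must be folded.

```python
"""Send one hand-built BSD-syslog event to Logger's TCP receiver.

Added example, not HPE code. LOGGER_IP and TCP_RECEIVER_PORT follow the page;
the message content is constructed for the smoke test.
"""
import socket
import time
from typing import Optional

LOGGER_IP = "172.28.8.1"
TCP_RECEIVER_PORT = 515   # Logger's default TCP receiver, as used in /etc/rsyslog.conf above

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def bsd_timestamp(t: Optional[time.struct_time] = None) -> str:
    """RFC 3164 TIMESTAMP 'Mmm dd HH:MM:SS'; the day is space-padded, not zero-padded."""
    t = t or time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def rfc3164(hostname: str, tag: str, msg: str, facility: str = "user",
            severity: str = "notice", timestamp: Optional[str] = None) -> str:
    """Build one BSD-syslog line. Logger identifies a new device by the IP or
    hostname it sees, so put the short hostname you expect to recognise in
    the Devices list here, which is what rsyslog does with its own hostname."""
    ts = timestamp or bsd_timestamp()
    # A bare LF inside the message would be read by the TCP receiver as the end
    # of this event and the start of the next one, so fold any line breaks.
    msg = msg.replace("\r\n", " ").replace("\n", " ").replace("\r", " ")
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def send_tcp(line: str, host: str = LOGGER_IP, port: int = TCP_RECEIVER_PORT,
             timeout: float = 5.0) -> int:
    """Deliver one event with LF framing, which rsyslog's @@ action uses by
    default. Returns the number of bytes written; raises on connect failure."""
    payload = line.encode("utf-8") + b"\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    me = socket.gethostname().split(".")[0]
    # Constructed test message; the tag makes it easy to search for in Logger.
    line = rfc3164(me, "arcsight-smoke", "test event from CloudSystem VM")
    print("sending:", line)
    print("bytes written:", send_tcp(line))
```

A connection error here means the receiver is not listening or a firewall sits between the VM and Logger, which is worth knowing before blaming rsyslog; once the event arrives, the device appears in Logger under the hostname sent in the header, and searching for the tag confirms the receiver parsed it as one event.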

HPE CloudSystem Virtual Machines (ArcSight Connector)


If you want to send structured data into Logger, the use of ArcSight SmartConnectors is recommended. In this example, you will configure the
cs-update1 (ua1) VM to use a SmartConnector.

1. Log into the VM as the cloudadmin user, default password is also cloudadmin.
2. Upload the ArcSight-xxxx-Connector-Linux64.bin installer to the /tmp directory.
3. Run the installer as the root user:
cloudadmin@ua1:~$ sudo -i
root@ua1:~# cd /tmp
root@ua1:/tmp# chmod +x ./ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin
root@ua1:/tmp# ./ArcSight-x.x.x.xxxx.x-Connector-Linux64.bin
4. On the installer, use the defaults.
5. Configure the SmartAgent by running runagentsetup.sh
root@ua1:~# cd /root/ArcSightSmartConnectors/current/bin
root@ua1:~/ArcSightSmartConnectors/current/bin# ./runagentsetup.sh
6. On the Connector Setup
a. Select 0 – Add a Connector
b. Type = 128 – Syslog File (Enter N to scroll on the menu selection)
File Absolute Path Name = /var/log/syslog
Reading Events = 0 – batch
Action Upon Reaching EOF = 0 – None
File Extension If Rename Action = processed
c. Destination = 1- ArcSight Logger SmartMessage (encrypted)
d. On the destination parameters
Hostname/IP = 172.28.8.1
Port = 443
Receiver Name = SmartMessage Receiver
Compressed = Disabled
e. On the connector details, provide the Name “Linux-Connector” and leave the rest of the fields blank if using defaults.
f. Import the certificate of the destination to the connector. It may take around 2-3 minutes to complete.
g. Install the connector as a service.
h. On the service parameters
Service Internal Name = arc_linux
Service Display Name = ArcSight Linux Syslog Service
Start the service automatically = Yes
i. Exit the installer.
7. Run ArcSight SmartConnectors to register.
root@ua1:~# cd /root/ArcSightSmartConnectors/current/bin
root@ua1:~/ArcSightSmartConnectors/current/bin# ./arcsight -quiet agents
8. After a minute, verify in ArcSight Logger's Devices list that the IP or hostname of the cs-update1 host appears. Change the name of the
imported host to the hostname of the device and add it to the appropriate device group. Refer to the Viewing and editing devices in Logger
section for more information on how to do this.

HPE CloudSystem Compute VMs


Windows or Linux compute VMs deployed via CS can be monitored by Logger. Follow the steps for HPE CS700 Troubleshooting VMs to
configure Windows compute VMs. For Linux, follow the steps for HPE CloudSystem Virtual Machines (ArcSight Connector).

Viewing and editing devices in Logger


Once a component is discovered, with or without ArcSight Connectors, it shows up in Logger under its IP address or hostname unless you
added it manually before it started sending logs to the Logger. In the example below we rename a device (a network switch) and move it into
the proper device group instead of the default device group and storage group.
1. If needed, open Internet Explorer and navigate to https://172.28.8.1. The appliance's default certificate is self-signed, so the browser will
warn; check the certificate fingerprint out of band before accepting it, or replace it with a certificate issued by your own CA.
2. If needed, log into the ArcSight Logger appliance with the username admin and the password you set in the "Connect to Logger and change
the admin user password" section of this document, for example Password!234.
3. Once logged in, select Configuration on the top menu bar and select Data Devices.
4. Click on the Name of the device you are looking to edit. As in Figure 20, we will be editing both snet01.sdnsdomain.net and
ssan01.sdnsdomain.net.

Figure 20. Example of a device automatically added to Logger



5. Change the Name field to the name you would like, in this example we will change it to snetsw and select Save. Do the same name change
of ssan01 to ssansw. The sample shown in Figure 21, has edited both snet Ethernet and ssan Fibre Channel switches.

Figure 21. Edited example of device names

6. If the devices are configured correctly to forward their events to ArcSight Logger, the device IP addresses will show up on the Summary tab
as shown on Figure 22.

Figure 22. ArcSight Logger summary tab of devices that are forwarding events

HPE ArcSight ESM integration


The Logger implementation can be expanded to a more comprehensive, higher level by using HPE ArcSight Enterprise Security Manager
(ESM). The sample implementation described earlier, where a Connector was installed on a RHEL or Windows client to forward logs to a Logger,
can apply to one organization. Multiple Loggers can then be deployed within a company as shown in Figure 23.

ESM is used to selectively aggregate Logger data from each organization, and also to monitor a high-value client that does not belong to any
organization. Logger can forward all events, or only those of particular clients, to a centralized ESM server. In addition, Logger can be
bypassed for high-value hosts, such as the WIN-A and RHEL-B servers shown in Figure 23, which forward straight to ESM.

Logger accepts log entries forwarded via UDP, TCP, and SmartMessage; ESM, on the other hand, is limited to TCP. In this implementation, we
will configure a simple setup of Logger forwarding selected event logs to ESM, as well as a high-value client that forwards directly to ESM
instead of Logger.

[Figure 23 diagram: ORGANIZATION A and ORGANIZATION B each run an ArcSight Connector on their CS700 and CloudSystem components
(smgmt01, scs01, sms01, cs9-mgmt, cmc) feeding logger-A.sdnsdomain.net and logger-B.sdnsdomain.net respectively; both Loggers, together
with the high-value hosts WIN-A and RHEL-B, feed esm.sdnsdomain.net.]

Figure 23. Aggregating logs and events via ArcSight ESM



Deploying ArcSight ESM VM


The following are the key steps to deploy ESM on a CS700.
1. Create a 2TB datastore for ESM. Follow the same procedure as for ArcSight Logger to create a datastore called ArcSightESM.
2. Upload to one of the management host local datastore the RHEL 6.6 ISO image file.

Note
The usual location for uploading ISO images and files on CS700 is on the sms01-localdatastore under the HPCS_Software folder. You
could upload the RHEL 6.6 ISO image to the same location.

3. Create a RHEL 6.6 VM with the following specifications (minimum required for ESM).
a. Assign 100GB for the OS out of the 2TB datastore.
b. 8 cores of CPU and 36GB RAM
c. Mount the ISO image from the datastore to the CD-ROM drive.
4. Power on the VM and install with the following configurations:
a. Configure the networking during the installation.
IP address = 172.28.8.2
Netmask = 255.255.240.0
Gateway = 172.28.15.254
Primary DNS = 172.28.10.10
b. Install with the Basic Server option. Include the X Window system package on the custom options.
5. (OPTIONAL) Install VMware Tools.
6. Shut down the VM and add a second 1TB hard disk mounted to /opt/arcsight. Follow the same steps for mounting a second hard disk
performed on Logger.
7. Follow the steps in the ESM install guide for installing from the console.
a. Upload the following files to the /tmp directory
ArcSightESMSuite-6.8.0.xxxx.x.tar file,
ArcSight ESM license ZIP
Time zone package file tzdata-2015f-1.el6.noarch.rpm (or newer version if available)
b. Verify that TCP ports 8443, 9443, and 9000 are neither reserved for another service nor in use. The following command only shows
whether the port is mapped to another service name in /etc/services; a process already listening on it shows up in ss -ltn (or netstat -ltn).
grep -w <PORT_NUMBER> /etc/services
c. Install the time zone package rpm file and link /etc/localtime to the valid time zone.
rpm -Uvh /tmp/tzdata-2015f-1.el6.noarch.rpm
e. Increase the user process limit by editing the /etc/security/limits.d/90-nproc.conf file.
f. Untar the ESM file and run the installer as the arcsight user. Select the defaults on the installer options.
8. After a successful install, run the First Boot Wizard.
a. Run the command:
/opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
b. You will provide the Language Options, CORR-Engine Password, storage sizes (use defaults), notification emails, filename and location
of the license ZIP file on /tmp, ESM IP instead of hostname.

c. Once you reached the option to install additional foundation packages, you can select your preferred options. In our case, select options
4, 6, 9, 10.
4- Configuration Monitoring
6- Intrusion Monitoring
9- Network Monitoring
10- Workflow
9. After a successful first boot wizard, start ESM as root user by running the command:
[root@esm tmp]# /opt/arcsight/manager/bin/setup_services.sh
10. Open a browser from the installation computer and point it to the ArcSight ESM command center URL of https://172.28.8.2:8443 as shown
on Figure 24.

Note
If the page does not load, the host firewall is most likely blocking it. Add an iptables rule that allows inbound TCP 8443 from the installation
computer rather than disabling the firewall.

Figure 24. Initial screen of ArcSight Command Center
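Step 7b's /etc/services lookup tells you only whether a port number is associated with some service name, not whether anything can bind it, and step 7e does not say how to confirm the raised process limit actually reaches the arcsight user. The following is an added example, not part of this white paper, that runs both checks on the RHEL VM before the installer is started: it tries to bind each of the ports the page lists, and it parses /etc/security/limits.d/90-nproc.conf the way pam_limits reads it (a user-specific entry wins over the * wildcard, later lines override earlier ones). NPROC_MIN is an assumed threshold; take the real value from your ESM install guide.

```python
"""Pre-flight checks before running the ESM installer on the RHEL VM.

Added example, not HPE code. ESM_PORTS are the ports listed on the page;
NPROC_MIN is an assumed threshold, not a value from the white paper.
"""
import re
import socket
from typing import List, Optional

ESM_PORTS = [8443, 9443, 9000]
ARCSIGHT_USER = "arcsight"
NPROC_MIN = 10240                                   # assumption, see docstring
NPROC_CONF = "/etc/security/limits.d/90-nproc.conf"

# <domain> <type> nproc <value>, e.g. "arcsight  soft  nproc  10240"
LIMIT_LINE = re.compile(r"^\s*(\S+)\s+(soft|hard|-)\s+nproc\s+(\S+)\s*$")


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """True if we can bind the port ourselves, i.e. nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def busy_ports(ports: List[int]) -> List[int]:
    """Subset of `ports` that something already holds."""
    return [p for p in ports if not port_is_free(p)]


def effective_nproc(conf_text: str, user: str) -> Optional[str]:
    """Soft nproc value pam_limits would apply to `user`. '-' sets both soft and
    hard, so it counts; an explicit user entry beats '*'; last match wins."""
    user_value = wildcard_value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LIMIT_LINE.match(line)
        if not m or m.group(2) == "hard":
            continue
        domain, value = m.group(1), m.group(3)
        if domain == user:
            user_value = value
        elif domain == "*":
            wildcard_value = value
    return user_value if user_value is not None else wildcard_value


def nproc_ok(conf_text: str, user: str, minimum: int) -> bool:
    """True if the effective soft limit is unlimited or at least `minimum`."""
    value = effective_nproc(conf_text, user)
    if value is None:
        return False
    if value == "unlimited":
        return True
    return value.isdigit() and int(value) >= minimum


if __name__ == "__main__":
    print("ports in use:", busy_ports(ESM_PORTS) or "none")
    with open(NPROC_CONF) as f:
        print("nproc limit ok for", ARCSIGHT_USER + ":", nproc_ok(f.read(), ARCSIGHT_USER, NPROC_MIN))
```

Run it as root on the VM after step 7e; a non-empty "ports in use" list or a False limit result is something to fix before the installer, and in the First Boot Wizard, report a failure that is harder to diagnose after the fact.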



HPE ArcSight ESM Console


The preferred tool to configure and monitor via ESM is to use the ArcSight ESM Console. The console has more capabilities and features not
found on the Command Center. With the console, you can create rules and perform other tasks such as deleting invalid Connectors that you
cannot do in the Command Center.

The ESM console is a thick client in a separate exe or bin file from the ESM Suite tar file deployed earlier. In our case install the Windows
executable ArcSight-xxxx-Console-Win.exe on the installation computer of the CS700. During the installation:

1. Use the recommended defaults.


2. Connect to the ESM IP address of 172.28.8.2 and admin user and password configured. Figure 25 shows the initial screen of the ESM
console.

Figure 25. ArcSight ESM console GUI for Windows



Forwarding events from Logger to ESM


Described earlier were the ways of Forwarding ConvergedSystem 700 Component Events to ArcSight Logger. In this part of the document, you
will configure Logger to forward events it has collected, to ESM, as shown on Figure 26.

Figure 26. Receiving and Forwarding events on Logger

Upload ESM certificate to Logger


The first step to allow Logger to forward events to ESM is to upload the ESM certificate to Logger.

1. Get the ESM web certificate by following the same steps used on the VMware vSphere Web Services.
a. On the installation computer of the CS700, point the browser to the ESM URL of https://172.28.8.2
b. Get the ESM web certificate and save it locally with the filename of esmcert.cer
2. Point the browser to Logger’s URL of https://172.28.8.1
3. Go to Configuration > Data > Certificates.
4. Select the Add button.
5. Specify a Certificate Alias of cs700-esm
6. Select Choose File and browse for the ESM certificate file
7. Select Save.

Figure 27. Adding the ESM certificate to Logger



Create an ESM Destination


The next step to allow Logger to forward logs to ESM is to create and configure an ESM Destination in Logger.
1. In Logger, go to Configuration > Data > ESM Destinations.
2. Select the Add button.
3. Provide the required fields.
Name = CS700 ESM
Connector Name = ESMconnector
Connector Location = Houston
Logger Location = Palo-Alto
IP/Host = 172.28.8.2
Port = 8443
User Name = admin
Password = Password!234
4. Select Save.

Figure 28. Adding an ESM Destination in Logger

Verify Logger Connector with ESM Console


The next step is to verify that the Logger connector has successfully registered in ESM.

1. Launch the ESM Console application from the CS700 installation computer.
2. Log in as the admin user, with the Manager field set to the ESM IP address 172.28.8.2.
3. Verify that ESMconnector, which was registered when the ESM Destination was saved, is listed. Figure 29 shows the running
ESMconnector that was just created.

Figure 29. Verifying Logger connector’s registration in ESM

Create a Logger Forwarder


The next step after registering a connector from Logger to ESM is to create a forwarder.
1. In Logger, go to Configuration > Data > Forwarders.
2. Select the Add button.
3. On the Add Forwarder, create a forwarder for CS700.
Name = CS700 ESM Forwarder
Type = ArcSight ESM (CEF) Forwarder
Type of Filter = Unified Query
4. Select Next.
5. Select Advanced on the Query field to open the Advanced Search dialog.
a. Click the edit (pencil icon) on Device Groups.
b. Select HPE CloudSystem, Network Switches, and VMware ESXi Hosts.
c. Select Save to close the Advanced Search.
6. Select Save again on the Edit Forwarder. Verify the Enable checkbox is selected.
7. You could try creating additional forwarders. Refer to the ArcSight Logger Administration Guide for further details.

Figure 30. Creating custom Logger forwarders to ESM

Monitor Forwarded Events on ESM Console


The final step is to view the forwarded events on the ESM Console.
1. In ESM Console’s Navigator, go to the Resources tab dropdown list and select Connectors.

Figure 31. ESM Console Resources dropdown options



2. Look for ESMconnector, right-click on it, and select Create Channel with Filter as shown on Figure 32.

Figure 32. Creating Channel with Filter to a Logger connector

3. After you have created the channel, the page will refresh and show the new active channel as shown on Figure 33.

Figure 33. Active Channel of the Logger connector on ESM Console



Forwarding events from a client to ESM


In the example earlier, Logger acted as a central repository for aggregating event logs of CS700 and CS components before forwarding events
to ESM. There may be situations where a high-value client should not go through Logger but directly to ESM using a SmartConnector. In this
example, we will use one of the CS700 troubleshooting VMs, tsvm02, to illustrate this feature. In the earlier section called HPE CS700
Troubleshooting VMs, we forwarded the event logs of tsvm01 to Logger, which in turn forwarded them to ESM.

The following are the steps to forward event log entries directly to ESM using SmartConnector.
1. Copy ArcSight-xxxx-Connector-Win64.exe to the VM.
2. Log into one of the troubleshooting VMs, tsvm02, via Remote Desktop or vCenter console as Administrator user (default password is
Password!234).
3. Run the installer executable and use the defaults.
4. On the Connector Setup.
a. Select Add a Connector
b. Type = Microsoft Windows Event Log – Native
c. Keep the default values for Configure Parameters, Security, System, and Application logs selected.
d. Destination = ArcSight Manager (encrypted)
e. On the destination parameters.
Manager Hostname = 172.28.8.2
Port = 8443
User = admin
Password = Password!234
AUP Master Destination = False
Filter Out All Events = False
Enable Demo CA = False
f. On the connector details, provide the Name tsvm02-Connector and leave the rest of the fields blank if using defaults.
g. Import the certificate of the destination to the connector. It may take around 3 minutes to complete.
h. Install the connector as a service.
i. On the service parameters.
Service Internal Name = arc_winc
Service Display Name = ArcSight Microsoft Windows Event Log – Native
Start the service automatically = Yes
j. Exit the installer when finished.

5. Log into the ESM Console. You should be able to see tsvm02-Connector show up in the list of active Connectors.

Figure 34. The tsvm02 VM forwarding event logs directly to ESM.

Note
If you don’t see the connector registered on ESM, manually restart the connector from the client. Follow the same steps for restarting as
described on Step 5 of the HPE CS700 Troubleshooting VMs section.

Summary
HPE ArcSight Logger is an event data storage appliance that is optimized for extremely high event throughput. Logger stores security events
onboard in compressed form, but can always retrieve unmodified events on demand for forensics-quality litigation data. Logger can be deployed
stand-alone to receive events from syslog messages or log files, or to receive events in Common Event Format from SmartConnectors. Logger
can forward selected events as syslog messages to Enterprise Security Manager (ESM). Multiple Loggers work together to scale up to support
high-sustained input rates. Event queries are distributed across a peer network of Loggers.

HPE ConvergedSystem 700 (CS700) is a blade based scalable virtualization solution for enterprise organizations. CS700 is designed for ease of
use and simplicity to help businesses quickly harness the full potential of virtualization. It is a pre-integrated, pre-configured and modular system
providing a secure and reliable turn-key data center in a box experience. HPE Helion CloudSystem (CS) is an open, fully integrated, IaaS and
PaaS enterprise cloud offering. It delivers an enterprise private cloud in HPE Converged Infrastructure environments such as the CS700.

In this document we have shown how to deploy HPE ArcSight Logger on a CS700 environment with CloudSystem software. HPE ArcSight
Logger provides the required security analytics to identify and prioritize threats in real time and remediate incidents early. Using HPE ArcSight
Logger creates a central repository for security and event logging of customer cloud environments. Multiple organizations can attach their
respective ArcSight Logger instances to a higher level using HPE ArcSight ESM or a centralized ArcSight Logger instance. This type of security
offering enables shared responsibility and ownership of SIEM solutions between the cloud consumer and cloud provider on a CS700 with
CloudSystem software.

Resources and additional links


HPE ArcSight Logger
http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/index.html
HPE ArcSight ESM
http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/index.html
HPE ConvergedSystem
hpe.com/info/convergedsystem
HPE Helion CloudSystem Enterprise
http://www8.hp.com/us/en/cloud/cloudsystem-enterprise.html

HPE Converged Infrastructure Library


hpe.com/info/convergedinfrastructure

HPE Servers
hpe.com/servers

HPE Storage
hpe.com/storage

HPE Networking
hpe.com/networking

HPE Technology Consulting Services


hpe.com/us/en/services/consulting.html

To help us improve our documents, please provide feedback at hpe.com/contact/feedback.

Learn more at
http://www8.hp.com/us/en/software-solutions/enterprise-security.html


© Copyright 2016 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice.
The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors
or omissions contained herein.

Cloud Foundry is a trademark and/or registered trademark of Pivotal Software, Inc. in the United States and/or other countries. Microsoft,
Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. Linux is the registered trademark of
Linus Torvalds in the U.S. and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or
other jurisdictions. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other countries. Oracle is a registered trademark of
Oracle and/or its affiliates.

4AA6-4436ENW, February 2016
