FwdConn UserGuide 5.1.5.5973

SmartConnector Configuration Guide for
ArcSight Forwarding Connector v5.1.5.5973 for ArcSight ESM
August, 2011
SmartConnector Configuration Guide for ArcSight Forwarding Connector Copyright 2001-2011 ArcSight, LLC. All rights reserved. ArcSight and the ArcSight logo are registered trademarks of ArcSight in the United States and in some other countries. Where not registered, these marks and ArcSight Console, ArcSight ESM, ArcSight Express, ArcSight Manager, ArcSight Web, ArcSight Enterprise View, FlexConnector, ArcSight FraudView, ArcSight Identity View, ArcSight Interactive Discovery, ArcSight Logger, ArcSight NCM, SmartConnector, ArcSight Threat Detector, ArcSight TRM, and ArcSight Viewer, are trademarks of ArcSight, LLC. All other brands, products and company names used herein may be trademarks of their respective owners. Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: http://www.arcsight.com/copyrightnotice The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. This document is ArcSight Confidential. Revision History
Date 09/27/2011 08/15/2011 06/2011 05/2011 Product Version 5.1.5.5973 5.1.5.5973 5.1.4.5941 Description Added support for McAfee ePO 4.6. Added support for JRE 1.6.0_26. Added support for HP OMi. Restructured guide to include multiple chapters, added instructions for using multiple destinations and added a chapter on HP OM configuration. Added supported versions for McAfee ePO (4.0 and 4.5), removed build number from the guide, and fixed reported document bugs. Updated information on upgrades and forwarding base events. Merged FIPS and non-FIPS information. Updated screen shots to reflect the current UI. Updated to include an enhanced McAfee ePO feature. The new EPO Version parameter allows users of newer versions of ePO to drill down and perform actions to the source or target from the ePO console. Updates published concurrently with ESM v.4.5 SP1 Release. Added fixes and EPO destination. Forwarding Connector build 5242. Added updates for Enhanced Forwarding Connector. Added new destination options. Added information about using the Forwarding Connector to send events to ArcSight Logger. Updated connector name and installer name. General content update. Added Manager version note.
12/2010
05/26/2010 01/18/2010 12/29/2009 11/03/2009
3/26/2009 02/23/2009 08/28/2008 09/12/2007 03/28/2007 01/31/2007 09/21/2004
Date 01/20/2003
Product Version
Description First release of connector documentation.
Document template version: 2.0
ArcSight Customer Support

Phone E-mail Support Web Site Protect 724 Community 1-866-535-3285 (North America) +44 (0)870 141 7487 (EMEA) [email protected] http://www.arcsight.com/supportportal/ https://protect724.arcsight.com
ArcSight Confidential
Contents
Chapter 1: Overview and Installation .................................................................................. 7 Product Overview ............................................................................................................ 7 The ArcSight ESM Source Manager .................................................................................... 7 Sending Events to an ArcSight ESM Destination Manager ................................................ 8 Sending Events to ArcSight Logger .............................................................................. 8 Sending Events to a Non-ESM Location ........................................................................ 9 Standard Installation Procedures ....................................................................................... 9 Verifying that ArcSight ESM is Correctly Installed .......................................................... 9 Assigning Privileges on the ESM Source Manager ................................................... 10 Forwarding Correlation Events ............................................................................ 11 Increasing the FileStore size (Enhanced version only) ............................................ 13 Installing the Forwarding Connector .......................................................................... 14 Uninstalling a Forwarding Connector ................................................................................ 15 Upgrading a Forwarding Connector .................................................................................. 16 Reverting to a Previous Version of the Forwarding Connector .............................................. 16 Chapter 2: Configuration for Forwarding Events ............................................................... 19 Forwarding Events to an ArcSight Manager ....................................................................... 19 Forwarding Events to ArcSight Logger .............................................................................. 23 Forwarding Events to NSP Device Poll Listener .................................................................. 24 Forwarding CEF Syslog Events ........................................................................................ 25 Forwarding Events to a CSV File ...................................................................................... 26 Forwarding Events to McAfee ePolicy Orchestrator ............................................................. 27 Installing the Microsoft SQL Server 2005 Driver for JDBC ............................................. 28 ArcSight Event to McAfee CEF Mappings ............................................................... 28 Configuring Multiple Destinations ..................................................................................... 30 Chapter 3: Configuration for HP Operations Manager and HP Operations Manager i ...................................................... 33 The ArcSight ESM Source Manager .................................................................................. 34 Supported Versions of HP OM and HP OMi ......................................................................... 34 HP OM and HP OMi and Correlation Events ................................................................. 34 Installing the Connector ................................................................................................. 34 Creating an SNMP Interceptor Policy for HP Operations Manager (HP OM) ............................. 38
SmartConnector Configuration Guide for ArcSight Forwarding Connector 5
Uploading Interceptor Template ................................................................................ 39 Using Operations Manager for Windows ...................................................................... 39 Using Operations Manager for UNIX or Linux ............................................................... 39 Deploying the Policy ................................................................................................ 39 Creating an SNMP Interceptor Policy for HP Operations Manager i (HP OMi) ........................... 40 Uploading Interceptor Template ................................................................................ 40 Using the HP BSM Adapter to Import and Activate Policies ............................................ 40 Troubleshooting Tips ..................................................................................................... 40 Duplicate Events (for HP OMi) ................................................................................... 40 Dropped Events ...................................................................................................... 41 Adjusting the Event Processing Rate for HP OM and HP OMi ................................................ 41 Appendix A: Using the Forwarding Connector in FIPS mode ................................................................................. 43 What is FIPS? ............................................................................................................... 43 ArcSight ESM Installation ............................................................................................... 43 FIPS-Enabled Forwarding Connector Installation ................................................................ 44 Enable FIPS Suite B Support ........................................................................................... 49 Using Logger in FIPS Mode ............................................................................................. 49
SmartConnector Configuration Guide for ArcSight Forwarding Connector
Overview and Installation

This chapter provides information for installing an ArcSight Forwarding Connector for event collection from an ArcSight Manager installation. The following topics are discussed. Product Overview on page 7 The ArcSight ESM Source Manager on page 7 The ArcSight ESM Source Manager on page 7 Standard Installation Procedures on page 9 Uninstalling a Forwarding Connector on page 15 Upgrading a Forwarding Connector on page 16 Reverting to a Previous Version of the Forwarding Connector on page 16 The ArcSight Forwarding Connector is supported on Windows, Linux, Solaris, and AIX platforms. ArcSight recommends using the Forwarding Connector installer included with the corresponding ESM release. The Forwarding Connector is released as part of the ESM release, however its build version might not match that of other ESM components within the release.
Chapter 1
Product Overview
The ArcSight Forwarding Connector lets you receive events from a source Manager installation and send them to a secondary destination Manager, a non-ESM location or to an ArcSight Logger.
The ArcSight ESM Source Manager

The ESM Source Manager is the installation from which events originate on a network using the ArcSight Forwarding Connector. The Forwarding Connector sends on (or forwards) events to a destination Manager, a non-ESM location or a Logger appliance.
The ESM Source Manager must be of the same version as the ESM Destination Manager.
With data originating from an ArcSight ESM Source Manager, the ArcSight Forwarding Connector provides these destination options for forwarding events:
1 Overview and Installation
An ArcSight ESM destination Manager ArcSight Logger NSP Device Poll Listener CEF Syslog A CSV file McAfee ePolicy Orchestrator v4.0, v4.5, or v4.6 HP Operations Manager HP Operations Manager i
Sending Events to an ArcSight ESM Destination Manager

The ArcSight Forwarding Connector logs into the source Manager and then forwards events to a destination Manager. For configuration instructions, see Forwarding Events to an ArcSight Manager on page 19.
The ESM Destination Manager must be of the same version as the ESM Source Manager.
Sending Events to ArcSight Logger

ArcSight Logger is a hardware storage solution optimized for high event throughput. A typical use for Logger is to collect firewall data and then forward a subset of that data to an ArcSight Manager for realtime monitoring and correlation. Logger now supports the Federal Information Processing Standard 140-2 (FIPS 140-2). See Using Logger in FIPS Mode on page 49 for details. SmartMessage is an ArcSight technology that provides a secure channel between ArcSight SmartConnectors and Logger. SmartMessage provides an end-to-end encrypted secure channel. One end is an ArcSight SmartConnector that receives events from the many devices supported by ArcSight SmartConnectors, and the other is a SmartMessage Receiver housed on the Logger appliance. Before configuring the Forwarding Connector that sends events to the Receiver, you must create a Receiver of type SmartMessage. After you create this Receiver, you can configure the SmartConnector to send events to Logger. For information on configuring a Forwarding Connector to forward events to Logger, see Forwarding Events to ArcSight Logger on page 23. Refer to the ArcSight Logger Administrator's Guide for complete instructions about:

Receivers Configuring a SmartConnector to Send Events to Logger Configuring SmartConnectors to Send Events to Both Logger and a Manager Sending Events from ArcSight ESM to Logger Using Logger in FIPS mode
8 SmartConnector Configuration Guide for ArcSight Forwarding Connector
Sending Events to a Non-ESM Location

The ArcSight Forwarding Connector logs into the source Manager and then forwards events to a non-ESM location. When configuring the Forwarding Connector to send events to a non-ESM destination, you might encounter a problem with certificate validation during connector setup. Perform the following steps to ensure that the demo CA is added to the client trust store to validate the Manager's demo certificate.
To make sure the demo CA is added to the client trust store:

1 2 Install the connector as usual, but stop at the screen that prompts you to select a destination type. After the screen prompting you to select the destination type is displayed, run the following command from the $ARCSIGHT_HOME\current\bin directory arcsight connector tempca -ac 3 Return to the wizard and complete the installation.
For configuration instructions on forwarding events to NSP, see Chapter 2 Forwarding Events to NSP Device Poll Listener on page 24. For configuration instructions on forwarding CEF Syslog events, see Chapter 2 Forwarding CEF Syslog Events on page 25. For configuration instructions on forwarding events to a .csv file, see Chapter 2 Forwarding Events to a CSV File on page 26. For configuration instructions on forwarding events to McAfee ePolicy Orchestrator (ePO), see Chapter 2 Forwarding Events to McAfee ePolicy Orchestrator on page 27.
Use of ePO requires installation of MS SQL Server 2005 for JDBC driver. For downloading instructions, see Installing the Microsoft SQL Server 2005 Driver for JDBC on page 28.
For detailed configuration instructions on forwarding events to HP Operations Manager (HP OM) and HP Operations Manager i (HP OMi), see Chapter 3 Configuration for HP Operations Manager and HP Operations Manager i on page 33.
Standard Installation Procedures

This section describes the standard installation procedures for the ArcSight Forwarding Connector.
Verifying that ArcSight ESM is Correctly Installed

Before you install the ArcSight Forwarding Connector, make sure that ArcSight Manager and Console has already been installed correctly. Review the ArcSight Installation and Configuration Guide before attempting a new ArcSight Forwarding Connector installation.
To ensure a successful ArcSight ESM installation:

1 Make sure that the ArcSight Manager, Database, and Console are installed and functioning.
Run the ArcSight Manager; the ArcSight Manager command prompt window or terminal box displays a Ready message when the Manager has started successfully. You can also monitor the server.std.log file located in ARCSIGHT_HOME\current\logs. Run the ArcSight Console. Although not necessary, it is helpful to have the ArcSight Console running when installing the SmartConnector to verify successful installation.
Before you install the SmartConnector, ensure that you have:

Local access to the machine where the SmartConnector is to be installed Administrator passwords for this machine
Assigning Privileges on the ESM Source Manager

Before installing the ArcSight Forwarding Connector, you need to create a Forwarding Connector account on the source Manager. You can then assign filters for incoming events.
To assign privileges in the Manager:

1 2 3 4 Run the ArcSight Console and log in to the ArcSight Manager. From the Navigator Resources tab, choose Users. Create a user group under the Custom User Group. Under the group created in step 3, create a user account of user type Forwarding Connector, as shown below.
Return to the Navigator Resources tab and right-click your chosen user group.
From the menu, choose Edit Access Control.
From the Inspect/Edit window, click the Events tab under the new user type and assign the filters.
For detailed instructions on creating filters and users using ArcSight Console, refer to the ArcSight ESM Users Guide.
Forwarding Correlation Events

The ArcSight Forwarding Connector can forward events based upon the ACL assigned to the User Group on the source Manager. The connector can be configured to allow forwarding of ArcSight correlation events from the source Manager to the target (or
destination) Manager. The ACL can also be configured to allow for viewing of the detailed chain of the forwarded correlation event, including the original correlated event.
HP OM users commonly require only correlated events to be retrieved from ESM. In such cases, HP OM users can specify the selection of correlated events. To allow for only correlated events and restrict the retrieval of base events, configure ESM to retrieve correlated events, then allow the forwarding of correlated events, as described below. These steps should be performed in sequence, then restart the source Manager.
Perform the following steps to retrieve correlated events.
Configuring to Retrieve Correlated Events

To configure the source Manager to send both correlation events and on-demand correlated events to the destination Manager, the ACL must contain two separate filters: 1 Note Filter 1, which is provided with the latest version of ArcSight ESM: /All Filters/ArcSight System/Event Types/ArcSight Correlation Events 2 Create Filter 2, using the following conditions: a b Event Annotation Flags ContainsBits correlated Both filters need to be applied to the Event Permissions of the User Group ACL to be able to extract correlated events from the correlation events that are forwarded to the target Manager.
Correlated events retrieved on-demand are for viewing only. They do not persist in the destination Manager.
Restart the manager.
Configuring to Allow Forwarding of Correlated Events

The Forwarding Connector can also be configured to automatically forward correlated events irrespective of the User Group ACL. Only one Forwarding Connector per Manager can be configured to work in this mode. This configuration can aid in hierarchical deployment scenarios in which you need to automatically forward correlated events for further correlation and reporting on the destination Manager. The source Manager keeps track of the events that have been previously forwarded by using the Forwarded annotation, disallowing duplicates. To configure the source Manager to send both correlation events and correlated events automatically, you must specify the container ID. The container ID consists of two elements, the entityid and the userid. To begin the configuration, you must locate these two elements and combine them in the server.properties file.
To find the entityID, go to $AGENT_HOME/user/agent/agent.properties and search for agents[0].entityid. Copy the text string starting in 3w to a text editing program, such as Notepad. agents[0].entityid=3w+05uiYBABCCLKvzx0stdQ\==
To find the userid, go to the Console of the source Manager. a b c From to the Navigator panel, choose the Resources tab. Choose Users to find your Forwarding Connector user. Locate the Resource ID and copy the text string from the second column, as shown below.
In the $Arcsight_HOME/config/server.properties file on the source Manager, add the entityid and userid to the eventstream.cfc property, as shown below. eventstream.cfc=EntityID.UserID 3 Restart the source Manager and, if still running, the Forwarding Connector.
Increasing the FileStore size (Enhanced version only)

Installation of the ArcSight Forwarding Connector (Enhanced) option provides faulttolerance, enabling events to be saved in the event of a failure. The capacity of events that can be stored during a system failure is dependent on the amount of disk space the FileStore can use on the source Manager. Although the default size of 1024 MB (1 GB) is suitable for most installations, you can increase the size of your FileStore.
To increase the size of the FileStore:

1 Open the server.defaults.properties file, located under $ARCSIGHT_HOME\config. The file displays the default file size: filestore.disksize.max.megabytes.int=1024
Use this formula to determine appropriate rates for minutes of storage on your system: MinutesOfStorage = (((#MB / 1024) * 21,474,833) / EPS) / 60
Given the most typical event sizes, a FileStore of 1 GB can store approximately 21,474,833 events, and at a rate of 5000 events per second, the default size provides approximately 71 minutes of storage. When the FileStore fills up, the oldest events are purged to make room for recent ones.
Installing the Forwarding Connector

Before installing the Forwarding Connector, you need to assign privileges on your Manager. For instructions on how to do this, see Assigning Privileges on the ESM Source Manager on page 10.
For information regarding operating systems and platforms supported, refer to SmartConnector Product and Platform Support, available from ArcSight Technical Support with each SmartConnector release.
To install the Forwarding Connector:

1 Download the ArcSight executable for your operating system from the ArcSight Customer Support Site according to the instructions provided in the connector release notes. Start the installer by running the executable for your operating system, then follow the folder selection tasks and installation of the core SmartConnector software:

Introduction Choose Install Folder Choose Install Set Choose Shortcut Folder Pre-Installation Summary Installing...
When installation of the connector core component is complete, the following dialog is displayed:
Choose your ArcSight Forwarding Connector destination.
To forward events to an ArcSight ESM Manager, proceed with Forwarding Events to an ArcSight Manager on page 19. To forward events to an ArcSight Logger, proceed with Forwarding Events to ArcSight Logger on page 23. To forward events to an NSP appliance, proceed with Forwarding Events to NSP Device Poll Listener on page 24. To forward events to a CEF Syslog, proceed with Forwarding CEF Syslog Events on page 25. To forward events to a .csv file, proceed with Forwarding Events to a CSV File on page 26. To forward events to McAfee ePolicy Orchestrator (ePO), proceed with Forwarding Events to McAfee ePolicy Orchestrator on page 27.
Use of ePO requires installation of MS SQL Server 2005 for JDBC driver. For instructions on downloading, see Installing the Microsoft SQL Server 2005 Driver for JDBC on page 28.
For configuration instructions about forwarding events to HP Operations Manager (HP OM), see Chapter 3 Configuration for HP Operations Manager and HP Operations Manager i on page 33.
Uninstalling a Forwarding Connector

Before uninstalling a Forwarding Connector that is running as a service or daemon, first stop the service or daemon. To uninstall on Windows, open the Start menu. Run the Uninstall SmartConnectors program located under All Programs, ArcSight SmartConnectors. If Connectors are not installed on the Start menu, locate the $ARCSIGHT_HOME\UninstallerData folder and run: Uninstall ArcSightAgents.exe
To uninstall on UNIX hosts, open a command window on the $ARCSIGHT_HOME/UninstallerData directory and run the command: ./Uninstall_ArcSightAgents
The UninstallerData directory contains the file .com.zerog.registry.xml with Read, Write, and Execute permissions for all users. On Windows platforms, these permissions are required for the uninstaller to work. However, on UNIX platforms, you can change the permissions to Read and Write for everyone (that is, 666). The Uninstaller does not remove all the files and directories under the ArcSight SmartConnector home folder. After completing the uninstall procedure, delete these folders manually.
Upgrading a Forwarding Connector

To locally upgrade the Forwarding Connector:
1 2 3 Stop the running connector. Run the installer for the ArcSight Forwarding Connector, which prompts you for an installation location. Select the location of the Forwarding Connector you want to upgrade; you will receive the message Previous Version Found - Upgrade Possible. Select the option to continue and upgrade the connector. The original installation is renamed by prefacing characters to the original folder name; the upgraded connector is installed in the location $ARCSIGHT_HOME\current
During upgrade, the "Default User Groups" user group is updated and adds the /All Filters/ArcSight System/Core/No Events filter to the events ACL. If the Forwarding Connector user is in that group, the connector cannot send events to the destination Manager. To prevent this problem, edit the access control for the Forwarding Connector's parent user group and select a filter that gives permission to the subset of events for which the user has access. Alternatively, if the user has access to all the events, delete the /All Filters/ArcSight System/Core/No Events filter.
The ArcSight Forwarding Connectors must be the same version as the source ESM.
Reverting to a Previous Version of the Forwarding Connector

To revert to a previous version of the Forwarding Connector:
1 2 3 Stop the upgraded Forwarding Connector, which is in the folder named current. Rename the current folder to a name based on the build version of the upgraded connector. Rename the build folder that contains the previous version of the Forwarding Connector to current.
Start the Forwarding Connector.

Rolling back the connector to build 5116 or earlier disallows use of the McAfee ePolicy Orchestrator destination.
Configuration for Forwarding Events

This chapter provides step-by-step instructions for configuring various Forwarding Connector destinations and contains these topics: Forwarding Events to an ArcSight Manager on page 19 Forwarding Events to ArcSight Logger on page 23 Forwarding Events to NSP Device Poll Listener on page 24 Forwarding CEF Syslog Events on page 25 Forwarding Events to a CSV File on page 26 Forwarding Events to McAfee ePolicy Orchestrator on page 27 Configuring Multiple Destinations on page 30
Chapter 2
Forwarding Events to an ArcSight Manager

To continue connector configuration for forwarding events to a Manager, follow the procedure below.
To continue connector configuration:

1 Select ArcSight Manager (encrypted), and click Next.
The Wizard first prompts you for Manager certificate information.
2 Configuration for Forwarding Events
Verify whether the Manager is using a demo certificate. Choose Yes, if it is; otherwise accept the default option of No. Then, click Next.
After completing the SmartConnector installation wizard, remember to configure the connector for the type of SSL certificate your Manager is using manually. Refer to the ArcSight ESM Administrator's Guide for instructions about configuring your SmartConnector when the Manager is using a self-signed or CA-signed certificate, and for instructions about enabling SSL client authentication on SmartConnectors so that the connectors and the Manager authenticate each other before sending data.
You are prompted for Manager Host Name and Manager Port. This is your destination Manager. Enter the information and click Next.
Enter a valid ArcSight User Name and Password and click Next.
This is the user name and password for the user account you created on the destination Manager.
You are given a choice of Forwarding Connector versions to install. If you are currently using ESM v4.0 SP3 or later, ArcSight recommends choosing the ArcSight Forwarding Connector (Enhanced) option. When choosing which version to use, note the following:
The ArcSight Forwarding Connector option supports the previous software version and does not include the increased event rate and recoverability features of ArcSight Forwarding Connector (Enhanced). ArcSight recommends using the older option only when communicating with a pre-v4.0 SP3 ESM installation. Neither Forwarding Connector release is FIPS compliant. If you require FIPS compliance, retain your current Forwarding Connector version. The capacity of events that can be stored during a system failure depends on the FileStore size of your source Manager. Choosing the ArcSight Forwarding Connector (Enhanced) version requires configuration adjustments on your source Manager.
For instructions about how to determine and change your source disk settings, see Increasing the FileStore size (Enhanced version only) on page 13. Click Next.
Enter the information to configure the Forwarding Connector, then click Next to continue. This is information about your source Manager, as described in the table below.
Parameter ArcSight Source Manager Host Name ArcSight Source Manager Port ArcSight Source Manager User Name ArcSight Source Manager Password
Description The hostname where the ArcSight ESM Source Manager is installed. The network port where the ArcSight ESM Source Manager is accepting requests. The ArcSight user name created with permissions for the Forwarding Connector on the ArcSight ESM Source Manager. The ArcSight password that will be used to log this Connector into the ArcSight ESM Source Manager.
7 8 9
Enter a name for the connector and provide other information identifying the connector's use in your environment. Click Next. Read the connector summary; if it is correct, click Next. If it is not correct, click Previous to make changes before continuing. When the connector completes its configuration, click Next. The wizard now prompts you to choose whether to run the connector as a process or as a service. If you choose to run the connector as a service, the wizard prompts you to define service parameters for the connector.
10 After making your selections, click Next. The wizard displays a dialog confirming the connector's setup and service configuration. 11 Click Finish. 12 Click Done.
Forwarding Events to ArcSight Logger

When configuring the Forwarding Connector to send events to a non-ESM destination, you might encounter problems with certificate validation during connector setup. See Sending Events to a Non-ESM Location on page 9 for information about certificate validation.
Before you continue connector configuration for forwarding events to an ArcSight Logger, ensure that a SmartMessage Receiver has been set up on ArcSight Logger for the Forwarding Connector (Refer to the ArcSight Logger Administrator's Guide for details).
To continue connector configuration:

1 Select ArcSight Logger SmartMessage (encrypted) from the following dialog and click Next:
Enter the Logger Host Name/IP address, leave the port number at the default value of 443, and enter the Receiver Name. This Receiver Name is the name of the SmartMessage Receiver you set up on ArcSight Logger for the Forwarding Connector. Click Next to continue.
Click Next and continue following steps 5 through 12 in the procedure Forwarding Events to an ArcSight Manager on page 19.
Forwarding Events to NSP Device Poll Listener

When configuring the Forwarding Connector to send events to a non-ESM destination, you might encounter problems with certificate validation during connector setup. See Sending Events to a Non-ESM Location on page 9 for information on certificate validation.
To continue connector configuration for forwarding events to NSP:

1 Select NSP Device Poll Listener from the selections and click Next.
Provide the NCM/TRM Host name or IP address, and login credentials for the NCM/TRM that will interact with the Syslog Connector.
For more information about NSP, refer to the ArcSight NSP Installation and Administration
Guide.
Forwarding CEF Syslog Events

You can configure the ArcSight Forwarding Connector to send CEF Syslog events to any Syslog receiver (including ArcSight Logger).
To configure the connector to send CEF Syslog events:

1 Select CEF Syslog from the following dialog:
Enter the Logger hostname or IP address, the desired port, and choose UDP, TLS, or TCP output. Click Next to continue.
Forwarding Events to a CSV File

You can capture events a SmartConnector would normally send to the ArcSight Manager and write them to a .csv file. The Excel-compatible comma-separated values (CSV) format allows for comments prefixed by #.
To forward events to a .csv file:

1 Select CSV File and click Next.
Enter values as described in the table below.
Parameter CSV Path
Description The path to the output folder. If one does not exist, a folder is created.
Parameter Fields
Description A comma-delimited string of field names to be sent to the .csv file. Field names are in the form event.<FieldName>. The desired file rotation interval, in seconds. The default is 3,600 seconds (one hour). Select true to send a header row with labels for each column, as described above.
File rotation interval Write format header
For more information about capturing events and .csv files, refer to the section titled Capturing Events from SmartConnectors in the SmartConnector Users Guide.
Forwarding Events to McAfee ePolicy Orchestrator

This option allows you to forward events to McAfee ePolicy Orchestrator (ePO), a scalable tool for centralized anti-virus and security policy management and enforcement. ePO leverages ESM event filtering/correlation and auditing capabilities to create a single view into security events within ePO. McAfee ePO v4.0, v4.5, and v.4.6 are currently supported.
Use of ePO requires installation of MS SQL Server 2005 for JDBC driver. For instructions on downloading, see Installing the Microsoft SQL Server 2005 Driver for JDBC on page 28.
To forward events to McAfee ePO:

1 In the destination selection dialog, select McAfee ePolicy Orchestrator and click Next.
When using this transport, the Forwarding Connector is automatically configured to limit the outgoing event rate to 10 events per minute. This is due to a limitation on McAfee ePOs database as specified by McAfee.
Enter or select values for the ePO database connectivity:
To log on to the database at this point, only Microsoft SQL Server authentication is supported (Windows authentication is not). ArcSight recommends that you create a user dedicated to ArcSight with permissions to execute the stored procedure.
Installing the Microsoft SQL Server 2005 Driver for JDBC

To download and install a JDBC driver:
1 Download the MS SQL Server 2005 JDBC Driver 1.2 from Microsoft at: http://www.microsoft.com/downloads/details.aspx?FamilyId= C47053EB-3B64-4794-950D-81E1EC91C1BA&displaylang=en 2 3 Install the driver. Copy the sqljdbc.jar file from the folder C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu to $ARCSIGHT_HOME/current/user/agent/lib, where $ARCSIGHT_HOME refers to the connector install folder, such as c:\ArcSight\SmartConnectors. From $ARCSIGHT_HOME/current/bin, double-click runagentsetup to return to the SmartConnector Configuration Wizard.
ArcSight Event to McAfee CEF Mappings

The Forwarding Connector translates ArcSight events into McAfees Common Event Format.
The McAfee CEF field column shown in the following table does not represent fields seen in the Console GUI of McAfee ePolicy Orchestrator. This column represents fields within the database.
The following table lists the field mappings.

McAfee CEF Field AgentGUID Analyzer AnalyzerDATVersion AnalyzerHostName AnalyzerIPV4 AnalyzerMAC AnalyzerName AnalyzerVersion DetectedUTC SourceHostName SourceIPV4 SourceMAC SourceProcessName SourceURL SourceUserName TargetFileName TargetHostName TargetIPV4 TargetMAC TargetPort TargetProcessName TargetProtocol TargetUserName ThreatActionTaken ThreatCategory ThreatEventID ArcSight Field agented (converted to match the AgentGUID format; guaranteed to be unique ONLY within ArcSight) Fixed value: S_ARST__1000 deviceCustomString6 deviceHostName deviceAddress deviceMacAddress deviceProduct deviceVersion deviceReceiptTime sourceHostName sourceAddress sourceMacAddress sourceProcessName requestUrl sourceUserName fileName destinationHostName destinationAddress destinationMacAddress destinationPort destinationProcessName applicationProtocol destinationUserName deviceAction deviceEventCategory agentSeverity 200300 Unknown 200301 Low 200302 Medium 200303 High 200304 Very High ThreatName ThreatType name deviceEventClassId
For more details regarding McAfee ePolicy Orchestrator, refer to the SmartConnector
Configuration Guide for McAfee ePolicy Orchestrator DB.
Configuring Multiple Destinations

It is also possible to configure multiple destinations, after installation of the Forwarding Connector, using the ArcSight SmartConnector Configuration Wizard.
To configure multiple destinations:

1 To start the wizard, execute the following command:
$ARCSIGHT_HOME\current\bin\runagentsetup You can either modify the existing destination or add a new destination. The following example shows how to add a second ArcSight Manager. 2 Select I want to add/remove/modify ArcSight Manager destinations and click Next.
Select the destination type. Click ArcSight Manager (encrypted), then Next.
4 5
Choose Add new destination to add a new SmartConnector destination and click Next. Enter or select in the parameters for the destination being added and click Next.
To apply your changes, restart the SmartConnector.
Configuration for HP Operations Manager and HP Operations Manager i

This guide provides information on installing and configuring the ArcSight Forwarding Connector. The ArcSight ESM Source Manager on page 34 Supported Versions of HP OM and HP OMi on page 34 Installing the Connector on page 34 Creating an SNMP Interceptor Policy for HP Operations Manager (HP OM) on page 38 Creating an SNMP Interceptor Policy for HP Operations Manager i (HP OMi) on page 40 Troubleshooting Tips on page 40 Adjusting the Event Processing Rate for HP OM and HP OMi on page 41 ArcSight ESM sends correlated security events to IT operation teams to investigate and take remediation measures to reduce or eliminate security risks. The ArcSight Forwarding Connector logs into the source manager, then sends system events and network health information to HP OM from non-SNMP event sources. The ArcSight Forwarding Connector can be used to collect from event sources that support syslog, file, database, API, and other collection methods through ESM. HP Operations Manager (HP OM) provides comprehensive event management, proactive performance monitoring, and automated alerting, reporting, and graphing for operating systems, middleware, and applications. It is designed to provide service-driven event and performance management of business-critical enterprise systems, applications, and services. The following topics are described. HP Operations Manager i (HP OMi) enables the HP BSM Operations Management component in BSM. BSM Operations Management provides a complete monitoring solution, consolidating all IT infrastructure monitoring in a central event console, and relating the events to the IT services that depend on that infrastructure. See the HP Business Service Management Operations Manager i Concepts Guide for details on BSM. HP BSM Integration Adapter is an integration solution that enables you to monitor event sources, and, if certain conditions apply, to forward the detected events as HP Business Service Management (BSM) events directly to BSM Operations Management. See the Using HP BSM Integration Adapter Guide for details on HP BSM Integration Adapter.
Chapter 3
3 Configuration for HP Operations Manager and HP Operations Manager i
The ArcSight ESM Source Manager

Before installing the Forwarding Connector, create a Forwarding Connector account on the Manager. For instructions, see Chapter 1 Assigning Privileges on the ESM Source Manager on page 10.
Supported Versions of HP OM and HP OMi

The supported versions of HP OM and HP OMi include:

HP OM for Windows v9.0 and 8.16 (patch level 90) HP OM for UNIX v9.10 HP OM for Linux v9.10 HP OMi v9.0.1.
OMi users are strongly encouraged to apply the latest patch, OMI_00005 (build 09.01.210), to obtain critical fixes before running this integration.
HP OM and HP OMi and Correlation Events

When all rule conditions and thresholds are met, ESM generates an internal event called a correlation event. A correlation event represents the events that contributed to the rule being triggered and the relevant data contained in them. Although most ESM users can use the default settings available for retrieving events, HP OM and HP OMi users commonly require only correlated events to be retrieved from ESM. In such cases, HP OM and HP OMi users can select correlated events. To allow for only correlated events and restrict the retrieval of base events, configure ESM to retrieve correlated events, then allow the forwarding of correlated events, in that order. For instructions, see Chapter 1 Forwarding Correlation Events on page 11. HP OM and HP OMi use a SNPM trap policy to allow ArcSight events to be accepted within the HP OM or HP OMi environment. For instructions on how to create an SNMP interceptor, see Creating an SNMP Interceptor Policy for HP Operations Manager (HP OM) on page 38 or Creating an SNMP Interceptor Policy for HP Operations Manager i (HP OMi) on page 40.
Installing the Connector

Before you install the connector, make sure that the ArcSight products with which the connectors will communicate have already been installed correctly and you have assigned appropriate privileges. For data security, ArcSight recommends that you install the connector and the HP Operations Agent on the same system.
To install the Forwarding Connector

1 2 Download the ArcSight executable for your operating system from the ArcSight Customer Support Site. Start the ArcSight Installer by running the executable. Follow the installation wizard through the following folder selection tasks and installation of the core connector software:
Introduction Choose Install Folder Choose Install Set Choose Shortcut Folder Pre-Installation Summary Installing... 3 The destination selection window is displayed. If you are using the Manager Demo License, continue with steps A through C below. Otherwise, click Next and continue with step 4. When configuring the connector to send events to a non-ESM destination, you could encounter a problem with certificate validation during connector setup when using the Manager Demo certificate. 4 To verify that the demo CA is added to the client trust store: a b Click Cancel to exit the configuration wizard. From the $ARCSIGHT_HOME\current\bin directory, run the following command: arcsight connector tempca ac n <1.1.1.1> where <1.1.1.1> is the IP address of the ArcSight Manager. c Enter the following command from the same location to return to the wizard: arcsight connectorsetup 5 Choose HP Operations Manager or HP Operations Manager i. Click Next to continue.
Fill in the parameter information required for connector configuration. Click Next to continue.
Parameter Host
Description For HP OM, enter the Host name or IP address of the HP OM device. This is the HP OM managed node (the system where the HP Operations Agent is installed, and to which the SNMP interceptor policy is deployed). For HP OMI, enter the Host name or IP address of the HP BSM Integration Adapter. For HP OM and HP OMI, enter the port to be used by the device to monitor for events by the HP Operations Agent or by the BSM Integration Adapter monitoring for SNMP traps from the ArcSight Logger. Accept the default value of SNMP_VERSION_2. SNMP_VERSION_3 is not currently available. Enter the SNMP Read Community name. Enter the SNMP Write Community name. For use with SNMP v3. Not currently available. Authentication Password(v3) Security Level(v3) Authentication Scheme(v3) Privacy Password(v3) Context Engine Id(v3) Context name(v3)
Port
Version Read Community(v2) Write Community(v2 Authentication Username(v3)
Choose ArcSight Forwarding Connector (Enhanced). Click Next.
Enter the Source Manager information. Click Next.
Parameter ArcSight Source Manager Host Name ArcSight Source Manager Port ArcSight Source Manager User Name ArcSight Source Manager Password
Description Enter the name of the host on which the ESM Source Manager is installed. Enter the network port from which the ESM Source manager is accepting requests. The default port is 8443. Enter the ArcSight user name created with permissions for the adaptor on the ArcSight ESM Source Manager. Enter the ArcSight password that will be used to log this adaptor into the ArcSight ESM Source Manager.
Enter a name for the connector and provide other information identifying the connector's use in your environment. Click Next.
10 Read the installation summary and click Next. If it is incorrect, click Previous to make changes. 11 When the connector completes its configuration, click Next. The Wizard prompts you to choose whether to run the connector as a process or as a service. If you run the connector as a service, the Wizard prompts you to define service parameters for the connector. 12 After making your selections, click Next. The Wizard displays a dialog confirming the connector's setup and service configuration. 13 Click Finish. For some connectors, a system restart is required before the configuration settings take effect. If a System Restart window is displayed, read the information and restart the system. 14 Click Done.
Creating an SNMP Interceptor Policy for HP Operations Manager (HP OM)

An SNMP interceptor policy is a type of HP OM policy, with rules, conditions, and actions. Rules define what a policy should do in response to a specific type of event. Each rule consists of a condition and an action. SNMP interceptor policies monitor SNMP events, and can start actions when an SNMP event contains a specified character pattern. The Logger Forwarding Connector sends security events as SNMP traps to an HP OM SNMP interceptor policy that you will create. SNMP interceptor policies can be configured on either HP OM UI, HP OM for Windows, or HP OM for UNIX or Linux. ArcSight provides a template interceptor policy for use in creating your own customized SNMP interceptor policy. This template policy should be customized and enhanced to satisfy different needs and requirements with HP OM's powerful policy edit features. You can upload the ArcSight SNMP interceptor policy template to HP OM for Windows (using the ovpmutil command line tool) and to HP OM for UNIX or Linux (using the opcpolicy command line tool).
See Troubleshooting Tips on page 40 for details if you encounter duplicate or dropped events.
Uploading Interceptor Template

After you have completed the connector installation, navigate to $ARCSIGHT_HOME\current\user\agent\hpompolicy. This folder provides policy files as a basic SNMP interceptor template.
Using Operations Manager for Windows

Copy the hpompolicy folder from $ARCSIGHT_HOME\current\user\agent\hpompolicy to the destination HP OM for Windows machine's C:\temp directory. Then use the following command to upload the policy: "%OvBinDir%\ovpmutil" CFG POL UPL "C:\temp\hpompolicy" You should receive the following messages: Root policy group "for ArcSight Integration" uploading: Policies upload completed successfully.
For descriptions of specific HP OM commands, refer to the HP Operations Manager online help and documentation.
Using Operations Manager for UNIX or Linux

Copy the hpompolicy folder from $ARCSIGHT_HOME\current\user\agent\hpompolicy to the destination HP OM machine's /tmp directory. Then use the following command to upload the policy: /opt/OV/bin/OpC/utils/opcpolicy -upload dir=/tmp/hpompolicy/"ArcSight Events" You should receive the following message: Operation successfully completed.
For descriptions of specific HP OM commands, refer to the HP Operations Manager online help and documentation.
Deploying the Policy

Once you have created your customized SNMP interceptor policy, deploy or assign the policy through the HP OM for Windows or HP OM for UNIX or Linux Administration UI. For details, refer to the HP Operations Manager online help and documentation. The systems that send the SNMP traps to the logger must also be set up as nodes in HP OM, because HP OM discards messages from unknown systems. Set up an external node or an SNMP node. For details, refer to the HP Operations Manager online help and documentation.
Also, configure the HP Operations Agent for SNMPv2 by setting the SNMP_SESSION_MODE variable using the ovconfchg command line tool. Refer to the HP Operations Manager or HP Operations Agent online help and documentation for more information.
Creating an SNMP Interceptor Policy for HP Operations Manager i (HP OMi)

HP BSM Integration Adapter SNMP interceptor policies monitor SNMP events, and respond when a character pattern that you choose is found in an SNMP trap. ArcSight provides a template SNMP interceptor policy for use in creating your own customized SNMP interceptor policy. This template policy should be customized and enhanced to satisfy different needs and requirements with HP BSM Integration Adapter's powerful policy edit features. See Troubleshooting Tips on page 40 for details if you encounter duplicate or dropped events.
Uploading Interceptor Template

After you have completed connector installation, navigate to $ARCSIGHT_HOME\current\system\agent\config\snmp-policies\hpom. This folder provides policy files as a basic SNMP interceptor template. Copy or provide network access to this folder.
Using the HP BSM Adapter to Import and Activate Policies

In the BSM Integration Adapter, you must import and activate the policy. To do so: 1 2 3 Click the Import icon in the BSM Integration Adapter UI. Browse to find the policy files. Select the header and data files and click Open to import the files. The files will resolve into a policy listed in the BSM Integration Adapter UI. You must import both files for the policy to function correctly. Select the policy and click the Activate icon. Configure the HP Operations Agent to receive SNMPv2 traps by setting the SNMP_SESSION_MODE variable. Refer to the Using HP BSM Integration Adapter Guide for details on the HP BSM Adapter.
4 5
Troubleshooting Tips
Duplicate Events (for HP OMi)
If there appear to be duplicate events forwarded to the HP OMi console: 1 2 Check and adjust deduplication options as needed. If, after modifying deduplication options, there still appear to be duplicate events, check the Custom Message Attributes (event details and data), and apply rules to differentiate the events. For HP OMi, Refer to the HP Business Service Management Using Operations Management Guide and help for details.
For HP OM, refer to the HP Operations Manager online help for details.
Dropped Events
If you notice that some events forwarded from ArcSight ESM/Logger are dropped, verify whether the Agent Severity is set correctly in those events. The default SNMP interceptor policy provided by ArcSight in the connector distribution has rules to pick up and forward SNMP Traps from ArcSight ESM/Logger based on the Agent Severity. Events that do not have Agent Severity set are dropped and not forwarded by the SNMP interceptor policy. If the dropped events are correlated events from ESM, make sure that the rules on ESM are set for the correct Agent Severity in the correlated events they generate. If the dropped events are normalized events from devices, then verify that the originating connector that has normalized the event has mapped the Agent Severity correctly from the Device Severity. If the originating connector (that is not setting the Agent Severity) is a FlexConnector, review the mappings and map all of the device severities to one of these Agent Severity values: Low, Medium, High, or Very-High. If the connector is a supported connector, contact customer support.
Adjusting the Event Processing Rate for HP OM and HP OMi

The default event processing rate for forwarding events from ESM to HP OM is 50 eps. For HP OMi, the default processing rate is 10 eps. If this rate proves excessive for your system, HP OM or HP OMi might drop some incoming events. If events are being dropped, decrease the event processing rate until you find that all events have arrived. If this occurs, you can adjust the rate at which events are forwarded to HP OM or HP OMi. To do so, you will need to change the event processing rate within your XML properties file. To adjust the event processing rate, 1 2 Stop the currently running SmartConnector from operating. From a Windows command line, access your XML properties file using the command cd %ARCSIGHT_HOME%/current/user/agent 3 Use WordPad or any XML Editor to open the .xml file for your HP OM or HP OMi destination, similar to the example below: 0Ajv5S8BABCAAeabNXP5Rw==.xml 4 From within the .xml file, search for the following for HP OM: ProcessingSettings.ThrottleRate="50" or, for HP OMi: ProcessingSettings.ThrottleRate="10" This value controls the current processing event rate. 5 Change this value to the desired rate of events per second. For example, to lower the rate of events to 5 eps, change the value after the string to 5:
ProcessingSettings.ThrottleRate="5"
If there are multiple destinations, repeat the steps above to change the rate for each destination, as required.
6 7
Save the .xml file and exit the XML editor. Restart the SmartConnector.
Using the Forwarding Connector in FIPS mode

The following topics provide information and instructions for enabling FIPS compliance in the use of the Forwarding Connector. What is FIPS? on page 43 ArcSight ESM Installation on page 43 FIPS-Enabled Forwarding Connector Installation on page 44 Enable FIPS Suite B Support on page 49 Using Logger in FIPS Mode on page 49
Appendix A
What is FIPS?
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.
FIPS compatibility applies only to standard ESM and Logger destinations.
ArcSight ESM Installation

Before you install an ArcSight Forwarding Connector, make sure that ArcSight ESM has already been installed correctly for FIPS compliance. See Standard Installation Procedures on page 9 for instructions. Also, ArcSight recommends reading the ArcSight ESM Installation and Configuration Guide before attempting to install a new Forwarding Connector. For information regarding operating systems and platforms supported, see SmartConnector Product and Platform Support, available from ArcSight Technical Support with each SmartConnector release.
A Using the Forwarding Connector in FIPS mode
FIPS-Enabled Forwarding Connector Installation

After completion of ArcSight ESM installation (which includes assigning privileges on the ESM source manager, allowing the forwarding of correlation events, and so on), follow the instructions under Installing the Forwarding Connector on page 14 up to and including step 2. When the installation is complete after step 2, the following dialog is displayed:
To install a FIPS-enabled Forwarding connector:

1 Click Cancel to exit connector setup in order to perform configuration of the NSS DB, a necessary step for installing the connector in FIPS-compliant mode. (You will return to the wizard after performing these configuration steps.) Create a properties file using the following location: $ARCSIGHT_HOME/user/agent/agent.properties 3 4 Add the following line within the file: fips.enabled=true Copy your key files for source and destination Managers (in this example, srcmgrkey.cert and destmgrkey.cert) into the $ARCSIGHT_HOME\current\bin directory. Turn off FIPS enablement on the new installation using the following command: arcsight runmodutil fips false dbdir user/agent/nssdb.client 6 Import the certificates for the source and destination Managers. Where srcmgrkey and destmgrkey are alias names and srcmgrkey.cert and destmgrkey.cert are the names with which the certificates from the Managers were saved, import the certificates for the source and destination Managers, using the following commands: This command imports the source Managers certificate: arcsight runcertutil A n srcmgrkey t "CT,C,C" d user/agent/nssdb.client i bin/srcmgrkey.cert This command will display, in plain text (as shown below), the contents of the source Managers certificate and can be used to determine the name put into the connector
44
configuration for the source Manager: arcsight runcertutil L n srcmgrkey t "CT,C,C" d user/agent/nssdb.client
To confirm the Managers certificate name, look under Subject: CN=*, as shown in the following example.
This command imports the destination Managers certificate: arcsight runcertutil A n destmgrkey t "CT,C,C" d user/agent/nssdb.client i bin/destmgrkey.cert This command displays, in plain text, the contents of the destination Managers certificate and can be used to determine the name put into the connector configuration for the destination manager: arcsight runcertutil L n destmgrkey t "CT,C,C" d user/agent/nssdb.client
Your host name must match the Managers certificate name (circled above as an example) and must be DNS resolvable. If these fields do not match, the connection will fail.
Re-enable FIPS using the following command: arcsight runmodutil fips true dbdir user/agent/nssdb.client
Return to connector setup by entering the following command from the $ARCSIGHT_HOME\current\bin directory: arcsight connectorsetup
When prompted to start in Wizard Mode, click Yes.
10 The Destination selection dialog displays. Make sure ArcSight Manager (encrypted) is selected and click Next.
You are prompted for Manager Host Name and Manager Port.
The host name and managers certificate name must match and must be DNS resolvable. If these fields do not match, the connection will fail.
11 Enter the information and click Next.
46
12 Enter a valid ArcSight User Name and Password, and click Next. This should be the user name and password for the user account you created on the destination ArcSight Manager.
13 You are given a choice of Forwarding Connector versions to install. If you are currently using ESM v4.0 SP3 or later, ArcSight recommends choosing the ArcSight Forwarding Connector (Enhanced) option. When choosing which version to use, note:
The ArcSight Forwarding Connector option supports the previous software version and does not include the increased event rate and recoverability features of ArcSight Forwarding Connector (Enhanced). ArcSight recommends using the older option only when communicating with a pre-v4.0 SP3 ESM installation. The capacity of events that can be stored during a system failure is dependent on the FileStore size of your source ArcSight Manager. Choosing the ArcSight Forwarding Connector (Enhanced) version requires configuration adjustments on your source Manager.
For instructions on how to determine and change your source disk settings, see Increasing the FileStore size (Enhanced version only) on page 13. Click Next.
14 Enter the information to configure the Forwarding Connector.

The host name and manager certificate name must match and must be DNS resolvable. If these fields do not match, the connection will fail.
This is information about your source Manager, as described in the table below.
Click Next to continue.

Parameter ArcSight Source Manager Host Name ArcSight Source Manager Port ArcSight Source Manager User Name ArcSight Source Manager Password Fips Cipher Suites Description Hostname where the ArcSight ESM Source Manager is installed. Network Port where the ArcSight ESM Source Manager is accepting requests. The ArcSight user name created with permissions for the Forwarding Connector on the ArcSight ESM Source Manager. ArcSight's password that will be used to log this Connector into the ArcSight ESM Source Manager. fipsDefault: Standard Fips SuiteB 128: Fips Suite B with 128Bit encryption SuiteB 192: Fips Suite B with 192Bit encryption
15 Enter a name for the connector and provide other information identifying the connector's use in your environment. Click Next. 16 Read the connector summary; if it is correct, click Next. If it is not correct, click Previous to make changes before continuing. 17 When the connector completes its configuration, click Next. The wizard now prompts you to run the connector as a process or as a service. If you choose to run the connector as a service, the wizard prompts you to define service parameters for the connector.
48
18 After making your selections, click Next. The wizard displays a dialog confirming the connector's setup and service configuration. 19 Click Finish.
Enable FIPS Suite B Support

If you have installed a SmartConnector in FIPS-compliant mode, you can enable FIPS Suite B support by modifying the ESM destination parameters.
The ArcSight Manager must also be installed in FIPS Suite B mode.
To enable FIPS Suite B support:

1 2 From $ARCSIGHT_HOME\current\user\agent, open the agent.properties file. Locate the following property for ESM destination parameters (approximately, line 10 in the file): agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n <Parameter Name\="port" Value\="8443"/>\n <Parameter Name\="filterevents" Value\="false"/>\n <Parameter Name\="host" Value\="samplehost.sv.arcsight.com"/>\n <Parameter Name\="aupmaster" Value\="false"/>\n <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n The destination parameters are specified here as an XML string where each element is one parameter. Based on the Suite B mode of the Manager, change fipsDefault to suiteb128 (for 128-bit security) or suiteb192 (for 192-bit security). 3 Save and exit the agent.properties file.
Using Logger in FIPS Mode

ArcSight Logger supports the Federal Information Processing Standard 140-2 (FIPS 140-2). To use Logger in the FIPS mode, refer to the ArcSight Logger Administrator's Guide and see Installing or Updating a SmartConnector to be FIPS-compliant in Chapter 7, System Admin for instructions.
50

FwdConn UserGuide 5.1.5.5973

Uploaded by

Copyright:

Available Formats

FwdConn UserGuide 5.1.5.5973

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FwdConn UserGuide 5.1.5.5973

Uploaded by

Copyright:

Available Formats

SmartConnector Configuration Guide for

ArcSight Forwarding Connector v5.1.5.5973 for ArcSight ESM

05/26/2010 01/18/2010 12/29/2009 11/03/2009

3/26/2009 02/23/2009 08/28/2008 09/12/2007 03/28/2007 01/31/2007 09/21/2004

Description First release of connector documentation.

Document template version: 2.0

ArcSight Customer Support

SmartConnector Configuration Guide for ArcSight Forwarding Connector 5

SmartConnector Configuration Guide for ArcSight Forwarding Connector

Overview and Installation

The ArcSight ESM Source Manager

SmartConnector Configuration Guide for ArcSight Forwarding Connector 7

1 Overview and Installation

Sending Events to an ArcSight ESM Destination Manager

Sending Events to ArcSight Logger

8 SmartConnector Configuration Guide for ArcSight Forwarding Connector

1 Overview and Installation

Sending Events to a Non-ESM Location

To make sure the demo CA is added to the client trust store:

Standard Installation Procedures

Verifying that ArcSight ESM is Correctly Installed

To ensure a successful ArcSight ESM installation:

SmartConnector Configuration Guide for ArcSight Forwarding Connector 9

1 Overview and Installation

Before you install the SmartConnector, ensure that you have:

Assigning Privileges on the ESM Source Manager

To assign privileges in the Manager:

10 SmartConnector Configuration Guide for ArcSight Forwarding Connector

1 Overview and Installation

From the menu, choose Edit Access Control.

Forwarding Correlation Events

SmartConnector Configuration Guide for ArcSight Forwarding Connector 11

1 Overview and Installation

Perform the following steps to retrieve correlated events.

Configuring to Retrieve Correlated Events

Restart the manager.

Configuring to Allow Forwarding of Correlated Events

12 SmartConnector Configuration Guide for ArcSight Forwarding Connector

1 Overview and Installation

Increasing the FileStore size (Enhanced version only)

To increase the size of the FileStore:

SmartConnector Configuration Guide for ArcSight Forwarding Connector 13

1 Overview and Installation

Installing the Forwarding Connector

To install the Forwarding Connector:

14 SmartConnector Configuration Guide for ArcSight Forwarding Connector

1 Overview and Installation

Choose your ArcSight Forwarding Connector destination.

Uninstalling a Forwarding Connector

SmartConnector Configuration Guide for ArcSight Forwarding Connector 15

1 Overview and Installation

Upgrading a Forwarding Connector

Reverting to a Previous Version of the Forwarding Connector

16 SmartConnector Configuration Guide for ArcSight Forwarding Connector

1 Overview and Installation

Start the Forwarding Connector.

SmartConnector Configuration Guide for ArcSight Forwarding Connector 17

1 Overview and Installation

18 SmartConnector Configuration Guide for ArcSight Forwarding Connector