
Micro Focus Confidential—subject to use restriction

Event Broker 2.20

Build Guide

v3a – 07/12/2018
Contents
Description
Versions
Scenario 1
Scenario 2
Scenario 3
Physical Network
DNS Configuration
Host Configuration
BIND Configuration
NFS Configuration
CentOS Configuration
ArcSight Installation
ArcSight Installer and Event Broker Install
Event Broker Deployment
Using MobaXterm to SSH tunnel to the Event Broker interface
Shutting down and starting up the Event Broker Virtual Machines
Configuring ArcMC to manage Event Broker
Configuring SmartConnectors as an Event Broker Producer
Configuring SmartConnectors as an Event Broker Producer using SSL/TLS
Configuring Logger as an Event Broker Consumer
Configuring Logger as an Event Broker Consumer using SSL/TLS
Configuring ESM as an Event Broker Consumer
Adding a license to Event Broker
BIND Files
named.conf
named.conf.local
example.com
0.168.192.in-addr.arpa
Micro Focus Trademark Information
Company Details

Description
This guide shows how to install Event Broker in a lab environment. There are three deployment
scenarios, all of which use common steps. Scenario 1 uses 1 node (1 x Master/Worker node). Scenario
2 uses 4 nodes (1 x Master node; 3 x Worker nodes). Scenario 3 uses 6 nodes (3 x Master nodes; 3 x
Worker nodes). Where there are differences with the configuration, I have noted this. The guide
covers: setting up SmartConnectors as Producers; setting up Logger and ESM as Consumers; setting up
ArcMC for Event Broker management.

1. Scenario 1 (1 Node)
a. Master/Worker on 1 node
i. This scenario uses the internal NFS server. Use of the default internal NFS server
is only recommended for single-node and nonproduction deployment
environments.
2. Scenario 2 (4 Nodes)
a. Master on 1 node; Workers on 3 nodes
i. This scenario uses the internal NFS server. Use of the default internal NFS server
is only recommended for single-node and nonproduction deployment
environments.
3. Scenario 3 (6 Nodes)
a. Masters on 3 nodes; Workers on 3 nodes
i. This scenario uses an external NFS server.
This is an offline installation of Event Broker. The CentOS install is a minimal install, adding only the
packages required for Event Broker. The Event Broker nodes are running
CentOS 7.4.1708.

Versions
• ArcSight Installer 1.40.13
o arcsight-installer-1.40.13.zip
• Event Broker 2.20
o arcsight-eventbroker-2.20.33.tar
• ArcMC 2.8
o ArcSight-ArcMC-2.8.0.2110.0.bin
• Logger 6.6
o ArcSight-logger-6.6.0.8204.0.bin
• ESM 7.0
o ArcSightESMSuite-7.0.0.2208.0.tar
• SmartConnector 7.8.0.8070
o ArcSight-7.8.0.8070.0-Connector-Win64.exe

Scenario 1

Scenario 2

Scenario 3

Physical Network
All nodes are on the same 1 GigE network segment. There are no firewalls between nodes and no
Internet proxy.

DNS Configuration
DNS is required with Event Broker and ArcMC. I am running BIND on CentOS. BIND is easy to install and
configure and I’ve put instructions on doing this below. All nodes must be able to forward and reverse
lookup by short names, full names, and IP addresses. See the mandatory steps below to verify proper
configuration.

Host Configuration
• /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.1 eb1.example.com eb1

• /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.0.53

• /etc/nsswitch.conf
hosts: files dns myhostname

• /etc/sysconfig/network
# Created by anaconda
HOSTNAME=eb1.example.com

• /etc/hostname
eb1

• nmtui

• Reboot and check that the host and network configuration was set up properly. You must run
these commands on every node in the cluster and on every Producer and Consumer. For
Scenario 1, you must run these commands on eb1.example.com, arcmc.example.com,
logger.example.com, and esm.example.com. For Scenario 2, you must run these commands on
eb1.example.com, eb2.example.com, eb3.example.com, arcmc.example.com,
logger.example.com, and esm.example.com. For Scenario 3, you must run these commands on
eb1.example.com, eb2.example.com, eb3.example.com, eb4.example.com, eb5.example.com,
eb6.example.com, nfs.example.com, arcmc.example.com, logger.example.com, and
esm.example.com. Do not use the ping command to verify your DNS configuration; use the nslookup
or host commands. You must run the nslookup commands against every server specified in your
/etc/resolv.conf file, and every server must be able to forward and reverse lookup properly and return
the exact same results. If you have a public DNS server specified in your /etc/resolv.conf file (such as the
Google public DNS servers 8.8.8.8 or 8.8.4.4), you must remove this from the host configuration of all of
your nodes.
o hostname
eb1

o hostname -s
eb1

o hostname -f
eb1.example.com

o hostname -d
example.com

o nslookup eb1.example.com 192.168.0.53


Server: 192.168.0.53
Address: 192.168.0.53#53

Name: eb1.example.com
Address: 192.168.0.1

o nslookup eb1 192.168.0.53


Server: 192.168.0.53
Address: 192.168.0.53#53

Name: eb1.example.com
Address: 192.168.0.1

o nslookup 192.168.0.1 192.168.0.53


Server: 192.168.0.53
Address: 192.168.0.53#53

1.0.168.192.in-addr.arpa name = eb1.example.com.
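
The checks above, as an added example script that is not part of the original guide: it runs the FQDN, short-name and reverse lookups against every nameserver in a resolv.conf file and reports any answer that differs from the expected name and address, as well as any public resolver (8.8.8.8, 8.8.4.4) still listed. The function names are this example's own; run_nslookup is the only part that needs the network.

```sh
#!/bin/sh
# Added example (not from the original guide): verify forward and reverse DNS
# for one node against every nameserver listed in a resolv.conf file.

# The only function that touches the network; override it to test offline.
run_nslookup() { nslookup "$1" "$2" 2>/dev/null; }

# List the nameserver addresses in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Forward answer as "<name> <address>". Only the Address line that follows
# "Name:" is used, so the resolver's own "Address: x#53" header is skipped.
parse_forward() {
    awk '$1 == "Name:" { name = $2; seen = 1; next }
         seen && $1 == "Address:" { print name, $2; exit }'
}

# Reverse answer: the PTR target with its trailing dot removed.
parse_reverse() {
    awk '/name = / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# check_host FQDN SHORT IP RESOLV_CONF
# Prints one line per problem; the return code is the number of problems.
check_host() {
    fqdn=$1; short=$2; ip=$3; conf=$4; problems=0
    servers=$(nameservers "$conf")
    [ -n "$servers" ] || { echo "FAIL: no nameserver in $conf"; return 1; }
    for ns in $servers; do
        case $ns in
            8.8.8.8|8.8.4.4)
                # The guide requires public resolvers to be removed.
                echo "FAIL $ns: public resolver listed in $conf"
                problems=$((problems + 1)); continue ;;
        esac
        # Both the full and the short name must resolve to the same record.
        for q in "$fqdn" "$short"; do
            got=$(run_nslookup "$q" "$ns" | parse_forward)
            if [ "$got" != "$fqdn $ip" ]; then
                echo "FAIL $ns: $q -> '${got:-no answer}', expected '$fqdn $ip'"
                problems=$((problems + 1))
            fi
        done
        # The address must map back to the full name.
        got=$(run_nslookup "$ip" "$ns" | parse_reverse)
        if [ "$got" != "$fqdn" ]; then
            echo "FAIL $ns: $ip -> '${got:-no answer}', expected '$fqdn'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use:
#   sh dnscheck.sh eb1.example.com eb1 192.168.0.1 /etc/resolv.conf
if [ "$#" -eq 4 ]; then
    check_host "$@" && echo "DNS OK for $1"
fi
```

Run it on each node, Producer and Consumer with that host's own names and address; any FAIL line means the DNS setup is not yet consistent.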

BIND Configuration
• Install
o yum -y install bind bind-utils
• Create four files with the names shown below using Notepad++. The contents to copy and paste
into each of these files are at the end of this guide (the font size is smaller to make it
easier to copy and paste). Make sure you save the files as Unix (LF). example.com and
0.168.192.in-addr.arpa need to have a blank line at the end of the file. Back up the existing
/etc/named.conf file and create /etc/named/zones. Copy these files to the following
directories.
o named.conf
/etc/named.conf

o named.conf.local
/etc/named/named.conf.local

o example.com
/etc/named/zones/example.com

o 0.168.192.in-addr.arpa
/etc/named/zones/0.168.192.in-addr.arpa

• Modify the files based on your IP address space


o The forward and reverse zones are based on the 192.168.0.X Class C private address
space. You’ll need to modify them based on the IP address space and hostnames you
are using.
• Check the syntax of files and check the output
o named-checkconf

 If there are no errors then there should be no output from this command.

o named-checkzone example.com /etc/named/zones/example.com

zone example.com/IN: loaded serial 0


OK

o named-checkzone 0.168.192.in-addr.arpa /etc/named/zones/0.168.192.in-addr.arpa

zone 0.168.192.in-addr.arpa/IN: loaded serial 0


OK

• Enable BIND on boot and start it
o systemctl enable named
o systemctl start named
• If you need to add/change/remove hosts from the forward and reverse lookup zones, use this
command to do this without having to stop and start the named service. You should increment
the serial number in the example.com and 0.168.192.in-addr.arpa zone files before you run
this.
o rndc reload example.com
o rndc reload 0.168.192.in-addr.arpa

NFS Configuration
With a multi-master deployment with 3 Master nodes, NFS needs to run on an external server. Our NFS
server IP address is 192.168.0.111 and its FQDN is nfs.example.com. The directory for the NFS shares
will be /opt/arcsight/nfs/volumes. The /etc/exports file below has three lines; each line starts with
/opt/arcsight/nfs/volumes.

• Install
o yum install -y rpcbind nfs-utils
o systemctl enable rpcbind
o systemctl start rpcbind
o systemctl enable nfs-server
o systemctl start nfs-server
o systemctl disable firewalld
o systemctl mask firewalld
o systemctl stop firewalld
• Configure
o mkdir -p /opt/arcsight/nfs/volumes/itom/core
o mkdir -p /opt/arcsight/nfs/volumes/eventbroker
o mkdir -p /opt/arcsight/nfs/volumes/investigate
o groupadd -g 1999 eventbroker
o useradd -g 1999 -u 1999 eventbroker
o chown -R 1999:1999 /opt/arcsight
o vi /etc/exports
/opt/arcsight/nfs/volumes/itom/core 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
/opt/arcsight/nfs/volumes/eventbroker 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
/opt/arcsight/nfs/volumes/investigate 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
o exportfs -ra

CentOS Configuration
• VMware
o Memory
 eb1.example.com, eb2.example.com, eb3.example.com
• Master nodes – 8 GB
 eb4.example.com, eb5.example.com, eb6.example.com
• Worker nodes – 8 GB
o Processors
 8 (4 processors x 2 cores)
o Hard Disk
 100 GB
o Network Adapter
 Bridged (only a single Network Adapter is setup in the VM)
o Remove the following Devices
 USB Controller
 Sound Card
 Printer
• Install CentOS
o Version
 CentOS 7.4
• CentOS-7-x86_64-Minimal-1708.iso
• CentOS Linux release 7.4.1708 (Core)
 All nodes are a Minimal Install.
 This guide assumes you have access to yum repositories.
o Network Adapter
 IPv4 manual
 IPv6 ignore
o Disk partitions
 Event Broker disk partitions need to be Standard Partition/ext4/ext.
o Shut down the VM and take a snapshot
• Once the OS is installed
o yum
 yum install -y bind-utils unzip nfs-utils libseccomp libtool-ltdl chrony java-1.8.0-openjdk-headless lsof net-tools
• java-1.8.0-openjdk-headless is required on the Master nodes but is not
required on the Worker nodes
o chrony
 systemctl start chronyd
 systemctl enable chronyd
 chronyc tracking
o vi /etc/sysconfig/selinux
 SELINUX=disabled
o vi /etc/security/limits.d/20-nproc.conf
 You will need to comment out the default soft nproc entry and add these entries
* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536
* soft core unlimited
* hard core unlimited

o Reboot
o Check that SELinux is disabled
 sestatus
SELinux status: disabled

o Check that 20-nproc.conf was properly modified


 ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 31152
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 10240
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

o Shut down the VM and take a snapshot


• I use the VM up to this point as a base VM. If I am following Scenario 1, I can continue with this
VM. If I am following Scenario 2, I will copy the VM to 2 different directories, so I have 3 in total.
If I am following Scenario 3, I will copy the VM to 5 different directories, so I have 6 in total.
When I open the additional VMs in VMware Workstation, I get the prompt: “This virtual
machine might have been moved or copied.” I select “I Copied It” so VMware creates a new
MAC address for each VM. I then change the hostnames using nmtui and by modifying the
/etc/hosts and /etc/sysconfig/network files. Below are the DNS names and IP addresses I will be
using in the VMs. eb1.example.com, eb2.example.com, and eb3.example.com will be used as
Master nodes for all scenarios. eb4.example.com, eb5.example.com, and eb6.example.com will
be used as Worker nodes for all scenarios. For Scenario 3, we will use eb.example.com and
192.168.0.22 for the HA Virtual IP (VIP) address.
o eb1.example.com 192.168.0.1
o eb2.example.com 192.168.0.2
o eb3.example.com 192.168.0.3
o eb4.example.com 192.168.0.4
o eb5.example.com 192.168.0.5
o eb6.example.com 192.168.0.6
o eb.example.com 192.168.0.22
o dns.example.com 192.168.0.53
o nfs.example.com 192.168.0.111
• ssh
o For Scenario 2 and Scenario 3, we need to generate an ssh key on the Master node we
are running the install from (eb1.example.com). Select the default file and no
passphrase.
 ssh-keygen -q -t rsa
o For Scenario 2 and Scenario 3, once the ssh key is generated, we need to copy it from
the Master node we are running the install from to the other Master and Worker nodes.
For Scenario 2, this needs to be copied from eb1.example.com to eb4.example.com,
eb5.example.com, and eb6.example.com. For Scenario 3, this needs to be copied from
eb1.example.com to eb2.example.com, eb3.example.com, eb4.example.com,
eb5.example.com, and eb6.example.com. If we don’t do this, we’ll get login prompts for
every step through the install. SSH access only needs to be enabled for installation (or
upgrade). If required by your security policy, you can disable SSH access after
installation or upgrade operations are complete. Below are the commands to run on
eb1.example.com.
 eb1.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb2.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb3.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb4.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb5.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb6.example.com
o To verify this was set up properly, use the following commands on eb1.example.com.
You should be able to log in with no password prompt.
 eb1.example.com
• ssh root@eb2.example.com
• ssh root@eb3.example.com
• ssh root@eb4.example.com
• ssh root@eb5.example.com
• ssh root@eb6.example.com
• At this point the VMs are ready for the Event Broker install.
• Shut down the VMs and take a snapshot.

ArcSight Installation

ArcSight Installer and Event Broker Install


• Copy these files to /root on eb1.example.com
o ArcSight Installer 1.40.13
 arcsight-installer-1.40.13.zip
o Event Broker 2.20
 arcsight-eventbroker-2.20.33.tar
• Unzip the ArcSight Installer and extract the Event Broker offline install tar files on
eb1.example.com
o unzip ./arcsight-installer-1.40.13.zip
o tar -xvf ./arcsight-eventbroker-2.20.33.tar
• Install the Master node on eb1.example.com
o Scenario 1 & Scenario 2
 cd /root/arcsight-installer-1.40.13
• ./arcsight-installer-master.sh --NFS_SERVER=internal
o Select your IP address, this should be option 1.
o Scenario 3
 cd /root/arcsight-installer-1.40.13
• ./arcsight-installer-master.sh --MASTER_NODES="192.168.0.1 192.168.0.2 192.168.0.3" --HA_VIRTUAL_IP=192.168.0.22 --EXTERNAL_ACCESS_HOST=eb.example.com --NFS_SERVER=192.168.0.111 --NFS_FOLDER_ROOT=/opt/arcsight/nfs/volumes
• Install the additional Master and Worker node(s). You need to use the nodes' IP addresses in the
command.
o Scenario 1
 This is not needed with a single node install.
o Scenario 2
 cd /opt/arcsight/kubernetes/scripts
• ./arcsight-installer-add-node.sh 192.168.0.4
• ./arcsight-installer-add-node.sh 192.168.0.5
• ./arcsight-installer-add-node.sh 192.168.0.6
o Scenario 3
 cd /opt/arcsight/kubernetes/scripts
• ./arcsight-installer-add-node.sh 192.168.0.2
• ./arcsight-installer-add-node.sh 192.168.0.3
• ./arcsight-installer-add-node.sh 192.168.0.4
• ./arcsight-installer-add-node.sh 192.168.0.5
• ./arcsight-installer-add-node.sh 192.168.0.6
• Login to the ArcSight Installer interface
o Scenario 1 & Scenario 2
 https://eb1.example.com:5443/
o Scenario 3
 https://eb.example.com:5443/
o Username: admin
o Password: cloud
 You will be forced to change this password on first login; we will change it to
wordpass
o Click Node Management
o Every node should be Ready and have a green check mark.
• vi /opt/arcsight/installer/arcsight-installer.properties
o Scenario 1
 I have a 1 node install, so I will uncomment and change the following settings.
eb-init-topicReplicationFactor=1
eb-init-kafkaRetentionHours=72
eb-init-kafkaOffsetsTopicReplicationFactor=1
eb-kafka-count=1
eb-zookeeper-count=1

o Scenario 2 & Scenario 3


 I will only change the retention hours to 3 days.
eb-init-kafkaRetentionHours=72

• Run this script after making any changes to arcsight-installer.properties


o /opt/arcsight/installer/update-arcsight-installer-properties.sh
• Label the nodes
o Scenario 1
 The 1 node will run Kafka and ZooKeeper. You need to use the node IP address in
the command.
• kubectl label --overwrite node 192.168.0.1 zk=yes kafka=yes
o Scenario 2 & Scenario 3
 The 3 nodes will be Worker nodes and run Kafka and ZooKeeper. You need to use
the nodes' IP addresses in the command.
• kubectl label --overwrite node 192.168.0.4 zk=yes kafka=yes
• kubectl label --overwrite node 192.168.0.5 zk=yes kafka=yes
• kubectl label --overwrite node 192.168.0.6 zk=yes kafka=yes
• Verify the labels
o kubectl get nodes -L=kafka,zk
• Upload the offline images to eb1.example.com
o cd /opt/arcsight/kubernetes/scripts
 ./uploadimages.sh -s eventbroker -d /root/eventbroker
o If you specify the wrong directory for the extracted offline images, you will see
this message.

Which suite do you want to upload? (ITSMA, DCA, OpsBridge or HCM)

o If you run uploadimages.sh from the wrong directory (from the directory where you
unzipped the ArcSight Installer) you will see this message.

The suite-installer container is not running. Please make sure your suite-installer
pod status is "RUNNING"
Failed to upload the data of suite features.

o You should see the following message indicating the upload was successful (8 images for
Event Broker).

Upload completed in XXX seconds.


Uploading suite feature data ...
Upload suite feature data completed.

o Event Broker has not been deployed yet, but we can check the pod status with this
command. These are pods for the ArcSight Installer.
[root@eb1 ~]# watch -n 15 kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
core apiserver-eb.example.com 1/1 Running 1 13h
core arcsight-installer-5fc6888f8b-vksxd 2/2 Running 0 11h
core cdf-apiserver-7bc784886f-9jd7l 2/2 Running 0 11h
core controller-eb.example.com 1/1 Running 1 13h
core idm-7c9bb76c6d-q5tb8 2/2 Running 0 11h
core idm-7c9bb76c6d-q87hm 2/2 Running 0 11h
core itom-cdf-ingress-frontend-mpkj9 1/1 Running 0 46m
core itom-postgresql-default-5f5b5548bd-lr98n 2/2 Running 0 11h
core kube-dns-rmzv7 3/3 Running 0 46m
core kube-registry-pqz2z 1/1 Running 0 46m
core kube-registry-proxy-skl7f 2/2 Running 2 13h
core kubernetes-vault-xcrkc 1/1 Running 3 46m
core mng-portal-568477475f-56s89 2/2 Running 0 11h
core nginx-ingress-controller-29lq4 1/1 Running 0 46m
core scheduler-eb.example.com 1/1 Running 1 13h
core suite-db-69b8c84bb8-8bdrp 2/2 Running 0 11h
core suite-installer-frontend-7cf88c9f56-4lfnt 2/2 Running 0 11h
kube-system heapster-apiserver-88f47fcbc-hffxc 1/1 Running 0 11h

• Shut down the VMs and take a snapshot before deploying Event Broker.
o Please see the Shutting down the Event Broker Virtual Machines section for steps on
how to do this.

Event Broker Deployment


• Deploy ArcSight Event Broker in the ArcSight Installer interface
o Scenario 1 & Scenario 2
 https://eb1.example.com:5443/
o Scenario 3
 https://eb.example.com:5443/
o Click Node Management
 Every node should be Ready and have a green check mark.
o Click Deployment
 Click Deploy to the right of ArcSight Event Broker and then select 2.20.
o Verify deployment
 To verify deployment, check the ArcSight Installer interface. ArcSight Event
Broker should have a green check mark under Status.
 You can check the pod status with this command.
[root@eb1 ~]# watch -n 15 kubectl get pods -n arcsighteventbroker1
NAME READY STATUS RESTARTS AGE
eb-kafka-0 1/1 Running 0 4m
eb-kafka-1 1/1 Running 0 3m
eb-kafka-2 1/1 Running 0 3m
eb-kafka-manager-3844815475-nrp67 1/1 Running 0 4m
eb-routing-processor-0 1/1 Running 0 4m
eb-schemaregistry-3778870599-9rk4p 1/1 Running 0 4m
eb-web-service-1470603869-nmrjc 2/2 Running 0 4m
eb-zookeeper-0 1/1 Running 0 4m
eb-zookeeper-1 1/1 Running 0 4m
eb-zookeeper-2 1/1 Running 0 2m
suite-reconf-pod-eventbroker-lz85n 2/2 Running 0 4m

 To connect to the Event Broker interface, see the instructions in the next section.

Using MobaXterm to SSH tunnel to the Event Broker interface


When Event Broker is finally installed, the port for the web interface is bound to a Docker interface
that is not exposed to the network. From the console of the Event Broker node, you can connect locally
to that IP address and port if you have X Windows and a browser installed on the node. But we did a
minimal CentOS install, so the appropriate packages are not installed.
The best option is to use an SSH tunnel to tunnel the traffic through the Event Broker node to the web
interface. First, we need to find out the IP address that the Event Broker web interface is listening on.
The port is going to be 9000 and we can find the IP address by running the following command and
identifying the IP that 9000 is bound to. In this case, it is 172.30.78.65. Remember, this is not exposed
to the network. This IP address will change if Event Broker is undeployed or restarted.

[root@eb1 ~]# kubectl get service -n arcsighteventbroker1 | grep 9000


eb-kafkamgr-svc ClusterIP 172.30.78.65 <none> 9000/TCP 3m

I’m using MobaXterm and the instructions to set up SSH tunnelling are here: SSH tunnels and port
forwarding. Once I’ve set up the SSH tunnel, when I start it, I can use my local browser and connect
to http://127.0.0.1:9000/ to reach the Event Broker web interface. Two things to note: this
connection is not HTTPS and there is no authentication. We’re tunnelling the insecure traffic through an
SSH session, so that risk is partially mitigated, but there is no authentication. This is why the Event
Broker web interface is not publicly exposed. Below are screenshots of the SSH tunnel.
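
An OpenSSH equivalent of the MobaXterm tunnel, as an added example that is not part of the original guide: it reads the ClusterIP for port 9000 from the kubectl output and builds a local forward bound to 127.0.0.1 only, so the unauthenticated interface is reachable from the workstation alone. The function names and the root@eb1.example.com login are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): derive the SSH tunnel for the
# Event Broker web interface from `kubectl get service` output.

# Read `kubectl get service -n arcsighteventbroker1` output on stdin and
# print the ClusterIP of the service that exposes 9000/TCP.
# Columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
manager_ip() {
    awk '$2 == "ClusterIP" && $5 ~ /(^|,)9000\/TCP(,|$)/ { print $3; exit }'
}

# tunnel_command CLUSTER_IP SSH_HOST
# Print the ssh command for the tunnel. The listener is bound to 127.0.0.1
# explicitly so other machines on the network cannot reach the forwarded,
# unauthenticated interface through the workstation.
tunnel_command() {
    ip=$1; host=$2
    # Reject an empty result or a non-address value such as "None".
    case $ip in
        ''|*[!0-9.]*) echo "invalid ClusterIP: '$ip'" >&2; return 1 ;;
    esac
    # -N: forward only, no remote shell.
    # ExitOnForwardFailure: fail instead of silently running without the
    # forward when local port 9000 is already taken.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:9000:%s:9000 root@%s\n' \
        "$ip" "$host"
}

# Stand-alone use from the workstation:
#   sh eb-tunnel.sh eb1.example.com
# The ClusterIP changes when Event Broker is undeployed or restarted, so it
# is looked up each time rather than stored.
if [ "$#" -eq 1 ]; then
    ip=$(ssh "root@$1" kubectl get service -n arcsighteventbroker1 | manager_ip)
    tunnel_command "$ip" "$1"
fi
```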

Shutting down and starting up the Event Broker Virtual Machines
• Shutting down
o Scenario 1
 kubectl get nodes
 kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
 /opt/arcsight/kubernetes/bin/kube-stop.sh
 sync;sync
 shutdown -h now
o Scenario 2
 Run these commands in this order (Master then Workers)
• kubectl get nodes
• kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.4 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.5 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.6 --delete-local-data --ignore-daemonsets --force
 On the Worker nodes
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
 On the Master node
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
 On all nodes
• shutdown -h now
o Scenario 3
 Run these commands in this order (Masters then Workers)
• kubectl get nodes
• kubectl drain 192.168.0.3 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.2 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.4 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.5 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.6 --delete-local-data --ignore-daemonsets --force
 On the Worker nodes
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
 On the Master node
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
 On all nodes
• shutdown -h now

• Starting up
o Scenario 1
 kubectl uncordon 192.168.0.1
o Scenario 2
 kubectl uncordon 192.168.0.1
 kubectl uncordon 192.168.0.4
 kubectl uncordon 192.168.0.5
 kubectl uncordon 192.168.0.6
o Scenario 3
 kubectl uncordon 192.168.0.1
 kubectl uncordon 192.168.0.2
 kubectl uncordon 192.168.0.3
 kubectl uncordon 192.168.0.4
 kubectl uncordon 192.168.0.5
 kubectl uncordon 192.168.0.6

Configuring ArcMC to manage Event Broker


• In the ArcMC interface
o https://arcmc.example.com/
o Click Administration -> System Admin -> SSL Server Certificate -> Generate Certificate
 The Hostname in your certificate settings must match the FQDN of ArcMC.

• Click Administration -> System Admin -> SSL Server Certificate -> View Certificate
o Copy the Server Certificate, this will be pasted in the ArcSight Installer interface
• In the ArcSight Installer interface
o Scenario 1 & Scenario 2
 https://eb1.example.com:5443/
o Scenario 3
 https://eb.example.com:5443/
o Click Configuration -> ArcSight Event Broker
 ArcMC hostname
• arcmc.example.com:443
o If ArcMC was installed as a non-root user use
 arcmc.example.com:9000
 Username/Password
• Do not change these from the default of admin/atlas
o ArcMC certificates
 Paste the Server Certificate from the ArcMC interface
o Click Save
• In the ArcMC interface
o Click Node Management -> View All Nodes
 Default -> Add Host
• Hostname/IP:
o Scenario 1 & Scenario 2
 eb1.example.com
o Scenario 3
 eb.example.com
• Type: Event Broker 2.02 or later
• Port: 38080
• Cluster Port: 5443
• Cluster Username: admin
• Cluster Password: wordpass
• Cluster Certificate:
o Copy and paste the contents of this file from eb1.example.com:
 /opt/arcsight/kubernetes/ssl/ca.crt
• Click Add, Import

Configuring SmartConnectors as an Event Broker Producer


• Destination Parameters
o Initial Host:Port(s)
 192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092
o Content type (see below)
 Logger/Investigate/Hadoop/3rd parties
• eb-cef
o This is cef 0.1
o Only one topic can be set
 ESM
• eb-esm
 Logger 6.4 or higher/IPv6/investigate
• eb-other
o This is cef 1.0
o Only one topic can be set
o Acknowledgement mode
 Default is leader, other options are all and none
o Use SSL/TLS
 false
o Use SSL/TLS Authentication
 False

• SmartConnector Recommended Topics


o The SmartConnector shows the following recommended topics.

• Errors
o If the SmartConnector can’t resolve the short or full hostname of the Event Broker
node(s), you will see the following error.

[16:Unable to test connection to Kafka server: [Failed to construct kafka producer]]

o If the SmartConnector can resolve the short or full hostname of the Event Broker
node(s) but can’t communicate with them because of routing or network issues, you will
see the following error. Note the higher ms value.

[16:Unable to test connection to Kafka server: [Failed to update metadata after 30000 ms.]

o If you mistype the topic name, you will see the following error. Note the lower ms value.

[16:Unable to test connection to Kafka server: [Failed to update metadata after 40 ms.]

Configuring SmartConnectors as an Event Broker Producer using SSL/TLS


• Before you install the SmartConnector you need to have an SSL/TLS trust store file that contains
the Event Broker certificate. We will use the existing cacerts file on the SmartConnector and will
add the Event Broker certificate to it. First, download the Event Broker certificate
(/opt/arcsight/kubernetes/ssl/ca.crt) to C:\Temp. Then, during the installation of the SmartConnector, run
this command before the Add a Connector / Set Global Parameters screen and before you add
the Event Broker destination.
o cd C:\ArcSightSmartConnectors\current\bin
o arcsight agent keytool -importcert -alias eventbrokercaroot -file C:\Temp\ca.crt -keystore C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts -storepass changeit -store agentcerts
o Answer yes when asked if you want to trust the certificate.
• Destination Parameters
o Initial Host:Port(s)
 192.168.0.4:9093,192.168.0.5:9093,192.168.0.6:9093
o Content type (see below)
 Logger/Investigate/Hadoop/3rd parties
• eb-cef
o This is cef 0.1
o Only one topic can be set
 ESM
• eb-esm
 Logger 6.4 or higher/IPv6/investigate
• eb-other
o This is cef 1.0
o Only one topic can be set
o Acknowledgement mode
 Default is leader, other options are all and none
o Use SSL/TLS
 SSL/TLS Trust Store file
• C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts
 SSL/TLS Trust Store password
• changeit
o Use SSL/TLS Authentication
 SSL/TLS Trust Store file
• C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts
 SSL/TLS Trust Store password
• changeit
 SSL/TLS Key password
• Leave Blank

• If you did not configure the SSL/TLS parameters you will get the following message.

Information
Destination parameters did not pass the verification with error [; nested exception is:
java.net.SocketException: Connection reset]. Do you still want to continue?

• We can view the Event Broker certificate by running arcsight keytoolgui and opening
C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts.

Configuring Logger as an Event Broker Consumer
• In the Logger interface
o https://logger.example.com/
o Configuration -> Receivers -> Add
 Name: Event Broker Receiver
 Type: Event Broker Receiver
o Edit Receiver
 Name: Event Broker Receiver
 Event broker host(s) and port:
• 192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092
 Event Topic List: eb-cef
• If you have multiple topics, separate them with a comma
 Retrieve event from earliest offset: true
 Consumer Group (Logger Pool): Logger Pool
 Use SSL/TLS: false
 Use Client Authentication: false
 Enable: Checked

• You have to use IP addresses in the Receiver configuration. If you try to use host names, you
will get the following message.

Error:
IP Address eb1.example.com is not a valid address

• If Logger can’t communicate with Event Broker because of routing or network issues, you will
see the following error.

Error:
There was a problem contacting Event Broker: Timeout expired while fetching topic metadata, please
check the receiver configuration

• If you mistype the topic name, you will see the following error.

Error:
The specified Event Topic (eb-other123) is not valid

• You can see Logger listed as a Consumer in the Event Broker interface. You will not see this
under Consumers if you have no events from Producers in Event Broker.

Configuring Logger as an Event Broker Consumer using SSL/TLS


• In the Logger interface
o https://logger.example.com/
o Configuration -> Receivers -> Add
 Name: Event Broker Receiver
 Type: Event Broker Receiver
o Edit Receiver
 Name: Event Broker Receiver
 Event broker host(s) and port:
• 192.168.0.4:9093,192.168.0.5:9093,192.168.0.6:9093
 Event Topic List: eb-cef
• If you have multiple topics, separate them with a comma
 Retrieve event from earliest offset: true
 Consumer Group (Logger Pool): Logger Pool
 Use SSL/TLS: true
 Use Client Authentication: true
 Enable: Checked

Configuring ESM as an Event Broker Consumer
• Copy /opt/arcsight/kubernetes/ssl/ca.crt from eb1.example.com to /home/arcsight/ca.crt on
the ESM Manager.
• On the ESM Manager
o /opt/arcsight/manager/bin/arcsight managersetup
 “ESM can consume events from an Event Broker…”
• Yes
 Host:Port(s)
• 192.168.0.4:9093,192.168.0.5:9093,192.168.0.6:9093
 Topic to read from
• eb-esm
 Path to Event Broker root cert
• /home/arcsight/ca.crt
o This will put an entry in the Manager cacerts file displayed as
ebcaroot

• Restart the ESM Manager
o /etc/init.d/arcsight_services stop manager
o /etc/init.d/arcsight_services start manager

• Here is a SmartConnector that is configured as a Producer, sending events to the eb-esm Topic.

• You can see ESM listed as a Consumer in the Event Broker interface. You will not see this under
Consumers if you have no events from Producers in Event Broker.

Adding a license to Event Broker


Event Broker uses Autopass for licensing. The Autopass license is the ArcMC ADP license renamed to
LicFile.txt. When you first install Event Broker, it will have a 90-day Instant-on license. Follow this
process to install a valid license.
• Rename your ArcMC ADP license to LicFile.txt

• On each Worker node, place LicFile.txt in this directory
o /opt/arcsight/k8s-hostpath-volume/eb/autopass/userdata/autopass/data
• Delete the Kafka pods on all nodes; this will re-create the pods
o kubectl delete pod eb-kafka-0 -n arcsighteventbroker1
o kubectl delete pod eb-kafka-1 -n arcsighteventbroker1
o kubectl delete pod eb-kafka-2 -n arcsighteventbroker1
• To view your license status, run these commands
o kubectl logs eb-kafka-0 -n arcsighteventbroker1 | more
o kubectl logs eb-kafka-1 -n arcsighteventbroker1 | more
o kubectl logs eb-kafka-2 -n arcsighteventbroker1 | more
• If you have an Instant-on license, you will see this:
ArcSight Data Platform Event Broker License Check
WARN: license file not found
Jul 06, 2018 12:52:45 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Autopass license is valid
date.expiration=2018/10/04
software.model=ArcMC Software
arcmc.feature.adp.managed=false
arcmc.limit.daily.data=0GB
component.name=arcmc
license.trial=true
arcmc.enabled=true

eb.license.enabled=true

• If you have a valid license, you will see this:
ArcSight Data Platform Event Broker License Check
WARN: license file not found
Jul 06, 2018 2:34:41 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Autopass license is valid
date.expiration=2019/01/23
software.model=ArcMC Software
arcmc.feature.adp.managed=true
arcmc.limit.daily.data=0GB
component.name=arcmc
license.trial=false
arcmc.enabled=true
Autopass license is valid and for ArcMC ADP

eb.license.enabled=true
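
The license check above can be scripted so that a trial or lapsed license is caught on every Kafka pod. The following is an added example, not part of the original guide or the product; the function name eb_license_status and its state labels are assumptions, and the sample input is constructed from the key=value lines shown above.

```shell
#!/bin/sh
# Added example: classify the license-check banner a Kafka pod logs at start-up.
# Reads pod log text on stdin; $1 is today's date as YYYY/MM/DD.
# The state labels (TRIAL, LICENSED, EXPIRED, CHECK, UNKNOWN) are assumptions.
eb_license_status() {
    awk -F '=' -v today="$1" '
        { sub(/\r$/, "") }
        $1 == "date.expiration"           { expiry = $2 }
        $1 == "license.trial"             { trial  = $2 }
        $1 == "arcmc.feature.adp.managed" { adp    = $2 }
        END {
            if (expiry == "" || trial == "") { print "UNKNOWN"; exit }
            # YYYY/MM/DD sorts lexically, so a string comparison orders the dates.
            if ((expiry "") < (today ""))               state = "EXPIRED"
            else if (trial == "true")                   state = "TRIAL"
            else if (trial == "false" && adp == "true") state = "LICENSED"
            else                                        state = "CHECK"
            print state, "expires=" expiry
        }'
}

# Constructed sample: key=value lines taken from the Instant-on banner above.
sample_instant_on() {
    cat <<'EOF'
Autopass license is valid
date.expiration=2018/10/04
arcmc.feature.adp.managed=false
license.trial=true
eb.license.enabled=true
EOF
}

sample_instant_on | eb_license_status 2018/07/06   # TRIAL expires=2018/10/04

# On a live cluster (pod and namespace names as used in this guide):
#   for i in 0 1 2; do
#     kubectl logs "eb-kafka-$i" -n arcsighteventbroker1 |
#       eb_license_status "$(date +%Y/%m/%d)"
#   done
```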

BIND Files

named.conf
options {
    listen-on port 53 { any; };
#   listen-on-v6 port 53 { any; };
    forwarders { 192.168.0.254; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    # allow-query any with recursion yes: every client that can reach
    # port 53 gets recursive service from this server
    allow-query { any; };
    allow-transfer { none; };
    recursion yes;

    # DNSSEC validation is disabled in this build
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";

named.conf.local
zone "example.com" IN {
    type master;
    file "/etc/named/zones/example.com";
    allow-transfer { 192.168.0.254; };
};

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/named/zones/0.168.192.in-addr.arpa";
    allow-transfer { 192.168.0.254; };
};

example.com
$TTL 3H
@ IN SOA @ hostmaster.example.com. (
0 ; serial
3H ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.example.com.
@ IN A 192.168.0.53
dns IN A 192.168.0.53
eb1 IN A 192.168.0.1
eb2 IN A 192.168.0.2
eb3 IN A 192.168.0.3
eb4 IN A 192.168.0.4
eb5 IN A 192.168.0.5
eb6 IN A 192.168.0.6
eb IN A 192.168.0.22
vertica1 IN A 192.168.0.11
vertica2 IN A 192.168.0.12
vertica3 IN A 192.168.0.13
arcmc IN A 192.168.0.26
esm IN A 192.168.0.61
logger IN A 192.168.0.65
nfs IN A 192.168.0.111

0.168.192.in-addr.arpa
$TTL 3H
@ IN SOA @ hostmaster.example.com. (
0 ; serial
3H ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.example.com.
53 IN PTR dns.example.com.
1 IN PTR eb1.example.com.
2 IN PTR eb2.example.com.
3 IN PTR eb3.example.com.
4 IN PTR eb4.example.com.
5 IN PTR eb5.example.com.
6 IN PTR eb6.example.com.
22 IN PTR eb.example.com.
11 IN PTR vertica1.example.com.
12 IN PTR vertica2.example.com.
13 IN PTR vertica3.example.com.
26 IN PTR arcmc.example.com.
61 IN PTR esm.example.com.
65 IN PTR logger.example.com.
111 IN PTR nfs.example.com.
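
The SmartConnector connection test earlier in this guide fails when Event Broker host names do not resolve, so it is worth confirming that every A record has a matching PTR before loading the two zones. The following is an added example, not part of the original guide; the function name zone_mismatches, its arguments and the sample records with their two deliberate defects are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check A records against PTR records.
# Assumption: records use the "name IN A ip" / "octet IN PTR fqdn." layout of
# the zone files above; origin and network prefix are passed as arguments.

# zone_mismatches FORWARD_FILE REVERSE_FILE ORIGIN NET_PREFIX
zone_mismatches() {
    awk -v origin="$3" -v net="$4" '
        $2 == "IN" && $3 == "A" && $1 != "@" { fwd[$1 "." origin "."] = $4 }
        $2 == "IN" && $3 == "PTR"            { rev[net "." $1] = $4 }
        END {
            for (name in fwd) {
                ip = fwd[name]; seen[ip] = 1
                if (!(ip in rev))         print "NO-PTR", name, ip
                else if (rev[ip] != name) print "PTR-MISMATCH", name, ip, rev[ip]
            }
            # PTR records whose address has no A record in the forward zone
            for (ip in rev) if (!(ip in seen)) print "NO-A", rev[ip], ip
        }' "$1" "$2" | sort
}

# Constructed sample: a subset of the zones above with two deliberate defects
# (the PTR for .6 names the wrong host, and logger has no PTR).
demo_zone_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fwd" <<'EOF'
eb4 IN A 192.168.0.4
eb5 IN A 192.168.0.5
eb6 IN A 192.168.0.6
logger IN A 192.168.0.65
EOF
    cat > "$dir/rev" <<'EOF'
4 IN PTR eb4.example.com.
5 IN PTR eb5.example.com.
6 IN PTR eb5.example.com.
EOF
    zone_mismatches "$dir/fwd" "$dir/rev" example.com 192.168.0
    rm -rf "$dir"
}

demo_zone_check
```

Run against the real files as `zone_mismatches /etc/named/zones/example.com /etc/named/zones/0.168.192.in-addr.arpa example.com 192.168.0`; no output means the forward and reverse zones agree.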

Micro Focus Trademark Information
MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus
(IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the
property of their respective owners.

Company Details
Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q
