Build Guide
v3a – 07/12/2018
Contents
Description
Versions
Scenario 1
Scenario 2
Scenario 3
Physical Network
DNS Configuration
Host Configuration
BIND Configuration
NFS Configuration
CentOS Configuration
ArcSight Installation
ArcSight Installer and Event Broker Install
Event Broker Deployment
Using MobaXterm to SSH tunnel to the Event Broker interface
Shutting down and starting up the Event Broker Virtual Machines
Configuring ArcMC to manage Event Broker
Configuring SmartConnectors as an Event Broker Producer
Configuring SmartConnectors as an Event Broker Producer using SSL/TLS
Configuring Logger as an Event Broker Consumer
Configuring Logger as an Event Broker Consumer using SSL/TLS
Configuring ESM as an Event Broker Consumer
Adding a license to Event Broker
BIND Files
named.conf
named.conf.local
example.com
0.168.192.in-addr.arpa
Micro Focus Trademark Information
Company Details
Description
This guide shows how to install Event Broker in a lab environment. There are three deployment
scenarios, all of which use common steps. Scenario 1 uses 1 node (1 x Master/Worker node). Scenario
2 uses 4 nodes (1 x Master node; 3 x Worker nodes). Scenario 3 uses 6 nodes (3 x Master nodes; 3 x
Worker nodes). Where there are differences with the configuration, I have noted this. The guide
covers: setting up SmartConnectors as Producers; setting up Logger and ESM as Consumers; setting up
ArcMC for Event Broker management.
1. Scenario 1 (1 Node)
a. Master/Worker on 1 node
i. This scenario uses the internal NFS server. Use of the default internal NFS server
is only recommended for single-node and nonproduction deployment
environments.
2. Scenario 2 (4 Nodes)
a. Master on 1 node; Workers on 3 nodes
i. This scenario uses the internal NFS server. Use of the default internal NFS server
is only recommended for single-node and nonproduction deployment
environments.
3. Scenario 3 (6 Nodes)
a. Masters on 3 nodes; Workers on 3 nodes
i. This scenario uses an external NFS server.
This is an offline installation of Event Broker. The CentOS install is a minimal install, adding only the
packages required for Event Broker. The Event Broker nodes are running
CentOS 7.4.1708.
Versions
• ArcSight Installer 1.40.13
o arcsight-installer-1.40.13.zip
• Event Broker 2.20
o arcsight-eventbroker-2.20.33.tar
• ArcMC 2.8
o ArcSight-ArcMC-2.8.0.2110.0.bin
• Logger 6.6
o ArcSight-logger-6.6.0.8204.0.bin
• ESM 7.0
o ArcSightESMSuite-7.0.0.2208.0.tar
• SmartConnector 7.8.0.8070
o ArcSight-7.8.0.8070.0-Connector-Win64.exe
Scenario 1
Scenario 2
Scenario 3
Physical Network
All nodes are on the same 1 GigE network segment. There are no firewalls between nodes and no
Internet proxy.
DNS Configuration
DNS is required with Event Broker and ArcMC. I am running BIND on CentOS. BIND is easy to install and
configure and I’ve put instructions on doing this below. All nodes must be able to forward and reverse
lookup by short names, full names, and IP addresses. See the mandatory steps below to verify proper
configuration.
Host Configuration
• /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.1 eb1.example.com eb1
• /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.168.0.53
• /etc/nsswitch.conf
hosts: files dns myhostname
• /etc/sysconfig/network
# Created by anaconda
HOSTNAME=eb1.example.com
• /etc/hostname
eb1
• nmtui
• Reboot and check that the host and network configuration was set up properly. You must run
these commands on every node in the cluster and on every Producer and Consumer. For
Scenario 1, you must run these commands on eb1.example.com, arcmc.example.com,
logger.example.com, and esm.example.com. For Scenario 2, you must run these commands on
eb1.example.com, eb2.example.com, eb3.example.com, arcmc.example.com,
logger.example.com, and esm.example.com. For Scenario 3, you must run these commands on
eb1.example.com, eb2.example.com, eb3.example.com, eb4.example.com, eb5.example.com,
eb6.example.com, nfs.example.com, arcmc.example.com, logger.example.com, and
esm.example.com. Do not use the ping command to verify your DNS configuration; use the nslookup
or host commands. You must run the nslookup commands against every server specified in your
/etc/resolv.conf file, and every server must be able to forward and reverse lookup properly and return
the exact same results. If you have a public DNS server specified in your /etc/resolv.conf file (such as the
Google public DNS servers 8.8.8.8 or 8.8.4.4), you must remove this from the host configuration of all of
your nodes.
o hostname
eb1
o hostname -s
eb1
o hostname -f
eb1.example.com
o hostname -d
example.com
Name: eb1.example.com
Address: 192.168.0.1
Name: eb1.example.com
Address: 192.168.0.1
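The forward and reverse checks described above can be scripted so that each node is tested by short name, full name and IP address against every nameserver in /etc/resolv.conf. This is an added example, not part of the original guide; the function names and the file name dnscheck.sh are illustrative, and it assumes the host command from bind-utils is installed.

```shell
#!/bin/sh
# Added example (not from the original guide): forward/reverse DNS check of
# lab nodes against every nameserver in resolv.conf. Assumes `host` from
# bind-utils. Usage: sh dnscheck.sh eb1.example.com logger.example.com ...

# Print the nameserver addresses from a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Public resolvers the guide says must be removed from the host configuration.
is_public_resolver() {
    case "$1" in
        8.8.8.8|8.8.4.4) return 0 ;;
        *) return 1 ;;
    esac
}

# fwd_lookup SERVER NAME: sorted A records on one line (empty if none).
fwd_lookup() {
    host -W 2 -t A "$2" "$1" 2>/dev/null |
        awk '/ has address / { print $NF }' | sort | paste -sd' ' -
}

# rev_lookup SERVER IP: PTR names on one line, trailing dot removed.
rev_lookup() {
    host -W 2 "$2" "$1" 2>/dev/null |
        awk '/ domain name pointer / { sub(/\.$/, "", $NF); print $NF }' |
        sort | paste -sd' ' -
}

# check_node SERVER FQDN: the short and full names must give the same A
# record(s), and each address must reverse-resolve to the full name.
check_node() {
    cn_short=${2%%.*}
    cn_full=$(fwd_lookup "$1" "$2")
    if [ -z "$cn_full" ]; then
        echo "FAIL $1: no A record for $2"
        return 1
    fi
    cn_rc=0
    cn_by_short=$(fwd_lookup "$1" "$cn_short")
    if [ "$cn_by_short" != "$cn_full" ]; then
        echo "FAIL $1: $cn_short -> '$cn_by_short', but $2 -> '$cn_full'"
        cn_rc=1
    fi
    for cn_ip in $cn_full; do
        cn_ptr=$(rev_lookup "$1" "$cn_ip")
        if [ "$cn_ptr" != "$2" ]; then
            echo "FAIL $1: $cn_ip -> '$cn_ptr', expected $2"
            cn_rc=1
        fi
    done
    [ "$cn_rc" -ne 0 ] || echo "OK   $1: $2 <-> $cn_full"
    return "$cn_rc"
}

# check_all RESOLV_FILE FQDN...: run check_node against every nameserver and
# require that all nameservers return the exact same forward answer.
check_all() {
    ca_resolv=$1; shift
    ca_fail=0
    ca_servers=""
    for ca_ns in $(nameservers "$ca_resolv"); do
        if is_public_resolver "$ca_ns"; then
            echo "FAIL $ca_resolv lists public resolver $ca_ns"
            ca_fail=1
        else
            ca_servers="$ca_servers $ca_ns"
        fi
    done
    for ca_node in "$@"; do
        ca_first=""
        for ca_ns in $ca_servers; do
            check_node "$ca_ns" "$ca_node" || ca_fail=1
            ca_ans=$(fwd_lookup "$ca_ns" "$ca_node")
            if [ -z "$ca_first" ]; then
                ca_first=$ca_ans
            elif [ "$ca_ans" != "$ca_first" ]; then
                echo "FAIL $ca_node: $ca_ns says '$ca_ans', earlier server said '$ca_first'"
                ca_fail=1
            fi
        done
    done
    return "$ca_fail"
}

# Run only when node names are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    check_all /etc/resolv.conf "$@"
fi
```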
BIND Configuration
• Install
o yum -y install bind bind-utils
• Create four files with the names shown below using Notepad++. At the end of this guide, I have
the contents you can copy and paste into each of these files (the font size is smaller to make it
easier to copy and paste). Make sure you save the files as Unix (LF). example.com and
0.168.192.in-addr.arpa need to have a blank line at the end of the file. Back up the existing
/etc/named.conf file and create /etc/named/zones. Copy these files to the following
directories.
o named.conf
/etc/named.conf
o named.conf.local
/etc/named/named.conf.local
o example.com
/etc/named/zones/example.com
o 0.168.192.in-addr.arpa
/etc/named/zones/0.168.192.in-addr.arpa
If there are no errors then there should be no output from this command.
o systemctl enable named
o systemctl start named
• If you need to add/change/remove hosts from the forward and reverse lookup zones, use this
command to do this without having to stop and start the named service. You should increment
the serial number in the example.com and 0.168.192.in-addr.arpa zone files before you run
this.
o rndc reload example.com
o rndc reload 0.168.192.in-addr.arpa
NFS Configuration
With a multi-master deployment with 3 Master nodes, NFS needs to run on an external server. Our NFS
server IP address is 192.168.0.111 and its FQDN is nfs.example.com. The directory for the NFS shares
will be /opt/arcsight/nfs/volumes. The /etc/exports file below has three lines, each line starts with
/opt/arcsight/nfs/volumes.
• Install
o yum install -y rpcbind nfs-utils
o systemctl enable rpcbind
o systemctl start rpcbind
o systemctl enable nfs-server
o systemctl start nfs-server
o systemctl disable firewalld
o systemctl mask firewalld
o systemctl stop firewalld
• Configure
o mkdir -p /opt/arcsight/nfs/volumes/itom/core
o mkdir -p /opt/arcsight/nfs/volumes/eventbroker
o mkdir -p /opt/arcsight/nfs/volumes/investigate
o groupadd -g 1999 eventbroker
o useradd -g 1999 -u 1999 eventbroker
o chown -R 1999:1999 /opt/arcsight
o vi /etc/exports
/opt/arcsight/nfs/volumes/itom/core 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
/opt/arcsight/nfs/volumes/eventbroker 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
/opt/arcsight/nfs/volumes/investigate 192.168.0.1(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.2(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.3(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.4(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.5(rw,sync,anonuid=1999,anongid=1999,all_squash) 192.168.0.6(rw,sync,anonuid=1999,anongid=1999,all_squash) 172.16.0.0/16(rw,sync,anonuid=1999,anongid=1999,all_squash)
o exportfs -ra
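A check of /etc/exports against the options used above (sync, all_squash, and anonuid/anongid 1999, which map every client user, root included, to the eventbroker account), added here as an example and not part of the original guide. The function names and the file name exports_audit.sh are illustrative, and it assumes one export per line as in the file above.

```shell
#!/bin/sh
# Added example (not from the original guide): audit /etc/exports against the
# options this guide uses. Assumes one export per line (no "\" continuation).
# Usage: sh exports_audit.sh /etc/exports 1999

# Print "path client options" for each client entry of each export line.
export_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")
                if (p == 0) { print $1, $i, "-"; continue }  # no option list
                client = substr($i, 1, p - 1)
                if (client == "") client = "*"   # "(opts)" alone means any host
                opts = substr($i, p + 1, length($i) - p - 1)
                if (opts == "") opts = "-"
                print $1, client, opts
            }
        }' "$1"
}

# clients_for FILE PATH: sorted clients allowed to mount PATH, on one line,
# for comparison with the list of cluster node addresses.
clients_for() {
    export_entries "$1" | awk -v p="$2" '$1 == p { print $2 }' |
        sort | paste -sd' ' -
}

# audit_exports FILE ID: fail when any client entry lacks sync or all_squash,
# maps anonymous users to an ID other than ID, or is open to any host.
audit_exports() {
    export_entries "$1" | awk -v id="$2" '
        {
            # Wrap in commas so "all_squash" cannot match inside another option.
            opts = "," $3 ","
            bad = ""
            if (!index(opts, ",all_squash,"))      bad = bad " missing-all_squash"
            if (!index(opts, ",anonuid=" id ","))  bad = bad " anonuid-not-" id
            if (!index(opts, ",anongid=" id ","))  bad = bad " anongid-not-" id
            if (!index(opts, ",sync,"))            bad = bad " missing-sync"
            if ($2 == "*")                         bad = bad " any-host"
            if (bad != "") { print "FAIL", $1, $2 ":" bad; fails++ }
        }
        END {
            if (!fails) print "OK: every entry uses sync, all_squash and ID " id
            exit (fails > 0)
        }'
}

# Run only when a file is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    audit_exports "$1" "${2:-1999}"
fi
```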
CentOS Configuration
• VMware
o Memory
eb1.example.com, eb2.example.com, eb3.example.com
• Master nodes – 8 GB
eb4.example.com, eb5.example.com, eb6.example.com
• Worker nodes – 8 GB
o Processors
8 (4 processors x 2 cores)
o Hard Disk
100 GB
o Network Adapter
Bridged (only a single Network Adapter is setup in the VM)
o Remove the following Devices
USB Controller
Sound Card
Printer
• Install CentOS
o Version
CentOS 7.4
• CentOS-7-x86_64-Minimal-1708.iso
• CentOS Linux release 7.4.1708 (Core)
All nodes are a Minimal Install.
This guide assumes you have access to yum repositories.
o Network Adapter
IPv4 manual
IPv6 ignore
o Disk partitions
Event Broker disk partitions need to be Standard Partition/ext4/ext.
o Shut down the VM and take a snapshot
• Once the OS is installed
o yum
yum install -y bind-utils unzip nfs-utils libseccomp libtool-ltdl chrony java-1.8.0-openjdk-headless lsof net-tools
• java-1.8.0-openjdk-headless is required on the Master nodes but is not
required on the Worker nodes
o chrony
systemctl start chronyd
systemctl enable chronyd
chronyc tracking
o vi /etc/sysconfig/selinux
SELINUX=disabled
o vi /etc/security/limits.d/20-nproc.conf
You will need to comment out the default soft nproc entry and add these entries
* soft nproc 10240
* hard nproc 10240
* soft nofile 65536
* hard nofile 65536
* soft core unlimited
* hard core unlimited
o Reboot
o Check that SELinux is disabled
sestatus
SELinux status: disabled
If I am following Scenario 3, I will copy the VM to 5 different directories, so I have 6 in total.
When I open the additional VMs in VMware Workstation, I get the prompt: “This virtual
machine might have been moved or copied.” I select “I Copied It” so VMware creates a new
MAC address for each VM. I then change the hostnames using nmtui and by modifying the
/etc/hosts and /etc/sysconfig/network files. Below are the DNS names and IP addresses I will be
using in the VMs. eb1.example.com, eb2.example.com, and eb3.example.com will be used as
Master nodes for all scenarios. eb4.example.com, eb5.example.com, and eb6.example.com will
be used as Worker nodes for all scenarios. For Scenario 3, we will use eb.example.com and
192.168.0.22 for the HA Virtual IP (VIP) address.
o eb1.example.com 192.168.0.1
o eb2.example.com 192.168.0.2
o eb3.example.com 192.168.0.3
o eb4.example.com 192.168.0.4
o eb5.example.com 192.168.0.5
o eb6.example.com 192.168.0.6
o eb.example.com 192.168.0.22
o dns.example.com 192.168.0.53
o nfs.example.com 192.168.0.111
• ssh
o For Scenario 2 and Scenario 3, we need to generate an ssh key on the Master node we
are running the install from (eb1.example.com). Select the default file and no
passphrase.
ssh-keygen -q -t rsa
o For Scenario 2 and Scenario 3, once the ssh key is generated, we need to copy it from
the Master node we are running the install from to the other Master and Worker nodes.
For Scenario 2, this needs to be copied from eb1.example.com to eb4.example.com,
eb5.example.com, and eb6.example.com. For Scenario 3, this needs to be copied from
eb1.example.com to eb2.example.com, eb3.example.com, eb4.example.com,
eb5.example.com, and eb6.example.com. If we don’t do this, we’ll get login prompts for
every step through the install. SSH access only needs to be enabled for installation (or
upgrade). If required by your security policy, you can disable SSH access after
installation or upgrade operations are complete. Below are the commands to run on
eb1.example.com.
eb1.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb2.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb3.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb4.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb5.example.com
• ssh-copy-id -i ~/.ssh/id_rsa.pub root@eb6.example.com
o To verify this was set up properly, use the following commands on eb1.example.com.
You should be able to log in with no password prompt.
eb1.example.com
• ssh root@eb2.example.com
• ssh root@eb3.example.com
• ssh root@eb4.example.com
• ssh root@eb5.example.com
• ssh root@eb6.example.com
• At this point the VMs are ready for the Event Broker install.
• Shut down the VMs and take a snapshot.
ArcSight Installation
cd /opt/arcsight/kubernetes/scripts
• ./arcsight-installer-add-node.sh 192.168.0.4
• ./arcsight-installer-add-node.sh 192.168.0.5
• ./arcsight-installer-add-node.sh 192.168.0.6
o Scenario 3
cd /opt/arcsight/kubernetes/scripts
• ./arcsight-installer-add-node.sh 192.168.0.2
• ./arcsight-installer-add-node.sh 192.168.0.3
• ./arcsight-installer-add-node.sh 192.168.0.4
• ./arcsight-installer-add-node.sh 192.168.0.5
• ./arcsight-installer-add-node.sh 192.168.0.6
• Login to the ArcSight Installer interface
o Scenario 1 & Scenario 2
https://eb1.example.com:5443/
o Scenario 3
https://eb.example.com:5443/
o Username: admin
o Password: cloud
You will be forced to change this password on first login; we will change it to
wordpass
o Click Node Management
o Every node should be Ready and have a green check mark.
• vi /opt/arcsight/installer/arcsight-installer.properties
o Scenario 1
I have a 1 node install, so I will uncomment and change the following settings.
eb-init-topicReplicationFactor=1
eb-init-kafkaRetentionHours=72
eb-init-kafkaOffsetsTopicReplicationFactor=1
eb-kafka-count=1
eb-zookeeper-count=1
The 1 node will run Kafka and ZooKeeper. You need to use the node IP address in
the command.
• kubectl label --overwrite node 192.168.0.1 zk=yes kafka=yes
o Scenario 2 & Scenario 3
The 3 nodes will be Worker nodes and run Kafka and ZooKeeper. You need to use
the nodes' IP addresses in the command.
• kubectl label --overwrite node 192.168.0.4 zk=yes kafka=yes
• kubectl label --overwrite node 192.168.0.5 zk=yes kafka=yes
• kubectl label --overwrite node 192.168.0.6 zk=yes kafka=yes
• Verify the labels
o kubectl get nodes -L=kafka,zk
• Upload the offline images to eb1.example.com
o cd /opt/arcsight/kubernetes/scripts
./uploadimages.sh -s eventbroker -d /root/eventbroker
o If you specify the wrong directory for where the offline images have been extracted to
you will see this message.
o If you run uploadimages.sh from the wrong directory (from the directory where you
unzipped the ArcSight Installer) you will see this message.
The suite-installer container is not running. Please make sure your suite-installer
pod status is "RUNNING"
Failed to upload the data of suite features.
o You should see the following message indicating the upload was successful (8 images for
Event Broker).
o Event Broker has not been deployed yet, but we can check the pod status with this
command. These are pods for the ArcSight Installer.
[root@eb1 ~]# watch -n 15 kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
core apiserver-eb.example.com 1/1 Running 1 13h
core arcsight-installer-5fc6888f8b-vksxd 2/2 Running 0 11h
core cdf-apiserver-7bc784886f-9jd7l 2/2 Running 0 11h
core controller-eb.example.com 1/1 Running 1 13h
core idm-7c9bb76c6d-q5tb8 2/2 Running 0 11h
core idm-7c9bb76c6d-q87hm 2/2 Running 0 11h
core itom-cdf-ingress-frontend-mpkj9 1/1 Running 0 46m
core itom-postgresql-default-5f5b5548bd-lr98n 2/2 Running 0 11h
core kube-dns-rmzv7 3/3 Running 0 46m
core kube-registry-pqz2z 1/1 Running 0 46m
core kube-registry-proxy-skl7f 2/2 Running 2 13h
core kubernetes-vault-xcrkc 1/1 Running 3 46m
core mng-portal-568477475f-56s89 2/2 Running 0 11h
core nginx-ingress-controller-29lq4 1/1 Running 0 46m
core scheduler-eb.example.com 1/1 Running 1 13h
core suite-db-69b8c84bb8-8bdrp 2/2 Running 0 11h
core suite-installer-frontend-7cf88c9f56-4lfnt 2/2 Running 0 11h
kube-system heapster-apiserver-88f47fcbc-hffxc 1/1 Running 0 11h
• Shut down the VMs and take a snapshot before deploying Event Broker.
o Please see the Shutting down the Event Broker Virtual Machines section for steps on
how to do this.
eb-zookeeper-2 1/1 Running 0 2m
suite-reconf-pod-eventbroker-lz85n 2/2 Running 0 4m
To connect to the Event Broker interface, see the instructions in the next section.
I’m using MobaXterm and the instructions to set up SSH tunnelling are here: SSH tunnels and port
forwarding. Once I’ve set up the SSH tunnel and started it, I can use my local browser to connect
to http://127.0.0.1:9000/ and reach the Event Broker web interface. Two things to note: this
connection is not https and there is no authentication. We’re tunnelling the insecure traffic through an
SSH session, so that risk is partially mitigated, but there is no authentication. This is why the Event
Broker web interface is not publicly exposed. Below are screenshots of the SSH tunnel.
Shutting down and starting up the Event Broker Virtual Machines
• Shutting down
o Scenario 1
kubectl get nodes
kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
/opt/arcsight/kubernetes/bin/kube-stop.sh
sync;sync
shutdown -h now
o Scenario 2
Run these commands in this order (Master then Workers)
• kubectl get nodes
• kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.4 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.5 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.6 --delete-local-data --ignore-daemonsets --force
On the Worker nodes
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
On the Master node
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
On all nodes
• shutdown -h now
o Scenario 3
Run these commands in this order (Masters then Workers)
• kubectl get nodes
• kubectl drain 192.168.0.3 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.2 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.1 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.4 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.5 --delete-local-data --ignore-daemonsets --force
• kubectl drain 192.168.0.6 --delete-local-data --ignore-daemonsets --force
On the Worker nodes
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
On the Master node
• /opt/arcsight/kubernetes/bin/kube-stop.sh
• sync;sync
On all nodes
• shutdown -h now
• Starting up
o Scenario 1
kubectl uncordon 192.168.0.1
o Scenario 2
kubectl uncordon 192.168.0.1
kubectl uncordon 192.168.0.4
kubectl uncordon 192.168.0.5
kubectl uncordon 192.168.0.6
o Scenario 3
kubectl uncordon 192.168.0.1
kubectl uncordon 192.168.0.2
kubectl uncordon 192.168.0.3
kubectl uncordon 192.168.0.4
kubectl uncordon 192.168.0.5
kubectl uncordon 192.168.0.6
• Click Administration -> System Admin -> SSL Server Certificate -> View Certificate
o Copy the Server Certificate, this will be pasted in the ArcSight Installer interface
• In the ArcSight Installer interface
o Scenario 1 & Scenario 2
https://eb1.example.com:5443/
o Scenario 3
https://eb.example.com:5443/
o Click Configuration -> ArcSight Event Broker
ArcMC hostname
• arcmc.example.com:443
o If ArcMC was installed as a non-root user use
arcmc.example.com:9000
Username/Password
• Do not change these from the default of admin/atlas
o ArcMC certificates
Paste the Server Certificate from the ArcMC interface
o Click Save
• In the ArcMC interface
o Click Node Management -> View All Nodes
Default -> Add Host
• Hostname/IP:
o Scenario 1 & Scenario 2
eb1.example.com
o Scenario 3
eb.example.com
• Type: Event Broker 2.02 or later
• Port: 38080
• Cluster Port: 5443
• Cluster Username: admin
• Cluster Password: wordpass
• Cluster Certificate:
o Copy and paste the contents of this file from eb1.example.com:
/opt/arcsight/kubernetes/ssl/ca.crt
• Click Add, Import
o Acknowledgement mode
Default is leader, other options are all and none
o Use SSL/TLS
false
o Use SSL/TLS Authentication
False
• Errors
o If the SmartConnector can’t resolve the short or full hostname of the Event Broker
node(s), you will see the following error.
o If the SmartConnector can resolve the short or full hostname of the Event Broker
node(s) but can’t communicate with them because of routing or network issues, you will
see the following error. Note the higher ms value.
[16:Unable to test connection to Kafka server: [Failed to update metadata after 30000 ms.]
o If you mistype the topic name, you will see the following error. Note the lower ms value.
[16:Unable to test connection to Kafka server: [Failed to update metadata after 40 ms.]
Logger 6.4 or higher/IPv6/investigate
• eb-other
o This is cef 1.0
o Only one topic can be set
o Acknowledgement mode
Default is leader, other options are all and none
o Use SSL/TLS
SSL/TLS Trust Store file
• C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts
SSL/TLS Trust Store password
• changeit
o Use SSL/TLS Authentication
SSL/TLS Trust Store file
• C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts
SSL/TLS Trust Store password
• changeit
SSL/TLS Key password
• Leave Blank
• If you did not configure the SSL/TLS parameters you will get the following message.
Information
Destination parameters did not pass the verification with error [; nested exception is:
java.net.SocketException: Connection reset]. Do you still want to continue?
• We can view the Event Broker certificate by running arcsight keytoolgui and opening
C:\ArcSightSmartConnectors\current\jre\lib\security\cacerts.
Configuring Logger as an Event Broker Consumer
• In the Logger interface
o https://logger.example.com/
o Configuration -> Receivers -> Add
Name: Event Broker Receiver
Type: Event Broker Receiver
o Edit Receiver
Name: Event Broker Receiver
Event broker host(s) and port:
• 192.168.0.4:9092,192.168.0.5:9092,192.168.0.6:9092
Event Topic List: eb-cef
• If you have multiple topics, separate them with a comma
Retrieve event from earliest offset: true
Consumer Group (Logger Pool): Logger Pool
Use SSL/TLS: false
Use Client Authentication: false
Enable: Checked
• You have to use IP addresses in the Receiver configuration. If you try to use host names, you
will get the following message.
Error:
IP Address eb1.example.com is not a valid address
• If Logger can’t communicate with Event Broker because of routing or network issues, you will
see the following error.
Error:
There was a problem contacting Event Broker: Timeout expired while fetching topic metadata, please
check the receiver configuration
• If you mistype the topic name, you will see the following error.
Error:
The specified Event Topic (eb-other123) is not valid
• You can see Logger listed as a Consumer in the Event Broker interface. You will not see this
under Consumers if you have no events from Producers in Event Broker.
Configuring ESM as an Event Broker Consumer
• Copy /opt/arcsight/kubernetes/ssl/ca.crt from eb1.example.com to /home/arcsight/ca.crt on
the ESM Manager.
• On the ESM Manager
o /opt/arcsight/manager/bin/arcsight managersetup
“ESM can consume events from an Event Broker…”
• Yes
Host:Port(s)
• 192.168.0.4:9093,192.168.0.5:9093,192.168.0.6:9093
Topic to read from
• eb-esm
Path to Event Broker root cert
• /home/arcsight/ca.crt
o This will put an entry in the Manager cacerts file displayed as
ebcaroot
• Restart the ESM Manager
o /etc/init.d/arcsight_services stop manager
o /etc/init.d/arcsight_services start manager
• Here is a SmartConnector that is configured as a Producer, sending events to the eb-esm Topic.
• You can see ESM listed as a Consumer in the Event Broker interface. You will not see this under
Consumers if you have no events from Producers in Event Broker.
• On each Worker node, place LicFile.txt in this directory
o /opt/arcsight/k8s-hostpath-volume/eb/autopass/userdata/autopass/data
• Delete the Kafka pods on all nodes; this will re-create the pods
o kubectl delete pod eb-kafka-0 -n arcsighteventbroker1
o kubectl delete pod eb-kafka-1 -n arcsighteventbroker1
o kubectl delete pod eb-kafka-2 -n arcsighteventbroker1
• To view your license status, run these commands
o kubectl logs eb-kafka-0 -n arcsighteventbroker1 | more
o kubectl logs eb-kafka-1 -n arcsighteventbroker1 | more
o kubectl logs eb-kafka-2 -n arcsighteventbroker1 | more
• If you have an Instant-on license, you will see this:
ArcSight Data Platform Event Broker License Check
WARN: license file not found
Jul 06, 2018 12:52:45 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Autopass license is valid
date.expiration=2018/10/04
software.model=ArcMC Software
arcmc.feature.adp.managed=false
arcmc.limit.daily.data=0GB
component.name=arcmc
license.trial=true
arcmc.enabled=true
eb.license.enabled=true
eb.license.enabled=true
BIND Files
named.conf
options {
    listen-on port 53 { any; };
    # listen-on-v6 port 53 { any; };
    forwarders { 192.168.0.254; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-transfer { none; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
named.conf.local
zone "example.com" IN {
    type master;
    file "/etc/named/zones/example.com";
    allow-transfer { 192.168.0.254; };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/named/zones/0.168.192.in-addr.arpa";
    allow-transfer { 192.168.0.254; };
};
example.com
$TTL 3H
@ IN SOA @ hostmaster.example.com. (
0 ; serial
3H ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.example.com.
@ IN A 192.168.0.53
dns IN A 192.168.0.53
eb1 IN A 192.168.0.1
eb2 IN A 192.168.0.2
eb3 IN A 192.168.0.3
eb4 IN A 192.168.0.4
eb5 IN A 192.168.0.5
eb6 IN A 192.168.0.6
eb IN A 192.168.0.22
vertica1 IN A 192.168.0.11
vertica2 IN A 192.168.0.12
vertica3 IN A 192.168.0.13
arcmc IN A 192.168.0.26
esm IN A 192.168.0.61
logger IN A 192.168.0.65
nfs IN A 192.168.0.111
0.168.192.in-addr.arpa
$TTL 3H
@ IN SOA @ hostmaster.example.com. (
0 ; serial
3H ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.example.com.
53 IN PTR dns.example.com.
1 IN PTR eb1.example.com.
2 IN PTR eb2.example.com.
3 IN PTR eb3.example.com.
4 IN PTR eb4.example.com.
5 IN PTR eb5.example.com.
6 IN PTR eb6.example.com.
22 IN PTR eb.example.com.
11 IN PTR vertica1.example.com.
12 IN PTR vertica2.example.com.
13 IN PTR vertica3.example.com.
26 IN PTR arcmc.example.com.
61 IN PTR esm.example.com.
65 IN PTR logger.example.com.
111 IN PTR nfs.example.com.
Micro Focus Trademark Information
MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus
(IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the
property of their respective owners.
Company Details
Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q