© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Main Objectives
Upon successful completion of this lab, you will be able to:
• Explain what HP ArcSight Logger is
• Describe the Logger architecture
• Understand the main features and functions of Logger:
  Graphical User Interface
  Storage Groups
  Searches and Parameters
HP ArcSight Logger
(Universal Log Management)
ArcSight Logger is a "borderless" Universal Log Management solution that can Collect
Everything, Analyze Anything and be Used Anywhere.
It unifies searching, reporting, alerting and analysis across any type of enterprise log
data.
• Logger 2.x
• Reports are added
• No indexing yet, so reports are slow.
• Logger 3.x
• Field-based Indexing is added
• Reports and Field-based Searches are fast now!
• Logger 4.x
• Full-text Indexing is added
• Logger 5.x
• Reporting on unstructured (unparsed/non-normalized) data added through pipeline searches, charts, and dashboards.
• Bloom filters and SuperIndexes
• Logger 6.x
• Speed, Storage size, Map File, New Dashboards, Peering, …
Universal Log Management
HP ArcSight Logger
• Collect log and event data from any log-generating source, from anywhere
• Quick searches and reports on years' worth of data to investigate outages and incidents quickly and easily
• Cut SAN/storage costs with cheap, simple management of huge amounts of log data
Form Factors
HP ArcSight Logger
• Available as a software or hardware appliance
• Automated enforcement of multiple retention policies
• Static correlation (LOOKUP file)
• Inbound collection rate used to be 100k EPS with small events and no indexing
• Now at least 10k EPS inbound with indexing, searching and reporting running at the same time
Efficient and Intelligent Storage
HP ArcSight Logger
• Flexible storage
  Up to 80 TB per local instance - RAID-enabled onboard storage per appliance
  Up to 40 peer Logger instances configured
• Store years' worth of IT data through high compression ratios
• Local and external event data archiving
[Diagram: archiving targets - DAS over the local bus, NAS and SAN over the network]
Communications
HP ArcSight Logger
Inbound Connections: up to 250 simultaneous HTTPS connections (web browsers to the Logger Web UI, Connectors to SmartMessage receivers, and peer Loggers).
Devices: a named event source (IP address or hostname of the event sender + name of the receiver that receives the event).
Device Groups: used to classify events received from devices (e.g. Device A and Device B events are stored in group AB and Device C events are stored in group C). Including groups in searches can limit the data set scanned, thus resulting in faster searches.
[Diagram: event sources (Syslog over UDP or TCP, any Smart/Flex Connector sending SmartMessages, security and network systems) feed the Logger receivers; Logger forwards events on to ESM/Express through a Connector forwarder or ESM forwarder]
Receiver types: Syslog, CEF, SmartMessages, File-based logs, Folder Follower (active text-based logs)
Different forwarder types target different destinations: UDP, TCP, Connector Forwarder, ESM Forwarder, One-time Forwarder with time range
Storage Enforcement
HP ArcSight Logger
Each storage group has a retention period defined and a customizable size.
License Enforcement
Product: software version of Logger
Universal Log Management that Scales
HP ArcSight Logger – Peer Networks
• Multiple Loggers work together to support high sustained input rates
• Parallel queries can be distributed across Loggers configured in a peer relationship
[Diagram: Logger 1 ... Logger N in a peer network; searches and reports for security, compliance, IT ops and apps are served across all peers]
Peer Networks Explained
HP ArcSight Logger
[Diagram: each Logger (1 ... N) receives events from its own Connector; a peering path links the Loggers so that searches and reports for security, compliance, IT ops and apps span the whole peer network]
N Loggers is better than 1 Logger!
Math explained
User Interface
Local or external Authentication
ArcSight Logger GUI
Monitoring Logger Processes
Storage Groups Storage Policy
Devices
Device Groups
Storage Rules (up to 40)
Searching All Types of Data
• Example: internal espionage has been discovered
• Information needs to be gathered quickly to understand what happened, who was
involved, and what the exposure is
• Logger can quickly search both structured and unstructured data
Google-like searches
Search Results
Appear in a table with self-ranging histogram
• Default: 25 events displayed per page
• Expand/collapse raw event data
Logger Search Types
Indexed
• Keyword search: Search for full-text keywords (CEF or raw data)
• Field search: Search for specified fields (CEF data only)
• Enable Keyword indexing and/or field indexing for optimum performance
Regex
• Search for regular expression-defined patterns (CEF or raw data)
Pipeline Operators ( | )
• Match patterns of data within search results
• Contain functions that work with either CEF or raw data or both
• Apply additional constraints to narrow search and/or format event display
Boolean Operators (AND, OR, and NOT) are used to connect one or more keyword, field,
and/or regex conditions
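The search types above are easiest to understand by running them. The block below is an added example, not ArcSight Logger code and not its search engine: it models keyword, field, regex and Boolean searches plus one pipeline-style operator over a handful of constructed CEF and raw events. The helper names (keyword, field, regex, AND/OR/NOT, top, investigate) and the sample events are assumptions made for this illustration; the CEF field names (src, dst, suser, act) follow the CEF standard. The parser deliberately ignores CEF escape sequences in header fields.

```python
"""Model of Logger search types over constructed events (added example, not Logger code)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample events: three CEF lines and one raw (non-CEF) syslog line.
SAMPLE_EVENTS = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|5|src=10.1.1.5 dst=203.0.113.7 dpt=445 act=deny",
    "CEF:0|Microsoft|Windows|6.1|4625|Logon failure|7|src=10.1.1.5 suser=jsmith act=failure",
    "CEF:0|Microsoft|Windows|6.1|4624|Logon success|3|src=10.1.1.9 suser=jsmith act=success",
    "<34>Jan 12 10:04:01 fileserver smbd: jsmith copied 412 files to \\\\usbdrive\\export",
]

CEF_HEADER = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
              "SignatureID", "Name", "Severity"]

Predicate = Callable[[str], bool]


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse one CEF line into a field dict; return None for raw (non-CEF) data."""
    if not line.startswith("CEF:"):
        return None
    parts = line[len("CEF:"):].split("|", 7)
    if len(parts) != 8:
        return None
    fields = dict(zip(CEF_HEADER, parts[:7]))
    # Extension block: key=value pairs; a value runs until the next " key=" token.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        fields[m.group(1)] = m.group(2)
    return fields


def keyword(term: str) -> Predicate:
    """Full-text keyword search: matches CEF and raw events alike (case-insensitive)."""
    return lambda line: term.lower() in line.lower()


def field(name: str, value: str) -> Predicate:
    """Field search: only CEF events carry fields, so raw lines never match."""
    def pred(line: str) -> bool:
        f = parse_cef(line)
        return f is not None and f.get(name) == value
    return pred


def regex(pattern: str) -> Predicate:
    """Regex search over the raw text of the event (CEF or raw)."""
    rx = re.compile(pattern)
    return lambda line: rx.search(line) is not None


# Boolean operators connect keyword, field and regex conditions.
def AND(*preds: Predicate) -> Predicate:
    return lambda line: all(p(line) for p in preds)


def OR(*preds: Predicate) -> Predicate:
    return lambda line: any(p(line) for p in preds)


def NOT(pred: Predicate) -> Predicate:
    return lambda line: not pred(line)


def search(events: List[str], pred: Predicate) -> List[str]:
    """Return the events that satisfy the predicate, in their original order."""
    return [e for e in events if pred(e)]


def top(events: List[str], name: str) -> List[Tuple[str, int]]:
    """Pipeline-style operator ('| top <field>'): count values of a CEF field in a result set."""
    counts: Dict[str, int] = {}
    for e in events:
        f = parse_cef(e)
        if f and name in f:
            counts[f[name]] = counts.get(f[name], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def investigate(events: List[str] = SAMPLE_EVENTS) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Worked query for the espionage scenario: everything mentioning jsmith that is
    not a successful logon, then the top source addresses among those hits."""
    hits = search(events, AND(keyword("jsmith"), NOT(field("act", "success"))))
    return hits, top(hits, "src")


if __name__ == "__main__":
    for hit in investigate()[0]:
        print(hit)
```

Note that the raw smbd line is found by the keyword search but is invisible to the field search and to top, which is exactly why Logger reports (structured data only) would miss it while a keyword or regex search would not.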
Live Event Viewer
• Simple controls
• Adjustable display buffer: 20 - 5000 events (1000 default)
• 15-minute session limit counter (click to reset)
Reports
Logger out of the box has:
• dozens of reports
• a slew of filters and some field sets
• a few system dashboards
Reports
• Repeatable, structured reporting
• Logger reporting works on structured data only
• A Report is built upon a Report Query
  – A Query can contain a Parameter (a value specified at run time)
NAVIGATION
• Lets users browse and select the reports they are interested in
Data Validation (available to administrators)
• Computes the hash value for the data files in the specified time range and compares it to the pre-computed value to determine the integrity of the data file.
• Each data file contains up to 1 GB of data; the hash value is computed once the data file is full.
• If a data file is not full yet, its validation result cannot be computed.
! The data validation process can take a long time for large amounts of data. Therefore you should schedule the process to run during off-peak hours, and narrow down the time range to include only the data you are interested in.
! The data validation hash value is stored when the data is created, so data files created by an older version of Logger have no hash. In the case of future upgrades, hash validation data will be kept, and you will be able to validate the data after an upgrade.
Value            | Displayed Value in Exported File | Description
Intact           | True                             | The hashes match. Data is intact.
Corrupt          | False                            | The hashes do not match. Data has been changed or become corrupt.
Hash unavailable | N/A                              | The file has no hash. Data could not be validated, most likely because the data file is not yet full or was created by an older version of Logger.
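The three validation outcomes are easy to get wrong when building your own evidence-integrity check, so here is an added example (not Logger code, and not Logger's actual algorithm, which the slide does not state) that models them: a hash is recorded only once a data file is full, a later modification turns a sealed file Corrupt, an unsealed file reports Hash unavailable, and validation is restricted to a time range as the warning above recommends. SHA-256, the tiny FULL_SIZE standing in for 1 GB, the DataFile class and the constructed file contents are all assumptions for the demo.

```python
"""Hash-based data file validation modelled on the Intact/Corrupt/Hash unavailable
outcomes (added example, not Logger code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

FULL_SIZE = 64  # bytes; stands in for the 1 GB data file size (demo assumption)


@dataclass
class DataFile:
    name: str
    created: datetime
    content: bytes
    stored_hash: Optional[str] = None  # recorded once, when the file became full


def sha256_hex(data: bytes) -> str:
    """SHA-256 is assumed here; the slide does not name Logger's hash algorithm."""
    return hashlib.sha256(data).hexdigest()


def seal_if_full(f: DataFile) -> None:
    """Record the hash exactly once, when the file reaches full size (assumed rule)."""
    if f.stored_hash is None and len(f.content) >= FULL_SIZE:
        f.stored_hash = sha256_hex(f.content)


def validate(f: DataFile) -> Dict[str, str]:
    """Map one data file to the three outcomes of the validation table."""
    if f.stored_hash is None:
        return {"file": f.name, "value": "Hash unavailable", "exported": "N/A"}
    if sha256_hex(f.content) == f.stored_hash:
        return {"file": f.name, "value": "Intact", "exported": "True"}
    return {"file": f.name, "value": "Corrupt", "exported": "False"}


def validate_range(files: List[DataFile], start: datetime, end: datetime) -> List[Dict[str, str]]:
    """Validate only files created within [start, end]: narrowing the range keeps the
    run short, which is the point of the off-peak-hours warning."""
    return [validate(f) for f in files if start <= f.created <= end]


def demo() -> List[Dict[str, str]]:
    # Constructed files: two full, one still filling, one outside the queried range.
    files = [
        DataFile("events-0001.dat", datetime(2014, 1, 10, 8, 0), b"0" * FULL_SIZE),
        DataFile("events-0002.dat", datetime(2014, 1, 11, 8, 0), b"1" * FULL_SIZE),
        DataFile("events-0003.dat", datetime(2014, 1, 12, 8, 0), b"2" * 10),
        DataFile("events-0004.dat", datetime(2014, 2, 1, 8, 0), b"3" * FULL_SIZE),
    ]
    for f in files:
        seal_if_full(f)
    # Simulate an after-the-fact edit of a sealed file (e.g. someone altering evidence).
    files[1].content = files[1].content[:-1] + b"9"
    return validate_range(files, datetime(2014, 1, 1), datetime(2014, 1, 31))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['file']}: {row['value']} (exported: {row['exported']})")
```

The stored hash must live somewhere the party who can edit the data file cannot also edit; if both sit on the same disk with the same permissions, a Corrupt result only catches accidents, not an attacker who rewrites both.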
Alerts
HP ArcSight Logger
• Alerts can be Real Time or Scheduled
• Notification: via e-mail, SNMP or Syslog, or send to ESM/Express
• Scheduled alerts: 50 concurrent max
[Diagram: receivers (Syslog, log files, database) feed Logger; real-time and scheduled alert searches run against the stored events]
[Screenshot: real-time alert definition - alert name and regex query]
[Screenshot: scheduled alert definition - alert name and query (not on internal events; successful Authorization/Authentication delete operations)]
HP ArcSight Logger
Installation
Preparing for the Logger Implementation
• Pre-engagement call with the customer
• Discuss the network settings required for Logger:
  • IP address, hostname, DNS
  • Duplex settings
  • Internal SMTP mail relay
  • Required ports for access to Logger and integration with ESM (if needed)
• Use cases for Logger (why did the customer buy Logger?)
  • CIPs (Compliance Insight Packages)
  • Customization
  • Storage Groups
Initializing Logger Appliance on Network
• Logger requires at least one valid IP address; change the default using either the CLI or a web browser
• Loggers have at least two Network Interface Cards (NICs), identified as eth0 and eth1, that can be
linked to different subnets
• Most Logger appliances have four NICs: eth0, eth1, eth2 and eth3
• Configure at least one NIC to begin using Logger
Using the CLI for initial access to Logger Appliance
Using a Web Browser for initial access to Logger
Appliance
• Use a Flash-enabled browser (IE 8 or later, or Firefox 12 or later)
• Log in to https://192.168.35.35/
• Default user name: admin
• Default password: password
• Change the default password as soon as you log in for the first time; the defaults are published and an appliance left with them is trivially accessible to anyone who can reach the Web UI
Logger Initialization & Configuration Process
• Initialization:
• License
• SAN and SAN Multipathing Configuration (SAN model Loggers only)
• Storage Volume - establish where Logger stores event data
• Storage Groups - apply retention policies to the Storage Volume
• Time Zone, Date and Time Settings
• Index Fields and Full-text Indexing
• System Locale Setting
• Reboot - commit the changes made in previous steps
• Configuration:
• Receivers
• Devices
• Device Groups
• Storage Rules
• Forwarders (if needed)
SDK API with the HP ArcSight Logger
Thank You
Questions ?
philippe.jouvellier@hpe.com