Syslog SmartConnector Installation & Testing*

HP ArcSight Proof of Concept Boot Camp Training


TECHNICAL DAY-2
Philippe Jouvellier - HP ESP | Global Partner Enablement
philippe.jouvellier@hpe.com

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
* Lab during this session
Lab Initial Architecture

ESM 6.8c Virtual Environment

[Figure: two VMs. VM-1 is a Windows 7 virtual desktop running the ArcSight Console and the Test Alert Connector (a.k.a. Replay Connector), which reads event files and sends events to ESM. VM-2 is the Linux server running the ESM 6.8c platform (CORR engine). The Console communicates with the ESM Manager on VM-2.]
Demo Replay Connector

Steps for Testing the Replay Connector


1. Click on Demo Replay Connector Desktop Icon
2. Select Test Alert tab
3. Choose the number of “Test Alert Event” events to send out
4. Click SEND
5. Switch to the ESM Console and check that the same number of events shows up in the Viewer panel

! Both the command window and the Connector dialog need to stay open to keep the replay connector running and sending events.
ESM Console Log in

Username: admin
Password: password

Test Alert Events
• After successful login
o Select Active Channel resource in the
Navigator panel
o Go to Shared folder
o Expand ArcNet Active Channels
o Double click “Demo Live”
o Test Alert Event(s) should display
o If so, ESM 6.8c is up and running
o The demo/test environment is ready

Demo Replay Connector
Replay events for the Boot Camp
1. Back to the Desktop RDP
2. Select Replay Connector windows
3. Select REPLAY tab
4. During most of our labs we will select 4 event sets:
 arcexpressdemo.events
 demo.events
 demoexpress-sp1.events
 osLogging.events
5. Leave Max Rate set to 50 events/min
6. Click CONTINUE to start sending events to ESM
7. The event flow will start in a few seconds
You have selected enough events for about 15 minutes
! Event sending does not ‘loop’ by default
Remember before each lab to stop/start sending events
Lab: Installing Syslog SmartConnector

Alternative #1: local VM
• The source file is on the USB drive
• Install in a new folder. Make sure you don’t overwrite an existing connector!
• Choose Syslog File and point it to /var/log/messages
• In the terminal window use logger to type a message

Alternative #2: CloudShare
• The source file is in c:\arcsight
• Install in a new folder. Make sure you don’t overwrite an existing connector!
• Choose Syslog Daemon
• In the terminal window use logger to type a message
Lab#1-a: local VM
Sending events to a Syslog File SmartConnector
The connector is installed on the same Linux platform that runs the ESM server. The Linux logger utility is invoked as the log feed.

[Figure: Linux ESM server VM (labelled “ESM 6.5c VM” in the diagram): logger → /var/log/messages → Syslog File Connector → ESM Manager]

1. The logger utility is used to type a small text message
2. The typed message is written to the /var/log/messages file
3. The Syslog File Connector collects the new log line and sends it to the ESM Manager (which is running on the same machine…)
4. The message shows up in an Active Channel on the ArcSight Console
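What the Syslog File connector does in steps 2 and 3 is tail /var/log/messages and turn each rsyslog line into fields. The following is an added example written for this page, not ArcSight code and not part of the original deck: it parses the BSD-style lines rsyslog writes (timestamp, host, tag, optional pid, message), reads only the lines appended since the previous pass, and holds back a line that rsyslog has not finished writing. The sample lines and the host name vm-esm68c are constructed for the example; the temporary file stands in for /var/log/messages.

```python
"""Parse the rsyslog lines a Syslog File SmartConnector reads from /var/log/messages
and collect only what was appended since the last pass, as a file-tailing connector does.
Added example; the sample lines are constructed, not captured from the lab VM."""
from __future__ import annotations

import os
import re
import tempfile
from typing import Optional

# Constructed sample of /var/log/messages content (BSD / RFC 3164 style as written by rsyslog).
SAMPLE_MESSAGES = (
    "Oct 12 10:15:40 vm-esm68c sshd[2214]: Accepted password for root from 10.160.0.210 port 51022 ssh2\n"
    "Oct 12 10:15:42 vm-esm68c root: hello from the bootcamp lab\n"   # what `logger "hello from the bootcamp lab"` produces
    "Oct 12 10:15:43 vm-esm68c kernel: [ 1234.567] eth0: link up\n"
    "this line is not syslog at all\n"                               # must be skipped, not crash the collector
)

# timestamp (day space-padded for 1..9), host, tag with optional [pid], then the free-text message
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)


def parse_syslog_line(line: str) -> Optional[dict]:
    """Return the fields of one syslog line, or None if the line is not syslog-shaped."""
    m = SYSLOG_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def follow_file(path: str, offset: int) -> tuple[list[dict], int]:
    """Read the lines appended after `offset` and return (events, new_offset).

    A line without a trailing newline is still being written by rsyslog, so it is
    left for the next pass and the offset is not advanced past it.
    """
    events: list[dict] = []
    with open(path, "rb") as f:
        f.seek(offset)
        for raw in f:
            if not raw.endswith(b"\n"):
                break
            event = parse_syslog_line(raw.decode("utf-8", errors="replace"))
            if event is not None:
                events.append(event)
            offset += len(raw)
    return events, offset


def demo() -> dict:
    """Two collection passes over a temporary file standing in for /var/log/messages."""
    fd, path = tempfile.mkstemp(prefix="messages-")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(SAMPLE_MESSAGES)
        first, offset = follow_file(path, 0)
        # Simulate `logger -t bootcamp "second message"` plus a line rsyslog has not finished writing.
        appended = "Oct 12 10:16:01 vm-esm68c bootcamp: second message\n"
        with open(path, "a") as f:
            f.write(appended)
            f.write("Oct 12 10:16:02 vm-esm68c cron[99")
        second, new_offset = follow_file(path, offset)
        return {
            "first_pass": len(first),
            "second_pass": len(second),
            "second_tag": second[0]["tag"],
            "partial_line_held_back": new_offset == offset + len(appended),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the two passes; the point of the partial-line check is that a real collector that advanced its offset past a half-written line would either drop that event or emit a truncated one.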
Lab#1-b: CloudShare VM
Sending events to a Syslog Daemon SmartConnector
The connector is installed as a service on Windows (VM-1). On the Linux server (VM-2) the logger utility is invoked as the log feed, and rsyslog remote forwarding sends the typed message to the Syslog Daemon connector on Windows (VM-1), which then forwards it to the ESM Manager on Linux (VM-2).

[Figure: VM-2 (Linux with ESM server 6.8c, rsyslog) → UDP port 514 → VM-1 (Windows, Syslog Daemon SmartConnector) → port 8443 → ESM Manager on VM-2]

1. On the Linux server the logger utility is used to type a small text message
2. The typed message is written to the log file /var/log/messages
3. rsyslog forwards the new line over UDP port 514 to the Syslog Daemon SmartConnector on Windows (VM-1), which sends it to the ESM Manager on VM-2 (port 8443)
4. The message shows up in an Active Channel on the ArcSight Console
Lab1-b: Walkthrough steps
Installing Syslog Daemon SmartConnector on Windows

Manager name is: vm-esm68c
1st VM with Windows Virtual Desktop: IP address is 10.160.0.210
2nd VM with Linux server and ESM 6.8c: IP address is 10.160.0.200
Installing Syslog File SmartConnector on Linux

Installing as a standalone Application

Requires the connector to be started manually.

Go to the connector bin directory:
<Home>/current/bin
The following command will start the connector:
./arcsight connectors
(On Windows the equivalent is arcsight.bat connectors from <Home>\current\bin.)

! Leave the window open, otherwise the connector will shut down (remember it’s a standalone application, not a service).
Sending events to the Syslog Connector
Modifying rsyslog on ESM server 1/2

From the Windows Virtual Desktop open an SSH session to the ESM server with PuTTY
Machine name is: vm-esm68c (ESM server)
User is root
Password: ******** (arcsight!23)
Go to the /etc directory
Edit the rsyslog.conf file with a file editor (vi or any utility available)
Insert the following line at the end of the file: *.* @<IP address of the SmartConnector>(1):514
*.* @10.160.0.210:514
(A single @ forwards over UDP, which is what the Syslog Daemon connector listens on in this lab; @@ would forward over TCP. The *.* selector matches every facility and severity, so all local messages are forwarded.)
Save the change and exit the editor
Restart the rsyslog service
Type any word/phrase with the logger(2) utility

(1) VM-1 Windows IP address is 10.160.0.210 and VM-2 Linux ESM server IP address is 10.160.0.200
(2) A Linux utility. Not to be confused with ArcSight Logger
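The forwarding action above makes rsyslog wrap each local message in an RFC 3164 UDP datagram and send it to the connector. The following is an added example written for this page, not rsyslog or ArcSight code and not part of the original deck: one function builds the datagram the way rsyslog does for the `*.* @host:port` action, another decodes the PRI into facility and severity the way the Syslog Daemon connector must (falling back to user.notice when the PRI is missing or out of range, as RFC 3164 specifies), and a third runs both sides of the exchange over loopback. It assumes an ephemeral port on 127.0.0.1 instead of the lab's 514 (which needs root); the host name vm-esm68c and the message text are taken from or constructed for this lab.

```python
"""Both sides of the rsyslog forwarding used in Lab 1-b: a sender that emits the same
UDP datagram rsyslog builds for `*.* @10.160.0.210:514`, and a listener that decodes
it the way a Syslog Daemon SmartConnector must. Added example; runs on 127.0.0.1 with
an ephemeral port (the lab's port 514 needs root); message content is constructed."""
from __future__ import annotations

import re
import socket
from datetime import datetime

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
    7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 12: "ntp", 13: "security",
    14: "console", 15: "solaris-cron", 16: "local0", 17: "local1", 18: "local2",
    19: "local3", 20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# user.notice: what `logger` sends by default and what RFC 3164 §4.3.3 assigns to messages with no valid PRI
DEFAULT_PRI = 13
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)


def build_datagram(facility: int, severity: int, host: str, tag: str, msg: str,
                   when: datetime | None = None) -> bytes:
    """RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss host tag: msg (day-of-month is space-padded)."""
    pri = facility * 8 + severity
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("utf-8")


def decode_datagram(data: bytes) -> dict:
    """Split PRI into facility/severity; fall back to user.notice if the PRI is missing or out of range."""
    m = PRI_RE.match(data)
    if m is not None and int(m.group(1)) <= 191:
        pri, payload = int(m.group(1)), m.group(2)
    else:
        pri, payload = DEFAULT_PRI, data
    return {
        "facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": SEVERITIES[pri % 8],
        "payload": payload.decode("utf-8", errors="replace"),
    }


def forward_and_receive(message: str, host: str = "vm-esm68c", tag: str = "root") -> dict:
    """Send one message rsyslog-style to a local listener standing in for the connector and decode what arrives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))          # ephemeral port instead of the lab's 514
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        # logger's default priority is user.notice (facility 1, severity 5)
        sender.sendto(build_datagram(1, 5, host, tag, message), ("127.0.0.1", port))
        data, (src_ip, _src_port) = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    event = decode_datagram(data)
    event["source_address"] = src_ip  # over UDP this is all the connector knows about the sender
    return event


if __name__ == "__main__":
    print(forward_and_receive("hello from the bootcamp lab"))
```

Two caveats follow from the exchange. UDP gives no delivery guarantee, so a burst from rsyslog can be silently dropped before the connector sees it, and the source address the connector records is whatever was in the IP header, which nothing authenticates; rsyslog's `@@` action forwards over TCP if that matters in a deployment outside the lab.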
Thank You

Questions ?
