SmartConnectorTM

User’s Guide
Topics Applicable to All ArcsightTM SmartConnectors

February 13, 2009

SmartConnectorTM User’s Guide

Copyright © 2003-2009 ArcSight, Inc. All rights reserved.

ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight
Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger,
FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other
brands, products and company names used herein may be trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements:
http://www.arcsight.com/company/copyright/
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is ArcSight Confidential.

Revision History

Date Description

02/13/2009 Added “Overview of SmartConnector Types” section.

11/17/2008 Added AUP and Connector Appliance sections. Updated for latest changes
within ESM. SmartConnector build #5177.

08/13/2008 Added CSV Import/export feature, and notation on using multiple connectors
within a single JVM.

07/01/2008 Update to SmartConnector installation procedure and updates to NSP

information.

02/14/2008 Update to SmartConnector installation procedure, and to syslog connector

installation parameters in "Using SmartConnectors with NCM."

12/18/2007 Two new parameters for the HTTP (ESM) destination type have been added to
allow non-ESM destinations to use the automatic updates (AUPs) pushed by
an ESM Manager. See revised installation chapter. Some organizational
changes for usability.

09/20/2007 Added “Using SmartConnectors with NCM.”

06/26/2007 Updated to comply with v4.0 ESM updates.

09/30/2006 First edition of this user’s guide. The former SmartConnector Installation
Guide has been revised and updated to become part of this new book.

Document template version: 1.0.2.4

ArcSight Customer Support

Phone 1-866-535-3285 (North America)

+44 (0)870 141 7487 (EMEA)

E-mail support@arcsight.com

Support Web Site https://support.arcsight.com

Customer Forum https://forum.arcsight.com

 Contents

About This Book ..................................................................................................................................... vii

Who Should Read this Book .............................................................................................vii

Related Documentation .................................................................................................. viii
ArcSight Customer Support ............................................................................................ viii

Chapter 1: Introduction to ArcSight Components ................................................................ 1

ArcSight Components ...................................................................................................... 2

ArcSight ESM ............................................................................................................ 2
SmartConnectors ................................................................................................ 3
Supported Data Sources ...................................................................................... 3
FlexConnectors ................................................................................................... 4
ESM Manager ..................................................................................................... 4
ESM Database .................................................................................................... 4
ESM Console ...................................................................................................... 4
ArcSight Web ..................................................................................................... 5
ArcSight NSP ............................................................................................................ 5
ArcSight Logger ........................................................................................................ 5
Connector Appliance .................................................................................................. 5
Event Severity ................................................................................................................ 6
Filter and Aggregate Events .............................................................................................. 6
Configurable Attributes .................................................................................................... 7

Chapter 2: SmartConnector Overview ................................................................................. 9

Understanding ArcSight SmartConnectors ........................................................................... 9

Features ...................................................................................................................... 10
Data Collection Methods ................................................................................................. 12
ArcSight Database Mapping to Vendor Events ................................................................... 12

Chapter 3: Planning for Deployment ................................................................................. 13

Overview ..................................................................................................................... 13
Supported Platforms ...................................................................................................... 14
Deployment Scenarios ................................................................................................... 14
Deployment Scenario One ........................................................................................ 15
Deployment Scenario Two ........................................................................................ 16

ArcSight Confidential SmartConnector User’s Guide iii

 Deployment Scenario Three ...................................................................................... 16
Estimating Storage Requirements .................................................................................... 17
Understanding ArcSight Turbo Modes ............................................................................... 17

Chapter 4: Installing and Configuring SmartConnectors ................................................... 19

Installing ArcSight ESM .................................................................................................. 19

Installing the SmartConnector ........................................................................................ 20
Using Table Parameters ........................................................................................... 29
Manually Entering Parameter Values .................................................................... 30
Importing and Exporting CSV Files ...................................................................... 30
Installing SmartConnectors from the Command Line .................................................... 31
Installing SmartConnectors in Silent Mode .................................................................. 31
Remotely Upgrading SmartConnectors ............................................................................ 34
Overview of the Upgrade Process .............................................................................. 34
Rolling Back to a Previous Version ............................................................................. 35
Troubleshooting ............................................................................................................ 35
Uninstalling a SmartConnector ........................................................................................ 35
Modifying SmartConnector Parameters after Installation ..................................................... 36
Running SmartConnectors .............................................................................................. 36
Standalone ............................................................................................................ 36
As a Windows Service .............................................................................................. 37
As a UNIX Daemon .................................................................................................. 37

Chapter 5: Using SmartConnectors with Connector Appliance .......................................... 39

Using SmartConnectors on the Connector Appliance ........................................................... 41

Local (on-board) SmartConnectors ............................................................................ 41
Remote Connector Appliance SmartConnectors ........................................................... 42
Software-Based SmartConnectors ............................................................................. 42
Supported SmartConnectors ..................................................................................... 42
Choosing an Event Destination ........................................................................................ 42
Manager ................................................................................................................ 42
Logger ................................................................................................................... 42
CEF Syslog ............................................................................................................. 42
Failover Destination ................................................................................................. 43
Alternate Configurations .......................................................................................... 43
Choosing a Deployment Scenario .................................................................................... 43
ArcSight Logger ...................................................................................................... 43
ArcSight ESM ......................................................................................................... 43
ESM and Logger ...................................................................................................... 43

Chapter 6: Using SmartConnectors with

ArcSight Logger ................................................................................................................ 45

Sending Events from Logger to an ArcSight ESM Manger .................................................... 45

Logger and SmartMessage ....................................................................................... 45

iv SmartConnector User’s Guide ArcSight Confidential

 Sending Events to Logger ............................................................................................... 46
Sending Events to Both Logger and an ESM Manager ......................................................... 48
Sending Events from ArcSight ESM to Logger .................................................................... 50
Configuring the Forwarding Connector to Send Events to Logger ................................... 50
Defining SmartConnector Settings in Logger ..................................................................... 52

Chapter 6: Using SmartConnectors with NSP .................................................................... 57

Deploying a Syslog SmartConnector with NCM/TRM ........................................................... 58

Configuring the Syslog SmartConnectors .......................................................................... 59
The Syslog Daemon SmartConnector ......................................................................... 60
The Syslog Pipe and File SmartConnectors .................................................................. 60
Configuring the Syslog Pipe or File SmartConnector ............................................... 60
Installing the SmartConnector ......................................................................................... 61

Chapter 7: Configuring SmartConnectors through the Console ......................................... 65

Overview ..................................................................................................................... 65
Obtaining SmartConnector Status .................................................................................... 66
Selecting and Setting SmartConnector Parameters ............................................................ 66
Connector Editor Option Tabs ................................................................................... 67
Configuration Fields ................................................................................................. 67
Default Content Tab Configuration Fields .................................................................... 69
SmartConnector Processing Categories ...................................................................... 81
Using Filters in the SmartConnector Configuration Wizard ................................................... 83
SmartConnector Time Interval Options ............................................................................. 85
Managing SmartConnector Filter Conditions ................................................................ 85
Setting Special Severity Levels ........................................................................................ 86
Sending Control Commands to SmartConnectors ............................................................... 87
Disabling Event Compression .......................................................................................... 89
Managing SmartConnector Groups ............................................................................ 90
Creating a SmartConnector Group ....................................................................... 90
Renaming a SmartConnector Group ..................................................................... 90
Editing a SmartConnector Group ......................................................................... 91
Moving or Linking a SmartConnector Group ......................................................... 91
Deleting a SmartConnector Group ....................................................................... 91

Chapter 8: Configuring Multiple Destinations .................................................................... 93

Additional Destinations .................................................................................................. 93

Failover Destinations ..................................................................................................... 93
Configuring Multiple Destinations ..................................................................................... 94
Adding a Failover Destination .......................................................................................... 96
Re-Registering a SmartConnector .................................................................................... 98

ArcSight Confidential SmartConnector User’s Guide v

Chapter 9: Overview of SmartConnector Types ............................................................... 101

File Connectors ............................................................................................................101

Database Connectors ....................................................................................................103
Scanner Connectors .....................................................................................................105
API Connectors ............................................................................................................105
SNMP Connectors .........................................................................................................106
Microsoft Windows Event Log Connectors ........................................................................107
Syslog Connectors ........................................................................................................108
Flex Connectors ...........................................................................................................109
Other Connectors .........................................................................................................110

Appendix A: Payload Support .......................................................................................... 111

Introduction ................................................................................................................111
Working with Payload Data ............................................................................................111

Appendix B: Capturing Events from SmartConnectors ..................................................... 113

Summary ....................................................................................................................113
Installation ..................................................................................................................113
Event Data Rotation .....................................................................................................114

Appendix C: ArcSight Update Packs (AUP) ...................................................................... 115

Defining an AUP ...........................................................................................................115

ArcSight Content AUPs .................................................................................................115
ArcSight ESM ..................................................................................................116
ESM/Logger ....................................................................................................116
Logger ...........................................................................................................116
Connector Appliance .........................................................................................116
ArcSight Connector Upgrade AUP ...................................................................................116
ArcSight ESM ........................................................................................................116
Connector Appliance ...............................................................................................117
ESM Generated AUPs ....................................................................................................118
User Categorization Updates ....................................................................................118
System Zones Updates ...........................................................................................118
User Zones Updates ...............................................................................................118

Appendix D: SmartConnector Frequently

Asked Questions ............................................................................................................. 119

vi SmartConnector User’s Guide ArcSight Confidential

 About This Book

ArcSight Enterprise Security Management (ESM) is a comprehensive software solution that

combines traditional security event monitoring with network intelligence, context
correlation, anomaly detection, historical analysis tools, and automated remediation.
ArcSight ESM is a multi-level solution that provides powerful tools for business users,
system administrators, and network security specialists.

The following topics are discussed in this chapter:

“Who Should Read this Book” on page vii

“Related Documentation” on page viii
“ArcSight Customer Support” on page viii

Who Should Read this Book

This book contains information that applies to all SmartConnectors, including installation,
deployment, and management of SmartConnectors. Information about installing and
configuring individual SmartConnectors is provided in the ArcSight SmartConnector
Configuration Guides.

The audience for this book is primarily security administrators who install SmartConnectors
and ensure their connectivity to ArcSight ESM. This can include administrators for:

„ Networks
„ Security
„ Systems
„ Databases
If this is the first time you are installing an ArcSight component, ArcSight recommends that
you first read the latest ArcSight ESM Administrator’s Guide.

ArcSight Confidential SmartConnector User’s Guide vii

About This Book

Related Documentation
Document Title Description

Release Notes Describes new product features, latest updates, known

ArcSight™ product issues and work-arounds, and technical support
SmartConnectors information.

ArcSight™ ESM Explains how to install and configure ArcSight Enterprise

Installation and Security Management (ESM) components and tools
Configuration Guide including the ArcSight Database, Manager, Console, and
Web applications. Also provides general information about
how to plan for, install, and deploy ArcSight
SmartConnectors.

ArcSight™ ESM Describes how to configure ArcSight and its network

Administrator's Guide interfaces, and maintain ArcSight for ongoing operations.

ArcSight™ ESM Introduces major new features in the current version of

Reviewer’s Guide ArcSight ESM, including task walk-throughs and usage
guidance. The same information is highlighted in the
“What’s New” Console Help topics.

ArcSight™ ESM User’s Describes how to use the ArcSight Console. These are
Guide printable versions of the online Help topics and glossary.
ArcSight™ ESM
Reference Guide

ArcSight™ ESM Web Provides user and reference information from the ArcSight
User’s Guide Web online Help system.

ArcSight™ Provides vendor-specific instructions for how to install

SmartConnector individual SmartConnectors and configure their associated
Configuration Guides devices.

ArcSight FlexConnector Describes how to design, create, and install custom

Configuration Guide SmartConnectors.

ArcSight makes available the following ESM and SmartConnector product documentation.
Many of these documents are available for download from the ArcSight ESM Console by
choosing the menu option Help > Browse Documentation. The latest and most
complete set of documentation is always offered on the ArcSight Customer Support site
(https://support.arcsight.com) through the Product Documentation link in the Knowledge
Center section.

ArcSight Customer Support

You can obtain a log-in user name and password from your ArcSight Customer Support
representative. You can reach ArcSight Customer Support through the following resources:

Resource Description

Support website https://support.arcsight.com. Which provides access to

ArcSight incident reporting, knowledge base, software
downloads, help, and the new Customer Forum.

Customer Forum https://forum.arcsight.com, which offers a place for

customers to share ArcSight tips and tricks.

viii SmartConnector User’s Guide ArcSight Confidential

 Chapter 1
Introduction to ArcSight Components

ArcSight ESM collects, normalizes, aggregates, and filters millions of events from
thousands of assets across your network into a manageable stream prioritized according to
risk, exposed vulnerabilities, and the criticality of the assets involved.

ESM provides ready-made security solutions you can implement as-is, as well as powerful
tools you can use to build customized solutions.

The following topics are discussed in this chapter:

“ArcSight Components” on page 2

“Event Severity” on page 6
“Filter and Aggregate Events” on page 6
“Configurable Attributes” on page 7

As detailed below, prioritized events are correlated, investigated, analyzed, and

re-mediated using ESM tools, providing you with situational awareness and real-time
incident response time.

After collection, prioritized events are run through

„ Correlation. Often, interesting activities are represented by more than one event.
Correlation is a process that discovers the relationships between events, infers the
significance of those relationships, prioritizes them, and provides a framework for
taking action.
„ Monitoring. Once events have been processed and correlated to pinpoint the most
critical or potentially dangerous, ArcSight provides a variety of monitoring tools to
assist you in investigating and remediating potential threats before they can damage
your network.
„ Workflow. The workflow framework provides a customizable structure of escalation
levels to ensure that events of interest are escalated to the right people in the right
timeframe. This lets members of your team investigate immediately to make informed
decisions and take appropriate and timely action.
„ Analysis. When events occur that require investigation, ArcSight provides an array of
investigative tools that let your team members drill down into an event to discover its
details and connections, and to perform functions (such as nslookup, ping, portinfo,
traceroute, WebSearch, and whois).
„ Reporting. Briefing others on the status of your network security is vital to all who
have a stake in the health of your network, including IT and Security Managers,
executive management, and regulatory auditors. You can use ArcSight’s reporting

ArcSight Confidential SmartConnector User’s Guide 1

1 Introduction to ArcSight Components

tools to manually or automatically create versatile reports on a regular schedule,

allowing you to focus on narrow topics or report general system status.

ArcSight Components
ArcSight products comprise several separately installable components working together to
process event data from your network. These components connect to your network
through sensors that report to ArcSight SmartConnectors.

SmartConnectors translate device output into a normalized event schema that becomes the
starting point for ArcSight ESM correlation.

The following graphic illustrates ArcSight basic components. For complete descriptions of
these components, see ESM 101, Concepts for ArcSight ESM v4.0.

Figure 1-1 ArcSight Components

„ ArcSight SmartConnectors gather and process event data from network devices and
pass it to the ArcSight ESM Manager to be processed and stored in the database.
„ Users interact with ArcSight ESM using the ArcSight ESM Console or ArcSight Web.
„ ArcSight NSP uses NCM/TRM software to provide network device inventory,
configuration settings, and additional analysis features.
„ ArcSight Logger is a hardware storage solution optimized for extremely high event
throughput.

ArcSight ESM
ArcSight ESM consists of several separately installable components that work together to
process event data from your network. These components connect to your network via
sensors that report to ESM SmartConnectors. SmartConnectors translate a multitude of

2 SmartConnector User’s Guide ArcSight Confidential

 1 Introduction to ArcSight Components

device output into a normalized ESM schema that becomes the starting point for ESM
correlation capabilities. ArcSight ESM components are described in the following pages.

SmartConnectors
SmartConnectors are the interface between the ArcSight ESM Manager and the network
devices that generate ESM-relevant data on your network.

SmartConnectors collect event data from network devices, then normalize it in two ways.
First, they normalize values (such as severity, priority, and time zone) into a common
format. Then they normalize the data structure into a common schema. SmartConnectors
can filter and aggregate the events to reduce the volume sent to the Manager, which
increases ArcSight’s efficiency and reduces event processing time.

In brief, SmartConnectors:

„ Parse individual events and normalize them into a common schema (format) for use by
ArcSight ESM.
„ Collect all the data you need from a source device, which eliminates the need to return
to the device during an investigation or audit.
„ Filter out data you know is not needed for analysis, thus saving network bandwidth
and storage space.
„ Aggregate events to reduce the quantity of events sent to the Manager.
„ Pass processed events to the Manager.
„ Categorize events using a common, human-readable format, saving you time and
making it easier to use those event categories to build filters, rules, reports, and data
monitors.
„ Depending upon the network device, some SmartConnectors also can instruct the
device to issue commands to devices. These actions can be executed manually or
through automated actions from rules and some data monitors.
ArcSight releases new and updated SmartConnectors approximately every six weeks.

Supported Data Sources

ArcSight collects output from data sources with network devices, such as intrusion
detection and prevention systems, vulnerability assessment tools, firewalls, anti-virus and
anti-spam tools, encryption tools, application audit logs, and physical security logs.

SmartConnectors can be installed either directly on devices or separately on dedicated

servers, depending upon the network device reporting to them. The SmartConnector can
be co-hosted on the device if the device is a standard PC and its function is entirely
software-based, such as ISS RealSecure devices, Snort devices, and so on. For embedded
data sources (such as most Cisco devices and Check Point Firewall appliances), co-hosting
on the device is not an option.

During SmartConnector configuration, a SmartConnector is registered to your ArcSight ESM

Manager and configured with characteristics unique to the devices it reports on and the
business needs of your network.

By default, SmartConnectors maintain a heartbeat with the ESM Manager every 10

seconds. The Manager sends any Console commands or configuration updates to the
SmartConnector. The SmartConnector sends new event data to the Manager in batches of
100 events or once every second, whichever comes first. You can configure the time and
event count intervals.

ArcSight Confidential SmartConnector User’s Guide 3

1 Introduction to ArcSight Components

FlexConnectors
ArcSight’s FlexConnector framework is a software development kit (SDK) that lets you
create a SmartConnector tailored to the devices on your network and their specific event
data. The following ArcSight FlexConnectors types are available:

„ File
„ Regular Expression File
„ Time-Based Database
„ Key-Value File
„ SNMP
„ Multiple Database
„ ID-Based Database
„ Regular Expression Folder File
„ XML File
„ CounterACT
„ Regular Expression Multiple File
„ Multi-Folder File
„ Syslog
In addition, beta support is currently available for the following FlexConnectors:

„ Scanner Database
„ Scanner XML Reports
„ Scanner Text Reports
For complete information about these FlexConnectors and how to use them, contact your
ArcSight Customer Support representative or see the ArcSight FlexConnector Developer's
Guide.

ESM Manager
As events stream into the system, the ESM Manager writes them to the ArcSight database.
It simultaneously processes the events through the correlation engine, which evaluates
each event with network model and vulnerability information to develop real time threat
summaries.

ESM Database
As events stream into the ESM Manager from the SmartConnectors, they are written to the
ESM Database with a normalized schema. This lets ESM collect all events generated by the
devices on your network, which you can analyze and refer to at any time.

The ESM Database is based upon Oracle 9i. A typical installation retains active data online
from weeks to months.

ESM Console
The ArcSight ESM Console is a workstation-based interface intended for use by your
full-time security staff in a Security Operations Center (SOC) or similar security-monitoring
environment. The Console is the authoring tool for building ArcSight ESM filters, rules,

4 SmartConnector User’s Guide ArcSight Confidential

 1 Introduction to ArcSight Components

reports, Pattern Discovery, dashboards, and data monitors. It also is the interface for
administering users and resources.

The ArcSight ESM Console version should match the ArcSight ESM Manager
version to ensure that resources and schemas match.

ArcSight Web
ArcSight Web is an independent and remotely installable Web server that provides a secure
interface with the ArcSight ESM Manager for browser clients. ArcSight Web is intended for
use as a streamlined interface for customers of Managed Service Security Providers
(MSSPs), SOC operators, and business users who require access to ArcSight ESM to
investigate events from outside the protected network.

ArcSight NSP
ArcSight NSP is an appliance that consists of these two licensed software components.

„ Network Configuration Manager (NCM)

„ Threat Response Manager (TRM)
These components build and maintain a detailed understanding of your network’s topology,
letting you centrally manage your network infrastructure and rapidly respond to security
incidents.

The NCM/TRM solution lets you:

„ Locate and quarantine any device connected to the network instantly

„ Apply protocol filters to curb an intrusion attempt
„ Block specific IP ranges from communicating or block specific protocols
„ Disable individual user accounts
„ Manage configuration changes centrally on a single device or a group of devices
„ Audit the change control process granularity
„ Build wizards that let you to delegate routine network administration tasks to
lower-level administrators.

ArcSight Logger
ArcSight Logger is an event data storage appliance optimized for extremely high event
throughput. Logger stores security events onboard in compressed form, but can always
retrieve unmodified events on demand for forensics-quality litigation data.

Logger can be deployed stand-alone to receive events from syslog messages or log files, or
to receive events in Common Event Format from SmartConnectors. Logger can forward
selected events as syslog messages to ESM.

Multiple Loggers work together to support high sustained input rates. Event queries are
distributed across a peer network of Loggers.

Connector Appliance
ArcSight Connector Appliance is a hardware solution that incorporates a number of
onboard ArcSight SmartConnectors and a web-based user interface that provides
centralized management for SmartConnectors across a potentially large number of hosts.

ArcSight Confidential SmartConnector User’s Guide 5

1 Introduction to ArcSight Components

The Connector Appliance centralizes SmartConnector management and offers unified

control of SmartConnectors on

„ The Connector Appliance

„ Remote Connector Appliances
„ Software-based SmartConnectors (installed on remote hosts)
ArcSight Connector Appliance includes on-board SmartConnectors that connect event
sources to destinations such as ArcSight Logger and ArcSight ESM.

The Connector Appliance delivers the following features and benefits:

„ Supports bulk operations across all SmartConnectors and is particularly desirable in

ArcSight ESM deployments with a large number of SmartConnectors, such as a
Managed Security Services Provider (MSSP).
„ Provides an ArcSight ESM-like SmartConnector management facility in Logger-only
environments.
„ Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors. The Connector Appliance does not receive events from the
SmartConnectors it manages, and this allows for management of many connectors at
one time. The Connector Appliance does not affect working SmartConnectors unless it
is used to change their configuration. In some cases, the SmartConnector is
commanded to restart.

Event Severity
During the normalization process, the SmartConnector collects data about the level of
danger associated with a particular event, as interpreted by the data source that reported
the event to the SmartConnector. These data points, device severity and
SmartConnector severity, become factors in calculating the event’s overall priority.

Device severity captures the language used by the data source to describe its
interpretation of the danger posed by a particular event. For example, if a network IDS
detects a DHCP packet that does not contain enough data to conform to the DHCP format,
the device flags this as a high-priority exploit.

SmartConnector severity is the translation of the device severity into

ArcSight-normalized values. For example, Snort uses a device severity scale of 1-10,
whereas Check Point uses a scale of high, medium, and low. ArcSight normalizes these
values into a single severity scale. The default ArcSight scale is Low, Medium, High, and
Very High.

For example, routine file access and successful authentications by authorized users would
be translated into the ArcSight-normalized values as very low severity, whereas a short
DHCP packet would be translated as very high severity.

Filter and Aggregate Events

During SmartConnector installation and configuration, you can configure the
SmartConnector to use filter conditions to focus the events passed to the ESM Manager
according to specific criteria. For example, you can use filters to sort out events with
certain characteristics, from specific network devices, or generated by vulnerability
scanners. Events that do not meet the SmartConnector filtering criteria are not forwarded
to the ESM Manager.

6 SmartConnector User’s Guide ArcSight Confidential

 1 Introduction to ArcSight Components

You can configure the SmartConnector to aggregate (summarize and merge) events that
have the same values in a specified set of fields, either for a specified number of times or
within a specified time limit.

SmartConnector aggregation compiles events with matching values into a single event. The
aggregated event contains only the values the events have in common plus the earliest
start time and latest end time. This reduces the number of individual events the Manager
must evaluate.

For example, suppose the SmartConnector is configured to aggregate events with a certain
Source IP and Port, Destination IP and Port, and Device Action whenever the events occur
10 times in 30 seconds. If ten events with these matching values are received by the
SmartConnector within that timeframe, they are grouped together into a single event with
an aggregated event count of 10.

If the 30-second timeframe expires and the SmartConnector has received only two
matching events, the SmartConnector creates a single aggregated event with an
aggregated event count of two. If 900 matching events were to come in during the 30
seconds, the SmartConnector would create 90 aggregated events, each with an
aggregated event count of 10.

Firewalls are a good candidate for aggregation because of the volume of events with
similar data coming in from multiple devices.

Configurable Attributes
All SmartConnector configurable attributes are set during the installation and configuration
process. The following attributes can be edited after installation by the ArcSight ESM
Administrator.

„ Connector name, location, owner, creation, and update information

„ The ArcSight network with which the SmartConnector is associated
„ The default behavior of the SmartConnector, such as batching, time correction, cache
size, Manager connection attributes, aggregation parameters, or filters
„ The SmartConnector's alternative behavior, which can be initiated to send events
based upon time requirements
For complete instructions about which SmartConnector attributes to configure and how,
see to the ArcSight ESM v4.0 Installation and Configuration Guide.

ArcSight Confidential SmartConnector User’s Guide 7

1 Introduction to ArcSight Components

8 SmartConnector User’s Guide ArcSight Confidential

 Chapter 2
SmartConnector Overview

This chapter provides an overview of ArcSight SmartConnectors and how they collect and
send events (generated by various vendor devices) to the ArcSight ESM Manager.

The following topics are included in this chapter:

“Understanding ArcSight SmartConnectors” on page 9

“Features” on page 10
“Data Collection Methods” on page 12
“ArcSight Database Mapping to Vendor Events” on page 12

Once SmartConnectors normalize and send events to the ArcSight Manager, the events are
stored in the centralized ESM Database. ArcSight ESM then filters and cross-correlates
these events with rules to generate meta-events. The meta-events then are automatically
sent to administrators with corresponding Knowledge Base articles which contain
information supporting their enterprise’s policies and procedures.

Understanding ArcSight SmartConnectors

SmartConnectors process raw data generated by various vendor devices throughout an
enterprise. Devices consist of routers, e-mail servers, anti-virus products, firewalls,
intrusion detection systems (IDS), access control servers, VPN systems, anti-DoS
appliances, operating system logs, and other sources that detect and report security or
audit information.

ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.

Due to this variety of information, SmartConnectors format each event into a consistent,
normalized ArcSight message, letting you find, sort, compare, and analyze all events using
the same event fields.

Specific SmartConnector Configuration Guides document device-to-ArcSight ESM event

mapping information for individual vendor devices, as well as specific installation
parameters and configuration information.

ArcSight Confidential SmartConnector User’s Guide 9

2 SmartConnector Overview

Features
For complete information about how the following features work, see the ArcSight ESM
v4.0 Administrator’s Guide and ArcSight ESM Console Help.

Feature Description

Filtering and Data Uses AND/OR based Boolean logic to determine what data
Reduction is to be included from the device and what data is filtered
out when the event is sent to the ESM Manager.

Aggregation Compiles events with matching values into a single event,

reducing the number of individual events the ESM Manager
must evaluate.

Batching Improves ESM Manager performance by sending a

collection of events at one time (rather than after each
occurrence).

Time Error Synchronizes the time between the device and the
Correction SmartConnector, and between the SmartConnector and the
ESM Manager.

Time Zone Correction Corrects the local time zone, as necessary, to support
device-time queries, correlation, and filters.

Categorizer Assigns ArcSight ESM categories to an event.

Resolver Attempts to resolve and reverse-resolve host names and

addresses reported by a device.

Data Normalization Converts each event produced by devices to an ArcSight

ESM common event format message (or ArcSight
message).

The following illustration shows the communication between network devices and ArcSight
SmartConnectors, and between ArcSight SmartConnectors and ArcSight ESM Manager.

10 SmartConnector User’s Guide ArcSight Confidential

 2 SmartConnector Overview

Figure 2-1 ArcSight SmartConnector Event Collection and Processing

You can deploy SmartConnectors on a device, on a separate host machine,

or on the host machine where the ArcSight ESM Manager system resides.

SmartConnectors both receive and retrieve information from network devices. If the device
sends information, the SmartConnector becomes a receiver; if the device does not send
information, the SmartConnector retrieves it.

An ArcSight message is created for each event the devices collect. Once an event is
received, the SmartConnector adds device and event information to the event to complete
the message, which is then sent to the ESM Manager.

ArcSight Confidential SmartConnector User’s Guide 11

2 SmartConnector Overview

Data Collection Methods

ArcSight SmartConnectors are specifically developed to interoperate with network and
security products using multiple techniques, including simple log forwarding and parsing,
direct installation on native devices, SNMP, and syslog.

Data collection and event reporting formats for various SmartConnectors include:

„ Log File Readers (including text and log file)

„ Syslog
„ SNMP
„ Database
„ XML
„ Proprietary protocols, such as OPSEC or Cisco PostOffice
The ArcSight Console, Manager, and SmartConnectors communicate using HTTP
(HyperText Transfer Protocol) over SSL (Secure Sockets Layer; also referred to as HTTPS).

Vendor device types for which SmartConnectors are available include:

„ Network and host-based IDS and IPS

„ VPN, Firewall, router, and switch devices
„ Vulnerability management and reporting systems
„ Access and identity management
„ Operating systems, Web servers, content delivery, log consolidators, and aggregators
For more information about the latest ArcSight SmartConnectors available, visit our website
at http://www.arcsight.com and click the Support link.

ArcSight Database Mapping to Vendor Events

ArcSight SmartConnectors collect the vendor-specific event definitions contained within a
network device. This information is mapped to the data fields within the SmartConnector,
then sent to the ArcSight ESM Manager.

For specific mappings between the SmartConnector data fields and supported vendor-
specific event definitions, see the configuration guide for the device-specific
SmartConnector. For example, for mappings for the SmartConnector for Cisco PIX Syslog,
refer to the SmartConnector for Cisco PIX Syslog Configuration Guide.

For additional information about mappings and parsing information from third-party
devices, see “Advanced Topics” in the FlexConnector Developer’s Guide.

12 SmartConnector User’s Guide ArcSight Confidential

 Chapter 3
Planning for Deployment

Deployment of an ArcSight SmartConnector is based upon the requirements of your

network security enterprise. This section outlines possible ArcSight deployments based
upon different scenarios.

The following topics are discussed in this chapter:

“Overview” on page 13
“Supported Platforms” on page 14
“Deployment Scenarios” on page 14
“Estimating Storage Requirements” on page 17
“Understanding ArcSight Turbo Modes” on page 17

The scenarios and deployments shown here are only examples of how you might introduce
ArcSight ESM into your enterprise. ArcSight ESM is not limited to just these scenarios and
deployments.

Overview
ArcSight components install consistently across UNIX, Windows, and Macintosh platforms.
Whether a host is dedicated to the ArcSight ESM Database, Manager, Console, or other
component, ArcSight ESM software is installed in a directory tree under a single root
directory on each host (DBMS and other third-party software is not necessarily installed
under this directory, however.) The path to this root directory is called $ARCSIGHT_HOME.

In SmartConnector documentation, the 'current' directory is specified rather than presumed

to be part of the $ARCSIGHT_HOME location, and the path separator is a backslash (\) (for
example, $ARCSIGHT_HOME\current). This is consistent with SmartConnector
configuration guide information, and also underscores the fact that ArcSight
SmartConnectors are not installed on the same machine as the remaining ArcSight ESM
components. Rather, they are typically installed on the same machine as the device whose
activity will be monitored.

The directory structure below $ARCSIGHT_HOME is standardized across components and

platforms. ArcSight software is generally available in the
$ARCSIGHT_HOME\current\bin directory, and documentation is found in
$ARCSIGHT_HOME\current\doc. Properties files, which control the ArcSight
configuration, are found in $ARCSIGHT_HOME\config, and log files are written to
$ARCSIGHT_HOME\logs.

ArcSight Confidential SmartConnector User’s Guide 13

3 Planning for Deployment

ArcSight SmartConnectors collect and process the data generated by various vendor
devices throughout your enterprise. Devices consist of routers, email logs, anti-virus
products, firewalls, intrusion prevention systems (IPS), access control servers, VPN
systems, antiDoS appliances, operating system logs, and other sources where information
about security threats are detected and reported.

ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.

SmartConnectors format every raw security event into a consistent, normalized ArcSight
event. By creating a consistent message format, you can find, sort, compare, and analyze
all events using the same event fields.

When a SmartConnector receives an event, it completes the message by adding device

information, then forwarding the event to various components throughout ArcSight ESM.

Supported Platforms
For information about supported platforms, see the ArcSight SmartConnector Product and
Platform Support document that is shipped with each SmartConnector release. Only
differences to the support detailed in that document are specified in the device's
SmartConnector Configuration Guide.

Deployment Scenarios
You can install SmartConnectors on the ArcSight ESM Manager, a host machine, or a
device. Based upon configuration, they also can receive events over the network using
SNMP, HTTP, syslog, proprietary protocols (such as OPSEC), or direct database connections
to the device's repository (such as ODBC or proprietary database connections).

The best deployment scenario for your system depends upon the SmartConnector type,
your network architecture, and your operating system.

„ Scenarios for syslog deployment are documented in the SmartConnector for UNIX OS
Syslog Configuration Guide.
„ Scenarios for deploying Windows Event Log connectors are documented in the
SmartConnector for Microsoft Windows Event Log Configuration Guide.

14 SmartConnector User’s Guide ArcSight Confidential

 3 Planning for Deployment

Deployment Scenario One

In this scenario, there are three ArcSight SmartConnectors residing on three different
devices: a firewall, an IPS, and a UNIX operating system. These SmartConnectors receive
information from the devices or their logs, and send captured events to the ESM Manager
based upon the SmartConnector configuration.

Once events are received by the Manager, it cross-correlates the events using rules and
sends meta-events to the ESM Database and to any ESM Consoles that access the
Database.

The ESM Manager also can perform preset actions. Events and meta-events within the ESM
Database can be played back using the Replay channel to investigate, analyze, or create a
report about event history.

Figure 3-1 Three ArcSight SmartConnectors Residing on Three Devices

ArcSight Confidential SmartConnector User’s Guide 15

3 Planning for Deployment

Deployment Scenario Two

This scenario is the same as the first, except that the three SmartConnectors reside on a
host machine rather than the device itself. The ArcSight SmartConnector need not reside
on the device in order to retrieve information from that device. The SmartConnector
functions as before, and the ArcSight ESM Manager and Database perform the same
functions.

Figure 3-2 Three ArcSight SmartConnectors Residing on a Host Machine

Deployment Scenario Three

In this scenario, the ArcSight SmartConnectors reside on the ESM Manager itself, not on a
host machine, but still retrieve events from devices in the network. The processing
performed by the ArcSight SmartConnector, Manager, and Consoles are identical to the
other scenarios.

Figure 3-3 Three ArcSight SmartConnectors Residing on an ESM Manager

16 SmartConnector User’s Guide ArcSight Confidential

 3 Planning for Deployment

Estimating Storage Requirements

Understanding the range of devices and SmartConnectors you want to deploy helps in
estimating your daily event volume. Log file size is not accurate enough; you need to know
how many events are generated during an average day. This varies by the type of device,
firewall, IDS, vulnerability management, and so on. Not only do different devices generate
different event volumes, they also respond differently to various event aggregation policies.

The average size of the data stored for each event depends upon the turbo mode
(Fastest, Faster, or Complete) specified for a particular SmartConnector. For detailed
information on turbo modes, see the following section, “Understanding ArcSight Turbo
Modes”.

SmartConnectors can aggregate events to reduce event traffic. An event that repeats every
500 ms, for example, can be represented by a single event that fires every ten seconds,
producing a 20:1 event compression. Individual SmartConnectors can be configured to
aggregate events in this manner, reducing event traffic to the ESM Manager and the
storage requirements in the Database.

In a distributed environment with multiple ESM Managers, the event volume metric must
consider both the SmartConnector feeds to the Manager and the event forwarding from
other Managers.

Understanding ArcSight Turbo Modes

You can accelerate the transfer of sensor information through SmartConnectors by
choosing one of three turbo modes (Fastest, Faster, or Complete).

The Fastest mode requires the fewest bytes and is most suited to devices such as
firewalls, which have relatively little event data. The Faster mode is the Manager default,
and requires less storage space. Rich event data sources, such as a network operating
system, might use Complete mode, the SmartConnector default. The Complete mode
passes all the data arriving from the device, including any custom or vendor-specific (for
example, "additional") data.

You can configure SmartConnectors to send more or less event data on a per-
SmartConnector basis, and the ESM Manager can be set to read and maintain more or less
event data, independent of the SmartConnector setting.

Some events require more data than others. For example, operating system syslogs often
capture a considerable amount of environmental data that may not be relevant to a
particular security event. Firewalls, on the other hand, typically report only basic
information.

ArcSight defines turbo modes as follows:

Mode Description

Fastest (Mode 1) Recommended for simpler devices, such as firewalls.

Faster (Mode 2) ESM Manager default. Eliminates all but a core set of event
attributes to achieve the best throughput. Because the
event data is smaller, it requires less storage space and
provides the best performance.

Complete (Mode 3) SmartConnector default. All event data arriving at the

SmartConnector, including additional data, is maintained.

ArcSight Confidential SmartConnector User’s Guide 17

3 Planning for Deployment

When a turbo mode is not specified, Mode 3, Complete, is the default. Versions of ArcSight
ESM prior to v3.0 run in turbo mode Complete.

The ESM Manager uses its own turbo mode setting when processing event data. If a
SmartConnector is set at a higher turbo mode than the Manager, it reports more event data
than the Manager requires. The Manager ignores these extra fields.

However, if a Manager is set at a higher turbo mode than the SmartConnector, the
SmartConnector has less event data to report to the Manager. The Manager maintains
fields that remain empty of event data.

Both situations are normal in real-world scenarios because the Manager configuration must
reflect the requirements of a diverse set of SmartConnectors.

Possible Manager-SmartConnector configurations are as follows:

1-1 Manager and SmartConnector in Fastest Mode.

1-2 SmartConnector sending more sensor data than Manager requires.

1-3 SmartConnector sending more sensor data than Manager requires.

2-1 SmartConnector not sending all data that Manager is storing.

2-2 Manager and SmartConnector in Faster mode.

2-3 Default: Manager does not process additional data sent by SmartConnector.

3-1 Manager maintains Complete data; SmartConnector sends minimum.

3-2 Manager maintains additional data, but SmartConnector does not send it.

3-3 Manager and SmartConnector in Complete mode.

18 SmartConnector User’s Guide ArcSight Confidential

 Chapter 4
Installing and Configuring
SmartConnectors

When you have purchased and are ready to install an ArcSight SmartConnector, see the
configuration guide of the individual connector for customized information for the device
the connector is monitoring. (For example, when installing a SmartConnector for Windows
Event Log, refer to the SmartConnector for Microsoft Windows Event Log Configuration
Guide.)

The following topics are discussed in this chapter:

“Installing ArcSight ESM” on page 19

“Installing the SmartConnector” on page 20
“Remotely Upgrading SmartConnectors” on page 34
“Troubleshooting” on page 35
“Uninstalling a SmartConnector” on page 35
“Modifying SmartConnector Parameters after Installation” on page 36
“Running SmartConnectors” on page 36

Individual configuration guides contain installation parameters to enter, how to configure

the particular device to enable SmartConnector event collection, and customized device
event mappings to ArcSight ESM fields.

Installing ArcSight ESM

Before you install any ArcSight SmartConnectors, make sure that ArcSight ESM has already
been installed correctly. Also, ArcSight recommends reading the ArcSight Installation and
Configuration Guide before attempting to install a new ArcSight SmartConnector. For a
successful installation of ArcSight ESM, follow this order:

1 Ensure that the ArcSight ESM Manager, Database, and Console are installed correctly.

2 Run the ArcSight ESM Manager. The command prompt window or terminal box
displays a "Ready" message when the ESM Manager has started successfully. If the
ArcSight ESM Manager is running as a Windows NT/2000 Service, monitor the
server.std.log file located in ARCSIGHT_HOME\current\logs\default.

3 Run the ArcSight ESM Console. Although not required, it is helpful to have the Console
running when installing the SmartConnector to verify successful installation.

ArcSight Confidential SmartConnector User’s Guide 19

4 Installing and Configuring SmartConnectors

Before installing the SmartConnector, be sure the following are available:

„ Local access to the machine where the SmartConnector is to be installed

„ Administrator privilege

At a minimum, SmartConnectors must be running version 4021 to

communicate with a version 4.0 Manager.

Installing the SmartConnector

For information regarding operating systems and platforms supported, refer to the
SmartConnector Product and Platform Support. For complete installation instructions for a
particular SmartConnector, see the configuration guide for that connector. The product-
specific configuration guide provides device configuration information, installation
parameters, and device event mappings to ArcSight ESM fields.

1 Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location
of the ArcSight SmartConnector Installer directory.

2 Start the ArcSight SmartConnector Installer by double-clicking on the executable file

for your operating system. Installation files follow the format:

Linux ArcSight-4.0.x.nnnn.y-Connector-Linux.bin

Solaris ArcSight-4.0.x.nnnn.y-Connector-Solaris.bin

Windows ArcSight-4.0.x.nnnn.y-Connector-Windows.exe

A window such as the following is displayed; once you have verified that the ESM
Database, Manager, and Console are installed and operating, click Next.

20 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

3 When the Introduction window is displayed, read the information and click Next when
ready.

4 Next, accept the default location for "Where Would You Like to Install?," or click
Choose… to select another folder for installation. Click Next when ready.

It is a good practice to develop and use a standard naming convention to specify

directory locations, file names, and menu option names for the SmartConnectors you
install. Typically, if you install multiple connectors on a particular machine, you should
install each SmartConnector in a separate directory.

ArcSight Confidential SmartConnector User’s Guide 21

4 Installing and Configuring SmartConnectors

5 Choose from the following types installation; for most connectors, Typical is the
appropriate selection. Click Next.

6 On the following window, accept the default shortcut folder location or select a new or
existing Program Group. (You can also create icons for all users accessing ArcSight
SmartConnector by selecting the Create Icons for All Users check box.) Click Next
when you have finished making your selections.

22 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

7 Verify your selections on the Pre-Installation Summary window; click Install to

begin installation of the SmartConnector core component software.

If the summary is incorrect, click Previous to make changes.

8 An installation process window is displayed during installation of core connector

software (click Cancel if you want to cancel the installation).

9 When the installation of ArcSight SmartConnector core component software is

finished, the following window is displayed:

10 Make sure ArcSight Manager (encrypted) is selected and click Next.

For information about the ArcSight Logger SmartMessage (encrypted)

destination, see Chapter 6‚ Using SmartConnectors with ArcSight Logger‚ on page 45.

For information about NSP Device Poll Listener, see Chapter 6‚ Deploying a Syslog
SmartConnector with NCM/TRM‚ on page 58. The SmartConnector Configuration
Wizard prompts you to specify whether the ArcSight ESM Manager to which you are
going to connect uses a demo certificate to authenticate SmartConnector requests.

11 The Wizard first prompts you for Manager certificate information. The default selection
is No, the ArcSight Manager is not using a demo certificate. Choose Yes if ArcSight
Manager is using a demo certificate. (Before selecting this option, make sure the

ArcSight Confidential SmartConnector User’s Guide 23

4 Installing and Configuring SmartConnectors

Manager is, in fact, using a demo SSL certificate. If you are not certain, select No or
consult your system administrator.). If your ArcSight Manager is using a self-signed or
CA-signed SSL certificate, select No, the ArcSight Manager is not using a demo
certificate and click Next.

After completing the SmartConnector installation wizard, remember to

manually configure the connector for the type of SSL certificate your Manager
is using. Refer to the ArcSight ESM v4.0 Administrator's Guide for instructions
about configuring your SmartConnector when the Manager is using a self-
signed or CA-signed certificate and for instructions about enabling SSL client
authentication on SmartConnectors so that the Connectors and the Manager
authenticate each other before sending data.

12 On the next window, replace localhost with the host name of the Manager with
which the SmartConnector is to communicate (localhost is appropriate only when
the SmartConnector is installed on the same host as the Manager, which is not
recommended in a production environment). This name must match the host name in
the Manager’s certificate, which is usually the fully-qualified name. For example,
instead of gabriel, specify gabriel.sales.mycompany.com.

For Manager Port, leave the default value of 8443.

For AUP Master Destination, generally leave this false. If, however, you will have
one or more non-ESM destinations, and you want to share this ESM destination's AUP
configuration (such as zones) with those destinations, select true. Only do so for one
primary destination; if you select true for more than one primary destination or any
failover destination, the setting is ignored for all but the first such primary destination.

For Filter Out All Events, select true if you want a ll events filtered out. This means
the connector sends no events to this destination. This is useful when an ESM
destination is added solely for the purpose of being the AUP master; this value is
usually false unless the AUP Master Destination parameter is set to true.

24 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

13 Enter a valid ArcSight user name and password for the ArcSight ESM Manager. This is
the same user name and password you created during ESM Manager installation.

14 Select one of the possible SmartConnectors from the window displayed. Scroll down to
find the appropriate SmartConnector. If you are installing a syslog SmartConnector,
select the Syslog Pipe, File, or Daemon SmartConnector.

The SmartConnectors that appear in the list are those that can be installed on the
same platform from which you are running the installation program. For example, if
you are running on Windows, the list contains a list of those SmartConnectors that are
supported on Windows. Similarly, if you are running the installer on a Linux or Solaris-
based system, the installer displays a list of SmartConnectors supported on those
platforms.

15 After selecting the connector you want to install from the list of SmartConnectors, in
this example, Symantec Gateway Security/Enterprise Firewall NG File, click
Next.

ArcSight Confidential SmartConnector User’s Guide 25

4 Installing and Configuring SmartConnectors

16 The next window requests specific parameters for the particular SmartConnector you
selected. These parameters vary depending upon the device and are described and
explained in the SmartConnector Configuration Guide for the selected SmartConnector.

There are some SmartConnector types (such as Symantec Gateway

Security/Enterprise Firewall NG, shown in the following example) that require
parameter values to be entered into a table format. You can add this information
manually or import multiple hosts. See “Using Table Parameters” on page 29 for
detailed information.

To manually enter parameter values, click the Add button. See “Manually Entering
Parameter Values” on page 30 for details.

Click the Import button to locate the .csv file you want to import. Click the Export
button to create a .csv file containing the values you have entered in the parameter
table. See “Importing and Exporting CSV Files” on page 30 for details.

If there are no Import and Export buttons on the parameter entry window
for the connector you’ve selected, the parameters are not entered into a table
format and this feature does not apply.

17 Click Next when you have completed entering data.

26 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

18 Give your new SmartConnector a descriptive name to identify it for ArcSight Console
users. You also can specify optional location information and add any appropriate
comments.

In this context, SmartConnector Location refers to the host where you are
installing the SmartConnector and Device Location describes the host on which the
IDS, syslog, or other software is running. If the device is physical hardware, the
Device Location is particularly useful for specifying, for example, a certain position
within a specific rack.

19 Click Next when you have finished entering data.

20 Review the summary of data and click Next.

21 Most SmartConnectors can be installed as a Windows service (or Linux/UNIX daemon)

so that the SmartConnector runs automatically when the host is restarted. If the
SmartConnector is not configured as a service, it must be started manually whenever

ArcSight Confidential SmartConnector User’s Guide 27

4 Installing and Configuring SmartConnectors

it is not running. (For more information about running a SmartConnector as a service,

see “As a Windows Service” on page 37.) Select Yes or No and click Next.

If you choose to configure the SmartConnector to run as a service, the wizard prompts
you for the service’s internal and display names.

If you choose not to run the SmartConnector as a service, a window such as the
following is displayed.

22 Click Finish to complete connector configuration.

For some SmartConnectors, a system restart is required before the configuration settings
you made can take effect. If a System Restart window is displayed, read the information
and initiate the system restart operation.

Save any work on your computer or desktop and shut down any other running applications,
including the ArcSight Console, if it is running; then shut down the system.

28 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

Using Table Parameters

During SmartConnector installation, a connector using table parameters will show the
following type of window for entering parameter data.

The parameters for this type of SmartConnector can be entered manually for a few lines of
data, or, for a larger number of entries, you can import a .csv file. You can also create a
.csv file by exporting data you’ve already entered. See “Importing and Exporting CSV Files”
on page 30 for specific steps.

Please note the following when using this feature:

„ Columns that contain private data (shown as asterisks), such as passwords, will not
appear in exported files after using the Export button.
„ After importing a .csv file (using the Import button), data in private columns remain
hidden (shown as asterisks).
„ While you can manually enter a private column (either by adding the column to your
CSV within a spreadsheet program or by filling it in through the Configuration Wizard),
it still will not appear in any exported files. This is a precautionary measure.
„ Importing data from a .csv file (using the Import button) causes all existing data in
the table to be removed and replaced by the incoming data.

ArcSight Confidential SmartConnector User’s Guide 29

4 Installing and Configuring SmartConnectors

Manually Entering Parameter Values

To enter parameters manually, use the Add button to create fields and enter the data, as
shown below.

If needed, use the Export button to export your parameter table data into an external .csv
file to save for later use.

Importing and Exporting CSV Files

An easy way to quickly populate many lines of parameter data is to create a .csv file, then
use the Import button to fill the parameter entry table of the SmartConnector
Configuration Wizard.

To use the Import feature:

1 Using a spreadsheet program (such as Microsoft Excel), enter the parameter data into
a table and save it as a .csv file.

2 During SmartConnector installation, click the Import button to locate the .csv file you
created. The window provides a preview of the CSV’s contents.

30 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

3 Click the Import button on the Import window. This populates the SmartConnector
parameters fields, as shown below.

4 If you wish, you can add more rows manually (using the Add button) and then export
the resulting table (using the Export button) to an external .csv file for later use.

The example above shows a “Password” column within the Configuration

Wizard that does not appear in the original .csv file. This private column
does not contain actual password data and will not be included in an
exported file.

5 Click Next if you are finished entering data.

Installing SmartConnectors from the Command Line

To install ArcSight SmartConnectors without using the graphical user interface wizard,
enter –i console on the command line when you invoke the self-extracting archive.
Follow the instructions in the command window.

When the installation has successfully completed, manually run the configuration program
by executing runagentsetup.

Installing SmartConnectors in Silent Mode

You can run the ArcSight SmartConnector installation program in silent mode, in which
answers to wizard questions are provided by a Properties file. This feature is useful for
deploying a large number of identical SmartConnectors.

To use this feature, first install and configure one SmartConnector using the graphical-user
interface or the command line. While configuring the first SmartConnector, record its
configuration parameters in a Properties file. To install all other SmartConnectors in silent
mode, use the Properties file you created to provide configuration information.

ArcSight recommends creating and testing the properties file on a system

other than your in-service, production environment. Recording from such a
SmartConnector requires removal.

ArcSight Confidential SmartConnector User’s Guide 31

4 Installing and Configuring SmartConnectors

To record the configuration of a SmartConnector to a Properties file:

1 Run the SmartConnector Configuration Wizard to extract and install the

SmartConnector files. When the wizard asks you to click Done to run the wizard, click
Cancel. Confirm your choice to run the SmartConnector Configuration Wizard
manually.

2 From a command prompt window (from the ARCSIGHT_HOME\current\bin

directory), enter the following command to launch the SmartConnector
Configuration Wizard in record mode:

On Unix and Linux: ./runagentsetup.sh –i recorderui

On Windows: runagentsetup.bat -i recorderui

3 On the window displayed, enter the Silent Properties File Name to select an
existing file. Enter the name of the Installation Target Folder to select a location.

4 Continue through all SmartConnector Configuration Wizard windows. The wizard

creates a Properties file using the name and location you specified.

Perform the remaining steps on the system on which you want to install the
SmartConnector in silent mode:

5 Copy the Properties file from the other system to your current system, preferably to
the same directory where you downloaded the installation file.

6 Open the Properties file in an editor of your choice.

7 Find the ARCSIGHT_AGENTSETUP_PROPERTIES property in the file and make sure

that the path value is the absolute path to the location where you copied the
properties file on this system.

For example, if you copied the properties file to C:\Program

Files\ArcSightSmartConnectors, the path value should be as follows:

ARCSIGHT_AGENTSETUP_PROPERTIES=C\:\\Program
Files\\ArcSightSmartSmartConnectors\\silent_properties

The equal (=) and backslash (\) characters must be preceded by a backslash
(\).

32 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

8 Find the AgentDetailsPanel.smartConnectorname property in the file and

change its value to the name of the SmartConnector you are going to install in silent
mode, as shown in the following example:

#======================================================
# Panel 'AgentDetailsPanel'
#======================================================

# Select a name for your SmartConnector and specify location

parameters.

# SmartConnector Name
SmartConnectorDetailsPanel.smartConnectorname=SF_SmartConnector1

# Agent Location
AgentDetailsPanel.agentlocation=San Francisco

# Device Location
AgentDetailsPanel.devicelocation=Site_2.2.223

# Comment
AgentDetailsPanel.comment=

#===============================================

9 If appropriate, edit the following properties:

AgentDetailsPanel.agentlocation
AgentDetailsPanel.devicelocation
AgentDetailsPanel.comment

You can edit any property (Manager Information, user credentials) in the properties file to
suit your needs.

10 Save the properties file.

11 Download the SmartConnector installation file appropriate for your platform.

12 Run the following command to install the new SmartConnector in silent mode:

ArcSight_Agent_install_file -i silent –f properties_filename

The command launches the InstallShield program and installs the SmartConnector silently.

Example: To install a SmartConnector on Windows platform with the property file name
silent_properties, enter:

ArcSight-3.5.x.nnnn.y-Agent-Win.exe –i silent –f silent_properties

After installing ArcSight SmartConnectors, configure your system’s default

file permissions so that files created by ArcSight (events, log files, and so on)
are reasonably secure.

On UNIX systems, file permissions typically are set by adding the umask
command to your shell profile. An umask setting of 077, for example, would
deny read or write file access to any but the current user. An umask setting of
000 creates an unnecessary security hole.

ArcSight Confidential SmartConnector User’s Guide 33

4 Installing and Configuring SmartConnectors

Remotely Upgrading SmartConnectors

Only Windows, Linux, and Solaris platforms are supported for
SmartConnector remote upgrade from the ArcSight ESM Console.

ArcSight ESM now provides the ability to not only centrally manage and configure
SmartConnectors, but also to update them remotely. You can use the Upgrade command
on the ArcSight ESM Console to upgrade to newer versions of ArcSight SmartConnector
software for managed devices. (You also can use the Rollback command to revert to a
previous version of an upgraded SmartConnector.)

The Upgrade command lets you launch, manage, and review the status of upgrades for all
SmartConnectors. A failover mechanism launches SmartConnectors with previous versions
if upgrades fail. All communication and upgrade processes between components (Console,
Manager, and SmartConnectors) take place over secure connections.

The ArcSight ESM Console reflects current version information for all of your ArcSight
SmartConnectors.

Overview of the Upgrade Process

1 You will receive an e-mail notification about new SmartConnector releases from
ArcSight Customer Support.

2 Download the latest releases to the ArcSight ESM Manager available for
SmartConnector upgrades. Upgrade version files are delivered as .aup files (a
compressed file set).

3 Copy the .aup file to ARCSIGHT_HOME\updates\ onto a running ArcSight ESM

Manager. The Manager automatically unzips the .aup file and copies its content to
ARCSIGHT_HOME\repository\.)

4 From the ArcSight ESM Console, select SmartConnectors to be upgraded (one at a

time) and launch the upgrade command for each of them.

• If you have installed multiple SmartConnectors in a single JVM, select the

first connector installed in the JVM (if you select any other connector the
upgrade fails) and launch the upgrade command; this action upgrades all
connectors in the JVM.
• If your SmartConnector has multiple ESM Manger destinations, you must
perform this process from the primary ESM Console. Any attempt to
upgrade from a secondary or non-primary ESM Console destination will
fail.

5 Upon receipt of the upgrade command, the selected SmartConnectors upgrade

themselves, restart, and send upgrade results (success or failure) back to the ArcSight
ESM Console through the ESM Manager.

„ If the upgrade is successful, the new SmartConnector starts and reports successful
upgrade status.
„ If the upgraded SmartConnector fails to start, the original SmartConnector restarts
automatically as a failover measure.
For details about how to upgrade SmartConnectors from the Console, refer to the ArcSight
Console Help.

SmartConnectors automatically determine their upgrade status when they start.

34 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

„ When upgrading SmartConnectors, be sure to download current versions of the

SmartConnector Configuration Guides from the ArcSight Customer Support website.
These are the most current configuration guides available and contain information
specific to the connector device.
„ Administrative permission is required to upgrade Connectors.
„ Versions of the Connectors you want to upgrade must be available on the Manager to
which you are connected.
„ The option for remote upgrade is available only in ArcSight ESM v4.0 Console and only
for version 4.0.2.xxxx.0 or newer SmartConnectors. Earlier versions of connectors
(formerly known as SmartAgents) must be upgraded manually per the original process
by installing a newer version of the SmartConnector.
„ As a prerequisite to upgrading Connectors, both the ArcSight ESM Manager and the
SmartConnector you want to upgrade must be running.

Rolling Back to a Previous Version

You can roll back an upgraded SmartConnector to the previous version with the Rollback
command. Refer to the ArcSight Console online Help for details on how to use the Rollback
command.

Administrative permission is required to roll back SmartConnectors.

The option for SmartConnector rollback is available only in ArcSight Console v4.0 and only
on previously upgraded SmartConnector versions 4.0.2.xxxx.0 or newer.

Rollback automatically reinstates the most recent version prior to the currently installed
version. You cannot do a remote rollback on a SmartConnector other than the previously
installed version.

For example, if you start with a SmartConnector of version 4.0.2.4793, upgrade to

4.0.2.4794, then upgrade again to 4.0.2.4795, a remote rollback at this point
re-installs/starts SmartConnector version 4.0.2.4794. You can only roll back to an earlier
version manually.

Troubleshooting
If an upgrade or rollback fails, you can review the related logs. Choose Send Command
-> Tech Support -> Get Upgrade Logs from the ArcSight Console menus.

You can also use the Send Logs Wizard to collect and send logs, including upgrade logs, to
ArcSight for support help.

Uninstalling a SmartConnector
Before uninstalling a SmartConnector that is running as a service or daemon, first stop the
service or daemon.

To uninstall on Windows platforms, open the Start menu. Run the Uninstall
SmartConnectors program found under All Programs -> ArcSight
SmartConnectors. If SmartConnectors were not installed on the Start menu, locate the
ARCSIGHT_HOME\current\UninstallerData folder and run:

Uninstall_ArcSight_Agents.exe

ArcSight Confidential SmartConnector User’s Guide 35

4 Installing and Configuring SmartConnectors

To uninstall on UNIX platform, open a command window on the

ARCSIGHT_HOME\current\UninstallerData directory and run the command:

./Uninstall_ArcSight_Agents

The UninstallerData directory contains a file .com.zerog.registry.xml with

Read, Write, and Execute permissions for everyone. On Windows platforms,
these permissions are required for the uninstaller to work. However, on UNIX
platforms, you can change the permissions to Read and Write for everyone
(that is, 666).
The Uninstaller does not remove all the files and directories under the
ArcSight SmartConnector home folder. After completing the uninstall
procedure, manually delete these folders.

Modifying SmartConnector Parameters after

Installation
If you want to modify any of the ArcSight SmartConnector parameters after installation,
including configuring the SmartConnector to run as a service or standalone application, you
can run the SmartConnector Configuration Wizard again after completing the initial
installation and configuration.

The SmartConnector must be installed on the computer, server, or

workstation on which it was originally installed.

Stop the ArcSight SmartConnector and execute the following command from the
$ARCSIGHT_HOME\current\bin directory:

For UNIX platforms:

./runagentsetup.sh

For Windows platforms:

runagentsetup

Running SmartConnectors
SmartConnectors can be installed and run in standalone mode, as a Windows service, or
as a UNIX daemon. If installed standalone, the SmartConnector must be started manually,
and is not automatically active when a host is re-started. If installed as a Windows service
or UNIX daemon, the SmartConnector runs automatically when the host is re-started.

Some SmartConnectors require that you restart your system before

configuration changes take effect.
SmartConnectors for scanners present a special case. To run a scanner
SmartConnector in interactive mode, run in standalone and not as a Windows
service or Linux/UNIX daemon.

Standalone
To run all installed SmartConnectors on a particular host, open a command window, go to
ARCSIGHT_HOME\current\bin and run:

36 SmartConnector User’s Guide ArcSight Confidential

 4 Installing and Configuring SmartConnectors

arcsight connectors

To view the SmartConnector log, read the file:

ARCSIGHT_HOME\current\logs\agent.log

To stop all SmartConnectors, enter Ctrl+C in the command window.

On Windows platforms, SmartConnectors also can be run using shortcuts and

optional Start Menu entries.

As a Windows Service
SmartConnectors installed as a service can be started and stopped manually using
platform-specific procedures.

To start or stop SmartConnectors installed as services on Windows platforms:

1 Right-click on My Computer, then select Manage from the Context menu.

2 Expand the Services and Applications folder and select Services.

3 Right-click on the ArcSight SmartConnector service name and select Start to begin
running the SmartConnector or Stop to stop running the service.

To verify that a SmartConnector service has started, view the file:

ARCSIGHT_HOME\logs\agent.out.wrapper.log

To reconfigure a SmartConnector as a service, run the SmartConnector Configuration

Wizard again. Open a command window on $ARCSIGHT_HOME\current\bin and run:

runagentsetup

As a UNIX Daemon
SmartConnectors installed as a daemon can be started and stopped manually using
platform-specific procedures.

On UNIX systems, when you configure a SmartConnector to run automatically, ArcSight

creates a control script in the /etc/init.d directory. To start or stop a particular
SmartConnector, find the control script and run it with either a start or stop command
parameter.

For example:

/etc/init.d/arc_serviceName {start|stop}

To verify that a SmartConnector service has started, view the file:

ARCSIGHT_HOME/logs/agent.out.wrapper.log

To reconfigure SmartConnectors as a daemon, run the SmartConnector Configuration

Wizard again. Open a command window on $ARCSIGHT_HOME/current/bin and enter:

runagentsetup

ArcSight Confidential SmartConnector User’s Guide 37

4 Installing and Configuring SmartConnectors

38 SmartConnector User’s Guide ArcSight Confidential

 Chapter 5
Using SmartConnectors with
Connector Appliance

The following topics are covered in this chapter:

“Using SmartConnectors on the Connector Appliance” on page 41

“Choosing an Event Destination” on page 42
“Choosing a Deployment Scenario” on page 43

ArcSight Connector Appliance is a hardware solution that incorporates a number of

onboard ArcSight SmartConnectors and a web-based user interface that provides
centralized management for SmartConnectors across a potentially large number of hosts.

The Connector Appliance centralizes SmartConnector management and offers unified

control of SmartConnectors on

„ The Connector Appliance

„ Remote Connector Appliances
„ Software-based SmartConnectors (installed on remote hosts)

ArcSight Confidential SmartConnector User’s Guide 39

5 Using SmartConnectors with Connector Appliance

Figure 5-1 ArcSight Connector Appliance includes on-board SmartConnectors that connect
event sources to destinations such as ArcSight Logger and ArcSight ESM.

The benefits of Connector Appliance include the following:

„ Supports bulk operations across all SmartConnectors and is particularly desirable in

ArcSight ESM deployments with a large number of SmartConnectors, such as a
Managed Security Services Provider (MSSP).
„ Provides an ArcSight ESM-like SmartConnector management facility in Logger-only
environments.
„ Provides a single interface through which to configure, monitor, tune, and update
SmartConnectors. The Connector Appliance does not receive events from the
SmartConnectors it manages, and this allows for management of many connectors at
one time. The Connector Appliance does not affect working SmartConnectors unless it
is used to change their configuration. In some cases, the SmartConnector is
commanded to restart.

40 SmartConnector User’s Guide ArcSight Confidential

 5 Using SmartConnectors with Connector Appliance

Figure 5-2 Connector Appliance manages all your SmartConnectors

SmartConnectors that forward events to ArcSight ESM can be managed using the ESM
Console, so the Connector Appliance is not required if all SmartConnectors have ESM as
their only destination. However, the Connector Appliance is very useful when connectors
target multiple heterogeneous destinations (for example, when ArcSight Logger is
deployed along with ESM), in a Logger-only environment, or when a large number of
SmartConnectors are involved, such as in a MSSP deployment.

Connector Appliance SmartConnectors operate within Containers. Each Container runs its
own Java Virtual Machine (JVM). Containers contain one or more SmartConnectors.

Using SmartConnectors on the Connector Appliance

The Connector Appliance manages three types of SmartConnector:

„ Local (on-board) SmartConnectors

„ Remote Connector Appliance SmartConnectors
„ Software-based SmartConnectors

Local (on-board) SmartConnectors

The Connector Appliance includes multiple Containers and on-board SmartConnectors. The
manager interface can be used to manage these local SmartConnectors as well as remote
connectors.

High load on on-board connectors may impact performance of the Connector

Appliance’s web-based interface.

ArcSight Confidential SmartConnector User’s Guide 41

5 Using SmartConnectors with Connector Appliance

Remote Connector Appliance SmartConnectors

The Connector Appliance can manage SmartConnectors on remote Connector Appliances,
as well as other ArcSight hardware solutions such as ArcSight Logger.

Software-Based SmartConnectors
The Connector Appliance can remotely manage SmartConnectors running on any network-
accessible host. These SmartConnectors must be configured for remote management.

Only fifth-generation SmartConnectors support remote management, so

you'll need connector build 4855 (4.0.5.4878.0) or higher to use this
feature.
If you install software SmartConnectors on your own hardware, you will need
to edit the agent.properties file to allow for remote management.
Remote management is turned off by default.

Multiple software-based SmartConnectors installed on the same host require

a separate port assignment. The default port for ArcSight SmartConnectors is
9001, so the second SmartConnector installed on the same host should use
an alternate port. ArcSight recommends using port 9002, 9003, 9004, and so
on.

Supported SmartConnectors
For a complete list of all SmartConnectors supported by the Connector Appliance, see the
Connector Appliance Release Notes or visit the ArcSight Customer Support website. New
SmartConnectors are added on a regular basis.

Choosing an Event Destination

Event destinations may include ArcSight ESM (or ArcSight Manager), ArcSight Logger,
CEF syslog, or a log file.

Manager
When SmartConnectors send events to an ArcSight ESM Manager, the Manager stores the
events in a relational database, processes them using its correlation engine, and makes
them visible to the ArcSight Console or ArcSight Web interfaces.

Logger
SmartConnectors can send CEF events to ArcSight Logger using an encrypted, optionally
compressed, channel called SmartMessage. Logger can also receive CEF Syslog events
from SmartConnectors.

For more detailed information about Logger, see Chapter 6‚ Using SmartConnectors with
ArcSight Logger‚ on page 45

CEF Syslog
SmartConnectors can forward events as syslog messages. In this case, the normalized
event is sent using Common Event Format (CEF) which uses name/value pairs. The
Connector Appliance can send syslog over UDP or TCP.

42 SmartConnector User’s Guide ArcSight Confidential

 5 Using SmartConnectors with Connector Appliance

Failover Destination
Each SmartConnector destination can have a failover destination. When communication
with the primary destination fails, the SmartConnector automatically begins sending events
to the designated failover. Failover only works with communication protocols that can
detect transmission failure, such as TCP.

For steps to create a failover destination, see Chapter 8‚ Failover Destinations‚ on page 93.

Alternate Configurations
You can define alternate configurations for SmartConnectors and specify when the
alternate should be active. For example, aggregation might be specified during peak times
to reduce the number of events moving on the network, and disabled during other times.

Choosing a Deployment Scenario

The Connector Appliance can be deployed wherever ArcSight SmartConnectors are needed
and provides the following benefits:

„ SmartConnector management without ArcSight ESM (that is, Logger-only

environments)
„ Remote control of runtime parameters, such as bandwidth control
„ Centralized SmartConnector upgrade management and control
„ Central troubleshooting of specific SmartConnectors

ArcSight Logger
ArcSight Logger receives and sends events from and to ArcSight SmartConnectors, but
lacks the depth of SmartConnector management found in ArcSight ESM.

A Logger-only deployment benefits from the Connector Appliance in many capacities, and
provides most of ESM’s management functionality, but not all (it does not contain the filter
designer, for example). The Connector Appliance also offers new features, such as bulk
operations (enabling control of many Smartconnectors at one time), that ESM does not.

Connector Appliance can also configure SmartConnectors with failover destinations,

providing central failover control when redundant Loggers are deployed for this purpose.
All or some SmartConnectors can be configured to send events to a second Logger or to an
event file in the case of communication failure with the primary destination.

For more detailed information about Logger, see Chapter 6‚ Using SmartConnectors with
ArcSight Logger‚ on page 45

ArcSight ESM
Deploying the Connector Appliance in an ArcSight ESM environment centralizes
SmartConnector upgrade, log management, and other configuration issues. For more
information, see Chapter 7‚ Configuring SmartConnectors through the Console‚ on page 65.

ESM and Logger

Connector Appliance centralizes control when events are sent to ESM and Logger
simultaneously. In one scenario, all events are sent to Logger while only high-value events

ArcSight Confidential SmartConnector User’s Guide 43

5 Using SmartConnectors with Connector Appliance

are sent to ESM (for further analysis, for example). In another scenario, all events are sent
to both, but Logger implements a longer retention policy.

Although each SmartConnector has specific destination parameters, the Connector

Appliance allows for “bulk” management, removing the need to manually access each
remote SmartConnector host to add or change destinations.

For more detailed information and instructions for using Connector Appliance, refer to the
Connector Appliance Administrator’s Guide.

44 SmartConnector User’s Guide ArcSight Confidential

 Chapter 6
Using SmartConnectors with
ArcSight Logger

The following topics are covered in this chapter:

“Sending Events from Logger to an ArcSight ESM Manger” on page 45

“Logger and SmartMessage” on page 45
“Sending Events to Logger” on page 46
“Sending Events to Both Logger and an ESM Manager” on page 48
“Sending Events from ArcSight ESM to Logger” on page 50
“Defining SmartConnector Settings in Logger” on page 52

ArcSight Logger is a hardware storage solution optimized for extremely high event
throughput. Logger logs (or stores) time-stamped text messages, called events, at high
sustained input rates. Events consist of a receipt time, a source (host name or IP address),
and an un-parsed message portion. Logger compresses raw data, but also can retrieve it in
an unmodified form for forensics-quality litigation reporting. Unlike ArcSight ESM, Logger
does not "normalize" events.

Multiple Loggers can work together to support an extremely high event volume. Logger can
be configured as a peer network with queries distributed across all peer Loggers.

Sending Events from Logger to an ArcSight ESM

Manger
Logger’s most basic function is to store a large volume of security events. Logger can send
a subset of these events to an ArcSight ESM Manager. It sends syslog and/or common
event format (CEF) events directly to ArcSight ESM through a built-in SmartConnector
called an ESM Destination. An ESM Destination appears as a SmartConnector to an ESM
Console. For more information about ESM Destinations, refer to the ArcSight Logger
Administrator’s Guide.

Logger and SmartMessage

SmartMessage is ArcSight technology used by Logger to provide a secure channel between
SmartConnectors and ArcSight Logger. SmartMessage provides an end-to-end encrypted

ArcSight Confidential SmartConnector User’s Guide 45

6 Using SmartConnectors with ArcSight Logger

secure channel. At one end is an ArcSight SmartConnector, receiving events from the many
devices it supports; on the other end is SmartMessage Receiver on Logger.

The SmartMessage secure channel uses HTTPS (secure sockets layer

protocol) to send encrypted events to Logger. This is similar to, but different
from, the encrypted binary protocol used between SmartConnectors and
ArcSight ESM Manager.
Use port 443 (rather than ArcSight's traditional port 8443) because the
secure channel uses HTTPS.

Figure 6-1 Logger Receivers (R) and Forwarders (F)

Sending Events to Logger

1 Set up the SmartMessage Receiver on Logger (Refer to the ArcSight Logger
Administrator’s Guide for detailed instructions).
2 Install the SmartConnector component as previously shown (see Chapter 4‚ Installing
and Configuring SmartConnectors‚ on page 19 for detailed instructions).

46 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with ArcSight Logger

3 Navigate through the panels to the one that states Please select the destination
type: and select ArcSight Logger SmartMessage (encrypted). Click Next.

4 Enter the Logger Host Name/IP, leave the port number at default (443), and enter
the Receiver Name. This setting should match the Receiver name you created in
step 1 so that Logger can listen to events from this SmartConnector. Click Next.

ArcSight Confidential SmartConnector User’s Guide 47

6 Using SmartConnectors with ArcSight Logger

5 Navigate through the subsequent panels until receiving a message that confirms the
configuration was successful. Click Finish to complete the process and exit the wizard.

Sending Events to Both Logger and an ESM Manager

1 Set up the SmartMessage Receiver on Logger (refer to the ArcSight Logger
Administrator’s Guide for detailed instructions).
2 Install the SmartConnector component as previously shown (see Chapter 4‚ Installing
and Configuring SmartConnectors‚ on page 19 for detailed instructions).

3 Register the SmartConnector with a running ArcSight ESM Manager and test that the
SmartConnector is up and running.

4 Using the $ARCSIGHT_HOME\current\bin\runagentsetup script (or arcsight

agentsetup -w), restart the SmartConnector configuration program.

5 When the SmartConnector Configuration Wizard is displayed, select I want to

add/remove/modify ArcSight Manager destinations and click Next.

48 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with ArcSight Logger

6 Select Add new destination and click Next.

7 Select ArcSight Logger SmartMessage (encrypted).

8 Specify the Host Name/IP, the desired Port, and select either Disabled (the default
value) or Enabled data compression. Click Next.

ArcSight Confidential SmartConnector User’s Guide 49

6 Using SmartConnectors with ArcSight Logger

9 A message confirms that the configuration was successful. Click Finish to complete
the process and exit the wizard.

10 Restart the SmartConnector for changes to take effect.

Sending Events from ArcSight ESM to Logger

The ArcSight Forwarding SmartConnector can read events from an ESM Manager and
forward them to Logger using CEF format.

Configuring the Forwarding Connector to Send Events to

Logger
The Forwarding SmartConnector is a separate installable file, named similarly
to this: ArcSight-4.x.x.<build>.x-SuperConnector-<platform>.exe.
Use ArcSight Forwarding Connector build 4810 or later for compatibility with
Logger v1.5 or later.

50 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with ArcSight Logger

1 Install the SmartConnector component normally, but click Cancel to exit the
installation when the Configuration Wizard asks whether the target Manager uses a
demo certificate, as shown below.

2 Confirm that you want to exit, then click Done to close the wizard. This installs the
SmartConnector core software.

3 Create a file called agent.properties in the directory

$ARCSIGHT_HOME\current\user\agent. This file should contain a single line:

transport.default.type=cefsyslog

4 Return to the SmartConnector Configuration Wizard using the

$ARCSIGHT_HOME\current\bin\runagentsetup script (or arcsight
agentsetup -w).

5 Specify the required parameters for CEF output. Enter the desired port for UDP or TCP
output. These settings should match the Receiver you created in Logger to listen for
events from ArcSight ESM.

Parameter Description

Ip/Host IP or host name of the Logger

Port 514 or another port that matches the Receiver

Protocol UDP or Raw TCP

ArcSight Source Manager IP or host name of the source ArcSight ESM

Host Name Manager

ArcSight Source Manager 8443 (default)

Port

ArcSight Source Manager A user account on the source Manager with the
User Name user type set to Super Agent. This user must have
privileges that allow event reading.

ArcSight Source Manager Password for the specified ESM Manager user
Password account

SmartConnector Name A name for the ESM-to-Logger connector (visible

in the Manager)

SmartConnector Location Notation of where this SmartConnector is installed

ArcSight Confidential SmartConnector User’s Guide 51

6 Using SmartConnectors with ArcSight Logger

Parameter Description

Device Location Notation of where the source ESM Manager is

installed

Comment Optional comments

To configure the ArcSight Forwarding SmartConnector to send CEF output to Logger and
send events to another ArcSight ESM Manager at the same time, see “Sending Events to
Both Logger and an ESM Manager” on page 48.

Defining SmartConnector Settings in Logger

After installing the SmartConnectors to communicate with Logger, you can set up their
properties through the SmartConnector Configuration Wizard. Assuming you have installed
the SmartConnector component as previously shown (see Chapter 4‚ Installing and
Configuring SmartConnectors‚ on page 19 for detailed instructions), complete these steps:

1 Using the $ARCSIGHT_HOME\current\bin\runagentsetup script (or

arcsight agentsetup -w), restart the SmartConnector configuration program.

2 After the SmartConnector Configuration Wizard is displayed, select I want to

add/remove/modify ArcSight Manager destinations and click Next.

52 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with ArcSight Logger

3 Select ArcSight Logger SmartMessage (encrypted) and click Next.

4 Select Modify destination settings and click Next.

ArcSight Confidential SmartConnector User’s Guide 53

6 Using SmartConnectors with ArcSight Logger

5 The following window provides a choice of destination settings to modify. For this
example, select Time Correction and click Next.

For detailed descriptions of each configurable setting, see Chapter 7‚

Configuring SmartConnectors through the Console‚ on page 65.
For detailed instructions on using the Filter option, see Chapter 7‚ Using
Filters in the SmartConnector Configuration Wizard‚ on page 83.

6 Each choice opens a unique set of windows to configure. Modify the appropriate
settings and click Next.

54 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with ArcSight Logger

7 The next window asks whether you want to end the session or select new destination
settings to modify. To make additional modifications, select No; to end the session,
select Yes.

8 When No is selected, the list of destination settings is redisplayed. When Yes is

selected, click Finish to end the session.

ArcSight Confidential SmartConnector User’s Guide 55

6 Using SmartConnectors with ArcSight Logger

56 SmartConnector User’s Guide ArcSight Confidential

 Chapter 6
Using SmartConnectors with NSP

The following topics are covered in this chapter:

“Deploying a Syslog SmartConnector with NCM/TRM” on page 58

“Configuring the Syslog SmartConnectors” on page 59
“Installing the SmartConnector” on page 61

ArcSight NSP is an appliance that consists of these two licensed software components, also
known as managers:

„ Network Configuration Manager (NCM)

„ Threat Response Manager (TRM)
These two components build and maintain a detailed understanding of your network’s
topology, enabling you to centrally manage your network infrastructure and rapidly respond
to security incidents.

The NCM/TRM solution enables you to automate network configuration changes across
heterogeneous networks, manage and audit configuration changes on the network from a
central console, and obtain quick and easy web-based reports for network device inventory
and configuration settings.

The ArcSight Syslog SmartConnector increases NCM/TRM’s visibility into the network. It
detects network configuration changes in syslog format using SNMP traps, which can then
trigger NCM/TRM to launch an action to poll the network devices for the complete, new
configuration.

The benefits of the NCM/TRM solution include:

„ Complete visibility into all changes being made to network devices, even if the
changes are made directly to the network devices.
„ Real-time detection and notification for any non-compliant or unauthorized changes.
„ Ensured compliance with internal standard operating procedures as well as external
regulations.

The following instructions apply to SmartConnector version 4.0.6 and

later, which supports SmartMessage communication with NCM/TRM. If you
do not have this or a later SmartConnector build, download the latest from
the ArcSight Customer Support Site.

ArcSight Confidential SmartConnector User’s Guide 57

6 Using SmartConnectors with NSP

Deploying a Syslog SmartConnector with NCM/TRM

Deploying NCM/TRM with an ArcSight Syslog Connector also connects NCM/TRM to
ArcSight ESM, enabling you to use ESM's correlation, trending, reporting, and monitoring
tools to track network configuration activity in conjunction with other activity on your
network. An ArcSight Syslog Connector can also connect NCM/TRM with ArcSight Logger,
which provides a clearer picture of network configuration changes happening on your
network.

Other uses for deploying syslog SmartConnectors in conjunction with NCM/TRM include:

„ Enabling a hybrid configuration and change control model that permits certain
changes to be made directly to network devices, while still maintaining control,
visibility, auditing, and compliance for all changes in a central repository (NCM/TRM).
„ Providing a closed-loop solution for capturing network configuration related event
information from all sources from which the change can be made (NCM/TRM directly,
proxied through NCM/TRM, or directly to the device) and forwarding this information
to ESM in an integrated manner.
The SmartConnector installation wizard contains an NSP Device Poll Listener
destination. The Device Poll Listener detects when changes are made to network devices
outside of NCM/TRM. The SmartConnector captures these changes by collecting syslog
output from modified network devices and categorizes the events for ESM.

The SmartConnector then initiates an action through NCM/TRM to poll the specific modified
network devices to determine the precise changes made to the configuration.

At the same time, NCM/TRM can run audits automatically to determine whether the
particular change caused the configuration to fall into a non-compliant state. NCM/TRM
determines this by comparing the current device configuration parameters against the
pre-defined policy or benchmark. If there is a deviation from the policy, the audit fails and
an alert is sent to the appropriate personnel within the organization, notifying them of the
audit failure so they can take immediate action.

You also have the option of forwarding all categorized events to ArcSight ESM or Logger in
a normalized format through ArcSight Common Event Format (CEF) for further analysis or
storage.

By capturing these changes and immediately prompting NCM/TRM to run a device poll or
audit at the precise time of the configuration change, this solution provides an automatic,
real-time, closed-feedback loop for all configuration changes, even if they are made directly
to network devices outside the scope of NCM/TRM.

58 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with NSP

The following diagram depicts the Syslog SmartConnector solution deployed with
NCM/TRM and ESM.

Figure 6-1 The Syslog SmartConnector solution deployed with ArcSight NSP

The NCM/TRM solution can also be used to remediate the non-compliant

device by rolling back to the previous configuration, or by making the specific
configuration changes required to return the device into a state that is
compliant with the policy or benchmark.

Please keep the following in mind when configuring and deploying NCM/TRM:

„ It is optional to run NCM/TRM as an audit while the device is polled; however, it does
require that audits be currently subscribed to that particular network device or device
group.
„ Alert options include syslog, SNMP, and e-mail.
„ Remediation is an optional step, as some administrators may simply want to be alerted
of the change so they can take their own actions; however, remediation requires that
the appropriate remediation links be built in advance.
„ It is optional to forward events to ESM or Logger. Neither appliance is required for this
solution to be fully functional.
„ For NCM/TRM to poll a network device, it must be previously known within the
network.

Configuring the Syslog SmartConnectors

This section describes the Syslog SmartConnectors in more detail, and provides instructions
for how to configure them once the SmartConnector appropriate for your operating system
is installed.

ArcSight Confidential SmartConnector User’s Guide 59

6 Using SmartConnectors with NSP

The Syslog Daemon SmartConnector

The Syslog Daemon SmartConnector is a syslogd-compatible daemon designed to work in
operating systems that have no syslog daemon in their default configuration, such as
Microsoft Windows. The ArcSight syslog daemon connector implements a UDP receiver on
port 514 (configurable) that can be used to receive syslog events.

If you are using the syslog daemon connector, simply start the connector, either as a
service or as a standalone application, to start receiving events; no further configuration is
needed.

Messages longer than 1024K are split into multiple messages on syslog
daemon; no such restriction exists on syslog file or pipe.

The Syslog Pipe and File SmartConnectors

When a syslog daemon is already in place and configured to receive syslog messages, an
extra line in the syslog configuration file (syslog.conf) can be added to write the events to
either a file or a system pipe. ArcSight SmartConnector can then be configured to read
the events from this file or pipe. In this scenario, the ArcSight SmartConnector runs on the
same machine as the syslog daemon.

The Syslog Pipe SmartConnector is designed to work with an existing syslog daemon.
This SmartConnector is especially useful when storage space is a factor. In this case,
syslogd is configured to write to a named pipe, and the Syslog Pipe SmartConnector reads
from it to receive events.

The Syslog File SmartConnector is similar to the Syslog Pipe SmartConnector; however,
this SmartConnector monitors events written to a syslog file (such as messages.log) rather
than to a system pipe.

Configuring the Syslog Pipe or File SmartConnector

Once the SmartConnector is installed (see Chapter 4‚ Installing and Configuring
SmartConnectors‚ on page 19), configuration is required to set up your existing syslog
infrastructure to send events to the ArcSight Syslog Pipe or File SmartConnector.

The standard UNIX implementation of a syslog daemon reads the configuration parameters
from the /etc/syslog.conf file, which contains specific details about which events to
write to files, write to pipes, or send to another host. First, create a pipe or a file; then
modify the /etc/syslog.conf file to send events to it.

For syslog pipe:

1 Create a pipe by executing the following command:

mkfifo /var/tmp/syspipe

2 Add the following line to your /etc/syslog.conf file:

*.debug /var/tmp/syspipe

For syslog pipe on Linux, use:

*.debug |/var/tmp/syspipe

60 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with NSP

3 After you have modified the file, restart the syslog daemon either by executing the
scripts /etc/init.d/syslogd stop and /etc/init.d/syslogd start, or by
sending a `configuration restart` signal.

On RedHat Linux, execute:

service syslog restart

On Solaris and other types of Unix, execute:

kill -HUP ‘cat /var/run/syslog.pid’

This command forces the syslog daemon to reload the configuration and start writing
to the pipe you just created.

For syslog file:

1 Create a file or use the default for the file into which log messages are to be written.

For Solaris, the default is /var/adm/messages

For Linux, the default is var/log/messages

2 After editing the /etc/syslog.conf file, restart the syslog daemon as described
above.

The SmartConnector Installation Wizard, then prompts you for the absolute path to the
syslog file or pipe you created.

Installing the SmartConnector

Install the daemon, syslog pip or syslog file SmartConnector appropriate for your operating
system using the SmartConnector Installation Wizard. The wizard will guide you through
the installation process. When prompted, select one of the following Syslog
SmartConnectors (see “Configuring the Syslog Pipe or File SmartConnector” on page 60
for more information):

„ Syslog Daemon
„ Syslog Pipe
„ Syslog File
The Syslog Daemon SmartConnector is supported on Windows, Linux, Solaris, and AIX
platforms. The Syslog Pipe and File Smartconnectors are supported on Linux, Solaris, AIX,
and HP UNIX.

Because all syslog SmartConnectors are sub-connectors of the main syslog

SmartConnector, the name of the specific syslog SmartConnector you are
installing is not required during installation.

The syslog daemon listens on port 514 (configurable) for UDP syslog events; the syslog
pipe and syslog file read events from a system pipe or file, respectively. Select the one that
best fits your syslog infrastructure setup.

Before installing the SmartConnector, be sure the following are available:

„ Local access to the machine where the SmartConnector is to be installed

„ Administrator passwords

ArcSight Confidential SmartConnector User’s Guide 61

6 Using SmartConnectors with NSP

To install a syslog SmartConnector to send events to the NSP Device Poll Listener:

1 Insert the ArcSight Installation CD into your CD-ROM drive or navigate to the location
of the ArcSight SmartConnector Installer directory.

2 Start the ArcSight SmartConnector Installer by running the executable for your
operating system.

When installing a syslog daemon SmartConnector in a UNIX environment, run

the executable as 'root' user.

3 Follow the installation wizard through the following folder selection tasks and
installation of the core connector software:

Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...

When the installation of ArcSight SmartConnector core component software is

finished, the following window is displayed:

4 Select NSP Device Poll Listener from the selections and click Next.

62 SmartConnector User’s Guide ArcSight Confidential

 6 Using SmartConnectors with NSP

5 Enter the NCM Host name or IP address, the NCM/TRM User, and the NCM/TRM
Password. The NCM/TRM Host is the IP address or hostname of the NCM/TRM
system that will interact with the syslog connector. The NCM/TRM User and
NCM/TRM Password are the user name and password credentials you use to log
into the NCM/TRM system.

6 Click Next.

7 The Configuration Wizard displays a list of available SmartConnectors you can

configure. Select Syslog Daemon, Syslog Pipe, or Syslog File and click Next.

8 Enter the required SmartConnector parameters to configure the SmartConnector, then

click Next.

Parameter Field Description

Syslog Network port The SmartConnector for Syslog Daemon listens for
Daemon syslog events on this port.
Parameters

IP Address The SmartConnector for Syslog Daemon listens for

syslog events only on this IP address (accept the
default (ALL) to bind to all available IP addresses).

Protocol The SmartConnector for Syslog Daemon uses the

selected protocol (UDP or Raw TCP) to receive
incoming messages.

Syslog Pipe Pipe Absolute Absolute path to the pipe, or accept the default:
Parameters Path Name /var/tmp/syspipe

Protocol The SmartConnector for Syslog Pipe uses the

selected protocol (UDP or Raw TCP) to receive
incoming messages.

Syslog File File Absolute Absolute path to the file, or accept the default:
Parameter Path Name /var/adm/messages (Solaris) or
/var/log/messages (Linux)

Protocol The SmartConnector for Syslog File uses the

selected protocol (UDP or Raw TCP) to receive
incoming messages.

ArcSight Confidential SmartConnector User’s Guide 63

6 Using SmartConnectors with NSP

9 Enter a name for the SmartConnector and provide any other information that identifies
how the connector is used in your environment. Click Next.

10 Read the SmartConnector summary and click Next. If the summary is incorrect, click
Back to make changes.

11 When the SmartConnector completes its configuration, click Next. The Wizard now
prompts you to choose whether you want to run the SmartConnector stand-alone or
as a service. If you choose to run the SmartConnector as a service, the Wizard
prompts you to define service parameters for the SmartConnector.

When running any SmartConnector as a service on Windows, specify the

file path in UNC (for example, \\10.0.111.4\xyz) and not as a network
mapped drive (Z:\xyz). Also, you will most likely need to change the
user who runs the service (by default SYSTEM), because the user running
the service must have access to the UNC path.

12 After making your selections, click Next. The Wizard displays a dialog confirming the
SmartConnector's setup and service configuration.

13 Click Finish.

For some SmartConnectors, a system restart is required before the configuration

settings you made take effect. If a System Restart window is displayed, read the
information and initiate the system restart operation.

Save any work on your computer or desktop and shut down any other
running applications (including the ArcSight Console, if it is running),
then shut down the system.

64 SmartConnector User’s Guide ArcSight Confidential

 Chapter 7
Configuring SmartConnectors through
the Console

Using the ArcSight ESM Console, you can configure and send control commands to
ArcSight SmartConnectors, set conditions that filter out events, and set ArcSight severity
levels. This chapter presents the basic information; for more detailed information about
managing ArcSight SmartConnectors, refer to the ArcSight ESM v4.0 Administrator’s Guide
and the ArcSight ESM Console Help.

The following topics are discussed in this chapter:

“Overview” on page 65
“Obtaining SmartConnector Status” on page 66
“Selecting and Setting SmartConnector Parameters” on page 66
“SmartConnector Time Interval Options” on page 85
“Setting Special Severity Levels” on page 86
“Setting Special Severity Levels” on page 86
“Sending Control Commands to SmartConnectors” on page 87
“Disabling Event Compression” on page 89

Overview
ArcSight SmartConnectors can be configured to optimize their performance and increase
their function. You can configure them to enable aggregation, batching, and time
correction as well as to send control commands from the ArcSight Console to ArcSight
SmartConnectors to manage the flow of events.

Based upon filtering conditions, ArcSight SmartConnectors can filter events sent to the
ArcSight ESM Manager. Filtering conditions are set with a combination of AND or OR
statements and data field values. Extraneous events can be filtered out to minimize the
number of events sent to the ESM Manager and displayed in the Console.

Events filtered out by ArcSight SmartConnectors are not reported to the

ArcSight ESM Manager, so they will not be stored or be available later from
the ArcSight Database.

You can configure SmartConnectors to set a specific severity level for events that match
specific criteria. One typical application is to change the default severity mapping. By

ArcSight Confidential SmartConnector User’s Guide 65

7 Configuring SmartConnectors through the Console

default, SmartConnectors map the device severity (which can contain multiple levels) to
the standard ArcSight severity levels: Very High, High, Medium, and Low.

For example, if a device has eight severity levels (0-7), where 0 is the highest severity,
most likely 0 and 1 are mapped to Very High, 2 and 3 to High, 4 and 5 to Medium, and
6 and 7 to Low. You can change this behavior and make the SmartConnector set the
severity based upon different parameters.

Obtaining SmartConnector Status

ArcSight SmartConnectors display their status on the Connectors tab in the Navigator
window of the ArcSight ESM Console. One of the following messages is displayed next to
the SmartConnector name:

down

The SmartConnector is not connected to the ESM Manager; therefore, no events are
received.

running

The SmartConnector is connected to the ESM Manager; therefore, any events sent are
received.

stopped

The SmartConnector is responding to the ESM Manager, but no events are sent from
the SmartConnector to the Console. When the SmartConnector is stopped, events are
lost.

paused

The SmartConnector is responding to the ESM Manager, but events are being cached
in the SmartConnector. When the SmartConnector is paused, events are cached and
eventually sent to the Manager when the SmartConnector is again active.

For current operational status at any time, in the Connectors resource tree, right-click the
SmartConnector and select Send Command -> Status -> Get Status. The
SmartConnector’s current parameters are displayed in the SmartConnector Status
window.

Selecting and Setting SmartConnector Parameters

From the Console, the SmartConnector Configuration Editor is your way to control
SmartConnectors.

1 In the Navigator panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click the ArcSight SmartConnector you want to
manage and select Configure. The Inspect/Edit panel for the Connector Editor is
displayed. On the Connector tab, the Name field is automatically populated with the
name assigned during SmartConnector Installation, as well as the creation date and
other information.

3 On the Default tab, change any additional Batching, Time Correction, or other
parameters as desired, using the configuration field explanations provided in the
following "Connector Editor Option Tabs" and "Configuration Fields" sections.

66 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

4 Click Apply to add your changes and to keep the Connector Editor open. To apply
your changes and close the Connector Editor, click OK, or, if applicable, click Add
Alternate to save your changes as an alternate configuration you can select and
apply later.

These parameters are not localized because they come directly from the SmartConnector
and the SmartConnector may contain new resources (it could be a newer version).

The framework for SmartConnector commands operates in a similar way. Configuration of

the connector command menu is achieved by sending the list of commands that are
supported on the SmartConnector at registration time.

There are several controls you can adjust in the Connector Editor. The variety of options
are best summarized by briefly describing what is available at each of the editor's tabs and
subtabs.

Connector Editor Option Tabs

Connector Tabs Options

Connector Basic identification, ownership, and date/time parameters.

Networks The ArcSight network(s) to which the SmartConnector is or

can be assigned.

Default: Content Includes options for report batching, aggregation, and time
corrections.

Default: Filters A filter condition editor for constraining what the

SmartConnector reports.

Alternate: Content A set of options identical to those under Default, which you
can use to create alternate configurations.

Alternate: Filters A filter condition editor for constraining what the

SmartConnector reports, in an alternate configuration.

ANotes: Table A text editor for, and tabular list of, configuration notes.

Notes: List A text editor for, and text presentation of, configuration
notes.

Configuration Fields
You can perform basic configuration tasks through the Connector and Default: Content
tabs. Find their names and values in the tables below.

Name Field Value Field

Name The Name text field is automatically populated with the name
assigned during SmartConnector installation.

ID The identification string assigned during SmartConnector

installation.

Status The SmartConnector's current mode of operation.

Connector A description of the (usually) physical location of the

Location SmartConnector.

ArcSight Confidential SmartConnector User’s Guide 67

7 Configuring SmartConnectors through the Console

Name Field Value Field

Device A description of the (usually) physical location of the device the

Location SmartConnector is monitoring.

Version The SmartConnector 's software version number.

External ID An identification string suitable for, and which can be referenced by,
systems outside ArcSight. Common applications of External IDs
include appropriate naming for Case and Asset resources that are
tracked in common with defect reporting or
vulnerability-management systems. Your ArcSight administrator can
advise you on the correct values for this field, if applicable.

Alias An identification string suitable for referencing resources within

ArcSight. A given alias appears in place of the resource's name
everywhere it may be seen. Your ArcSight administrator can advise
you on the correct values for this field, if applicable.

Description A text description of the configuration or other related information.

Owner An ArcSight user (selected from the Users resource tree) who should
be notified about this SmartConnector.

Notification The ArcSight user groups (selected from the Users resource tree)
Groups who should be notified about this SmartConnector.

Created By A user identity provided at SmartConnector installation.

Creation The time of SmartConnector installation.

Time

Time Since A value calculated from Creation Time.

Creation

Last Updated The time of the last configuration change.

By

Last Update The time of the last configuration change.

Time

Time Since A value calculated from Last Update Time.

Last Update

68 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Default Content Tab Configuration Fields

Name Field Value Field

Batching SmartConnectors can batch events to

increase performance and optimize network
bandwidth. When activated, SmartConnectors
create blocks of events and send them when
they either (1) reach a certain size or (2) the
time window expires. You can also prioritize
batches by severity, forcing the
SmartConnector to send the highest-severity
event batches first and the lowest-severity
event batches later.

Enable Batching (per Create batches of events of this specified size

event) (5, 10, 20, 50, 100 events).

Enable Batching (in The SmartConnector sends the events if this

seconds) time window expires (1, 5, 10, 15, 30, 60).

Batch By This is Time Based should the

SmartConnector send batches as they arrive
(the default) or Severity Based should the
SmartConnector send batches based on
severity (batches of Highest Severity events
are sent first).

Time Correction

Use Connector Time as Yes/No, default is no. Override the time the
Device Time device reports and instead use the time at
which the SmartConnector received the
event. This option assumes that the
SmartConnector is more likely to report the
correct time.

Enable Device Time The SmartConnector can adjust the time

Correction (in seconds) reported by the device Detect Time, using this
setting. This is useful when a remote device's
clock is not synchronized with the ArcSight
Manager. This should be a temporary setting.
The recommended way to synchronize clocks
between Manager and devices is the NTP
protocol.

Enable Connector Time The SmartConnector can also adjust the time
Correction (in seconds) reported by the Connector Time
SmartConnector itself, using this setting. This
is for informational purposes only and does
not modify the local time on the
SmartConnector. This should be a temporary
setting. The recommended way to
synchronize clocks between Manager and
SmartConnectors is the NTP protocol.

ArcSight Confidential SmartConnector User’s Guide 69

7 Configuring SmartConnectors through the Console

Name Field Value Field

Set Device Time Zone Disabled/Enabled, default is disabled.

To Ordinarily, it is presumed that the original
device is reporting its time zone along with its
time. And if not, it is then presumed that the
SmartConnector is doing so. If this is not true,
or the device isn't reporting correctly, you can
switch this option from Disabled to GMT or to
a particular world time zone. That zone is
applied to the reported time.

Device Time The values you set for these fields establish
Auto-correction forward and backward time limits that, if
exceeded, cause the SmartConnector to
automatically correct the time reported by the
device.

Future Threshold Default is -1. Value must be set to a positive

number to activate auto correction.
The SmartConnector sends the internal alert if
the detect time is later than the
SmartConnector time by Future Threshold
seconds.

Past Threshold Default is -1. Value must be set to a positive

number to activate auto correction.
The SmartConnector sends the internal alert if
the detect time is earlier than the
SmartConnector time by Past Threshold
seconds.

Device List A comma-separated list of the devices to

which the thresholds apply. The default, (ALL)
means all devices.

Time Checking These are the time span and frequency

factors for doing device-time checking.

Future Threshold Default is 5 minutes (300 seconds). The

number of seconds by which to extend the
connector's forward threshold for time
checking.

Past Threshold Default is 1 hour (3,600 seconds). The

number of seconds by which to extend the
connector's rear threshold for time checking.

Frequency The SmartConnector checks its future and

past thresholds at intervals specified by this
number of seconds. The default time is 1
minute (60 seconds).

70 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Cache Changing these settings does not affect the

events already cached, only new events.

Cache Size SmartConnectors use a compressed disk

cache to hold large volumes of events when
the ArcSight Manager is down or when the
SmartConnector receives bursts of events.
This parameter specifies the disk space to
use. The default is 1 GB which, depending on
the SmartConnector, can hold about 15
million events, but it also can go down to 5
MB. When this disk space is full, the
SmartConnector drops the oldest events to
free up disk cache space. (5 MB, 50 MB, 100
MB, 200 MB, 250 MB, 500 MB, 1 GB, 2.5 GB,
5 GB, 10 GB, 50 GB.)

Notification Threshold The size of the cache's event content at which

a trigger notification occurs. The default is
10,000.

Notification Frequency How often to send notifications once the

Notification Threshold is reached. (1 min, 5
min, 10 min, 30 min, 60 min.)

Network

Heartbeat Frequency Default is 10 seconds. Range is 5 seconds to

10 minutes.
This setting controls how often the
SmartConnector sends a heartbeat message
to the ArcSight Manager. The default is 10
seconds, but it can go from 5 seconds to 10
minutes. Note that the heartbeat is also used
to communicate with the SmartConnector;
therefore, if its frequency is set to 10
minutes, it could take as much as 10 minutes
to send any configuration information or
commands back to the SmartConnector.

Enable Name Enabled/disabled, default is enabled. The

Resolution SmartConnector tries to resolve IP addresses
to host names, and host names to IP
addresses, if the event rate allows it and if
required. This setting controls this
functionality. The Source, Target and Device
IP addresses and Hostnames may also be
affected by this setting.

Name Resolution Host Yes/No, default is yes. If set to yes, for

Name Only reverse resolution (IP Address to Host name),
only the host name field is set.
If set to no, the host name is split up and put
into both the DNS domain and the host name
fields. This affects the source, destination,
device and SmartConnector name fields.

ArcSight Confidential SmartConnector User’s Guide 71

7 Configuring SmartConnectors through the Console

Name Field Value Field

Name Resolution Yes/No, default is yes. If set to yes, the host

Domain from Email name and DNS domain fields are empty, and
the corresponding user name field appears as
an email address, then the domain from the
email address is put in the DNS domain field.
This only affects the source and destination
fields.

Clear Host Names Yes/No, default is yes. If set to yes and the
Same as IP Address host name field is set to an IP Address that
matches the corresponding IP Address field,
then the host name field is cleared. This
affects the source, destination, and device
fields.

Don't Resolve Host Default is empty. Takes a regular expression

Names Matching as a value and skips resolution for host names
matching the regular expression, for example,
.*arcsight.com.

Don't Reverse-Resolve Default is empty. Takes a list of IP address

IP Ranges ranges as a value and skips reverse resolution
for all the IP addresses that fall in any given
range.
For example,
10.0.111.1-10.0.111.255,192.168.21.1-192.
168.21.255

Limit Bandwidth To Enabled/disabled, default is disabled.

Range is 1 kbit/sec to 100 Mbits/sec. A list of
bandwidth options you can use to constrain
the SmartConnector 's output over the
network.

Transport Mode You can configure the SmartConnector to

cache to disk all the processed events it
receives. This is equivalent to pausing the
SmartConnector. However, you can use this
setting to delay event-sending during
particular time periods. For example, you
could use this setting to cache events during
the day and send them at night. You can also
set the SmartConnector to cache all events,
except for those marked with a very-high
severity, during business hours, and send the
rest at night. (Normal | Cache | Cache (but
send Very High severity events).

Address-based Zone This field applies to ESM version 3.0 ArcSight

Population Defaults Managers, and is not relevant for v3.5 or v4.0
Enabled (these versions have integral zone mapping).

72 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Address-based Zone This field applies to ESM version 3.0 ArcSight

Population Managers, and is not relevant for v3.5 or v4.0
(these versions have integral zone mapping).
For version 3.0, this table allows you to define
ranges of IP addresses to map to specific
zones. Each row of the table defines a range
to map to one zone. The system chooses the
first matching range, and ranges may overlap,
so enter the smaller ranges first. Assuming
the default zones are enabled (Address-based
Zone population Default Enabled = yes), the
zones entered here take precedence over the
default zones, so the default zones are only
used if none of these ranges match.

Zone Population Mode Default is Normal

Values are
• Normal: Zones are computed and
assigned if they are not already set
• Rezone (override): re-compute and
reassign if the zones are already
populated
• No Zoning (clear): clear the zones if they
are populated

Customer URI Applies the given customer URI to events

emanating from the SmartConnector.
Provided the customer resource exists, all
customer fields are populated on the ArcSight
Manager. If this particular SmartConnector is
reporting data that might apply to more than
one customer, you can use Velocity templates
in this field to conditionally identify those
customers.

Source Zone URI When populated, this field shows the URI of
the zone associated with the
SmartConnector's source address. How this
field gets populated is discussed in the Zones
section of the SmartConnectors topic. This
field is present for v3.0 compatibility. It is not
relevant in v3.5 or v4.0 because of integral
zone mapping.

Source Translated Zone When populated, this field shows the URI of
URI the zone associated with the
SmartConnector's translated source address.
The translation is presumed to be NAT
(network address translation). How this field
gets populated is discussed in the Zones
section of the SmartConnectors topic. This
field is present for v3.0 compatibility. It is not
relevant in v3.5 or v4.0 because of integral
zone mapping.

ArcSight Confidential SmartConnector User’s Guide 73

7 Configuring SmartConnectors through the Console

Name Field Value Field

Destination Zone URI When populated, this field shows the URI of
the zone associated with the
SmartConnector's destination address. How
this field gets populated is discussed in the
Zones section of the SmartConnectors topic.
This field is present for v3.0 compatibility. It is
not relevant in v3.5 or v4.0 because of
integral zone mapping.

Destination Translated When populated, this field shows the URI of

Zone URI the zone associated with the
SmartConnector's translated destination
address. The translation is presumed to be
NAT (network address translation). How this
field gets populated is discussed in the Zones
section of the SmartConnectors topic. This
field is present for v3.0 compatibility. It is not
relevant in v3.5 or v4.0 because of integral
zone mapping.

Connector Zone URI When populated, this field shows the URI of
the zone associated with the
SmartConnector's address. How this field gets
populated is discussed in the Zones section of
the SmartConnectors topic. This field is
present for v3.0 compatibility. It is not
relevant in v3.5 or v4.0 because of integral
zone mapping.

Connector Translated When populated, this field shows the URI of

Zone URI the zone associated with the
SmartConnector's translated address. The
translation is presumed to be NAT (network
address translation). How this field gets
populated is discussed in the Zones section of
the SmartConnectors topic. This field is
present for v3.0 compatibility. It is not
relevant in v3.5 or v4.0 because of integral
zone mapping.

Device Zone URI When populated, this field shows the URI of
the zone associated with the device's address.
How this field gets populated is discussed in
the Zones section of the SmartConnectors
topic. This field is present for v3.0
compatibility. It is not relevant in v3.5 or v4.0
because of integral zone mapping.

Device Translated Zone When populated, this field shows the URI of
URI the zone associated with the device's
translated address. The translation is
presumed to be NAT (network address
translation). How this field gets populated is
discussed in the Zones section of the
SmartConnectors topic. This field is present
for v3.0 compatibility. It is not relevant in
v3.5 or v4.0 because of integral zone
mapping.

74 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Field Based This feature is an extension of basic connector

Aggregation aggregation. Basic aggregation aggregates
two events if, and only if, the fields of the two
events are the same per the fields listed in the
description of “Enable Aggregation (in
seconds)” on page 78. However, field-based
aggregation implements a more flexible
aggregation mechanism; two events are
aggregated if only the selected fields are the
same for both events. (Note: Field-based
aggregation creates a new alert that contains
only the fields that were specified, so the rest
of the fields are ignored, unless “Preserve
Common Fields” is set to “Yes”.)
Field-based aggregation offers several
advantages over basic aggregation, including:
•Control over what fields to aggregate on
•Start and end time set to the earliest start
time and latest end time, respectively
(instead of taking the values from the first
event in the group, like basic aggregation)
•Option to preserve common fields
•Option to sum one or more numeric fields
SmartConnector aggregation significantly
reduces the amount of data received, and
should be applied only when you use less than
the total amount of information the event
offers. For example, you could enable
field-based aggregation to aggregate
"accepts" and "rejects" in a firewall, but you
should use it only if you are interested in the
count of these events, instead of all the
information provided by the firewall.
Note: The legacy, basic aggregation feature
is described in the field description for “Enable
Aggregation (in seconds)” on page 78.

Time Interval Choose a time interval, if applicable, to use as

a basis for aggregating the events the
SmartConnector collects. It is exclusive of
Event Threshold. (Disabled, 1 sec, 5 sec, and
so on, up to 1 hour.)

Event Threshold Choose a number of events, if applicable, to

use as a basis for aggregating the events the
SmartConnector collects. This is the
maximum count of events that can be
grouped; for example, if 150 events were
found to be the same within the time interval
selected (i.e., contained the same selected
fields) and you select an event threshold of
100, you will then receive two events, one of
count 100 and another of count 50. This
option is exclusive of Time Interval. (Disabled,
10 events, 50 events, and so on, up to 10,000
events.)

ArcSight Confidential SmartConnector User’s Guide 75

7 Configuring SmartConnectors through the Console

Name Field Value Field

Field Names Choose one or more fields, if applicable, to

use as the basis for aggregating the events
the SmartConnector collects. Use Ctrl+click to
select multiple fields. The result is a
comma-separated list of fields to monitor. For
example, "eventName,deviceHostName"
would aggregate events if they have the same
event- and device-host name. You can use
any of the event fields displayed in the event
inspector; the name can contain no spaces
and the first letter should not be capitalized.

Fields to Sum If specified, this set of numeric fields is

summed rather than aggregated, preserved,
or discarded. The most common fields to sum
are bytesIn and bytesOut. Note that if any of
the fields listed here are also in the list of field
names to aggregate, they are aggregated and
not summed.

Preserve Common Yes/No, default is no. Choosing yes, adds

Fields fields to the aggregated event if they have the
same values for each event.
Choosing no, ignores non-aggregated fields in
aggregated events.

Filter Filter Aggregation is a way of capturing

Aggregation aggregated event data from events that
would otherwise be discarded due to a
SmartConnector filter. Only events that would
be filtered out are considered for filter
aggregation (unlike Field-based aggregation,
which looks at all events).

Time Interval Choose a time interval, if applicable, to use as

a basis for aggregating the events the
SmartConnector collects. It is exclusive of
Event Threshold. (Disabled, 1 sec, 5 sec, and
so on, up to 1 hour.)

Event Threshold Choose a number of events, if applicable, to

use as a basis for aggregating the events the
SmartConnector collects. This is the
maximum count of events that can be
aggregated; for example, if 150 events were
found to be the same within the time interval
selected (i.e., contained the same selected
fields) and you select an event threshold of
100, you will then receive two events, one of
count 100 and another of count 50. This
option is exclusive of Time Interval. (Disabled,
10 events, 50 events, and so on, up to 10,000
events.)

Fields to Sum If specified, this set of numeric fields is

summed rather than aggregated, preserved,
or discarded. The most common fields to sum
are bytesIn and bytesOut.

76 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Processing

Preserve Raw Event Yes/No, default is no. Some devices contain

a raw event that can be captured as part of
the generated event. If that is not the case,
most SmartConnectors can also produce a
serialized version of the data stream that was
parsed/processed to generate the ArcSight
event. This feature allows the
SmartConnector to preserve this serialized
"raw event" as a field in the event inspector.
This feature is disabled, by default, since
using raw data increases the event size and
therefore requires more database storage
space. You can enable this by changing the
Preserve Raw Event setting. If you choose
yes, the serialized representation of the "Raw
Event" is sent to the ArcSight Manager and
preserved in the Raw Event field.

Turbo Mode If your configuration, reporting, and analytic

usage permits, you can greatly accelerate the
transfer of a sensor's event information
through SmartConnectors by choosing one of
three "turbo" (narrower data bandwidth)
modes.
ArcSight defines turbo modes as follows:
Fastest (Mode 1) Recommended for simpler
devices, such as firewalls.
Faster (Mode 2) Manager default. Eliminates
all but a core set of event attributes in order
to achieve the best throughput. Because the
event data is smaller, it requires less storage
space and provides the best performance.
Complete (Mode 3) SmartConnector
default. All event data arriving at the
SmartConnector, including additional data, is
maintained.
When a turbo mode is not specified, Mode 3,
Complete, is used. Versions of ArcSight ESM
prior to 3.0 ran in turbo mode 3.
Only scanner SmartConnectors must run in
Complete mode, to capture the additional
data.
Note: In processing events, the ArcSight
Manager’s turbo mode trumps that of a
SmartConnector’s in processing events.

ArcSight Confidential SmartConnector User’s Guide 77

7 Configuring SmartConnectors through the Console

Name Field Value Field

Enable Aggregation (in Note: If you have already used this feature
seconds) for setting up previous SmartConnectors, you
can continue to do so. However, ArcSight
recommends that you use the new Field
Based Aggregation feature as a more
flexible option. (Please see “Field Based
Aggregation” on page 75.)
Here is the description of the legacy “Enable
Aggregation” feature, for those of you who
are still using it:
When enabled, Enable Aggregation (in
seconds) aggregates two or more events on
the basis of the selected time value.
(Disabled, 1, 2, 3, 4, 5, 10, 30, 60)
The aggregation is performed on one or more
matches for a fixed subset of fields:
• Agent ID
• Name
• Device event category
• Agent severity
• Destination address
• Destination user ID
• Destination port
• Request URL
• Source address
• Source user ID
• Source port
• Destination process name
• Transport protocol
• Application protocol
• Device inbound interface
• Device outbound interface
• Additional data (if any)
• Base event IDs (if any)
The aggregated event shows the event count
(how many events were aggregated into the
displayed event) and event type. The rest of
the fields in the aggregated event take the
values of the first event in the set of
aggregated events.

78 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Limit Event Processing You can moderate the SmartConnector's

Rate burden on the CPU by reducing its processing
rate. This can also be a means of dealing with
the effects of event bursts.
The choices range from -1 (no limitation on
CPU demand) to 1 eps (pass just one event
per second, making the smallest demand on
the CPU).
Be sure to note that this option's effect varies
with the category of SmartConnector in use,
as described in the SmartConnector
Processing Categories table that follows.

Fields to Obfuscate Using MD5 hashing, this option allows you to

specify a list of fields for obfuscation in a
security event.

Store Original Time In This parameter allows you to move the

original device receipt time to a specified field
if altered by the time correction.

Enable Port-Service Disabled/Enabled, default is Disabled. If

Mapping enabled and one of the two fields destination
port and application protocol is set, and the
other is not, the one that is set is used to set
the other.
For example, if the destination port is 22 and
application protocol is not set, then the
application protocol is set to ssh.

Enable User Name Yes/No, default is no. If this is set to yes and
Splitting the destination user name contains commas
in the event, this parameter duplicates that
event. Each user name in the list is placed in
one of the events.
For example, if the destination user name in
an event is “User 123, User 456”, then that
event is sent twice, with the destination user
name set to “User 123” in the first and “User
456” in the second.

Split File Name into Yes/No, default is no. If this is set to yes and
Path Name an event’s file name field is set but its file
path field is not, this parameter splits the file
name into a path and a name, placing each
part into appropriate fields.
For example, if the file name field is set to
C:\dir\file.ext and the file path is not set, then
the file path is set to C:\dir and the file name
to file.ext. The separator character can be
either \ or / as the system looks to the
SmartConnector to determine its platform.

ArcSight Confidential SmartConnector User’s Guide 79

7 Configuring SmartConnectors through the Console

Name Field Value Field

Event Integrity (Disabled | SHA-256 | SHA-1 | MD5 |

Algorithm SHA-512)
If this is set to one of the algorithms (such as
SHA-256), and the Preserve Raw Event
parameter is Enabled, then additional event
integrity internal events are generated,
normally at a rate of about 1 per 50 normal
events.
The crypto signature field is also set in each
event in the format: "#seq(alg):digest",
where seq is a persistent event sequence
number, alg is the message digest algorithm,
and digest is the hexadecimal message
digest.
These extra events and the crypto signature
field values can be used to verify that no
events were tampered with after generation.
Supported algorithms are: SHA-256, SHA-1,
MD5, and SHA-512.
Default is Disabled (i.e., no algorithm is
applied).

Generate Unparsed Yes/No, default is no. If set to yes and some

Events incoming event data cannot be parsed
(perhaps because a device has been upgraded
since the SmartConnector parser was
written), then a special event named
“Unparsed Event” is generated. The raw event
appears in the event message field.
If set to no, the SmartConnector log files
indicate the unparsed events.

Preserve System Health Yes/No, default is no. If enabled, sends

Events system health events periodically to ArcSight
Manger. Events are named as a “Connector
System Health Event”, then generated for
several different types of statistics that are
collected. Examples include disk usage,
memory usage, and CPU usage.

Enable Device Status Enabled/Disabled, default is disabled.

Monitoring (in mins) Minimum is 1 min (60000 ms). If enabled,
sends an internal event named “Connector
Device Status” for each device tracked by the
connector containing the following types of
information:
• Last timestamp when the connector
received an event from the device
• Total number of events from this device
since the connector started
• Number of events sent by this device since
the last event of this type

80 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Name Field Value Field

Payload Payload sampling is used by some

Sampling SmartConnectors to send a portion of packet
payload (as opposed to the complete packet
payload) along with the original event.
This portion is retrieved using the on-demand
payload retrieval in the event inspector.

Maximum Length This feature allows you to configure the

maximum length of the payload sample using
the following values:
Discard, 128 bytes, 256 bytes, 512 bytes, and
1 Kbyte.
When the discard option is chosen, no payload
sample is sent inside the original event.

Mask Non-printable This feature allows you to mask the

Characters non-printable characters in the payload
sample.

Filters Enables you to modify the filtering done for a

destination without access to an ArcSight ESM
Console. See “Using Filters in the
SmartConnector Configuration Wizard” on
page 83.

SmartConnector Processing Categories

SmartConnector
Effects of Limited Usage
Tabs

Syslog connectors Due to the nature of UDP (the transport protocol used by syslog), these
SmartConnectors can potentially lose events if the configurable event
rate is exceeded. This is because the SmartConnector delays processing
to match the event rate configured, and while in this state, the UDP
cache may fill up, causing the operating system to drop UDP messages.
Note that ArcSight does not recommend using the Limit CPU Usage
option with these SmartConnectors because of this possibility of event
loss.

SNMP connectors Similar to Syslog SmartConnectors, when the event rate is limited on
SNMP connectors, they potentially lose events. SNMP is also UDP-based
and has the same issues as syslog.

Database Since SmartConnectors "follow" the database tables, limiting the event
connectors rate for database connectors can slow the operation of other
SmartConnector. The result can be an event backlog sufficient to delay
the reporting of alerts by as much as minutes or hours. On the other
hand, note that no events are lost, unless the database tables are
truncated. After the event burst is over, the SmartConnector may
eventually catch up with the database if the event rate does not exceed
the configured limit.

File connectors Similar to database connectors, file-based SmartConnectors "follow"

files, so limiting their event rates also causes an event backlog. This can
eventually force the SmartConnector to fall behind by as much as
minutes or hours, depending on the actual event rate. Similarly, the
SmartConnectors may catch up if the event rate does not exceed the
configured rate.

ArcSight Confidential SmartConnector User’s Guide 81

7 Configuring SmartConnectors through the Console

SmartConnector
Effects of Limited Usage
Tabs

Proprietary API These SmartConnectors' behavior depends on the particular API (e.g.,
connectors OPSEC behaves differently than PostOffice and RDEP). But in most cases,
there is no event loss unless the internal buffers and queues of the API
implementation fill up. Therefore, these SmartConnectors work much like
database or file SmartConnectors.

82 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Using Filters in the SmartConnector Configuration

Wizard
If you would like to modify a destination without accessing an ArcSight ESM Manger, you
can use the SmartConnector Configuration Wizard provided as part of the SmartConnector
setup.

Once you have a SmartConnector installed (if not, see Chapter 4‚ Installing and Configuring
SmartConnectors‚ on page 19),

1 Proceed through the SmartConnector Configuration Wizard until you reach the
destination setting window, as shown below.

2 Choose the Filters option.

3 Click Next.

4 Within the Filter Out field of the following screen, enter the string that represents
your setting modification.

While it’s not possible to use the graphical modifiers used within the ArcSight ESM
Console, you can write strings such as the following examples:

‹ name EQ “Agent”
‹ (name Contains “Super”) Or (name EQ “Agent”)
‹ attackerAddress Between (“10.0.0.1”, “10.0.0.10”)

ArcSight Confidential SmartConnector User’s Guide 83

7 Configuring SmartConnectors through the Console

The first example would be written as shown below:

See the table below for a list of usable operators. For additional information regarding data
fields, event mappings, and CEF fields, see the “Data Fields”, “Audit Events”, “Cases”, and
“Events” sections in the ESM User’s Reference.

Usable
Description
Operators

EQ equals

NE not equals

LT less than

LE less than or equal to

GE greater than or equal to

GT greater than

Between compares any specified range

ContainsBits equals, for bitmap fields

In standard CCE operator for membership test

Contains contains the specified substring

StartsWith starts with specified substring

EndsWith ends with specified substring

Like standard CCE operator for simple pattern matching for string type:
_ wildcard for single character
% wildcard for any number of characters

InSubnet for IP address that is in the specified subnet

InGroup for asset in the specified asset category or zone in the specified zone
group.

Is tests true for the selected state, null or not null

84 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

SmartConnector Time Interval Options

These options are the Alternate tab's Time Interval option, which specify when the
alternate settings are to be used by the SmartConnector. For example, if you want to cache
the events during the day and send everything at night, you can configure the Transport
Mode to cache in the default configuration, then configure the Transport Mode to
normal in the Alternate Settings, and set the time interval from 8PM to 8AM (next day).

„ From: Specifies the starting time to apply the Alternate settings.

„ To: Specifies the ending time at which the Alternate settings no longer apply (and
revert to the default settings). If this is less than the From setting, the value is
interpreted as "next day." For example, a setting from 8PM to 8AM is interpreted as
starting at 8PM and ending at 8AM the following day.

Managing SmartConnector Filter Conditions

Based upon filtering conditions, SmartConnectors can filter events between devices and
the ArcSight ESM Manager. Filtering conditions are set with a combination of AND or OR
statements and data field values. Extraneous events are filtered out to minimize the
number of events sent to the Manager and analyzed in the ArcSight Console.

To create SmartConnector filters:

1 In the Navigator panel, select the Connectors resource tree.

2 In the Connectors resource tree, select an ArcSight SmartConnector, right-click and

select Configure from the drop-down menu.

3 In the SmartConnector Configuration Editor, click the following tabs: Connector:

Name -> Default -> Filters.

4 Select logic operators from the available buttons.

5 In the Common Conditions Editor, select the relevant conditions from the data fields.

Logic
Description
Operator

= equals

!= not equals

< less than

<= less than or equal to

>= greater than or equal to

ArcSight Confidential SmartConnector User’s Guide 85

7 Configuring SmartConnectors through the Console

Logic
Description
Operator

> greater than

Between event occurs between the specified date time period

ContainsBits equals, for bitmap fields

In standard CCE operator for membership test

Contains contains the specified substring

StartsWith starts with specified substring

EndsWith ends with specified substring

Like standard CCE operator for simple pattern matching for string type:
_ wildcard for single character
% wildcard for any number of characters

InSubnet for IP address that is in the specified subnet

InGroup for asset in the specified asset category or zone in the specified zone
group.

Is tests true for the selected state, null or not null

6 Enter a value in the last text field.

7 Click OK.

To add SmartConnector filter conditions:

1 In the Navigator panel, select the SmartConnectors resource tree.

2 In the SmartConnectors resource tree, select an ArcSight SmartConnector and select

Configure.

3 In the SmartConnector Configuration Editor, click the following tabs: Connector:

Name -> Default -> Filters.

4 Select logic operators from the available buttons.

5 Enter conditions into Common Conditions Editor text fields.

6 Click OK.

To delete SmartConnector filter conditions:

1 In the Navigator panel, choose the Connectors resource tree.

2 In the Connectors resource tree, right-click the ArcSight SmartConnector and select
Configure.

3 In the Filtering section on the Advanced tab, right-click a condition and select Delete.

Setting Special Severity Levels

You can customize or add conditions to the event-severity levels reported by
SmartConnectors. Customizing means pre-setting a given SmartConnector's filter to one
specific severity level; adding conditions is essentially the same, but with the addition of a
filter condition to determine when the preset severity level is reported.

86 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

To set a custom severity level and configure a conditional severity:

1 Select the Connectors resource tree in the Navigator panel.

2 In the Connectors resource tree, right-click the appropriate SmartConnector and

select Configure.

3 In the Connector Configuration Editor, click the following tabs: Connector: Name ->
Default -> Filters.

4 Under the Filters tab, select a severity level event definition from the Filter group:
Filter Out (to drop an event), Very-High, High, Medium, Low, and Unknown.

5 Select logic operators from the available buttons.

6 Select the conditions of the severity level from the Common Conditions Editor.

7 Click OK in the Common Conditions Editor.

Sending Control Commands to SmartConnectors

From the ESM Console, you can issue basic event-flow-control commands to
SmartConnectors, get the operational status of a SmartConnector, or issue control
commands to network devices through their SmartConnectors. This topic discusses the first
two points.

To send flow-control commands:

1 Select the Connectors resource tree in the Navigator panel.

2 In the Connectors resource tree, right-click the ArcSight SmartConnector, select Send
Command, and one of the Status, Connector Process, Event Flow, Network, or
Upgrade menu options described below.

3 The Console's status bar shows a confirmation message when the flow control option
takes effect.

Commands available on this menu vary depending on which

SmartConnectors you are using. The following commands are the standard
set.

Flow-control
Description
Command

Status

Get Status Provides a full report on the selected

SmartConnector’s current operational state.

Get Device Provides the status of the device that reports to

Status the SmartConnector. Currently only available for
the Cisco IDS/IPS SmartConnector.

Connector
Process

ArcSight Confidential SmartConnector User’s Guide 87

7 Configuring SmartConnectors through the Console

Flow-control
Description
Command

Restart Restarts a running SmartConnector.

Once a SmartConnector is terminated, Console
commands cannot access it. Therefore, a "restart"
works only on a SmartConnector that is currently
running. Sending a restart command to a running
SmartConnector terminates and restarts the
SmartConnector.

Terminate Shuts down the SmartConnector and all the

processes the SmartConnector started.
Once a SmartConnector is terminated, Console
commands (including Connector Process ->
Restart) cannot access it. You must restart the
SmartConnector manually from the machine on
which it is installed.
Only use the Terminate command in very special
circumstances, as this command kills all
SmartConnector processes.

Event Flow

Pause Stops the SmartConnector from sending events to

the ArcSight Manager.
Events received from the target device are saved
in the SmartConnector cache (even though the
SmartConnector is in a Pause state).

Stop Stops the SmartConnector from sending events to

the ArcSight Manager.
A Stop command causes the SmartConnector to
drop all events, including events stored in the
SmartConnector cache.

Start Prompts the SmartConnector (previously in Stop

or Pause state) to start sending events to the
ArcSight Manager.

Network

Name Clears the cache for Network name resolver

Resolver
Cache

Upgrade

88 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Flow-control
Description
Command

Upgrade Launches a Command Parameters dialog for

remote upgrade to newer versions of ArcSight
SmartConnectors for managed assets.
Provide the version number of the
SmartConnector to which you want to upgrade
and a wait time to verify that the upgrade
completed successfully. (If the upgrade is not
successful, the system performs an automatic
rollback to the previous version of the
SmartConnector.)
Click OK to start the upgrade.
See “Overview of the Upgrade Process” on
page 34 for prerequisites for the upgrade process
and detailed information on how to upgrade
Connectors.

Rollback Launches a Command Parameters dialog for

Upgrade remote rollback of SmartConnector version to a
specified previous version.“Overview of the
Upgrade Process” on page 34 for complete
information.

Disabling Event Compression

ArcSight SmartConnectors can send event information to the ESM Manager in a
compressed format using HTTP compression. The compression technique used provides
compression rates of 1 to 10 or greater, depending upon the input data (in this case, the
events sent by the ArcSight SmartConnector). Using compression lowers the overall
network bandwidth used by ArcSight SmartConnectors dramatically without impacting their
overall performance.

By default, all SmartConnectors have compression enabled. To turn it off, add the following
line to the ARCSIGHT_HOME\current\user\agent\agent.properties file:

http.transport.compressed = false

ArcSight Confidential SmartConnector User’s Guide 89

7 Configuring SmartConnectors through the Console

Managing SmartConnector Groups

You can better manage ArcSight SmartConnectors by organizing them into groups.
Ungrouped SmartConnectors are listed in the Site Connectors group.

Groups and SmartConnectors can be managed by dragging-and-dropping groups and

SmartConnectors into other groups from the Administration window. If a group is
deleted, the SmartConnectors within that group are also deleted.

You should not delete a SmartConnector resource at the ESM Console unless you first stop
its corresponding SmartConnector. If the SmartConnector on the device is running, but you
delete its resource, the SmartConnector can no longer send events to the Manager. This
causes the SmartConnector to start caching events and, eventually, drop them.

For more detailed information about managing ArcSight SmartConnectors in general, refer
to the ArcSight ESM v4.0 Administrator’s Guide and the ArcSight ESM Console Help.

Creating a SmartConnector Group

1 In the Navigator Panel, select the Connectors resource tree.

If hidden, you can display the Navigator panel by selecting Navigator Panel
from the Window menu.

2 In the Connectors resource tree, right-click a group and choose New Group. A Name
text field appears under the group you selected.

3 In the Name text field, enter a name.

4 Click Enter.

Renaming a SmartConnector Group

1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and select Rename.

3 In the name text field, rename the group.

4 Click Enter.

90 SmartConnector User’s Guide ArcSight Confidential

 7 Configuring SmartConnectors through the Console

Editing a SmartConnector Group

1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and select Edit Group.

3 In the Group Editor, edit the Name and Description text field.

4 Click OK.

Moving or Linking a SmartConnector Group

1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, navigate to a group and drag-and-drop it into

another group.

3 Select Move to move the group or Link to create a copy of the group linked to the
original group.

If you select Link, you create a copy of the group that is linked to the original group.
Therefore, if you edit a linked group, whether it be the original or the copy, all links are
edited as well. When deleting linked groups, you can either delete the selected group or all
linked groups.

Deleting a SmartConnector Group

1 In the Navigator Panel, select the Connectors resource tree.

2 In the Connectors resource tree, right-click a group and choose Delete Group.

3 In the dialog box, click Yes.

For more detailed information about managing ArcSight SmartConnectors, refer to the
ArcSight ESM v4.0 Administrator’s Guide and the ArcSight ESM Console Help.

ArcSight Confidential SmartConnector User’s Guide 91

7 Configuring SmartConnectors through the Console

92 SmartConnector User’s Guide ArcSight Confidential

 Chapter 8
Configuring Multiple Destinations

This chapter provides information about configuring a SmartConnector to send events to

multiple destinations, as well as how to re-register connectors. A destination is an ArcSight
ESM Manager or ArcSight device that can receive events from a particular SmartConnector.
Destinations can be either additional destinations (additional to the original ESM
destination) or failover destinations.

The following topics are discussed in this chapter:

“Additional Destinations” on page 93

“Failover Destinations” on page 93
“Configuring Multiple Destinations” on page 94
“Adding a Failover Destination” on page 96
“Re-Registering a SmartConnector” on page 98

Additional Destinations
ArcSight SmartConnectors send a copy of events to each additional destination for which it
is configured. Additional destinations can be useful, for example, when you have a
development ArcSight environment working in parallel with your production environment
and you want to test rules and reports.

In such cases, you can configure the SmartConnector to send alerts to both your
production Manager and your development Manager to be able to view real-time event
flows on both systems. Because the destinations are independent, you do not compromise
the events sent to the production Manager.

Failover Destinations
A failover destination receives security events from the SmartConnector for which it is
configured only when the primary destination (such as the primary ArcSight ESM Manager)
is not available, or when a network problem occurs. Once these events are backed up in
the failover destination, the SmartConnector caches the events and resends them to the
primary destination.

A failover destination is active only when the primary destination is unavailable, so the
reports and replay features within the secondary Manager could contain incomplete
information. This feature performs as a real-time alternative for severe problems with the
primary ArcSight ESM Manager.

ArcSight Confidential SmartConnector User’s Guide 93

8 Configuring Multiple Destinations

Configuring Multiple Destinations

To configure multiple destinations, use the ArcSight SmartConnector Configuration Wizard
after installing the ArcSight SmartConnectors.

To start the wizard, execute the following command:

$ARCSIGHT_HOME\current\bin\runagentsetup

To add, remove, or modify a destination:

1 Select the option I want to add/remove/modify ArcSight Manager

destinations and click Next.

In this example, the SmartConnector currently installed is ActiveCard AAA Server

Accounting Log DB, but the message at the top of the window will be specific to the
connector you previously installed.

2 You can either modify the existing destination or you can add a new destination. For
this example, select Add new destination and click Next.

3 Select the destination type. For this example, select ArcSight Manager (encrypted)
and click Next.

94 SmartConnector User’s Guide ArcSight Confidential

 8 Configuring Multiple Destinations

4 Click Add new destination to add a new SmartCOnnector destination and click
Next.

5 Fill in the parameters for the destination you want to add and click Next to finish.

For information about the AUP Master Destination and Filter Out All Events
fields, see related information on page 24.

6 To apply your changes, restart the SmartConnector.

ArcSight Confidential SmartConnector User’s Guide 95

8 Configuring Multiple Destinations

Adding a Failover Destination

To add a failover destination:

1 Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations.

2 Select your current destination (Host), as shown below.

96 SmartConnector User’s Guide ArcSight Confidential

 8 Configuring Multiple Destinations

3 Select Add fail over destination and click Next.

4 Select a failover destination type. For this example, select ArcSight Manager
(encrypted) to set up an alterative Manager in case the production Manager fails.

ArcSight Confidential SmartConnector User’s Guide 97

8 Configuring Multiple Destinations

5 Enter the settings for the failover destination and click Next to continue to the next
window.

To apply your changes, restart the SmartConnector.

For information about the AUP Master Destination and Filter Out All Events fields,
see related information on page 24.

Re-Registering a SmartConnector
When the ArcSight Manager recognizes a SmartConnector, it generates an ID token the
SmartConnector uses to identify its security events. If the Manager stops accepting events
from a SmartConnector for an unknown reason, or if you have upgraded a SmartConnector
but its resource was removed from the database, you may need to re-register the
SmartConnector.

To re-register a SmartConnector:

1 Run the ArcSight SmartConnector Configuration Wizard and select the option I want
to add/remove/modify ArcSight Manager destinations.

98 SmartConnector User’s Guide ArcSight Confidential

 8 Configuring Multiple Destinations

In the example above, the SmartConnector currently installed is "ActiveCard AAA

Server Accounting Log DB," but you can use the same procedure for any
SmartConnector.

2 Click Next.

3 Run the ArcSight SmartConnector Configuration Wizard and select your current (Host)
destination. Click Next.

4 Select the Re-register… option:

ArcSight Confidential SmartConnector User’s Guide 99

8 Configuring Multiple Destinations

5 Log in with a valid User Name on the ArcSight Manager where you are attempting to
re-register the SmartConnector. Click Next.

6 Restart the SmartConnector to apply the new ID token.

100 SmartConnector User’s Guide ArcSight Confidential

 Chapter 9
Overview of SmartConnector Types

SmartConnectors are the interface between the ArcSight ESM Manager and the network
devices that generate ESM-relevant data on your network.

ArcSight SmartConnectors are generally one of the following types

“File Connectors” on page 101

“Database Connectors” on page 103
“Scanner Connectors” on page 105
“API Connectors” on page 105
“SNMP Connectors” on page 106
“Microsoft Windows Event Log Connectors” on page 107
“Syslog Connectors” on page 108
“Flex Connectors” on page 109
“Other Connectors” on page 110

SmartConnectors collect event data from network devices, then normalize this data in two
ways. First, they normalize values (such as severity, priority, and time zone) into a common
format. They then normalize the data structure into a common schema. SmartConnectors
can filter and aggregate events to reduce the volume sent to the
ESM Manager, which increases ArcSight's efficiency and reduces event processing time.

For general information about ArcSight SmartConnectors, see Chapter 1‚ Introduction to

ArcSight Components‚ on page 1.

For installation information and device-specific configuration and mapping information, see
the SmartConnector Configuration Guide for the specific device.

File Connectors
There are two primary types of log file connector, Real Time and Folder Follower:

Real Time
These connectors can continue to follow a log file that retains its name or changes its
name based upon the current date and other factors. The type of real time file
connector is based upon the number of files monitored by the connector. There are
connectors that monitor a single log file, such as the Snort File connector and
connectors that monitor multiple log files, such as the Cisco Secure ACS and SAP Real
Time Audit connectors.

ArcSight Confidential SmartConnector User’s Guide 101

9 Overview of SmartConnector Types

Real Time log file connectors can read normal log files in which lines are separated by
a new line character as well as fixed length records in which a file consists of only one
line but multiple records of fixed length (such as the SAP Real Time Audit connector).

Folder Follower
Folder follower connectors can follow files deposited into a single folder. There are
connectors that monitor a single log file (such as HP-UX or IBM AIX) and connectors
that monitor log files recursively (such as F-Secure AntiVirus).

.txt and .xml file types are supported by ArcSight SmartConnectors; which type
depends upon the particular device. Text log files are the most common; however,
Tripwire and most of the scanner file connectors, such as Nessus, nCircle, and
NeXpose are in xml format.

The type of log file connector is not usually part of the connector name unless both types
of connector exist for a particular device (such as SAP Audit and SAP Real-Time Audit).

Connectors are normally installed on the device machine, but when the monitored files are
accessible through network shares or NFS mounts, the connectors can be installed on
remote machines.

Files are renamed by default to increments such as .processed, .processed.1, and

so on.

For some connectors, a trigger file is required to tell the connector when the file is
complete and ready for processing. Typically, this is the same file name with a different
extension.

Generally, the only parameter required at installation is the location of the log file or files
(the absolute path). When default file paths are known, they appear in the installation
wizard.

Folders require permissions to rename or delete the files as configured in the

connector.properties file.

ArcSight has dozens of log file connectors, including connectors for:

‹ Aladdin eSafe Gateway

‹ Apache HTTP Server
‹ BEA WebLogic
‹ Blue Coat Proxy SG
‹ Bro IDS
‹ CA eTrust and Top Secret
‹ Cisco IronPort, NetFlow, Secure ACS, and CSA
‹ Enterasys Dragon IDS
‹ F-Secure Anti-Virus
‹ HP-UX Audit and HP OpenVMS
‹ IBM AIX Audit, AS/400 Audit Journal, and DB2 Audit
‹ IBM Lotus Domino Server, Tivoli Access Manager, and WebSphere
‹ IBM OS/390, OS/390 NVAS, RACF and SDSF
‹ Juniper Steel-Belted Radius
‹ Lumeta IPsonar and Brick Managed Services

102 SmartConnector User’s Guide ArcSight Confidential

 9 Overview of SmartConnector Types

‹ McAfee VirusScan
‹ Microsoft DHCP
‹ Microsoft Exchange Message Tracking Log
‹ Microsoft IIS, IAS, ISA, and SQL Servers
‹ Symantec NetRecon
‹ Network Appliance NetCache
‹ NFR Central Management and Sentivist Servers
‹ Nmap
‹ Oblix NetPoint
‹ OVAL
‹ Rapid7 NeXpose
‹ SAP Security Audit
‹ Secure Computing SafeWord and Webwasher
‹ Snort
‹ Squid Web Proxy Server
‹ Sun ONE Directory and Web Servers
‹ Symantec AntiVirus Corporate Edition
‹ Symantec Gateway Security/Enterprise Firewall
‹ Symantec Intruder Alert
‹ Tenable Nessus
‹ Tripwire Manager

Database Connectors
Database connectors use SQL queries to periodically poll for events. ArcSight
SmartConnectors support major database types, including MS SQL, MS Access, MySQL,
Oracle, DB2, Postgres, and Sybase.

In addition to the native JDBC driver for each database type, database connectors allow
the use of a JDBC ODBC driver for databases that support them, such as MS SQL, Postgres,
and MS Access. To use a JDBC ODBC driver, a JDBC ODBC data source is required.

During installation, the installation wizard will ask for at a minimum the following
parameters:

‹ JDBC ODBC Driver

‹ JDBC ODBC Data Source
‹ Database User
‹ Database Password
The database user must have adequate permission to access and read the database. For
Audit database connectors, such as SQL Server Audit DB and Oracle Audit DB, system
administrator permissions are required.

In addition to connectors supporting event collection from a single database, some

database connectors support multiple database events such as the Microsoft SQL Server
Multiple DB connector. Others collect events from scanner databases, such as
SmartConnectors for McAfee FoundScan DB and Mazu Profiler.

ArcSight Confidential SmartConnector User’s Guide 103

9 Overview of SmartConnector Types

There are three major types of database connector:

Time-Based
Queries use a time field to retrieve events found since the most recent query time until
the current time.

ID-Based
Queries use a numerically increasing ID field to retrieve events from the last checked
ID until the maximum ID.

Job ID-Based
Queries use Job IDs that are not required to increase numerically. Processed Job IDs
are filed in such a way that only new Job IDs are added. Unlike the other two types of
database connector, Job IDs can run both in GUI or Interactive mode as well as in
Automatic mode.

Some of the database products currently supported by ArcSight SmartConnectors include:

‹ ActivCard AAA Server

‹ Application security AppDetective
‹ eEye REM Security Management Console
‹ eEye Retina Network Security Scanner
‹ Harris STAT Scanner (now Lumension Security)
‹ IBM Lotus Domino
‹ IBM SiteProtector
‹ Intrusion SecureNet Provider
‹ Mazu Profiler
‹ McAfee Desktop Firewall
‹ McAfee Entercept
‹ McAfee ePolicy Orchestrator
‹ McAfee ePO Asset Scanner
‹ McAfee FoundScan
‹ McAfee Host Intrusion Detection
‹ McAfee IntruShield
‹ Microsoft Operations Manager
‹ Microsoft SQL Server Audit
‹ NetIQ Security manager
‹ NFR Host Intrusion Detection
‹ Novell Nsure Audit
‹ Oracle Audit
‹ Oracle SYSDBA Audit
‹ PureSight Content Filter
‹ Qualys Vulnerability Scanner
‹ Quest InTrust
‹ Snort
‹ Symantec Critical System Protection

104 SmartConnector User’s Guide ArcSight Confidential

 9 Overview of SmartConnector Types

‹ Symantec Endpoint Protection

‹ Symantec Enterprise Security Manager
‹ Symantec ManHunt
‹ Symantec SESA
‹ Trend Micro Asset Scanner
‹ Trend Micro Control Manager
‹ Visionael ESP

Scanner Connectors
There are two types of scanner connector whose results are retained in a file, making them
log file connectors:

‹ XML files (such as Tenable Nessus, nCircle Audit, Qualys Scanner, and Rapid7
NeXpose)
‹ Text files (such as Tenable Nessus NSR, NetRecon NRD)
Other scanners deposit there events in a database per scan and are treated as database
connectors, requiring the same installation parameters as database parameters.

Scan reports or jobs are converted into base events that can be viewed on the ESM
Console, and aggregated meta events that are not shown on the console. Meta events
create assets, asset categories, open ports, and vulnerabilities on the ESM Console.

Scanner SmartConnectors run in either of two modes, automatic or interactive.

Interactive mode
Displays the scan reports or scan jobs that can be individually selected to be sent to
the connector. This mode is not supported for a connector running as a service.

Automatic mode
Checks periodically for any new reports deposited into the folder or any new jobs
inserted into the database, then processes them. This mode is supported for both
stand-alone applications and services.

Other than the operating mode, other parameters required for scanner installation depends
upon whether a file or database connector has been implemented. For file connectors, the
absolute path to and name of the log file is required. For database connectors, see
“Database Connectors” on page 103.

API Connectors
API connectors use a standard or proprietary API to pull events from devices. In most
cases, a certificate must be imported from the device to authenticate connector access to
the device. There are also a number of configuration steps required on the device side. For
example, Check Point devices require connection type configuration and importing a
certificate, Sourcefire eStreamer devices require adding a client, configuring a certificate,
configuring event types to be sent, and so on.

‹ During installation, the installation wizard will ask for the following types of
parameters, although each device's parameters are specific to its API:
‹ Device IP
‹ Service Port

ArcSight Confidential SmartConnector User’s Guide 105

9 Overview of SmartConnector Types

‹ Event types to be pulled

‹ Certificate information
‹ Information specific to the particular API
Some of the product APIs currently supported by ArcSight SmartConnectors include:

‹ CA eTrust SiteMinder
‹ Check Point Firewall and VPN OPSEC NG
‹ Cisco Secure IDS and IPS devices
‹ HP OpenView Operations MSI
‹ McAfee Entercept
‹ Microsoft Auditing Collection System
‹ QoSient ARGUS
‹ Solaris Basic Security Module (BSM)
‹ Solsoft Policy Server
‹ Sourcefire Defense Center eStreamer

SNMP Connectors
SNMP Traps contain variable bindings, each of which holds a different piece of information
for the event. They are usually sent over UDP to port 162, but the port can be changed.

SNMP connectors listen on port 162 (or any other configured port) and process the
received traps. They can process traps only from one device with a unique Enterprise OID,
but can receive multiple trap types from this device.

As with syslog connectors (because SNMP is based upon UDP), there is a slight chance of
events being lost over the network.

Parsers use the knowledge of the MIB to map the event fields, but, unlike some of the
other SNMP-based applications, the connector itself does not need the MIB to be loaded.

No parameters are required during connector installation for SNMP devices.

SNMP devices supported by ArcSight SmartConnectors include:

‹ Check Point Firewall-1

‹ Cisco PIX
‹ Enterasys Dragon
‹ HP ProCurve Ethernet Switch
‹ IBM Lotus Domino
‹ Intrusion SecureNet Provider
‹ nCircle IP360 Threat Monitor
‹ SANA Primary Response
‹ Securify SecurVantage
‹ Symantec Enterprise Firewall
‹ Symantec Intruder Alert
‹ Websense Web Security

106 SmartConnector User’s Guide ArcSight Confidential

 9 Overview of SmartConnector Types

Microsoft Windows Event Log Connectors

System administrators use the Windows Event Log for troubleshooting errors. Each entry in
the event log can have a severity of Error, Warning, Information. and Success or
Failure audit.

There are three default Windows Event Logs:

‹ Application log (tracks events that occur in a registered application)

‹ Security log (tracks security changes and possible breaches in security)
‹ System log (tracks system events)
There are three SmartConnectors for Microsoft Windows Event Log:

„ SmartConnector for Microsoft Windows Event Log – Unified, this connector

can connect to local or remote machines, inside a single domain or from multiple
domains, to retrieve and process security and system events.
„ SmartConnector for Microsoft Windows Event Log – Local, which collects
events from the Windows Event Log on your local machine.
„ SmartConnector for Microsoft Windows Event Log – Domain, which lets you
collect Microsoft Windows Event Log events from multiple remote machines and
forward them into the ArcSight system (such as multiple occurrences of the same
application installed on different machines in one domain).
For details about the local and domain connectors deployment, installation, and
configuration, see the SmartConnector Configuration Guide for Microsoft Windows Event
Log. For mappings, see ArcSight SmartConnector Mappings to Windows Security Events.

For details about the new Unified connector, see the SmartConnector Configuration Guide
for Microsoft Windows Event Log – Unified. Mappings for this connector are incorporated
into its configuration guide.

The SmartConnector for Microsoft Windows Event Log – Unified supports event collection
from Microsoft Windows XP, Server 2000, Server 2003, and beta support for Microsoft Vista
and Server 2008 platforms, as well as beta support for partial event parsing based upon
the Windows event header for all System and Application events as well as support for a
FlexConnector-like framework that enables users to create and deploy their own parsers for
parsing the event description for all System and Application events.

Some individual Windows Event Log applications are supported by the SmartConnector for
Microsoft Windows Event Log – Domain, for which Windows Event Log sub-connectors
have been developed. These sub-connectors have individual configuration guides that
provide setup information and mappings for the particular application. These sub-
connectors include:

‹ CA eTrust AntiVirus
‹ Microsoft Active Directory Service
‹ Microsoft WINS
‹ Oracle Audit
‹ RSA ACE Server
‹ Symantec Mail Security

ArcSight Confidential SmartConnector User’s Guide 107

9 Overview of SmartConnector Types

Syslog Connectors
Syslog messages are free-form log messages prefixed with a syslog header consisting of a
numerical code (facility + severity), timestamp, and host name. They can be installed as a
syslog daemon, pipe, or file connector. Unlike file connectors, a syslog connector can
receive and process events from multiple devices. There is a unique regular expression that
identifies the device.

„ Syslog Daemon connectors listen for syslog messages on a configurable port, using
port 514 as a default. It is the only syslog option supported for Windows platforms.
„ Syslog Pipe connectors require syslog configuration to send messages with a certain
syslog facility and severity. Solaris under-performs when using Syslog Pipe connectors.
The operating system requires that the connector (reader) open the connection to the
pipe file before the syslog daemon (writer) writes the messages to it.
When using Solaris and running the connector as a non-root user, using a Syslog Pipe
connector is not recommended. It does not include permissions to send an HUP signal
to the syslog daemon.

„ Syslog File connectors require syslog configuration to send messages with a certain
syslog facility and severity. For high throughput connectors, Syslog File connectors
perform better than Syslog Pipe connectors because of operating system buffer
limitations.
UNIX supports all three types of syslog connector. If a syslogd process is already running,
you can "kill" it or run the daemon connector on a different port.

Because UDP is not a reliable protocol, there is a slight chance of missing syslog messages
over the network. TCP is now a supported protocol for syslog connectors.

There is a basic syslog connector, the SmartConnector for UNIX OS Syslog, which provides
the base parser for all syslog sub-connectors.

„ For syslog connector deployment information, see the configuration guide for this
SmartConnector.
„ For device-specific configuration information and field mappings, see the
SmartConnector Configuration Guide for the specific device. Each syslog sub-
connector has its own configuration guide.
During connector installation, for all syslog connectors, choose Syslog Daemon, Syslog
Pipe, or Syslog File from the installer selections rather than the name of the syslog sub-
connector.

Syslog connectors include, but are not limited to, the following devices:

‹ AirDefense Enterprise
‹ AirMagnet Enterprise
‹ Alcatel
‹ Apache HTTP Server
‹ Arbor Peakflow
‹ Aruba
‹ Barracuda Spam Firewall
‹ Blue Coat Proxy SG
‹ BroadWeb NetKeeper

108 SmartConnector User’s Guide ArcSight Confidential

 9 Overview of SmartConnector Types

‹ Cisco AIRONET, CatOS, PIX/ASA/FWSM, Router, Secure ACS, VPN, and

CiscoWorks
‹ CyberGuard
‹ F5 BIG-IP
‹ Fortinet FortiGate
‹ Foundry BigIron
‹ HoneyD
‹ iPolicy Intrusion Prevention Firewall
‹ InterSect Alliance SNARE
‹ Juniper M Series, NetScreen IDP, NetScreen Firewall, NetScreen VPN
‹ Lancope Stealthwatch
‹ McAfee IntruShield and Secure Internet Gateway
‹ Microsoft IIS
‹ Mirage CounterPoint Appliance
‹ MessageGate
‹ Nagios
‹ NetContinuum
‹ Newbury WiFi Watchdog
‹ NitroSecurity
‹ Nortel VPN
‹ Oracle Audit
‹ Packet Alarm
‹ Radware DefensePro
‹ RSA ACE Server
‹ SaberNet NTsyslog
‹ Secure Computing Gauntlet, IronMail, and Sidewinder
‹ Sendmail
‹ SonicWall
‹ Sourcefire/Snort
‹ Stonesoft StoneGate
‹ Symantec Endpoint Protection, Mail Security, ManHunt, and Network Security
‹ TippingPoint
‹ TopLayer Attack Mitigator NG
‹ Tripwire Enterprise
‹ Type80
‹ Vormetric CoreGuard

Flex Connectors
ArcSight FlexConnectors allow you to create custom SmartConnectors that can read and
parse information from third-party devices and map that information to ArcSight’s event
schema. When creating a custom SmartConnector, you define a set of properties (a

ArcSight Confidential SmartConnector User’s Guide 109

9 Overview of SmartConnector Types

configuration file) that identify the format of the log file or other source that will be
imported into the ArcSight Manager or ArcSight Logger.

Use of this SmartConnector option requires the FlexConnector Developer’s

Kit.

The following is a list of available FlexConnectors

‹ Log file FlexConnector for reading fixed-format log files

‹ Regular expression FlexConnector for reading variable-format log files
‹ Regular expression FlexConnector for recursively reading variable-format log files
in a folder
‹ Time-based and ID-based database FlexConnectors for reading the latest security
events from a database
‹ Multi-database FlexConnector for reading events from multiple databases
‹ Simple Network Management Protocol FlexConnector for gathering events from
SNMP traps
‹ Syslog FlexConnector for reading events from Syslog messages
‹ Extensible Markup Language (XML) FlexConnector for recursively reading events
from XML-based files in a folder
‹ Scanner FlexConnector to import the scan results from a scanner device

Other Connectors
Some connectors use multiple mechanisms. For example, the SmartConnector for Oracle
Audit monitors both the database tables and audit files. Other examples of connectors with
multiple mechanisms include:

NetFlow
Retrieves data over TCP in a Cisco-defined binary format.

ArcSight Streaming Connector

Retrieves data over TCP from ArcSight Logger in an ArcSight-proprietary format.

110 SmartConnector User’s Guide ArcSight Confidential

 Appendix A
Payload Support

Payload support is available with current SmartConnector versions. Payload refers to the
information carried in the body of an event's network packet, as distinct from the packet's
header data.

The following topics are discussed in this appendix:

“Introduction” on page 111

“Working with Payload Data” on page 111

Introduction
Extra information can be retrieved by using the on-demand payload feature on the ArcSight
ESM Console. Click on any of the vulnerability events sent by the SmartConnector and you
will see in the Event Inspector that Payload data is available; click on the Payload tab and
you can see additional information including Description and Recommendation. For
services events, you will receive Description and Detail.

You can retrieve, preserve, view, or discard payloads using the ArcSight Console. Because
event payloads are relatively large, ArcSight does not store them by default. Instead, you
can request payloads from devices for selected events through the Console. If the payload
is still held on the device, the ArcSight SmartConnector retrieves it and sends it to the
Console.

Payloads are downloaded and stored only on demand; you must configure ArcSight ESM to
log these packets. By default, 256 bytes of payload are retrieved.

Whether an event has a payload to store is visible in event grids. Unless you specifically
request to do so, only the event's "payload ID" (information required to retrieve the
payload from the event source) is stored. Payload retention periods are controlled by the
configuration of each source device.

Working with Payload Data

The first step in handling event payloads is to be able to locate payload-bearing events
among the general flow of events in a grid view. In an ArcSight Console Viewer panel grid
view, right-click a column header and select Add Column <Device> Payload ID. Look
for events showing a Payload ID in that column.

To retrieve payloads, in a Viewer panel grid view, double-click an event with an associated
payload. In the Event Inspector, click the Payload tab, then click Retrieve Payload.

ArcSight Confidential SmartConnector User’s Guide 111

A Payload Support

To preserve payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Preserve. Alternatively, in the Event Inspector, click the Payload tab, then
the Preserve Payload icon.

To discard payloads, in a grid view, right-click an event with an associated payload, select
Payload, then Discard Preserved. You also can use the Event Inspector: In a grid view,
double-click an event with an associated payload. In the Event Inspector, click the Payload
tab, then click the Discard Preserved Payload icon.

To save payloads to files, in a grid view, double-click an event with an associated payload.
In the Event Inspector, click the Payload tab. Click the Save Payload icon. In the Save
dialog box, navigate to a directory and enter a name in the File name text field. Click
Save.

112 SmartConnector User’s Guide ArcSight Confidential

 Appendix B
Capturing Events from
SmartConnectors

The information in this appendix applies only to SmartConnectors used with ArcSight ESM
v4.0. The following topics are discussed:

“Summary” on page 113

“Installation” on page 113
“Event Data Rotation” on page 114

Summary
This appendix explains how to capture events a SmartConnector normally would send to
the ArcSight ESM Manager into a file. This is an advanced topic; typical ArcSight
configurations do not require the use of external files to communicate events to the
ArcSight ESM Manager.

Event data is written to a file in Excel-compatible comma-separated values (CSV) format,

with comments prefixed by ‘#.’ A SmartConnector can be configured to preface the data
with a comment line that describes the fields found on a subsequent line. A typical event
file might look like this:

#event.eventName,event.attackerAddress,event.targetAddress

"Port scan detected","1.1.1.1","2.2.2.2"

"Worm ""Code red"" detected","1.1.1.1","2.2.2.2"

"SQL Slammer detected","1.1.1.1","2.2.2.2"

"Email virus detected","1.1.1.1","2.2.2.2"

Event data is written to files in the specified folder and can be configured to rotate
periodically.

Installation
To create a SmartConnector that logs security events in a CSV file rather than forwarding
them to an ArcSight ESM Manager:

1 Run the SmartConnector Installation Wizard.

ArcSight Confidential SmartConnector User’s Guide 113

B Capturing Events from SmartConnectors

2 When the wizard asks whether the Manager is using a demo certificate, click the
Cancel button.

3 When asked for confirmation that you are exiting early, click Yes.

4 Use a text program to create a new file named agent.properties in the directory
$ARCSIGHT_HOME\current\user\agent\.

This file need contain only the following line:

transport.default.type=file

5 Return to the SmartConnector Installation Wizard by opening a command window in

the $ARCSIGHT_HOME\current\bin directory and entering arcsight
connectorsetup. When queried whether to use Wizard mode, click Yes.

6 At the point where the SmartConnector Configuration Wizard ordinarily asks about the
Manager certificate, a new window is displayed that contains parameters for the CSV
file transport.

Enter the following values for these parameters:

Parameter What to enter or select

CSV Path The path to the output folder. If it does not exist, the folder is
created.

Fields A comma-delimited list of field names to be sent to the CSV file.

Field names are in the form event.targetPort.

File rotation The desired file rotation interval, in seconds. The default is 3,600
interval (one hour).

Write format Select true to send a header row with labels for each column, as
header described above.

After you enter the file trans port parameters and click Continue, the SmartConnector
Configuration Wizard proceeds as usual.

Event Data Rotation

Events are appended to the current file until the rotation time interval expires, at which
time a new current file is created and the previous current file is renamed. One hour is a
typical rotation time interval.

Event files are named using the timestamp of their creation, and all files, with the
exception of the current file, have the text '.done' appended. For example, a typical CSV
file set configured to rotate every hour might consist of files named in this manner:

2007-01-28-10-55-33.csv

2007-01-28-09-55-33.csv.done

2007-01-28-08-55-33.csv.done

Using the properties file, you can customize the configuration of your CSV SmartConnector
to filter and aggregate events as desired.

You also can configure a SmartConnector to send events to a CSV file and an ESM Manager
at the same time.

114 SmartConnector User’s Guide ArcSight Confidential

 Appendix C
ArcSight Update Packs (AUP)

This appendix details the different ArcSight Update Packs (AUPs) used in updating content
to and from the ArcSight Manager and ArcSight SmartConnectors. AUP files may contain
information that applies to SmartConnectors or ESM related updates.

The following topics are discussed in this appendix:

“Defining an AUP” on page 115

“ArcSight Content AUPs” on page 115
“ArcSight Connector Upgrade AUP” on page 116
“ESM Generated AUPs” on page 118

Defining an AUP
AUP files provide a way to collect a set of files together and update ArcSight resources as
well as distribute parsers to ArcSight SmartConnectors.

For some AUPs, ArcSight provides downloadable packages of new content available to
subscribing customers. You can obtain a content subscription through ArcSight Sales or
Customer Support. Subscribers also have access to related articles in the ArcSight
Customer Support Center's Knowledge Base.

The download files are offered through a special subdirectory on the ArcSight software
server. The directory is visible only to subscribers, who receive a notification e-mail from
ArcSight Customer Support when files are posted.

ArcSight Content AUPs

ArcSight continuously develops new SmartConnector event categorization mappings, often
called "content." This content is packaged in ArcSight Update Packs (AUP) files.

All existing content is included with major product releases, but it is possible to stay
completely current by receiving up-to-date, regular content updates via Arcsight
announcements and the Customer Support website
(https://software.arcsight.com). Under "Content Subscription Downloads", the
files are located in "RELEASE3.X".

Content updates (ArcSight-xxxx-ConnectorContent.aup) are provided by ArcSight

and contain data that is then transferred to registered connectors. An AUP can provide
updates for:

1 Event categorizations (Category Behavior, Category Object, etc.)

ArcSight Confidential SmartConnector User’s Guide 115

C ArcSight Update Packs (AUP)

2 Default zone mappings (what IP maps to which zone by default)

3 OS mappings (when a network is scanned, where the asset is created)

As shown below, the method of uploading an AUP varies depending on the ArcSight
product.

ArcSight ESM
As an ArcSight customer, you will receive an e-mail notification about content updates from
ArcSight support. To update,

1 Download the latest AUP release from the Customer Support website
(https://software.arcsight.com).

2 Copy the .aup file to ARCSIGHT_HOME\updates\ onto a running ArcSight ESM

Manager. SmartConnectors registered to this ESM automatically download the .aup
and, once completed, an audit event is generated.

ESM/Logger
A SmartConnector can send events to ArcSight ESM and Logger simultaneously. In this
configuration, it’s helpful to use the AUP Master Destination feature. AUP Master
Destination allows ESM to push AUP content to the SmartConnector used for its Logger
destination(s). Logger is not capable of storing or pushing its own AUP content.

1 Using the SmartConnector Configuration Wizard, add the ESM destination and set the
AUP Master Destination parameter to true (the default is false).

2 If you have not already done so, you can also add the Logger destination.

3 Copy the .aup file to ARCSIGHT_HOME\updates\ on the running ArcSight ESM

Manager you added in step 1.

The AUP content is pushed from ESM to the SmartConnector, which then sends an internal
event to confirm. Since the AUP Master Destination flag was set for the ESM destination,
that AUP content is used by the SmartConnector for Logger or any other non-ESM
destinations.

The AUP Master Destination flag should be set to true for only one ESM
destination at a time. If more than one ESM destination is set and the flag is
true for more than one, only the first is treated as master.

Failover ESM destinations cannot be AUP Masters.

Logger
Logger has no facility to store or forward AUPs to SmartConnectors.

Connector Appliance
Connector Appliance does not support automatic deployment of an AUP. This feature will
be included in future releases. Please call customer support for assistance.

ArcSight Connector Upgrade AUP

ArcSight ESM
1 Download the latest AUP release from the Customer Support website (at
https://software.arcsight.com).

116 SmartConnector User’s Guide ArcSight Confidential

 C ArcSight Update Packs (AUP)

2 Copy the .aup file to ARCSIGHT_HOME\updates\ onto a running ArcSight ESM

Manager. SmartConnectors registered to this ESM automatically download the .aup
and, once completed, an audit event is generated.

3 From the ArcSight Console, select connectors to be upgraded (one at a time) and
launch the upgrade command for each of them.

4 Upon receipt of the upgrade command, the selected connectors upgrade themselves,
restart, and send upgrade results (success or failure) back to the ArcSight Console
through the ArcSight Manager.

a If the upgrade is successful, the new connector starts and reports a successful
upgrade status. (The upgraded connector runs in the same home directory as the
old one.)

b If the upgraded connector fails to start, the original connector restarts

automatically as a fail-over measure. (This is essentially an automatic rollback,
and re-start).

Connector Appliance
Uploading an AUP through Connector Appliance is performed through it’s web-based user
interface. From the Advanced Operations tab, the Connector Upgrade Repository
displays upgrades that have been uploaded using the Connector Upgrade command.

To upload .aup updates,

1 Download the latest AUP release from the Customer Support website (at
https://software.arcsight.com).

2 From the Advanced Operations tab, click Upgrade, and then click the Upgrade
Repositories sub-tab.

3 Click Upload to browse to the downloaded .aup file.

4 Click the Submit button.

The next step is to push this upgrade to one or more containers. To push the upgrade
.aup to a container(s),

1 Click the Upgrade Connectors sub-tab.

2 Click the check box for container(s) that you wish to upgrade.

3 Click the Upgrade button.

4 From the drop down menu, select the appropriate upgrade.

5 Click Save.

The file you updated should now appear in the list.

For more detailed information about Connector Appliance, see the Connector Appliance
Administrator's Guide.

ArcSight Confidential SmartConnector User’s Guide 117

C ArcSight Update Packs (AUP)

ESM Generated AUPs

Some AUPs are generated by ESM itself for internal maintenance and operation.

User Categorization Updates

User Categorization Updates (user-
categorizations_user_supplied_00000000001300014581.aup) are generated
by ESM when a user modifies the way an event is categorized through the ArcSight Console
tools. These updates are then transferred to the registered connectors to update the way
the newly sent events will be categorized. This is generally used for categorizing custom
signatures for which ArcSight does not provide categorization.

System Zones Updates

System Zones updates (system-zone-mappings_00000000000000000001.aup) are
generated by ESM when a change to the ArcSight System zones is detected, then
transported to the necessary connectors. It contains the new System-Zone mappings so
incoming events are attached to the correct zones or assets in ESM.

As System Zones are always present, all SmartConnectors connected to ESM routinely
receive them as an AUP.

User Zones Updates

User Zones updates (user-zone-
mappings_3RxkkOxYBABDRZlZyr6nrWg==_00000000001700001895.aup) are
generated by ESM when a change to a user-created zone configuration is detected, then
transported to the necessary connector. It contains the new zone mappings so that
incoming events are attached to the correct zones or assets in ESM.

118 SmartConnector User’s Guide ArcSight Confidential

 Appendix D
SmartConnector Frequently
Asked Questions

What if my device is not one of the listed SmartConnectors?

„ ArcSight offers an optional feature called the FlexConnector Development Kit (SDK),
which can assist you in creating a custom SmartConnector for your device.
„ ArcSight can create a custom SmartConnector; contact ArcSight Customer Support for
more information.
My device is on the list of supported products; why doesn't it appear in the
SmartConnector Configuration Wizard?

SmartConnectors are installable based upon the operating system you are using. If your
device is not listed, either it is not supported by the operating system on which you are
attempting to install, or your device is served by a Syslog server and is, therefore, a syslog
sub-connector. To install a Syslog SmartConnector, select Syslog Daemon, Syslog Pipe,
or Syslog File during the installation process.

Why isn't the SmartConnector reporting all events?

Check that event filtering and aggregation setup is appropriate for your needs.

Why are some event fields not showing up in the Console?

Check that the two separate turbo modes for the SmartConnector and the ArcSight ESM
Manager are compatible for the specific SmartConnector resource. If the Manager is set for
a faster turbo mode than the SmartConnector, some event details will be lost. See
"“Understanding ArcSight Turbo Modes” on page 17 for detailed information.

Why isn't the SmartConnector reporting events?

Check the SmartConnector log for errors. Also, if the SmartConnector cannot communicate
with the Manager, it caches events until its cache is full. A full cache can result in the
permanent loss of events.

How can I get my database SmartConnector to start reading events from the
beginning?

If it is a FlexConnector for Time-Based DB, set the following parameter in agent.properties:

agents[0].startatdate=01/01/1970 00:00:00

If it is an FlexConnector for ID-Based DB, set the following parameter in agent.properties:

agents[0].startatid=0

ArcSight Confidential SmartConnector User’s Guide 119

D SmartConnector Frequently Asked Questions

When events are cached and the connection to the Manager is re-established,
which events are sent?

Events are sent with a 70% live and 30% cached events ratio. If live events are not arriving
quickly, the percentage of cached events can be higher. This can reach 100% if there are
no live events.

Also, if the settings dictate that certain event severities are not sent at the time connection
is restored, those events are never sent. This is true even if they were originally generated
(and cached) at a time when they would ordinarily go out.

Why does the status report the size of the cache as smaller than it should be?
For example, I know that a few events have been received by the
SmartConnector since the Manager went down, yet the report marks events as
zero.

Some of the events are in other places in the system, such as the HTTP transport queue.
Shut down the SmartConnector and look at the cache size in the .size.dflt file to confirm
that the events are really still there.

Why does the estimated cache size never change in some SmartConnectors?
Why is the estimated cache size negative in others?

The estimated cache size is derived from a size file that gets read at startup and written at
shutdown. If the SmartConnector could not write the size at shutdown (for example, due to
an ungraceful shutdown, disk problem, or similar problem) the number could be incorrect.
Newer versions will attempt to rebuild this cache size if they find it to be incorrect, but
older builds do not.

One solution is to:

1 Stop the SmartConnector.

2 Delete the size file (a file with extension .size under

current\user\agent\agentdata.

3 Re-start the SmartConnector.

The SmartConnector detects that there is no size file and re-builds the cache size by
reading all the cache files.

Can the SmartConnector cache reside somewhere other than....

/user/agent/agentdata?

You can change the folder to contain the SmartConnector cache by adding the following
property in agent.properties:

agentcache.base.folder=<relative-folder-path>

where <relative-folder-path> is the path of the folder relative to

$ARCSIGHT_HOME.

Why is my end time always set to an earlier date and time?

ArcSight Manager performs auto time correction for older events. If the end time is older
than your retention period, it is set automatically to that lower bound. A warning is
displayed and an internal event with the same message is sent to you.

120 SmartConnector User’s Guide ArcSight Confidential

 D SmartConnector Frequently Asked Questions

Do our Syslog SmartConnectors support forwarded messages from KIWI or

AIX?

Yes.

The property related to KIWI is

syslog.kiwi.forwarded.prefix=KiwiSyslog Original Address

Kiwi adds a prefix with the original address. For example, the message:

Jan 01 10:00:00 myhostname SSH connection open to 1.1.1.1

is converted to

Jan 01 10:00:00 myhostname KiwiSyslog Original Address

myoriginalhost: SSH connection open to 1.1.1.1

The SmartConnector strips out the prefix and uses myoriginalhost as the Device
Host Name.

The property related to AIX is

syslog.aix.forwarded.prefixes=Message forwarded from,Forwarded

from

Similar actions are performed for messages forwarded using AIX.

What does the T mean in the periodic SmartConnector status lines?

"T" is shorthand for "throughput(SLC)." The following lines are in

agent.defaults.properties:

status.watermark.stdoutkeys=AgentName,Events
Processed,Events/Sec(SLC),Estimated Cache
Size,status,throughput(SLC),hbstatus,sent
status.watermark.stdoutkeys.alias=N,Evts,Eps,C,ET,T,HT,S

The SLC stands for Since Last Check, which means "in the last minute," assuming
status.watermark.sleeptime=60 has not been overridden.

The throughput (SLC) status is returned by the AgentHTTPEventTransport class.

What do EVTS AND EPS refer to?

EVTS is an acronym for Events Processed and EPS is an acronym for Events/Sec(SLC).

These values are calculated by the SimpleObjectCounter.getStatus method, although the

class is actually instantiated as the SimpleEventCounter subclass.

Does a file reader SmartConnector reading files over a network share display
errors when the network share is disconnected? How can I recognize which
error message refers to which file in agent.log and agent_out_wrapper.log?

If the network share is a Linux/UNIX NFS mount or a Windows network mapped drive, the
file reader SmartConnector displays errors in the agent log.

If files are being read using a Windows UNC path that does not require network mapping,
the file reader SmartConnector cannot detect a network connection loss.

ArcSight Confidential SmartConnector User’s Guide 121

D SmartConnector Frequently Asked Questions

Error messages related to file access contain the file name, but error messages related to
log line parsing do not.

Are log files accessed sequentially or in parallel?

This depends upon the SmartConnector you are using. Some log file connectors process
files sequentially and others process log files in parallel.

After reading a log file, can a SmartConnector move them using NFS?

Yes. Folder Follower connectors can rename or move the files using NFS, as long as the
folders containing the log files give the correct permissions for the SmartConnector.

My SmartConnector must read log files from a remote machine through a

network share. How can I do this?

To establish a network share to a remote machine, you can use network mapping on
Windows platforms, and NFS or Samba mounting on Linux/UNIX platforms.

If you are running the SmartConnector as a Windows service, access privileges to the
network share are required. To access the user name and password panel:

1 From the Start menu, select Control Panel.

2 Double-click Administrative Tools.

3 Double-click Services.

4 Right-click the name of the appropriate SmartConnector and select Properties.

5 Click the Log on tab, and enter the user name and password for the user with access
permissions to the file share. Specify the file path using UNC notation, not as a
network mapped drive.

How do you disable the DOS Protector component?

To disable the component, add the following property to agent.properties:

agent.mainevent.component.com.arcsight.agent.loadable._DOSProtecto
r.enabled=false

What is the maximum event rate per SmartConnector?

These rates are subjective and depend upon the system resources, number of devices,
number of events, and so on. ArcSight recommends limiting each SmartConnector to 500
eps to allow for growth.

Is there any limitation on performance relating to EPS?

These limitations are subjective and depend upon system resources, number of devices,
number of events, and so on.

How many log files can a SmartConnector access at one time?

The SmartConnector can access as many log files as it is configured with. The folders are
processed in parallel.

122 SmartConnector User’s Guide ArcSight Confidential

 D SmartConnector Frequently Asked Questions

What is the recommended maximum number of SmartConnectors per ArcSight

ESM Manager?

There is no hard and fast maximum. The Manager has a restriction of 64 concurrent
SmartConnector threads by default. The more threads you add, the more it affects
performance, because there is more thread context-switching overhead. The general
recommendation is to definitely stay lower than the triple-digit range.

How can I determine the hardware requirements for my SmartConnector box?

If enough memory is available (256 MB per SmartConnector by default plus at least 256 MB
for the operating system), SmartConnectors are usually CPU bound. Therefore, the number
of SmartConnectors you can install on a single box depends upon the number of events per
second that all the SmartConnectors are to process.

It also depends upon how many eps' the combined SmartConnectors will be processing.
For example, if you have the Check Point, RDEP, and Syslog SmartConnectors and, when
combined, they process fewer than 500 eps, a dual Pentium IV with 2GB Ram would be
enough (and it would let you process bursts of about 2-times if needed, amounting to 1000
eps).

However, the SmartConnector for Check Point itself, for example, could easily go beyond
1000 eps. If that is the case with one or more of the SmartConnectors, you most likely
need at least two SmartConnector boxes; one for a SmartConnector that goes beyond 1000
eps, and another one for RDEP and syslog. RDEP usually is under 100 eps, but syslog can
go anywhere from 10 eps to more than 1000 eps; you need to know the expected volume
before sizing the hardware.

An easy rule of thumb is to limit each SmartConnector to 500 eps, which should give you
some room to grow.

ArcSight Confidential SmartConnector User’s Guide 123

D SmartConnector Frequently Asked Questions

124 SmartConnector User’s Guide ArcSight Confidential