Smartconnector™ Configuration Guide: Arcsight™ Forwarding Connector V5.1.2.5857 For Arcsight Esm™

SmartConnector™
Configuration Guide
ArcSight™ Forwarding Connector
v5.1.2.5857
for ArcSight ESM™
May 2011
SmartConnector™ Configuration Guide
Copyright © 2001-2011 ArcSight, LLC. All rights reserved.

ArcSight and the ArcSight logo are registered trademarks of ArcSight in the United States and in some other
countries. Where not registered, these marks and ArcSight Console, ArcSight ESM, ArcSight Express,
ArcSight Manager, ArcSight Web, ArcSight Enterprise View, FlexConnector, ArcSight FraudView, ArcSight
Identity View, ArcSight Interactive Discovery, ArcSight Logger, ArcSight NCM, SmartConnector, ArcSight
Threat Detector, ArcSight TRM, and ArcSight Viewer, are trademarks of ArcSight, LLC. All other brands,
products and company names used herein may be trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements:
http://www.arcsight.com/copyrightnotice
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is ArcSight Confidential.
Revision History
Date Product Version Description
08/02/2011 5.1.2.5857 Added support for HP OMi.
Document template version: 1.0.5
ArcSight Customer Support
Phone 1-866-535-3285 (North America)

+44 (0)870 141 7487 (EMEA)
E-mail support@arcsight.com
Support Web Site http://www.arcsight.com/supportportal/
Protect 724 Community https://protect724.arcsight.com

Contents
Product Overview ............................................................................................................ 5

What’s New .................................................................................................................... 5
The ArcSight Source Manager ........................................................................................... 6
Sending Events to an ArcSight Destination Manager ....................................................... 6
Sending Events to ArcSight Logger .............................................................................. 6
Sending Events to a Non-ESM Location ........................................................................ 7
Standard Installation Procedures ....................................................................................... 7
Installing ArcSight ESM .............................................................................................. 8
Assigning Privileges on the Source Manager ........................................................... 8
Forwarding Correlation Events .............................................................................. 9
Increasing the FileStore size (Enhanced version only) ............................................ 11
Installing the Forwarding Connector .......................................................................... 12
Uninstalling a Connector ................................................................................................ 13
Upgrading a Connector .................................................................................................. 13
Rolling Back a Connector ................................................................................................ 14
Forwarding Events to an ArcSight Manager ....................................................................... 15
Forwarding Events to ArcSight Logger .............................................................................. 19
Forwarding Events to NSP Device Poll Listener .................................................................. 20
Forwarding CEF Syslog Events ........................................................................................ 21
Forwarding Events to a CSV File ...................................................................................... 22
Forwarding Events to McAfee ePolicy Orchestrator ............................................................. 23
Installing the Microsoft SQL Server 2005 Driver for JDBC ............................................. 24
ArcSight Event to McAfee CEF Mappings ............................................................... 25
Configuring Multiple Destinations ..................................................................................... 26
The ArcSight Source Manager ......................................................................................... 29
Supported Versions of HP OM .......................................................................................... 30
HP OM and Correlation Events .................................................................................. 30
Installing the Connector ................................................................................................. 30
Creating an SNMP Interceptor (Policy) .............................................................................. 34
Uploading Interceptor Template ...................................................................................... 35
Using Operations Manager for Windows ...................................................................... 35
Using Operations Manager for Linux .......................................................................... 35
Deploying the Policy ...................................................................................................... 35
Adjusting the Event Processing Rate ................................................................................ 36
ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight™ Forwarding Connector 3

What is FIPS? ............................................................................................................... 37
ArcSight ESM Installation ............................................................................................... 37
FIPS-Enabled Forwarding Connector Installation ................................................................ 38
Enable FIPS Suite B Support ........................................................................................... 43
Using Logger in FIPS Mode ............................................................................................. 43
4 SmartConnector™ Configuration Guide for ArcSight™ Forwarding Connector ArcSight Confidential

Chapter 1
Overview and Installation
This chapter provides information for installing an ArcSight Forwarding Connector for event
collection from an ArcSight Manager installation. The following topics are discussed.
“Product Overview” on page 5

“What’s New” on page 5
“The ArcSight Source Manager” on page 6
“Standard Installation Procedures” on page 7
“Uninstalling a Connector” on page 13
“Upgrading a Connector” on page 13
“Rolling Back a Connector” on page 14
The ArcSight Forwarding Connector is supported on Windows, Linux, Solaris, and AIX
platforms.
ArcSight recommends using the Forwarding Connector installer included with the
corresponding ESM release. The Forwarding Connector is released as part of the ESM
release; however, its build version might not match that of other ESM components within
the release.
Product Overview
The ArcSight Forwarding Connector lets you receive events from a source Manager
installation and send them to a secondary destination Manager, a non-ESM location or to
an ArcSight Logger.
What’s New
The ArcSight Forwarding Connector now has compatibility with the HP Operations
Manager (HP OM), providing event and performance management of enterprise
systems, applications, and services. For details on using this destination, Chapter 3‚
Configuration for HP Operations Manager‚ on page 29.
THe HP OM destination is not FIPS compatible.
ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight Forwarding Connector 5

1 Overview and Installation
The ArcSight Source Manager

The Source Manager is the installation from which events originate on a network using the
ArcSight Forwarding Connector. The Forwarding Connector sends on (or “forwards”) events
to a destination Manager, a non-ESM location or a Logger appliance.
The Source Manager must be of the same version as the Destination Manager.
With data originating from an ArcSight Source Manager, the ArcSight Forwarding Connector
provides various destination options for forwarding events, including:
 An ArcSight destination Manager

 ArcSight Logger
 NSP Device Poll Listener
 CEF Syslog
 A CSV file
 McAfee ePolicy Orchestrator v4.0 or v4.5
 HP Operations Manager
Sending Events to an ArcSight Destination Manager

The ArcSight Forwarding Connector logs into the source Manager and then forwards events
to a destination Manager. For detailed configuration instructions, see “Forwarding Events to
an ArcSight Manager” on page 15.
The Destination Manager must be of the same version as the ource Manager.
Sending Events to ArcSight Logger

ArcSight Logger is a hardware storage solution optimized for extremely high event
throughput. A typical use for Logger is to collect firewall data and then forward a subset of
that data to an ArcSight Manager for realtime monitoring and correlation. Arcsight Logger
now supports the Federal Information Processing Standard 140-2 (FIPS 140-2). See “Using
Logger in FIPS Mode” on page 43 for details.
SmartMessage is an ArcSight technology that provides a secure channel between

ArcSight SmartConnectors and Logger. SmartMessage provides an end-to-end encrypted
secure channel. One end is an ArcSight SmartConnector that receives events from the
many devices supported by ArcSight SmartConnectors, and the other is a SmartMessage
Receiver housed on the Logger appliance.
Before configuring the Forwarding Connector that sends events to the Receiver, you need
to create a Receiver of type SmartMessage. After you create this Receiver, you can
configure the SmartConnector to send events to Logger.
For information on configuring a Forwarding Connector to forward events to Logger, see

“Forwarding Events to ArcSight Logger” on page 19.
6 SmartConnector™ Configuration Guide for ArcSight Forwarding Connector ArcSight Confidential

Refer to the ArcSight Logger Administrator's Guide for complete instructions about:
 Receivers
 Configuring a SmartConnector to Send Events to Logger
 Configuring SmartConnectors to Send Events to Both Logger and a Manager
 Sending Events from ArcSight ESM to Logger
 Using Logger in FIPS mode
Sending Events to a Non-ESM Location

The ArcSight Forwarding Connector logs into the source Manager and then forwards events
to a non-ESM location.
When configuring the Forwarding Connector to send events to a non-ESM destination, you
might encounter a problem with certificate validation during connector setup. Make sure
that the demo CA is added to the client trust store to validate the Manager's demo
certificate.
To make sure the demo CA is added to the client trust store:

1 Install the connector as usual, but stop at the screen that prompts you to select a
destination type.
2 After the screen prompting you to select the destination type is displayed, run the
following command from the $ARCSIGHT_HOME\current\bin directory
arcsight connector tempca -ac
3 Return to the wizard and complete the installation.
For detailed configuration instructions on forwarding events to NSP, see Chapter 2‚

Forwarding Events to NSP Device Poll Listener‚ on page 20.
For detailed configuration instructions on forwarding CEF Syslog events, see Chapter 2‚
Forwarding CEF Syslog Events‚ on page 21.
For detailed configuration instructions on forwarding events to a .csv file, see Chapter 2‚
Forwarding Events to a CSV File‚ on page 22.
For detailed configuration instructions on forwarding events to McAfee ePolicy Orchestrator

(ePO), see Chapter 2‚ Forwarding Events to McAfee ePolicy Orchestrator‚ on page 23.
Use of ePO requires installation of MS SQL Server 2005 for JDBC driver. For
instructions on downloading, see “Installing the Microsoft SQL Server 2005
Driver for JDBC” on page 24.
For detailed configuration instructions on forwarding events to HP Operations Manager (HP

OM), see Chapter 3‚ Configuration for HP Operations Manager‚ on page 29.
Standard Installation Procedures

This section describes the standard installation procedures for the ArcSight Forwarding
Connector.

Installing ArcSight ESM

Before you install the ArcSight Forwarding Connector, make sure that ArcSight ESM has
already been installed correctly. Review the ArcSight Installation and Configuration Guide
before attempting a new ArcSight Forwarding Connector installation.
To ensure a successful ArcSight ESM installation:

1 Make sure that the ArcSight Manager, Database, and Console are installed correctly.
2 Run the ArcSight Manager; the ArcSight Manager command prompt window or
terminal box displays a Ready message when the Manager has started successfully.
You can also monitor the server.std.log file located in
ARCSIGHT_HOME\current\logs.
3 Run the ArcSight Console. Although not necessary, it is helpful to have the ArcSight
Console running when installing the SmartConnector to verify successful installation.
Before you install the SmartConnector, make sure you have the following available:
 Local access to the machine where the SmartConnector is to be installed

 Administrator passwords
Assigning Privileges on the Source Manager

Before installing the ArcSight Forwarding Connector, you need to create a Forwarding
Connector account on the source Manager. After doing this, you can assign filters for
incoming events.
To assign privileges in the Manager:

1 Run the ArcSight Console on the ArcSight Source Manager.
2 From the Navigator Resources tab, choose Users from the drop-down menu.
3 Create a user group under the Custom User Group.
4 Under the group created in step 3, create a user account of user type Forwarding
Connector, as shown below.
5 Returning to the Navigator Resources tab, right-click your chosen user group.

6 From the resulting menu, choose Edit Access Control.
7 From the Inspect/Edit window, click the Events tab under the new user type and
assign the proper filters.
For detailed instructions on assigning filters and other Arcsight Console functions, refer to
the Administrator's Guide for your ESM version.
Forwarding Correlation Events

The ArcSight Forwarding Connector can forward events based upon the ACL assigned to
the User Group on the source Manager. The connector can be configured to allow
forwarding of ArcSight correlation events from the source Manager to the target (or

destination) Manager. The ACL can also be configured to allow for viewing of the detailed
chain of the forwarded correlation event, including the original correlated event.
HP OM users commonly require only correlated events to be pulled from ESM.

In such cases, HP OM users can specify the selection of correlated events. To
allow for only correlated events and restrict the pulling of base events,
configure ESM to pull correlated events, then allow the forwarding of
correlated events, as described below. These steps should be performed in
sequence, then restart the source Manager.
The following steps should be performed in sequence, then restart the source Manager.
Configuring to Pull Correlated Events

To configure the source Manager to send both correlation events and on-demand
correlated events to the destination Manager, the ACL must contain two separate filters:
 Filter 1, provided with the latest version of ArcSight ESM:

/All Filters/ArcSight System/Event Types/ArcSight Correlation
Events
 Create Filter 2 containing the following conditions:

 Event Annotation Flags ContainsBits correlated
 Both filters need to be applied to the Event Permissions of the User Group ACL to
be able to extract correlated events from the correlation events that are
forwarded to the target Manager.
Correlated events pulled on-demand are for viewing only. They are not
persisted in the destination Manager.
Configuring to Allow Forwarding of Correlated Events

The Forwarding Connector can also be configured to automatically pull and forward
correlated events irrespective of the User Group ACL. Only one forwarding connector per
Manager can be configured to work in this mode. This configuration can aid in hierarchical
deployment scenarios in which you need to automatically forward correlated events for
further correlation and reporting on the destination Manager.
The source Manager keeps track of the events that have been previously forwarded by
using the “Forwarded” annotation, disallowing duplicates.
To configure the source Manager to send both correlation events and correlated events
automatically, you must specify the container ID. The container ID consists of two
elements, the entityid and the userid. To begin the configuration, you must locate these
two elements and combine them within the server.properties file.

1 To find the entityID, go to $AGENT_HOME/user/agent/agent.properties and

search for agents[0].entityid. Copy the text string starting in 3w to a word or
note program.
agents[0].entityid=3w+05uiYBABCCLKvzx0stdQ\==
2 To find the userid, go to the Console of the source Manager.
a From to the Navigator panel, choose the Resource tab.
b Under Resources, choose Users to find your Forwarding Connector user.
c Locate the Resource ID and copy the text string from the second column, as
shown below.
Within $AGENT_HOME/config/server.properties on the source Manager, add

the entityid and userid to the eventstream.cfc property, as shown below.
eventstream.cfc=EntityID.UserID
3 Restart the source Manager and, if still running, the Forwarding Connector.
Increasing the FileStore size (Enhanced version only)

Installation of the ArcSight Forwarding Connector (Enhanced) option provides fault-
tolerance, enabling events to be saved in the event of a failure.
The capacity of events that can be stored during a system failure is dependent on the
amount of disk space the FileStore can use on the source Manager. Although the default
size of 1024 MB (1 GB) is suitable for most installations, you can increase the size of your
FileStore.
To increase the size of the FileStore:

1 Open the properties file server.defaults.properties, located under
$ARCSIGHT_HOME\config.
The file displays the current default:

filestore.disksize.max.megabytes.int=1024

2 Use this formula to determine appropriate rates for minutes of storage on your
system:
MinutesOfStorage = (((#MB / 1024) * 21,474,833) / EPS) / 60
 Given the most typical event sizes, a FileStore of 1 GB can store approximately
21,474,833 events, and at a rate of 5000 events per second, the default size
provides approximately 71 minutes of storage.
 When the FileStore fills up, the oldest events are purged to make room for recent
ones.
Installing the Forwarding Connector

Before installing the ArcSight Forwarding Connector, you need to assign privileges on your
Manager. For instructions on how to do this, see “Assigning Privileges on the Source
Manager” on page 8.
For information regarding operating systems and platforms supported, refer

to SmartConnector Product and Platform Support, available from ArcSight
Technical Support with each SmartConnector release.
To install an ArcSight Forwarding Connector:

1 Download the ArcSight executable for your operating system from the ArcSight
Customer Support Site according to the instructions provided in the connector release
notes.
2 Start the installer by running the executable for your operating system, then follow the
folder selection tasks and installation of the core SmartConnector software:
 Introduction
 Choose Install Folder
 Choose Install Set
 Choose Shortcut Folder
 Pre-Installation Summary
 Installing...
When installation of the connector core component is complete, the following dialog is
displayed:

3 Choose your ArcSight Forwarding Connector destination.
 To forward events to an ArcSight Manager, proceed with “Forwarding Events to

an ArcSight Manager” on page 15.
 To forward events to an ArcSight Logger, proceed with “Forwarding Events to
ArcSight Logger” on page 19.
 To forward events to an NSP appliance, proceed with “Forwarding Events to NSP
Device Poll Listener” on page 20.
 To forward events to a CEF Syslog, proceed with “Forwarding CEF Syslog Events”
on page 21.
 To forward events to a .csv file, proceed with “Forwarding Events to a CSV File”
on page 22.
 To forward events to McAfee ePolicy Orchestrator (ePO), proceed with
“Forwarding Events to McAfee ePolicy Orchestrator” on page 23.
Use of ePO requires installation of MS SQL Server 2005 for JDBC

driver. For instructions on downloading, see “Installing the Microsoft SQL
Server 2005 Driver for JDBC” on page 24.
 For detailed configuration instructions on forwarding events to HP Operations

Manager (HP OM), see Chapter 3‚ Configuration for HP Operations Manager‚ on
page 29.
Uninstalling a Connector
Before uninstalling a connector that is running as a service or daemon, first stop the
service or daemon. To uninstall on Windows, open the Start menu. Run the Uninstall
SmartConnectors program located under All Programs, ArcSight SmartConnectors.
If Connectors are not installed on the Start menu, locate the
$ARCSIGHT_HOME\UninstallerData folder and run:
Uninstall ArcSightAgents.exe
To uninstall on UNIX hosts, open a command window on the

$ARCSIGHT_HOME/UninstallerData directory and run the command:
./Uninstall_ArcSightAgents
The UninstallerData directory contains a file .com.zerog.registry.xml with

Read, Write, and Execute permissions for everyone. On Windows platforms,
these permissions are required for the uninstaller to work. However, on UNIX
platforms, you can change the permissions to Read and Write for everyone
(that is, 666).
The Uninstaller does not remove all the files and directories under the
ArcSight SmartConnector home folder. After completing the uninstall
procedure, manually delete these folders.
Upgrading a Connector
To locally upgrade the Forwarding Connector:
1 Stop the running connector.
2 Run the new installer for the ArcSight Forwarding Connector, which prompts you for an
installation location.

3 Select the location of the Forwarding Connector you want to upgrade; you will receive
the message “Previous Version Found - Upgrade Possible” Select the option to
continue and upgrade the connector.
The original installation is renamed by prefacing characters to the original folder

name; the upgraded connector is installed in the location
$ARCSIGHT_HOME\current
During upgrade, the "Default User Groups" user group is updated and adds the
/All Filters/ArcSight System/Core/No Events filter to the events ACL. If
the Forwarding Connector user is in that group, the connector cannot send
events to the destination Manager. To prevent this problem, edit the access
control for the Forwarding Connector's parent user group and select a filter
that gives permission to the subset of events for which the user has access.
Alternatively, if the user has access to all the events, delete the /All
Filters/ArcSight System/Core/No Events filter.
The ArcSight Forwarding Connectors must be of the same version as the

source ESM.
Rolling Back a Connector

To roll back a connector:
1 Stop the upgraded connector, which is under current.
2 Rename the current folder to a name based upon the build version of the upgraded
connector.
3 Rename the old connector build folder to current.
4 Start the connector.
Rolling back the connector to build 5116 or earlier disallows use of the
McAfee ePolicy Orchestrator destination.

Chapter 2
Configuration for Forwarding Events
This chapter provides step-by-step instructions for configuring various Forwarding

Connector destinations. The following destinations are described.
“Forwarding Events to an ArcSight Manager” on page 15

“Forwarding Events to ArcSight Logger” on page 19
“Forwarding Events to NSP Device Poll Listener” on page 20
“Forwarding CEF Syslog Events” on page 21
“Forwarding Events to a CSV File” on page 22
“Forwarding Events to McAfee ePolicy Orchestrator” on page 23
“Configuring Multiple Destinations” on page 26
Forwarding Events to an ArcSight Manager

To continue connector configuration for forwarding events to an Manager, follow the
procedure below.
To continue connector configuration:

1 Select ArcSight Manager (encrypted), and click Next.
2 The Wizard first prompts you for Manager certificate information.
 The default is No, the ArcSight Manager is not using a demo certificate.

2 Configuration for Forwarding Events
 Choose Yes if ArcSight Manager is using a demo certificate.

Before selecting this option, make sure the Manager is, in fact, using a demo SSL
certificate. If you are unsure, select No or consult your system administrator.
If your ArcSight Manager is using a self-signed or CA-signed SSL certificate, select No,
the ArcSight Manager is not using a demo certificate and click Next.
After completing the SmartConnector installation wizard, remember to

configure the connector for the type of SSL certificate your Manager is
using manually. Refer to the Administrator's Guide for your ESM version
for instructions about configuring your SmartConnector when the
Manager is using a self-signed or CA-signed certificate, and for
instructions about enabling SSL client authentication on SmartConnectors
so that the connectors and the Manager authenticate each other before
sending data.
3 You are prompted for Manager Host Name and Manager Port. This is your
destination Manager. Enter the information and click Next.
4 Enter a valid ArcSight User Name and Password and click Next.

This is the user name and password for the user account you created on the
destination Manager.
5 You are given a choice of Forwarding Connector versions to install. If you are currently
using ESM v4.0 SP3 or later, ArcSight recommends choosing the ArcSight
Forwarding Connector (Enhanced) option. When choosing which version to use,
note the following:
 The ArcSight Forwarding Connector option supports the previous software

version and does not include the increased event rate and recoverability features
of ArcSight Forwarding Connector (Enhanced). ArcSight recommends using
the older option only when communicating with a pre-v4.0 SP3 ESM installation.
 Neither Forwarding Connector release is FIPS compliant. If you require FIPS
compliance, retain your current Forwarding Connector version.
 The capacity of events that can be stored during a system failure is dependent on
the FileStore size of your source Manager. Choosing the ArcSight Forwarding
Connector (Enhanced) version requires configuration adjustments on your
source Manager.
For instructions on how to determine and change your source disk settings, see
“Increasing the FileStore size (Enhanced version only)” on page 11. Click Next.

6 Enter the information to configure the Forwarding Connector, then click Next to
continue. This is information about your source Manager, as described in the table
below.
Parameter Description
ArcSight Source Hostname where the ArcSight Source Manager is

Manager Hostname installed.
ArcSight Source Network Port where the ArcSight Source Manager is

Manager Port accepting requests.
ArcSight Source The ArcSight user name created with permissions for
Manager User Name the Forwarding Connector on the ArcSight Source
Manager.
ArcSight Source ArcSight's password that will be used to log this

Manager Password Connector into the ArcSight Source Manager.
7 Enter a name for the connector and provide other information identifying the
connector's use in your environment. Click Next.
8 Read the connector summary; if it is correct, click Next. If the summary is not correct,
click Previous to make changes before continuing.
9 When the connector completes its configuration, click Next. The wizard now prompts
you to choose whether you want to run the connector as a process or as a service. If
you choose to run the connector as a service, the wizard prompts you to define service
parameters for the connector.
10 After making your selections, click Next. The wizard displays a dialog confirming the
connector's setup and service configuration.
11 Click Finish.
12 Click Done.

Forwarding Events to ArcSight Logger

When configuring the Forwarding Connector to send events to a non-ESM
destination, you might encounter problems with certificate validation during
connector setup. See “Sending Events to a Non-ESM Location” on page 7 for
information on certificate validation.
Before you continue connector configuration for forwarding events to an ArcSight Logger,
ensure that a SmartMessage Receiver has been set up on ArcSight Logger for the
Forwarding Connector (Refer to the ArcSight Logger Administrator's Guide for details).
To continue connector configuration:

1 Select ArcSight Logger SmartMessage (encrypted) from the following dialog:
2 Enter the Logger Host Name/IP address, leave the port number at the default value
of 443, and enter the Receiver Name. This Receiver Name is the name of the
SmartMessage Receiver you set up on ArcSight Logger for the Forwarding Connector.
Click Next to continue.
3 Click Next and continue following the steps to complete your configuration. Refer to
the Parameters on page 18 for parameter descriptions. When a message confirms
that configuration was successful, click Finish to exit the wizard.

Forwarding Events to NSP Device Poll Listener

To continue connector configuration for forwarding events to NSP:

1 Select NSP Device Poll Listener from the selections and click Next.
2 Provide the NCM/TRM Host name or IP address, and login credentials for the
NCM/TRM that will interact with the Syslog Connector
3 Click Next and continue following the steps to complete your configuration until a
message confirms that it was successful. Click Finish to exit the wizard.
For more information about NSP, refer to the ArcSight™ NSP Installation and Administration
Guide.

Forwarding CEF Syslog Events

You can also configure the ArcSight Forwarding Connector to send CEF Syslog events to
any Syslog receiver (including ArcSight Logger.)

To configure the connector to send CEF Syslog events:

1 Select CEF Syslog from the following window:
2 Enter the Logger hostname or IP address, the desired port, and choose UDP or
TCP output. Click Next to continue.
3 Click Next and continue following the Configuration Wizard to complete your
configuration until a message confirms that it was successful. Click Finish to exit the
wizard.

Forwarding Events to a CSV File

This option allows you to capture events a SmartConnector would normally send to the
ArcSight Manager and send them to a .csv file. The Excel-compatible comma-separated
values (CSV) format allows for comments prefixed by #.

To forward events to a .csv file:

1 Select CSV File and click Next.
2 For these options, enter values as described in the table below.
CSV Path The path to the output folder. If one does not exist, a
folder is created.

Fields A comma-delimited string of field names to be sent to

the .csv file. Field names are in the form
event.<FieldName>.
File rotation interval The desired file rotation interval, in seconds. The
default is 3,600 (one hour).
Write format header Select true to send a header row with labels for each
column, as described above.
3 Click Next and continue following the steps to complete your configuration until a
message confirms that it was successful. Click Finish to exit the wizard.
For more information about capturing events and .csv files, refer to the section titled
“Capturing Events from SmartConnectors (ESM v4.0)” in the SmartConnector User’s Guide.
Forwarding Events to McAfee ePolicy Orchestrator

This option allows you to forward events to McAfee ePolicy Orchestrator (ePO), a scalable
tool for centralized anti-virus and security policy management and enforcement. ePO
leverages ESM event filtering/correlation and auditing capabilities to create a single view
into security events within ePO.
McAfee ePO v4.0 and v4.5 are supported currently.
Use of ePO requires installation of MS SQL Server 2005 for JDBC driver. For
instructions on downloading, see “Installing the Microsoft SQL Server 2005
Driver for JDBC” on page 24.
To forward events to McAfee ePO:

1 On the destination selection window displayed, select McAfee ePolicy Orchestrator
and click Next.
When using this transport, the Forwarding Connector is automatically

configured to limit the outgoing event rate to 10 events per minute. This
is due to a limitation on McAfee ePO’s database as specified by McAfee.

2 Enter values for the ePO database connectivity on the window displayed:
• To log on to the database at this point, only Microsoft SQL Server

authentication is supported (Windows authentication is not).
• Customers are encouraged to create a user dedicated to ArcSight
with permissions to execute the stored procedure.
3 Click Next to complete your configuration and verify that it is successful. Click Finish
to exit the wizard.
Rolling back the connector to build 5116 or earlier disallows use of the
McAfee ePolicy Orchestrator destination.
Installing the Microsoft SQL Server 2005 Driver for JDBC

To download and install a JDBC driver:
1 Download the MS SQL Server 2005 JDBC Driver 1.2 from Microsoft at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=
C47053EB-3B64-4794-950D-81E1EC91C1BA&displaylang=en
2 Install the driver.
3 Copy the sqljdbc.jar jar file from the folder C:\Program Files\Microsoft
SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu to
$ARCSIGHT_HOME/current/user/agent/lib, where $ARCSIGHT_HOME refers
to the connector install folder, such as c:\ArcSight\SmartConnectors.
4 From $ARCSIGHT_HOME/current/bin, double-click runagentsetup to return to

the SmartConnector Configuration Wizard.

ArcSight Event to McAfee CEF Mappings

The Forwarding Connector translates ArcSight events into McAfee’s Common Event Format.
The McAfee CEF field column shown below does not represent fields seen
within the Console GUI of McAfee ePolicy Orchestrator. This column represents
fields within the database.
The following table describes how the fields are mapped:
McAfee CEF Field ArcSight Field
AgentGUID agented (converted to match the AgentGUID format;

guaranteed to be unique ONLY within ArcSight)
Analyzer Fixed value: S_ARST__1000
AnalyzerDATVersion deviceCustomString6
AnalyzerHostName deviceHostName
AnalyzerIPV4 deviceAddress
AnalyzerMAC deviceMacAddress
AnalyzerName deviceProduct
AnalyzerVersion deviceVersion
DetectedUTC deviceReceiptTime
SourceHostName sourceHostName
SourceIPV4 sourceAddress
SourceMAC sourceMacAddress
SourceProcessName sourceProcessName
SourceURL requestUrl
SourceUserName sourceUserName
TargetFileName fileName
TargetHostName destinationHostName
TargetIPV4 destinationAddress
TargetMAC destinationMacAddress
TargetPort destinationPort
TargetProcessName destinationProcessName
TargetProtocol applicationProtocol
TargetUserName destinationUserName
ThreatActionTaken deviceAction
ThreatCategory deviceEventCategory

McAfee CEF Field ArcSight Field
ThreatEventID agentSeverity
200300 – Unknown
200301 – Low
200302 – Medium
200303 – High
200304 – Very High
ThreatName name
ThreatType deviceEventClassId
For more details regarding McAfee ePolicy Orchestrator, refer to the SmartConnector™
Configuration Guide for McAfee ePolicy Orchestrator DB.
Configuring Multiple Destinations

It is also possible to configure multiple destinations, after installation of the Forwarding
Connector, using the ArcSight SmartConnector Configuration Wizard.
To start the wizard, execute the following command:
$ARCSIGHT_HOME\current\bin\runagentsetup
You can either modify the existing destination or add a new destination. For this example,
adding a second Manager.
1 Select I want to add/remove/modify ArcSight Manager destinations and click

Next.

2 Select the destination type. Click ArcSight Manager (encrypted), then Next.
3 Click Add new destination to add a new SmartConnector destination and click
Next.

4 Fill in the parameters for the destination you want to add and click Next to finish.
5 To apply your changes, restart the SmartConnector.

Chapter 3
Configuration for
HP Operations Manager
HP Operations Manager (HP OM) provides comprehensive event management,

proactive performance monitoring, and automated alerting, reporting, and graphing for
operating systems, middleware, and applications. It is designed to provide service-driven
event and performance management of business-critical enterprise systems, applications,
and services. The following topics are described.
“The ArcSight Source Manager” on page 29

“Supported Versions of HP OM” on page 30
“Installing the Connector” on page 30
“Creating an SNMP Interceptor (Policy)” on page 34
“Uploading Interceptor Template” on page 35
“Deploying the Policy” on page 35
“Adjusting the Event Processing Rate” on page 36
ArcSight ESM sends correlated security events to IT operation teams to investigate and
take remediation measures to reduce or eliminate security risks. The ArcSight Forwarding
Connector logs into the source Manager, then sends system events and network health
information to HP OM from non-SNMP event sources. The ArcSight Forwarding Connector
can be used to collect from event sources that support syslog, file, database, API, and
other collection methods through ESM.
The ArcSight Source Manager

Before installing the Forwarding Connector, create a Forwarding Connector account on the
Manager. For detailed instructions on how to do this, see Chapter 1‚ Assigning Privileges on
the Source Manager‚ on page 8.

3 Configuration for HP Operations Manager
Supported Versions of HP OM
The supported versions of HP OM include
 OM for Windows v9.0 and 8.16 (patch level 90)

 OM for Unix v9.10
 OM for Linux v9.10
THe HP OM destination is not supported for FIPS.
HP OM and Correlation Events

When all rule conditions and thresholds are met, ESM generates an internal event called a
correlation event. A correlation event represents the events that contributed to the rule
being triggered and the relevant data contained in them.
Although most ESM users can use the default settings available for pulling events, HP OM
users commonly require only correlated events to be pulled from ESM. In such cases, 
HP OM users can specify the selection of correlated events. To allow for only correlated
events and restrict the pulling of base events, configure ESM to pull correlated events,
then allow the forwarding of correlated events, in that order. For detailed instructions
to perform these steps, see Chapter 1‚ Forwarding Correlation Events‚ on page 9.
HP OM uses a SNPM trap policy to allow ArcSight events to be accepted within the HP OM
environment. For instructions on how to create an SNMP interceptor, see “Creating an
SNMP Interceptor (Policy)” on page 34.
Installing the Connector

Before you install the connector, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM
or ArcSight Logger) and that you have assigned the appropriate privileges.
1 Download the ArcSight executable for your operating system from the ArcSight
Customer Support Site.
2 Start the ArcSight Installer by running the executable.
Follow the installation wizard through the following folder selection tasks and
installation of the core connector software:
Introduction 
Choose Install Folder 
Choose Install Set 
Choose Shortcut Folder 
Pre-Installation Summary 
Installing...
3 The destination selection window is displayed. If you are using the Manager Demo
License, continue with steps A through C below. Otherwise, click Next and continue
with step 4.

When configuring the connector to send events to a non-ESM destination, you could
encounter a problem with certificate validation during connector setup when using the
Manager Demo certificate. To make sure the demo CA is added to the client trust store to
validate the Manager's demo certificate, follow these steps:
a Click Cancel to exit the configuration wizard.
b From the $ARCSIGHT_HOME\current\bin directory, run the following

command:
arcsight connector tempca –ac –n <1.1.1.1>
where <1.1.1.1> is the IP address of the Manager.
c Enter the following command from the same location to return to the wizard:
arcsight connectorsetup
The following destination window is displayed, choose HP Operations Manager, then

click Next to continue.

4 Fill in the parameter information required for connector configuration, then click Next.
Host Enter the Host name or IP address of the HP OM

device.
Port Enter the port to be used by the adaptor to forward

events.
Version Accept the default value of SNMP_VERSION_2.

SNMP_VERSION_3 is not available at this time.
Read Community(v2) Enter the SNMP Read Community name.
Write Community(v2 Enter the SNMP Write Community name.
Authentication For use with SNMP v3; not available at this time.
Username(v3)
Authentication Password(v3)
Security Level(v3)
Authentication Scheme(v3)
Privacy Password(v3)
Context Engine Id(v3)
Context name(v3)

5 Choose ArcSight Forwarding Connector (Enhanced), then click Next.
6 Enter the Source Manager information, then click Next.
ArcSight Source Enter the name of the host on which the Source
Manager Host Name Manager is installed.
ArcSight Source Enter the network port from which the Source
Manager Port manager is accepting requests. The default port is
8443.
ArcSight Source Enter the ArcSight user name created with

Manager User Name permissions for the adaptor on the ArcSight Source
Manager.
ArcSight Source Enter the ArcSight password that will be used to log
Manager Password this adaptor into the ArcSight Source Manager.

8 Read the installation summary and click Next. If the summary is incorrect, click
Previous to make changes.
9 When the connector completes its configuration, click Next. The Wizard now prompts
you to choose whether you want to run the connector as a process or as a service.
If you choose to run the connector as a service, the Wizard prompts you to define
service parameters for the connector.
10 After making your selections, click Next. The Wizard displays a dialog confirming the
11 Click Finish.
For some connectors, a system restart is required before the configuration settings you
made take effect. If a System Restart window is displayed, read the information and
initiate the system restart operation.
12 Click Done.
Creating an SNMP Interceptor (Policy)

An SNMP Interceptor is a type of HP OM policy (HP OM SNMP Policy Type) with Rules and
Actions. These policies can be configured on either HP OM UI, Operations Manager for
Windows (OMW) or Operations Manager for Linux (OML). They are uploaded from the
policy files using the HP OM ovpmutil tool. The Forwarding Connector sends security events
as SNMP traps to an HP OM SNMP Interceptor that you will create.
The Interceptor should be configured to monitor SNMP events and respond when a given
pattern is found in an SNMP message. ArcSight provides a template interceptor (policy) for
use in creating your own customized SNMP Inteceptor. This template policy should be
customized and enhanced to satisfy different needs and requirements with HP OM's
powerful policy edit features.

Uploading Interceptor Template

After you have completed connector installation, navigate to
$ARCSIGHT_HOME\current\user\agent\hpompolicy. This folder provides policy
files as a basic SNMP interceptor template.
The following files are provided in the ArcSight Events folder:
157F1ADF-B7A5-4328-8175-5D370D6EC4A9_data
157F1ADF-B7A5-4328-8175-5D370D6EC4A9_header.xml
PolicyConfig_EE72B589-0893-4EC1-899B-502DE1289DBF.xml
Using Operations Manager for Windows

Copy the hpompolicy folder from $ARCSIGHT_HOME\current\user\agent to the
destination HP OM (OMW, the Windows version of HP OM) machine's C:\temp directory.
Then use the following command to upload the policy:
C:\Program Files\HP\HP BTO Software\bin\win64>ovpmutil CFG POL UPL

"C:\temp\hpompolicy"
You should receive the following messages:
Root policy group "for ArcSight Integration" uploading:

Policies upload completed successfully.
For descriptions of specific HP OM commands, refer to the HP Operations

Manager online help and documentation.
Using Operations Manager for Linux

Copy the hpompolicy folder from $ARCSIGHT_HOME\current\user\agent to the
destination HP OM machine's /tmp directory. Then use the following command to upload
the policy:
/opt/OV/bin/OpC/utils/opcpolicy -upload
dir=/tmp/hpompolicy/"ArcSight Events"
You should receive the following message:
Operation successfully completed.
For descriptions of specific HP OM commands, refer to the HP Operations

Manager online help and documentation.
Deploying the Policy

Once you have created your customized Interceptor, deploy or assign the policy through
the HP Operations Manager UI (for Windows) or HP Operations Manager Administration UI
(for Linux). For details, refer to the HP Operations Manager online help and documentation.

Adjusting the Event Processing Rate

The default event processing rate for forwarding events from ESM to HP OM is 50 eps. If
this rate proves excessive for your system, HP OM may queue some incoming events and
affect the rate at which these events are processed.
If this occurs, you can adjust the rate at which events are forwarded to HP OM. To do so,
you will need to change the event processing rate within your XML properties file.
To adjust the event processing rate,
1 Stop the currently running SmartConnector from operating.
2 From a Windows command line, access your XML properties file using the command
cd %ARCSIGHT_HOME%/current/user/agent
3 Use WordPad or any XML Editor to open the .xml file for your HP OM destination,
similar to the example below:
0Ajv5S8BABCAAeabNXP5Rw==.xml
4 From within the .xml file, search for the following:
ProcessingSettings.ThrottleRate="50"
This value controls the current processing event rate, and has a default value of 
50 eps.
5 Change this value to the desired rate of events per second. For example, to lower the
rate of events to 10 eps, change the value after the string to 10:
ProcessingSettings.ThrottleRate="10"
If there are multiple destinations, repeat the steps above to change the
rate for each destination, as required.
6 Save the .xml file and exit the XML editor.
7 Restart the SmartConnector.

Appendix A
Using the
Forwarding Connector in FIPS mode
The following provides explanation and instructions for enabling FIPS compliance in the use
of the Forwarding Connector.
“What is FIPS?” on page 37

“ArcSight ESM Installation” on page 37
“FIPS-Enabled Forwarding Connector Installation” on page 38
“Enable FIPS Suite B Support” on page 43
“Using Logger in FIPS Mode” on page 43
What is FIPS?
Under the Information Technology Management Reform Act (Public Law 104-106), the
Secretary of Commerce approves standards and guidelines that are developed by the
National Institute of Standards and Technology (NIST) for Federal computer systems.
These standards and guidelines are issued by NIST as Federal Information Processing
Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling
Federal government requirements such as for security and interoperability and there are no
acceptable industry standards or solutions.
FIPS compatibility applies only to standard ESM and Logger destinations.
ArcSight ESM Installation

Before you install an ArcSight Forwarding Connector, make sure that ArcSight ESM has
already been installed correctly for FIPS compliance. See “Standard Installation
Procedures” on page 7 for instructions. Also, ArcSight recommends reading the ArcSight
ESM Installation and Configuration Guide before attempting to install a new Forwarding
Connector.
For information regarding operating systems and platforms supported, see SmartConnector
Product and Platform Support, available from ArcSight Technical Support with each
SmartConnector release.

A Using the Forwarding Connector in FIPS mode
FIPS-Enabled Forwarding Connector Installation

After completion of ArcSight ESM installation (which includes assigning privileges on the
source manager, allowing the forwarding of correlation events, and so on), follow the
instructions under “Installing the Forwarding Connector” on page 12 up to and including
step 2.
When the installation is complete after step 2, the following dialog is displayed:
1 Click Cancel to exit connector setup in order to perform configuration of the NSS DB,
a necessary step for installing the connector in FIPS-compliant mode. (You will return
to the wizard after performing these configuration steps.)
2 Create a properties file using the following location:
$ARCSIGHT_HOME/user/agent/agent.properties
3 Add the following line within the file: fips.enabled=true
4 Copy your key files for source and destination Managers (in this example,
srcmgrkey.cert and destmgrkey.cert) into the
$ARCSIGHT_HOME\current\bin directory.
5 Turn off FIPS enablement on the new installation using the following command:
arcsight runmodutil –fips false –dbdir user/agent/nssdb.client
6 Import the certificates for the source and destination Managers. To do this, see the
detailed instructions below:
Where srcmgrkey and destmgrkey are alias names and srcmgrkey.cert and
destmgrkey.cert are the names with which the certificates from the Managers
were saved, import the certificates for the source and destination Managers, using the
following commands:
This command imports the source Manager’s certificate: arcsight runcertutil –

A –n srcmgrkey –t "CT,C,C" –d user/agent/nssdb.client –i
bin/srcmgrkey.cert
This command will display, in plain text (as shown below), the contents of the source
Manager’s certificate and can be used to determine the name put into the connector

configuration for the source Manager: arcsight runcertutil –L –n

srcmgrkey –t "CT,C,C" –d user/agent/nssdb.client
To confirm the Manager’s certificate name, look under Subject: “CN=*”,

as shown in the example below.
This command imports the destination Manager’s certificate: arcsight

runcertutil –A –n destmgrkey –t "CT,C,C" –d
user/agent/nssdb.client –i bin/destmgrkey.cert
This command will display, in plain text, the contents of the destination Manager’s
certificate and can be used to determine the name put into the connector
configuration for the destination manager: arcsight runcertutil –L –n
destmgrkey –t "CT,C,C" –d user/agent/nssdb.client
Your host name needs to match the Manager’s certificate name

(circled above as an example) and be DNS resolvable. If these fields do
not match, the connection will be unsuccessful.
7 Re-enable FIPS using the following command: arcsight runmodutil –fips

true –dbdir user/agent/nssdb.client
8 Return to connector setup by entering the following command from the

$ARCSIGHT_HOME\current\bin directory:
arcsight connectorsetup
9 When prompted to start in Wizard Mode, click Yes.

10 The Destination selection window is again displayed. Make sure ArcSight Manager
(encrypted) is selected and click Next.
11 You are prompted for Manager Host Name and Manager Port.
The host name and manager’s certificate name must match and be
DNS resolvable. If these fields do not match, the connection will be
unsuccessful.
This is your destination Manager. Enter the information and click Next.

12 Enter a valid ArcSight User Name and Password, and click Next. This should be the
user name and password for the user account you created on the destination Manager.
13 You are given a choice of Forwarding Connector versions to install. If you are currently
using ESM v4.0 SP3 or later, ArcSight recommends choosing the ArcSight
Forwarding Connector (Enhanced) option.
When choosing which version to use, note the following:
 The ArcSight Forwarding Connector option supports the previous software

version and does not include the increased event rate and recoverability features
of ArcSight Forwarding Connector (Enhanced). ArcSight recommends using
the older option only when communicating with a pre-v4.0 SP3 ESM installation.
 The capacity of events that can be stored during a system failure is dependent on
the FileStore size of your source Manager. Choosing the ArcSight Forwarding
Connector (Enhanced) version requires configuration adjustments on your
source Manager.
For instructions on how to determine and change your source disk settings, see
“Increasing the FileStore size (Enhanced version only)” on page 11. Click Next.

14 Enter the information to configure the Forwarding Connector.
The host name and manager certificate name must match and be
DNS resolvable. If these fields do not match, the connection will be
unsuccessful.
This is information about your source Manager, as described in the table below.
Click Next to continue.
ArcSight Source Hostname where the ArcSight Source Manager is

Manager Hostname installed.
ArcSight Source Network Port where the ArcSight Source Manager is

Manager Port accepting requests.
ArcSight Source The ArcSight user name created with permissions for
Manager User Name the Forwarding Connector on the ArcSight Source
Manager.
ArcSight Source ArcSight's password that will be used to log this

Manager Password Connector into the ArcSight Source Manager.
Fips Cipher Suites fipsDefault: Standard Fips
SuiteB 128: Fips Suite B with 128Bit encryption
SuiteB 192: Fips Suite B with 192Bit encryption
16 Read the connector summary; if it is correct, click Next. If the summary is not correct,
click Previous to make changes before continuing.
17 When the connector completes its configuration, click Next. The wizard now prompts
you to choose whether you want to run the connector as a process or as a service. If
you choose to run the connector as a service, the wizard prompts you to define service
parameters for the connector.

18 After making your selections, click Next. The wizard displays a dialog confirming the
19 Click Finish.
Enable FIPS Suite B Support

If you have installed a SmartConnector in FIPS-compliant mode, you can enable FIPS 
Suite B support by modifying the ESM destination parameters.
The Manager must also be installed in FIPS Suite B mode.
To enable FIPS Suite B support:

1 From $ARCSIGHT_HOME\current\user\agent, open agent.properties to
edit.
2 Locate the following property for ESM destination parameters (approximately, line 10
in the file):
agents[0].destination[0].params=<?xml version\="1.0"
encoding\="UTF-8"?>\n<ParameterValues>\n <Parameter
Name\="port" Value\="8443"/>\n <Parameter
Name\="filterevents" Value\="false"/>\n <Parameter
Name\="host" Value\="samplehost.sv.arcsight.com"/>\n
<Parameter Name\="aupmaster" Value\="false"/>\n <Parameter
Name\="fipsciphers"
Value\="fipsDefault"/>\n</ParameterValues>\n
3 The destination parameters are specified here as an XML string where each element is
one parameter. Based upon the Suite B mode of the Manager, change fipsDefault
to suiteb128 (for 128-bit security) or suiteb192 (for 192-bit security).
4 Save and exit agent.properties.
Using Logger in FIPS Mode

Arcsight Logger supports the Federal Information Processing Standard 140-2 (FIPS 140-2).
If you want to use Logger in the FIPS mode, refer to the ArcSight Logger Administrator's
Guide and see “Installing or Updating a SmartConnector to be FIPS-compliant” in 
Chapter 7, “System Admin” for complete instructions.


Smartconnector™ Configuration Guide: Arcsight™ Forwarding Connector V5.1.2.5857 For Arcsight Esm™

Uploaded by

Copyright:

Available Formats

Smartconnector™ Configuration Guide: Arcsight™ Forwarding Connector V5.1.2.5857 For Arcsight Esm™

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Smartconnector™ Configuration Guide: Arcsight™ Forwarding Connector V5.1.2.5857 For Arcsight Esm™

Uploaded by

Copyright:

Available Formats

SmartConnector™

Copyright © 2001-2011 ArcSight, LLC. All rights reserved.

Date Product Version Description

08/02/2011 5.1.2.5857 Added support for HP OMi.

Document template version: 1.0.5

ArcSight Customer Support

Phone 1-866-535-3285 (North America)

Support Web Site http://www.arcsight.com/supportportal/

Protect 724 Community https://protect724.arcsight.com

Product Overview ............................................................................................................ 5

ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight™ Forwarding Connector 3

4 SmartConnector™ Configuration Guide for ArcSight™ Forwarding Connector ArcSight Confidential

“Product Overview” on page 5

THe HP OM destination is not FIPS compatible.

ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight Forwarding Connector 5

The ArcSight Source Manager

 An ArcSight destination Manager

Sending Events to an ArcSight Destination Manager

Sending Events to ArcSight Logger

SmartMessage is an ArcSight technology that provides a secure channel between

For information on configuring a Forwarding Connector to forward events to Logger, see

6 SmartConnector™ Configuration Guide for ArcSight Forwarding Connector ArcSight Confidential

Sending Events to a Non-ESM Location

To make sure the demo CA is added to the client trust store:

arcsight connector tempca -ac

3 Return to the wizard and complete the installation.

For detailed configuration instructions on forwarding events to NSP, see Chapter 2‚

For detailed configuration instructions on forwarding events to McAfee ePolicy Orchestrator

For detailed configuration instructions on forwarding events to HP Operations Manager (HP

Standard Installation Procedures

ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight Forwarding Connector 7

Installing ArcSight ESM

To ensure a successful ArcSight ESM installation:

 Local access to the machine where the SmartConnector is to be installed

Assigning Privileges on the Source Manager

To assign privileges in the Manager:

3 Create a user group under the Custom User Group.

8 SmartConnector™ Configuration Guide for ArcSight Forwarding Connector ArcSight Confidential

6 From the resulting menu, choose Edit Access Control.

Forwarding Correlation Events

ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight Forwarding Connector 9

HP OM users commonly require only correlated events to be pulled from ESM.

Configuring to Pull Correlated Events

 Filter 1, provided with the latest version of ArcSight ESM:

 Create Filter 2 containing the following conditions:

Configuring to Allow Forwarding of Correlated Events

10 SmartConnector™ Configuration Guide for ArcSight Forwarding Connector ArcSight Confidential

1 To find the entityID, go to $AGENT_HOME/user/agent/agent.properties and

2 To find the userid, go to the Console of the source Manager.

a From to the Navigator panel, choose the Resource tab.

b Under Resources, choose Users to find your Forwarding Connector user.

Within $AGENT_HOME/config/server.properties on the source Manager, add

Increasing the FileStore size (Enhanced version only)

To increase the size of the FileStore:

The file displays the current default:

ArcSight Confidential SmartConnector™ Configuration Guide for ArcSight Forwarding Connector 11

MinutesOfStorage = (((#MB / 1024) * 21,474,833) / EPS) / 60

Installing the Forwarding Connector

For information regarding operating systems and platforms supported, refer