Arcsight Administrator-Part1

This document provides instructions for performing various operations on connectors in ArcSight, including:
- Viewing all connectors being managed
- Adding a new connector
- Editing the parameters of an existing connector, including both simple parameters and table parameters
- Managing connector destinations
- Removing an existing connector
- Sending commands to a connector
- Running log analysis utilities on a connector
It describes the important information to review before adding a connector, such as ensuring that required elements like containers and hosts already exist. It also provides connector-specific notes and links to additional resources for configuration.

Uploaded by Zoumana Diomande

Administrator’s Guide : Managing Connectors : Connectors

Connectors
Viewing all Connectors

Adding a Connector

Editing Connector Parameters

Managing Destinations

Removing a Connector

Sending a Command to a Connector

Running Logfu on a Connector

Changing the Network Interface Address for Events

Developing FlexConnectors

Editing FlexConnectors

Sharing Connectors (ArcExchange)

A connector (also known as a SmartConnector) is an ArcSight software component that collects events and logs from various sources on your network. A connector can be configured on a Logger appliance running Connector Manager, on a Connector Appliance, or can be installed on a computer on your network and managed remotely. For a complete list of supported connectors, go to the HP Customer Support site (SSO).

You can perform many operations on connectors. You can view all the connectors you are managing
and add, remove, and edit a connector. You can update connector and table parameters, add and
remove connector destinations, and edit destination parameters and runtime parameters. You can
send a command to a connector or a destination, and run the Logfu utility. All these procedures are
described below.

Whenever applicable, the above listed operations can be performed on more than one connector at a time. Each procedure described in this section indicates if multiple connectors can be selected when performing a procedure.

Viewing all Connectors

You can see all the connectors you are managing.

To view all connectors:

1. Click Configuration > Manage Connectors.

2. Click System in the left panel. The connectors display on the Connectors tab in the right panel.

Adding a Connector
Before you add a connector, review the following important information.

Make sure that the container, host, and location to which you want to add the connector exist on the
system. If any of these elements do not exist, first create them using procedures described in Adding
a Location, Adding a Host, and Adding a Container.

Follow the configuration best practices described in Configuration Suggestions for Connector Types.

If you are configuring the Check Point OPSEC NG Connector, see Configuring the Check Point
OPSEC NG Connector and refer to the SmartConnector Configuration Guide for Check Point OPSEC
NG.

If you are configuring a database connector that requires the MS SQL Server Driver for JDBC, follow
instructions in Adding the MS SQL Server JDBC Driver.

This connector type has special requirements concerning JDBC and authentication setup. It is important that you refer to the SmartConnector Configuration Guide for Microsoft SQL Server Multiple Instance Audit DB for this information before installing the connector.

If you are adding a software-based connector, make sure that the username and password for the
connector match the username and password for the container to which you are adding the
connector. Refer to Changing Container Credentials.

File-based connectors use the Network File System (NFS) or the Common Internet File System
(CIFS).

For the file-based connectors on a Windows system, a CIFS share needs to be configured before you
add those connectors. For information on creating a CIFS Mount, see Remote File Systems.

For all other connectors, an NFS Mount needs to be established before the connector can be added.
For information on creating an NFS Mount, see Remote File Systems.

For file-based FlexConnectors, make sure that an NFS Mount is established and a repository is
created on the system before you add the connector. In addition, when entering the connector
parameters, type the configuration file name without an extension in the Configuration File field. The
extension .sdkrfilereader.properties is appended automatically.

To add a Connector:

If you are adding a connector for the Check Point FW-1/VPN-1 system, see the more detailed procedure in Configuring the Check Point OPSEC NG Connector.

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Containers tab (right panel).
- From the location in which the container exists: click System (left panel) > Location (left panel) > Containers tab (right panel).
- From the host on which the container exists: click System (left panel) > Location (left panel) > Host (left panel) > Containers tab (right panel).
- From the Container page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Click the add-connector icon in the Action column of the container to run the wizard that configures a connector. If you are on the specific Container page, the icon is at the top of the page.

4. Select a connector type from the pull-down list of available types. Click Next.

5. Enter basic parameters for the connector. Parameters vary based on the connector type. You can hover the mouse pointer over a field for more information. When all fields have been entered, click Next.

When entering parameters that include a file path, enter the path in POSIX format (for example, /folder/filename). If you enter the path in DOS/NTFS format (for example, \folder\filename), the backslash (\) is included as part of the file name and the path will be incorrect.

For file-based connectors on Windows systems, specify the name of the CIFS mount point you created for the connector, in the form /opt/mnt/CIFS_share_name.
Some connectors include table parameters. For example, the Microsoft Windows Event Log includes
parameters for each host in the domain and one or more log types (security, application, system,
directory service, DNS, file replication, and so on). You can import table parameters from a CSV file.
See Adding Locations and Hosts from a File for the file format. You can import a CSV file that was
exported from another connector as long as you export and import the CSV file from the same
container. If the CSV file was exported from a different container, you need to change the secret
parameters, such as the password, which appear in obfuscated format in the CSV file to plain text
before you import the CSV file.

For connectors that query Microsoft Active Directory to detect devices (for
example, Microsoft Windows Event Log - Unified), if the “Network
Security: LDAP Server Signing Requirements” policy is set to “Signing
Required” on the Domain Controller, Connector Appliance will be unable
to connect to the Active Directory or browse for devices. You see an error
when selecting Windows Host Browser as the connector device browser
type.

For detailed information about individual connector parameters, refer to the specific ArcSight SmartConnector Configuration Guide for the type of connector chosen. The configuration guide also describes how to set up the source device for use with the connector.

6. Choose a primary destination for the connector and enter destination-specific parameters on the following page(s), then click Next. Destinations can be:

- ArcSight Logger SmartMessage (encrypted)
- ArcSight Manager (encrypted)
- CEF Syslog (cleartext, that is, unencrypted)

For containers running v5.1.2.5823 and later, Connector Appliance retrieves the certificate for the destination automatically and displays the certificate summary. To see certificate details, hover your mouse over the certificate. Compare those details with the certificate you expect for that destination (as obtained from the destination's administrator) before importing it, because the connector trusts the imported certificate for its later connections to that destination.

Select Import the certificate to the connector from the destination, then click Next to import the certificate and continue.

Select Do not import the certificate to the connector from the destination and click Next if you do not want to import the certificate. The destination will not be added.

For containers running v5.1.2 and earlier, upload the certificate on the container and then add the destination.

Note: FIPS Suite B mode is not supported. Connector Appliance cannot download a manager certificate in Suite B mode.

7. Enter connector details:

Parameter: Description
Name: A descriptive name for this connector.
Location: The location of the connector (such as the hostname).
Device Location: The location of the device that sends events to the connector.
Comment: Additional comments.

Configuring a connector can take some time; the connector might initially display Down while it is restarting.

8. Click Done.
Editing Connector Parameters
Updating Simple Parameters for a Specific Connector

Updating Table Parameters for a Specific Connector

Updating Simple and Table Parameters for Multiple Connectors


ArcSight supports a large number of connector types to gather security events from a variety of
sources, including syslog, log files, relational databases, and proprietary devices. Accordingly,
configuration parameters vary widely depending on the type of connector being configured. You can
edit parameters (simple and table) for a specific connector or for multiple connectors at the same
time.

Updating Simple Parameters for a Specific Connector

The following procedure describes how to update simple parameters for a specific connector. To update table parameters for a specific connector, see Updating Table Parameters for a Specific Connector.

To update both simple and table parameters for multiple connectors at the same time, see Updating Simple and Table Parameters for Multiple Connectors.

To update parameters for a specific connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. Click the Edit button next to the Connector Parameters link.

Clicking the heading Connector Parameters toggles between displaying and hiding the information in the Connector Parameters section.

4. Modify parameters as necessary and click Next.

Configuration parameters depend on the type of connector being configured.

When editing parameters that include a file path, enter the path in POSIX format (for example, /folder/filename). If you enter the path in DOS/NTFS format (for example, \folder\filename), the backslash (\) is included as part of the file name and the path will be incorrect.

5. Click Done when complete.

The updated parameters display in the Connector Parameters section of the Connector page.

Updating Table Parameters for a Specific Connector

Certain connectors, such as the Microsoft Windows Event connector, have table parameters. You can update the table parameters for a specific connector when necessary.

To update table parameters for a specific connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. Click the Edit button next to the Table Parameters link.

Clicking the heading Table Parameters toggles between displaying and hiding the information in the Table Parameters section.

4. Modify parameters as necessary and then click Next.

To add more rows of parameter information, click the Add Row link.

You can use an Excel-compatible program to prepare a comma-separated values text file with the information and click the Import File button to load the entire table at once. The file needs to be in the same format as the rows shown on the Update Table Parameters page and needs to include a header row with parameter labels in the order shown on that page. For fields that require checkbox values, enter True or False as the value. An example is shown below.

You can import a CSV file that was exported from another connector as long as you export and import the CSV file from the same container. If the CSV file was exported from a different container, you need to change the secret parameters, such as the password, which appear in obfuscated format in the CSV file, to plain text before you import the CSV file.

To export the table parameters to a CSV file for use as a backup or to import on another Connector Appliance, click the Export File button.

5. Click Done when complete.

The updated table parameters display in the Table Parameters section of the Connector page.
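The CSV rules above (a header row with the labels in the page's order, True or False for checkbox fields, POSIX paths as required in step 5 of Adding a Connector, and plain-text secrets when the file comes from a different container) are easy to get wrong by hand. The following Python script is an added example, not ArcSight code or anything shipped with Connector Appliance; it pre-flights a table-parameter CSV before you click Import File. The header labels, the sample rows and the OBFUSCATED: prefix used to recognise an obfuscated secret are assumptions made for this example; check them against an export from your own container.

```python
"""Pre-flight checks for a Connector Appliance table-parameter CSV.

Added example, not ArcSight code. Assumptions (not taken from the guide):
  * EXPECTED_HEADER lists the labels in the order the Update Table Parameters
    page shows them for a hypothetical Windows Event Log connector;
  * an obfuscated secret in an export is recognised by an "OBFUSCATED:" prefix.
"""
import csv
import io

EXPECTED_HEADER = ["Host Name", "Domain Name", "User Name", "Password",
                   "Security", "Application", "System", "Log Path"]
CHECKBOX_FIELDS = ("Security", "Application", "System")   # must be True or False
PATH_FIELDS = ("Log Path",)                                # must be in POSIX form
SECRET_FIELDS = ("Password",)                              # plain text when cross-container
OBFUSCATED_PREFIX = "OBFUSCATED:"                          # assumed export marker

# Constructed sample export: the first data row is clean; the second has a
# checkbox value the wizard will reject, a DOS path, and a still-obfuscated password.
SAMPLE_CSV = (
    "Host Name,Domain Name,User Name,Password,Security,Application,System,Log Path\n"
    "dc01.example.local,EXAMPLE,svc_arcsight,P@ssw0rd,True,True,False,/opt/mnt/CIFS_share_name/logs\n"
    "fs02.example.local,EXAMPLE,svc_arcsight,OBFUSCATED:4d2f9c1e,yes,True,False,\\logs\\fs02\n"
)


def to_posix(path):
    """Rewrite a DOS/NTFS path (\\folder\\file) into the /folder/file form the wizard expects."""
    return path.replace("\\", "/")


def validate_table_csv(text, same_container=True):
    """Return a list of (line_number, field, problem) tuples; an empty list means safe to import.

    same_container=False means the file was exported from a different container, so
    obfuscated secrets must already have been replaced with plain text.
    """
    findings = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(0, None, "file is empty")]
    header = rows[0]
    if header != EXPECTED_HEADER:
        findings.append((1, None, "header row must be exactly: " + ",".join(EXPECTED_HEADER)))
        return findings                      # column positions are unknown, stop here
    for line_number, row in enumerate(rows[1:], start=2):
        if not row:
            continue                         # blank line; csv.reader yields []
        if len(row) != len(header):
            findings.append((line_number, None, f"expected {len(header)} fields, got {len(row)}"))
            continue
        record = dict(zip(header, row))
        for field in CHECKBOX_FIELDS:
            if record[field] not in ("True", "False"):
                findings.append((line_number, field,
                                 f"checkbox value must be True or False, got {record[field]!r}"))
        for field in PATH_FIELDS:
            if "\\" in record[field]:
                findings.append((line_number, field,
                                 f"DOS path {record[field]!r}; use {to_posix(record[field])!r}"))
        if not same_container:
            for field in SECRET_FIELDS:
                if record[field].startswith(OBFUSCATED_PREFIX):
                    findings.append((line_number, field,
                                     "obfuscated secret from another container; replace with plain text"))
    return findings


if __name__ == "__main__":
    for line_number, field, problem in validate_table_csv(SAMPLE_CSV, same_container=False):
        print(f"line {line_number}, {field or 'row'}: {problem}")
```

Run it against the file you are about to import; every finding is a row the wizard would either reject (wrong checkbox value, wrong column count) or accept silently with a broken value (a DOS path, or an obfuscated password that the target container cannot decode).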

Updating Simple and Table Parameters for Multiple Connectors

If you have multiple connectors of the same type, you can change the simple and table parameters for all the connectors at the same time.

To edit parameters for multiple connectors at once:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).
- From the Connectors page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Select the connectors whose parameters you want to update.

The connectors must be the same type; for example, you can change the parameters for several syslog connectors at the same time, but you cannot change the parameters for several syslog and several SNMP connectors at the same time.

4. Click Parameters.

5. Follow the instructions in the wizard.

You can choose to modify the simple parameters for all the selected connectors at once or modify the simple parameters per connector.

If the connectors have table parameters, the table parameters are displayed so that you can modify them. If you have many table parameters to modify for multiple connectors, you can import the parameters from a CSV file (for information about adding rows and the CSV file format, see step 4 of Updating Table Parameters for a Specific Connector). You can also export the table parameters to a CSV file for use as a backup or to import on another Connector Appliance.

When you update parameters for connectors that are of different versions, the newer connectors might have additional parameters. In this case, only the parameters that are the same for all connectors are displayed for updating.

Managing Destinations
Adding a Primary Destination to a Specific Connector

Adding a Failover Destination to a Specific Connector

Adding a Primary or Failover Destination to Multiple Connectors

Removing Destinations

Re-Registering Destinations

Editing Destination Parameters

Editing Destination Runtime Parameters

Managing Alternate Configurations

Sending a Command to a Destination

Connectors can forward events to more than one destination, such as ArcSight Manager and ArcSight
Logger. You can assign one or more destinations per connector. You can assign multiple destinations
to a connector and specify a failover (alternate) destination in the event that the primary destination
fails.

The following procedures describe how to perform these actions on a specific connector or for
multiple connectors at the same time:

Add a primary or failover destination

Edit destination parameters and destination runtime parameters

Remove destinations

Re-register destinations

Manage alternate configurations for a destination

Send a command to a destination


You cannot configure two connectors with the same ArcSight Manager destination if the destination (connector) name and location used for configuration is the same.

Logger receivers do not support encrypted data.

You cannot use the Edit button to change or add a connector destination. Its purpose is to change destination parameters. To add a new destination, remove the unwanted destination configuration and create a new one.

Adding a Primary Destination to a Specific Connector

When you add a primary destination to a connector, you need to enter details for the destination, such as the destination hostname and port used.

To add a primary destination to a connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. Click the add icon next to the Destinations link.

Clicking the Destinations heading toggles between displaying and hiding the information in the Destinations section.

4. Follow the steps in the wizard.

You can either select an existing destination or add a new destination. If you are adding a new destination, select the destination type and enter parameters for the destination.

For containers running v5.1.2.5823 and later, Connector Appliance retrieves the certificate for the destination automatically and displays the certificate summary. To see certificate details, hover your mouse over the certificate.

Select Import the certificate to the connector from the destination, then click Next to import the certificate and continue.

Select Do not import the certificate to the connector from the destination and click Next if you do not want to import the certificate. The destination will not be added.

For containers running v5.1.2 and earlier, upload the certificate on the container and then add the destination.

Note: FIPS Suite B mode is not supported. Connector Appliance cannot download a manager certificate in Suite B mode.

5. Click Done when complete.
Adding a Failover Destination to a Specific Connector

Each destination can have a failover destination that is used if the connection with the primary destination fails.

UDP connections cannot detect transmission failure; use Raw TCP for CEF Syslog destinations.

To add a failover destination:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. Click the add icon in the Destinations section to display the Add Connector Destination wizard.

4. Follow the steps in the wizard to select from available destinations and enter the destination details.

For containers running v5.1.2.5823 and later, Connector Appliance retrieves the certificate for the destination automatically and displays the certificate summary. To see certificate details, hover your mouse over the certificate.

Select Import the certificate to the connector from the destination, then click Next to import the certificate and continue.

Select Do not import the certificate to the connector from the destination and click Next if you do not want to import the certificate. The destination will not be added.

For containers running v5.1.2 and earlier, upload the certificate on the container and then add the destination.

Note: FIPS Suite B mode is not supported. Connector Appliance cannot download a manager certificate in Suite B mode.
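Why the note above insists on Raw TCP for a CEF Syslog destination with a failover, as an added Python example that is not ArcSight connector code: it builds a CEF line, sends it to a primary CEF Syslog destination over raw TCP and, when that connection fails, to the failover; it then shows that a UDP send to the same dead destination reports success, so a UDP destination never triggers the failover. The hosts and ports are constructed on loopback, the CEF field values are made up, and the escaping follows the published CEF rules (backslash and pipe in header fields, backslash and equals sign in extension values).

```python
"""CEF Syslog over raw TCP with a failover destination.

Added example, not ArcSight connector code. Destinations are constructed on
127.0.0.1 with ephemeral ports; the CEF fields are sample values.
"""
import socket
import threading


def cef_escape_header(value):
    """Escape backslash and pipe in CEF header fields."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """Escape backslash, equals sign and line breaks in CEF extension values."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build one CEF:0 line from the header fields and a dict of extension key/values."""
    header = "|".join(cef_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def send_tcp(destination, line, timeout=2.0):
    """Raw TCP syslog: connect, send one newline-terminated line, close."""
    with socket.create_connection(destination, timeout=timeout) as sock:
        sock.sendall(line.encode("utf-8") + b"\n")


def send_udp(destination, line):
    """UDP syslog: sendto() returns the byte count even when nobody is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8") + b"\n", destination)


def send_with_failover(line, primary, failover):
    """Try the primary destination; on any socket error use the failover.

    Returns the (host, port) tuple that actually received the event.
    """
    try:
        send_tcp(primary, line)
        return primary
    except OSError:                        # refused, timed out, reset, ...
        send_tcp(failover, line)
        return failover


def start_receiver():
    """Minimal raw-TCP receiver on 127.0.0.1 standing in for the failover destination.

    Returns (address, lines, thread); lines is filled with the received syslog
    lines once the sender has disconnected.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server.settimeout(5.0)
    lines = []

    def serve():
        try:
            conn, _ = server.accept()
        except OSError:                    # nobody connected within the timeout
            return
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        lines.extend(data.decode("utf-8").splitlines())
        server.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return server.getsockname(), lines, thread


def closed_port():
    """A loopback address that nothing listens on (bind, read the port, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()


if __name__ == "__main__":
    event = build_cef("Example", "Sensor", "1.0", "100", "Test|event", 5,
                      {"src": "10.0.0.1", "dst": "10.0.0.2", "msg": "a=b"})
    dead = closed_port()
    failover, received, thread = start_receiver()
    print("UDP to dead primary reported", send_udp(dead, event), "bytes sent")
    print("TCP delivered to", send_with_failover(event, dead, failover))
    thread.join(5.0)
    print("failover receiver got:", received)
```

Run as a script, the UDP send to the dead primary "succeeds" while the TCP path raises, is caught, and lands the event on the failover receiver; that visible failure is what the connector needs in order to switch destinations.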

Adding a Primary or Failover Destination to Multiple Connectors

You can add a primary or failover destination to several connectors at the same time.

To add a primary or failover destination to more than one connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).
- From the Connectors page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Select all connectors to which you want to assign a destination.

4. Click Add Destinations at the bottom of the page to open the wizard.

5. Select Add a destination and click Next.

6. Choose between creating a new destination or selecting an existing destination, then click Next.

If you choose to create a new destination, select the destination type and then provide the destination parameters.

If you choose to select an existing destination, select a destination from the list.

Connector Appliance retrieves the certificate for the destination automatically and displays the certificate summary. To see certificate details, hover your mouse over the certificate.

Select Import the certificate to the connector from destination, then click Next to import the certificate and continue.

Select Do not import the certificate to the connector from the destination and click Next if you do not want to import the certificate. The destination will not be added.

Note: FIPS Suite B mode is not supported. Connector Appliance cannot download a manager certificate in Suite B mode.

7. Define the destination function by choosing between a primary or failover destination.

If you choose Primary destination, click Next to update the configuration.

If you choose Failover destination:

a. Select the primary destination that applies to your failover.

b. Click the check box in the table header to modify all of the displayed connectors.

c. Click Next to update the configuration.

8. Click Done when complete.

Removing Destinations

You can remove a destination from a connector at any time. The following procedures describe how to remove a single destination from a specific connector and how to remove multiple destinations from one or more connectors.

To remove a single destination from a specific connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. In the Destinations section, click the remove icon for the destination you want to remove.

The remove icon shows in the Destinations table only if more than one destination is listed.

4. When prompted, confirm the removal.

To remove multiple destinations from one or more connectors:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).
- From the Connectors page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Select the connectors whose destinations you want to remove.

4. Click the Destinations button to open the wizard.

5. Select Remove destinations and click Next.

6. Follow the instructions in the wizard and click Done when complete.

Re-Registering Destinations

At certain times, you might need to re-register the destinations for one or more connectors; for example, after you upgrade ESM, or if a Logger appliance or ESM appliance becomes unresponsive.

To re-register destinations for one or more connectors:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).
- From the Connectors page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Select the connectors whose destinations you want to re-register.

4. Click the Destinations button to open the wizard.

5. Select Re-register destinations and click Next.

6. Follow the instructions in the wizard and click Done when complete.

Editing Destination Parameters

The following procedures describe how to edit destination parameters for a specific connector and how to edit destination parameters for multiple connectors at the same time.

You cannot change the connector type; however, you can remove the unwanted connector configuration and create a new one.

To edit destination parameters for a specific connector:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).
- From the Connector page: click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3. In the Destinations section, click the Edit button next to the destination you want to edit to display the Edit Destination Parameters page.

You cannot use the Edit button to change or add a connector destination. Its purpose is to change destination parameters. To add a new destination, remove the unwanted destination and create a new one.

4. Make your changes and click Next.

5. Click Done when complete.

To edit destination parameters for multiple connectors:

1. Click Configuration > Manage Connectors.

2. Use one of these navigation paths:

- From the System-level page: click System (left panel) > Connectors tab (right panel).
- From the location in which the connector exists: click System (left panel) > Location (left panel) > Connectors tab (right panel).
- From the host on which the connector exists: click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).
- From the Connectors page: click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3. Select the connectors whose destination parameters you want to edit.

4. Click Destinations to open the wizard.

5. Select Edit a destination and click Next.

6. Follow the instructions in the wizard and click Done when complete.

Editing Destination Runtime Parameters


The runtime parameters for a destination enable you to specify advanced processing options such as
batching, time correction, and bandwidth control. The parameters you can configure are listed in
Destination Runtime Parameters appendix at the end of this guide . All the parameters listed in that
table are not available for all destinations. The user interface automatically displays the parameters
valid for a destination.

The following procedures describe how to edit the runtime parameters for a specific connector and
how to edit the runtime parameters for multiple connectors at the same time.

To edit destination runtime parameters for a specific connector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 In the Destinations section, click the icon next to the destination whose runtime parameters you want to
edit.

4 Click the icon next to the alternate configuration that you want to edit.

If you have not set up alternate configurations, click the icon next to the Default. For more information
about alternate configurations, see Managing Alternate Configurations.

5 Specify or update values for the listed parameters and click Save.

To edit destination runtime parameters for multiple connectors at the same time:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).

From the Connectors page: Click System (left panel) > Location (left panel) > Host (left panel) > Container (left panel).

3 Select the connectors whose destination runtime parameters you want to edit.

4 Click Runtime Parameters to open the wizard.

5 Follow these steps in the wizard to edit the runtime parameters:

a Select the destinations whose runtime parameters you want to modify.

b Select the configurations to be affected (default or alternate configurations).

c Select the group of parameters you want to modify (for example, batching, cache, network,
processing).

d Modify the parameters.

Managing Alternate Configurations


Defining a New Alternate Configuration

Editing an Alternate Configuration

Specifying a Time Range for an Alternate Configuration

Editing Alternate Configurations in Bulk

An alternate configuration is a set of runtime parameters that is used instead of the default
configuration during a specified portion of every day. For example, you might want to specify different
batching schemes (by severity or size) for different times of the day. You can define more than one
alternate configuration per destination and apply them to the destination for different time ranges
during the day. For example, you can define one configuration for the 8 am to 5 pm time range and another
configuration for the 5 pm to 8 am time range.

By default, a configuration labeled Default exists and is applied to a destination. Any subsequent
configurations you define are labeled Alternate#1, Alternate#2, and so on. The default configuration is
used if the time ranges specified for other alternate configurations do not span 24 hours. For example,
if you specify an alternate configuration, Alternate#1 that is effective from 7 am to 8 pm, the Default
configuration will be used from 8 pm to 7 am (assuming that there are no other alternate
configurations defined on this system).

If you need to apply the same alternate configuration for multiple destinations, you need to define an
alternate configuration (with the same settings) for each of those destinations.
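The time-range rules above (an alternate configuration's From Hour/To Hour window, overnight windows such as 5 pm to 8 am, and fallback to Default for any hour no alternate spans) as an added Python example; this is not ArcSight code. It assumes a half-open [From Hour, To Hour) window and treats a To Hour at or before the From Hour as wrapping past midnight; the page states neither convention, nor how overlapping alternates are resolved, so overlaps are only reported.

```python
"""Resolve which destination configuration (Default or Alternate#n) is in
effect at a given hour, following the rules described in the text above.

Added example, not ArcSight code. Assumptions (not stated on the page):
the From Hour/To Hour range is half-open, [from_hour, to_hour), and a
To Hour at or before the From Hour means the window wraps past midnight
(for example 17 -> 8 means 5 pm to 8 am the next day).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AlternateConfig:
    name: str               # Alternate#1, Alternate#2, ...
    from_hour: int          # 0-23
    to_hour: int            # 1-24; at or below from_hour means overnight
    params: Dict[str, str]  # runtime parameters, e.g. {"batching": "by severity"}


def hours_covered(cfg: AlternateConfig) -> List[int]:
    """Hours (0-23) during which cfg is active, handling the overnight wrap."""
    if cfg.from_hour < cfg.to_hour:
        return list(range(cfg.from_hour, cfg.to_hour))
    # overnight window: from_hour..23, then 0..to_hour-1 (equal hours = all day)
    return list(range(cfg.from_hour, 24)) + list(range(0, cfg.to_hour))


def active_config(alternates: List[AlternateConfig], hour: int) -> str:
    """Name of the configuration that applies at `hour`; Default when no
    alternate covers that hour (the fallback rule described above)."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    for cfg in alternates:
        if hour in hours_covered(cfg):
            return cfg.name
    return "Default"


def default_hours(alternates: List[AlternateConfig]) -> List[int]:
    """Hours that fall back to Default because no alternate spans them."""
    return [h for h in range(24) if active_config(alternates, h) == "Default"]


def overlapping_hours(alternates: List[AlternateConfig]) -> Dict[int, List[str]]:
    """Hours claimed by more than one alternate. The page does not say how the
    appliance resolves overlaps, so they are flagged for the administrator."""
    claims: Dict[int, List[str]] = {}
    for cfg in alternates:
        for h in hours_covered(cfg):
            claims.setdefault(h, []).append(cfg.name)
    return {h: names for h, names in claims.items() if len(names) > 1}


# Constructed sample: the page's own example, Alternate#1 effective 7 am to 8 pm.
SAMPLE = [AlternateConfig("Alternate#1", 7, 20, {"batching": "by severity"})]

if __name__ == "__main__":
    for h in (6, 7, 19, 20, 23):
        print(f"{h:02d}:00 -> {active_config(SAMPLE, h)}")
    print("hours served by Default:", default_hours(SAMPLE))
```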

Defining a New Alternate Configuration

The process of defining a new alternate configuration includes first defining the configuration, and
then editing it to specify the time range for which that configuration is effective.

To define an alternate configuration:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click ( ) in the Destinations section.

4 Click Add.

5 Specify or update values for the listed parameters.

6 Scroll down to the end of the page and click Save.

If this is the first alternate configuration you defined, it is saved as Alternate#1. Subsequent
configurations are saved as Alternate#2, Alternate#3, and so on.

To specify the time range for which the configuration you just defined is effective, edit it using the
procedure in Editing an Alternate Configuration below.

Editing an Alternate Configuration

In addition to editing an alternate configuration to change parameter values, you can edit it to specify
the time range for which it is effective.

To edit an alternate configuration:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click ( ) in the Destinations section.

4 Select the alternate configuration that you want to edit and click ( ).

5 Specify or update values for the listed parameters, including the time range in the From Hour/To
Hour fields.

6 Scroll down to the end of the page and click Save.

Specifying a Time Range for an Alternate Configuration


See Editing an Alternate Configuration.

Editing Alternate Configurations in Bulk

If you need to update the same parameters in multiple alternate configurations, follow the procedure
described in Editing Destination Runtime Parameters.

Sending a Command to a Destination

You can send a command to a connector destination.

To send a command to a destination on a connector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click ( ) in the Destinations section.

4 Select the command you want to run and click Next.

5 Enter values for the parameters that the user interface displays and click Finish.

Removing a Connector

After removing a connector, you need to reboot the system; otherwise, the removed connector
continues to forward events to its destination.

To remove a Connector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel).

3 Select the connectors you want to delete. You can select multiple connectors.

4 Click Delete at the bottom of the page.

5 Reboot the system.

You can also delete a specific connector from its details page: Click System (left panel) > Location
(left panel) > Host (left panel) > Container > Connector, and then click the delete icon at the top of the
page.

Sending a Command to a Connector

You can send a command to a connector.

To send a command to a connector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click the icon in the Action column for the connector.

If you are on a specific Connector page, the icon is at the top of the page.

4 From the Command Type drop-down list, select the command you want to send to the connector.

5 Click Next.

Running Logfu on a Connector

Run Logfu on a connector to parse ArcSight logs and generate an interactive visual representation of
the information contained within the logs.

To run Logfu on a connector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click ( ) at the top of the page. A separate window displays. The system proceeds to retrieve and
analyze system data logs. After this process is complete, a group of panels appears in the window.

4 From the Group box, choose which type of data you would like to view. The Group box lists all
connectors within the chosen container, plus many other types of data such as memory usage,
transport rates, and logs. Choose one of the Group box data points. Depending on which data point
you choose, a list of fields appears in the Field box below.

5 Choose a field to view. A graphic chart appears in the Chart box, providing rate and time information.
The key at the bottom of the Chart box defines the data points mapped in the chart.

6 If you need to choose a different data point for analysis, click Reset Data.

Changing the Network Interface Address for Events


Connector Appliance has multiple network interfaces. By default, the connector determines which
network interface address is used for events displayed in the ArcSight Console or Logger, but
typically uses eth0.

To use a specific network interface address for events, add the parameter
connector.network.interface.name to the Connector’s agent.properties file. For example, to use the IP
address for eth1, specify the following parameter:

connector.network.interface.name=eth1

Developing FlexConnectors
FlexConnectors are custom SmartConnectors that can read and parse information from third-party
devices and map that information to ArcSight’s event schema.

Connector Appliance provides a FlexConnector Development wizard that lets you quickly and easily
develop a FlexConnector by creating a parser file, and enables you to test and package your new
FlexConnector before deploying it. The wizard generates regular expressions and provides event field
mapping suggestions automatically so you do not need to be an expert in regular expression
authoring, parser syntax, or ArcSight event schema.

Use the FlexConnector Development wizard to develop FlexConnectors for simple log files. For
complex log files, use the FlexConnector SDK (available from the HP Customer Support site (SSO)).

Currently, the FlexConnector Development wizard supports Regex Files, Folder Follower, and Syslog
(Daemon, File, Pipe) FlexConnectors only.

The FlexConnector Development wizard does not support the extra processors property or multiple
sub messages. If you need these features, use the FlexConnector SDK to create your FlexConnector.

A FlexConnector that you develop with the FlexConnector Development wizard might perform more
slowly than an ArcSight SmartConnector.

To develop a FlexConnector:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths to go to the Containers tab:

From the System-level page: Click System (left panel) > Containers tab (right panel).

From the location in which the container exists: Click System (left panel) > Location (left panel) > Containers tab (right panel).

From the host on which the container exists: Click System (left panel) > Location (left panel) > Host (left panel) > Containers tab (right panel).

3 Click the icon in the Action column of the container to which you want to add the FlexConnector. When
the FlexConnector Development wizard opens, click Next.

4 Provide the vendor and product name of the device for which you are creating a FlexConnector, then
click Next.

The device vendor and product name are required.

5 Select the data source type, then click Next:

Select Syslog to create a Syslog FlexConnector to read events from Syslog messages.

Select File to create a FlexConnector to parse variable-format log files using regular expressions
(ArcSight FlexConnector Regex File) or to parse variable-format log files in batch mode (ArcSight
FlexConnector Folder Follower).

6 Upload a sample log file for the data source type you selected in the previous step, then click Next.

7 The wizard finds the first unparsed line in the log file, generates a regular expression to match and
extract tokens from that line, and displays the suggested field mappings for each extracted token in
the Mappings table.

The mappings are displayed in descending order of probability (based on ArcSight training data). You
can change the mappings by selecting from the list.

The percentage of parsed lines in the file is shown in the top right of the panel. You can use this
percentage to estimate where you are in the log file. The percentage of unparsed lines skipped in the
file is also shown in the top right of the panel.

To change the regular expression in the Regex box and recalculate the mappings, edit the
expression and then click the Recalculate button. You can set the regular expression back to the
suggested value by clicking the Reset button.

Field mappings that do not correspond directly to the extracted tokens in the unparsed line of the log
file are displayed in the Extra Mappings table. You can change the Event Field and provide a token
operation. To add a new Event Field, click Add Row.

You can use extra mappings to:

Remap an extracted token to a different Event Field in addition to the existing mapping. For example,
you can add an Event Field with the value $3 where $3 is the third token in the list of suggested
mappings.

Map a modified token or combination of tokens to an Event Field. For example, you can add an
Event Field with the value __operation($1,$3).

Map an Event Field to a constant string or integer. For example, you can add an Event Field with the
value __stringConstant(constant).

The wizard always contains an extra mapping for the Event Field name, which
maps all the words in the input log line. ArcSight strongly recommends that
you do not simply delete the name Event Field but map it in either the
Mappings or the Extra Mappings table.

For a list of the token operations used when tokens are mapped to ArcSight event fields, refer to the
FlexConnector Developer’s Guide (available from the HP Customer Support site (SSO)).
8 Click Next to save the mapping to the parser file and display the next unparsed line in the log file.

Click the Skip Line button to go to the next unparsed line in the log file without saving the mapping.

Click the Skip to End button to go to the end of the log file without processing any other lines and
display the parser file for review.

Click the Previous button to go back to the previous line in the log file and make changes if
necessary. If you configured any mappings for the previous line, the Previous button displays the
configured mappings, not the default mappings.

After all unparsed lines in the log file have corresponding regular expressions and mappings, the
wizard displays the parser file for review.

9 Review the parser file and make changes, if necessary, directly in the Review Parser File panel.

In Mozilla Firefox, if certain text in the Review Parser File panel is underlined in red, you can disable
Spell Check: right-click in the panel and click Check Spelling to remove the check mark.

10 Click Next to save and package the parser file.

11 Choose how you want to deploy the FlexConnector:

Select Deploy parser to existing connector in container and click Next to use the parser file with an
existing connector. Click Done to close the FlexConnector wizard and redisplay the Container tab.

The Deploy parser to existing connector in container option displays only if the container already
contains a connector of the same type.

Select Add new connector to container and click Next to add the parser as a new connector. Follow
the steps to add the connector to the container.

After deploying your FlexConnector, you can edit it any time from the Connectors tab. See Editing
FlexConnectors.

You can share FlexConnectors with other users. See Sharing Connectors (ArcExchange).
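A simplified model of what the wizard does with the regular expression and the mappings described in steps 6 through 8, as an added Python example rather than ArcSight's parser engine: the sample log lines, the regular expression, the event field mappings and the __concatenate($a,$b) token operation (standing in for the __operation($1,$3) placeholder above) are all constructed for illustration; the real token operations are listed in the FlexConnector Developer's Guide.

```python
"""Model of the wizard's core loop for a regex FlexConnector: match each log
line against a regular expression, extract tokens ($1..$n), apply the field
mappings (including extra mappings that use a constant or combine tokens),
and report the parsed/unparsed percentages the wizard shows.

Added example, not ArcSight's parser engine. Only $n references,
__stringConstant("...") and one illustrative operation __concatenate($a,$b)
are understood. Log lines, regex and mappings are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: four lines of a hypothetical firewall log. The AUDIT
# line does not match the regex, so it is an "unparsed" line the wizard
# would present next for a new expression and mapping.
SAMPLE_LOG = """\
2024-03-01 10:15:02 fw01 DENY tcp 10.0.0.5:51234 -> 203.0.113.9:443
2024-03-01 10:15:03 fw01 ALLOW udp 10.0.0.7:5353 -> 224.0.0.251:5353
2024-03-01 10:15:04 fw01 AUDIT config reloaded by admin
2024-03-01 10:15:05 fw01 DENY tcp 10.0.0.5:51235 -> 203.0.113.9:443
"""

# One capture group per token; tokens are referenced as $1..$8 in mappings.
REGEX = re.compile(
    r"^(\S+ \S+) (\S+) (DENY|ALLOW) (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Event field -> mapping expression. The last two are "extra mappings":
# a constant string and a combination of two tokens.
MAPPINGS: Dict[str, str] = {
    "deviceReceiptTime": "$1",
    "deviceHostName": "$2",
    "deviceAction": "$3",
    "transportProtocol": "$4",
    "sourceAddress": "$5",
    "sourcePort": "$6",
    "destinationAddress": "$7",
    "destinationPort": "$8",
    "deviceVendor": '__stringConstant("ExampleVendor")',  # constructed name
    "name": "__concatenate($3,$4)",  # hypothetical token operation
}

_TOKEN = re.compile(r"^\$(\d+)$")
_CONST = re.compile(r'^__stringConstant\("([^"]*)"\)$')
_CONCAT = re.compile(r"^__concatenate\(\$(\d+),\$(\d+)\)$")


def evaluate(expr: str, tokens: List[str]) -> str:
    """Evaluate one mapping expression against the extracted tokens."""
    if m := _TOKEN.match(expr):
        return tokens[int(m.group(1)) - 1]
    if m := _CONST.match(expr):
        return m.group(1)
    if m := _CONCAT.match(expr):
        a, b = (int(g) for g in m.groups())
        return tokens[a - 1] + " " + tokens[b - 1]
    raise ValueError(f"unsupported mapping expression: {expr}")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Mapped event for one line, or None when the regex does not match."""
    m = REGEX.match(line)
    if m is None:
        return None
    tokens = list(m.groups())
    return {field: evaluate(expr, tokens) for field, expr in MAPPINGS.items()}


def parse_log(text: str) -> Tuple[List[Dict[str, str]], List[str], float]:
    """Parse every non-empty line; return (events, unparsed lines, % parsed)."""
    events: List[Dict[str, str]] = []
    unparsed: List[str] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines:
        ev = parse_line(ln)
        if ev is None:
            unparsed.append(ln)
        else:
            events.append(ev)
    pct = 100.0 * len(events) / len(lines) if lines else 0.0
    return events, unparsed, pct


if __name__ == "__main__":
    evs, skipped, pct = parse_log(SAMPLE_LOG)
    print(f"parsed {pct:.0f}% of lines; next unparsed line: {skipped[:1]}")
    print(evs[0])
```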

Editing FlexConnectors

After you have developed a FlexConnector with the FlexConnector wizard and have deployed it in a
container, you can edit the FlexConnector to make changes to the parser file when needed.

The FlexConnector Edit wizard is available on the Connectors tab in the Action column.

Click the icon in the Action column for the FlexConnector to open the wizard. To edit the parser file, follow
Step 6 through Step 11 in Developing FlexConnectors.

Only edit a FlexConnector that is created with the FlexConnector wizard. Editing manually-created
FlexConnectors might produce unpredictable results.

In addition to the FlexConnector Edit wizard, you can also use the Edit a File action in the Container
Diagnostics wizard to edit your FlexConnector. Refer to Running Diagnostics on a Container.

Sharing Connectors (ArcExchange)


Packaging and Uploading Connectors

Downloading Connectors

You can share FlexConnectors and parser overrides with other users.

A FlexConnector is a custom connector that you define to gather security events from log files,
databases, and other software and devices. You can share the following FlexConnector types:

Syslog FlexConnectors (to read events from syslog messages)

Log File FlexConnectors (to read fixed-format log files)

Regular Expression Log File FlexConnectors (to read variable-format log files)

Regular Expression Folder Follower FlexConnectors (to read variable-format log files recursively in a
folder)

Regular Expression Multiple Folder Follower FlexConnectors (to read events in real time or batch
mode from multiple folders)

XML FlexConnectors (to read events recursively from XML-based files in a folder)

A parser override is a file provided by ArcSight used to resolve an issue with the parser for a specific
connector, or to support a newer version of a supported device where the log file format changed
slightly or new event types were added. You can share parser overrides for all connector types that
use a parser.

To share a FlexConnector or parser override, you need to package and upload it to ArcExchange on
the ArcSight online community (Protect 724) or to your local machine. You can also download a
FlexConnector or parser override that you need from ArcExchange or from your local machine and
add it to a container.

Packaging and Uploading Connectors


Before uploading your FlexConnector or parser override to Protect 724 or to your local computer, you
need to package it into a zip file (called an AUP package) using the upload wizard.

A FlexConnector AUP package contains the connector properties file, categorization file, connector
parameters, and a manifest file with all the metadata on the package required for successful
deployment. Metadata includes information about the AUP package, such as the package type,
connector type, connector description, and so on. You can create only one AUP package per
connector per device type. You can package a FlexConnector in Basic or Advanced mode. In Basic
mode:

The wizard packages the FlexConnector properties file automatically. If the wizard finds more than
one properties file, you are prompted to select the file you want to package.

The wizard packages the categorization file automatically only if it can be determined based on the
device vendor and product information found in the properties file.

The wizard does not package connector parameters. You are prompted to configure the connector
when it is downloaded and deployed.

In Advanced mode:

The wizard packages the FlexConnector properties file automatically. If the wizard finds more than
one properties file, you are prompted to select the file you want to package. (This is the same as in
Basic mode.)

The wizard packages the categorization file automatically if it can be determined based on the
device vendor and product information found in the properties file. If the categorization file cannot be
determined, you are prompted to select the categorization file you want to package from the list of
files found in the container.

The wizard displays connector parameters so you can configure the parameters you want to display
and set the default values you want to provide during connector deployment (download). The
parameters you do not configure for display are preconfigured with the current values and will not be
displayed during connector deployment.

A parser override package contains the parser override properties file and the manifest file only.

Follow the steps below to package and upload a FlexConnector or parser override.

To upload to ArcExchange, you must have a valid username and password for Protect 724.

Make sure that you have configured Connector Appliance network settings under Setup > System
Admin > Network and that the appliance can communicate with the Protect 724 server.

To package and upload a FlexConnector or parser override:

1 Click Configuration > Manage Connectors.

2 Use one of these navigation paths:

From the System-level page: Click System (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the location in which the connector exists: Click System (left panel) > Location (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the host on which the connector exists: Click System (left panel) > Location (left panel) > Host (left panel) > Connectors tab (right panel) > Name of the Connector (right panel).

From the Connector page: Click System (left panel) > Location (left panel) > Host (left panel) > Container > Name of the Connector (left panel).

3 Click the icon at the top of the Connector page to open the upload wizard. (From the Connectors page,
select the connector in the right panel and click the icon in the Action column.)

4 Click Next and follow the steps in the wizard to:

a Select the type of AUP package you want to create for the selected connector.

Connector Appliance scans the container and displays the relevant files that can be packaged.

b For a FlexConnector, select Basic to create a default package or select Advanced to customize the
package to meet your needs. For a description of Basic and Advanced mode, refer to Packaging and
Uploading Connectors.

c If the connector contains several properties files, you are prompted to select the properties file you
want to package. Certain connectors, for example, syslog connectors, can have more than one
parser override folder; in this case, you are prompted to select the folder you want to package.

d If you selected Advanced mode for a FlexConnector in Step b and the categorization file cannot be
determined, you are prompted to select the categorization file you want to package from a list of files
found in the container.

Categorization files are not packaged for parser overrides.

e If you selected Advanced mode for a FlexConnector in Step b, select the configuration parameters
you want to display when the connector is deployed and then provide default values for these
parameters. Parameters you do not select are pre-configured with the current values.

If any advanced connector parameters were previously modified from their defaults, the wizard
displays these parameters so that you can select which ones you want to be configured automatically
during deployment.

Configuration parameters are not displayed for parser overrides.

If the connector has table parameters, they are not displayed during packaging. However, when the
connector is downloaded to a container, you will be prompted to provide values for all the table
parameters.

f Provide a description of the AUP package and instructions on how to configure the device used by
the connector.

g Provide the vendor, product, and version of the device used by the connector.

If the wizard can determine the vendor, product, and version of the device, the information is
displayed in the fields provided. You can change the information to meet your needs.

h Upload the created AUP package to ArcExchange or to your local machine.

To upload the AUP package to ArcExchange, you must have a valid username and password for
Protect 724.

Downloading Connectors

You can download a FlexConnector or parser override that is available from ArcExchange on Protect
724 or from your local computer. You download a FlexConnector or parser override directly to a
container.

You can download only one FlexConnector per container using the download wizard. However, there
is no limit to the number of parser overrides you can download to a container.

When downloading a parser override to a container, the download wizard overwrites any existing
parser override with the same name in the container without prompting for confirmation. To avoid
overwriting an existing parser override, send a Get Status command to the existing parser override to
check the parser information before you download a new parser override. For information on sending
a Get Status command, refer to Sending a Command to a Connector.

ArcSight recommends that you back up the container to the Backup Files repository before
downloading a connector or parser override so you can revert to the previous configuration if the
download produces unexpected results.

Follow the steps below to download a FlexConnector or parser override to a container.

To download from ArcExchange, you must have a valid username and password for Protect 724. Also,
make sure that you have configured Connector Appliance network settings under Setup > System
Admin > Network and that the appliance can communicate with the Protect 724 server.

To download a FlexConnector or parser override:

1 Click Configuration > Manage Connectors.

2 Go to the Containers page. Use one of these navigation paths:

From the System-level page: Click System (left panel) > Containers tab (right panel).

From the location in which the container exists: Click System (left panel) > Location (left panel) > Containers tab (right panel).

From the host on which the container exists: Click System (left panel) > Location (left panel) > Host (left panel) > Containers tab (right panel).

3 In the right panel, select the container into which you want to download the connector, and then click
the icon in the Action column to open the download wizard.

4 Click Next and follow the steps in the wizard to:

a Select whether you want to download the connector from ArcExchange on Protect 724 or from
your local computer.

b Select the AUP package you want to download.

On Protect 724, you can search for a parser override or FlexConnector AUP package using a
keyword or a combination of keywords.

You can only download a parser override package to a container that has a connector of the same
type as the package.

You can download only one FlexConnector per container using the download wizard. If the container
already contains a FlexConnector of the same type as the one you want to download, you can replace
the existing FlexConnector with the one you are downloading, but you cannot create a new one.

c For a FlexConnector, provide connector configuration parameters, if needed.

Preconfigured and advanced parameters are deployed automatically with the values that were
packaged; you are not prompted to configure these parameters. The configurable parameters are
displayed with suggested defaults, which you can modify if necessary. The table parameters are
displayed with no configured values; you have to provide the values manually, as needed.

d Add or select a destination for the connector.

If you are downloading the connector to a container that has an existing connector of the same type,
you are not prompted for a destination.

The wizard copies the properties and categorization files to the appropriate locations and also installs
the zip file for the AUP package in the user/agent/deployedaups folder on the Connector Appliance to
keep track of the deployment history.

After a successful download, the container is restarted automatically.

To use memory efficiently, parser overrides for the Windows Unified connector only load when the
first event is received.


Administrator’s Guide : Managing Connectors : Configuration Suggestions for Connector Types

Configuration Suggestions for Connector Types


Deploying FlexConnectors

Configuring the Check Point OPSEC NG Connector

Adding the MS SQL Server JDBC Driver

Adding the MySQL JDBC Driver

The following table provides configuration suggestions for different types of connectors.

Connector Type: Effects of Limited Usage

Syslog connectors: Due to the nature of UDP (the transport protocol typically used by Syslog), these
connectors can potentially lose events if the configurable event rate is exceeded. This is because the
connector delays processing to match the event rate configured, and while in this state, the UDP
cache might fill and the operating system drop UDP messages.

Note: ArcSight recommends that you do not use the Limit CPU Usage option with these connectors
because of the possibility of event loss.

SNMP connectors: Similar to Syslog connectors, when the event rate is limited on SNMP connectors,
they can potentially lose events. SNMP is also typically UDP-based and has the same issues as
Syslog.

Database connectors: Because connectors follow the database tables, limiting the event rate for
database connectors can slow the operation of other connectors. The result can be an event backlog
sufficient to delay the reporting of alerts by as much as minutes or hours. However, no events will be
lost, unless the database tables are truncated. After the event burst is over, the connector might
eventually catch up with the database if the event rate does not exceed the configured limit.

File connectors: Similar to database connectors, file-based connectors follow files and limiting their
event rates causes an event backlog. This can eventually force the connector to fall behind by as
much as minutes or hours, depending on the actual event rate. The connectors might catch up if the
event rate does not exceed the configured rate.

Asset Scanner connectors: All connectors on Connector Appliance run as a service (not as an
application). Therefore, asset scanner connectors running on Connector Appliance are not supported
in Interactive mode.

To run the asset scanner connector in Interactive mode, install the connector on a standalone system
and manage it as a software-based connector.

Proprietary API connectors: The behavior of these connectors depends on the particular API (for
example, OPSEC behaves differently than PostOffice and RDEP). But in most cases, there will be no
event loss unless the internal buffers and queues of the API implementation fill up. These connectors
work much like database or file connectors.

Deploying FlexConnectors
FlexConnectors are custom connectors that are user-defined. FlexConnectors can be hosted on the
system if they are compatible with a Linux platform. Connector Appliance ships with several prototype
FlexConnectors, including:

ArcSight FlexConnector File

ArcSight FlexConnector ID-based Database

ArcSight FlexConnector Multiple Database

ArcSight FlexConnector Regular Expression File

ArcSight FlexConnector Regular Expression Folder File

ArcSight FlexConnector Simple Network Management Protocol (SNMP)

ArcSight FlexConnector Time-based Database

ArcSight FlexConnector XML File

You can create and manage FlexConnectors using repositories. You can share FlexConnectors with
other Connector Appliance users. Refer to Sharing Connectors (ArcExchange).

For more information, consult the FlexConnector Developer’s Guide, available from customer support.

Configuring the Check Point OPSEC NG Connector

The Check Point FW-1/VPN-1 OPSEC NG connector can operate in clear channel or sslca mode.

This procedure is supported only for ArcSight connector release 4.6.2 or later.

A hostname is called an Application Object Name on Check Point. A password is a Communication
Activation Key on Check Point.

To configure a connector to operate in sslca mode

On the Check Point SmartDashboard:

1 Create an OPSEC Application Object using the Check Point SmartDashboard. You need to provide
  these parameters when creating the application object.

  Parameter                        Description

  Name                             A meaningful name for the application object you are creating;
                                   for example, ArcSightLea-1. This name is used to pull the OPSEC
                                   certificate in the system.

  Host                             The hostname of the system managing the connector.

  Client Entities                  Select LEA.

  Secure Internal Communication    If a DN string is not present, initialize the communication by
                                   providing an activation key. The activation key is used when the
                                   certificate is pulled. This is the SIC Name.

  Click Communication > Initialize.

  After the object is created, note down the following information, which you will need to provide
  when continuing configuration.

  SIC Name: the DN string that you obtain after initializing communication as described above.

  SIC Entity Name: double-click the Check Point Gateway name in the SmartDashboard to view its
  general properties. The SIC Entity Name is the SIC string configured in the general properties
  window.

  Check Point IP address or hostname.

2 Pull the Check Point certificate.

  To do so, run the Pull OPSEC Certificate command on the container to which you will be adding the
  connector. For detailed information about running a command on a container, see Running a
  Command on a Container. You need to provide this information when running the command:

  Parameter                        Description

  Server hostname or IP address    The name or IP address of the Check Point server.

  Application object name          The OPSEC Application object name you specified in the previous
                                   step. This parameter is case sensitive.

  Password                         The activation key you entered when creating the OPSEC
                                   application object in the previous step.

  If the certificate is pulled successfully, a message similar to this is displayed:

  OPSEC SIC name (CN=ArcSightLea-1,0=cpfw1..5ad8cn) was retrieved and stored
  in /opt/arcsight/<container name>/current/user/agent
  /checkpoint/<name>. Certificate was created successfully and written to
  "/opt/arcsight/<container name>/current/user/agent
  /checkpoint/ArcSightLea-1.opsec.p12".

  Note down the OPSEC SIC Name (CN=ArcSightLea-1,0=cpfw1..5ad8cn in the above example) and the
  file name (ArcSightLea-1.opsec.p12 in the above example).

  If the certificate is not pulled successfully, check to ensure that the Application object name you
  specified is correct (including the case) and that the container on which you are running the
  command is up and running.

3 Install Policy on the LEA client for the Check Point Gateway using the SmartDashboard.

On the Connector Appliance:

4 Add a Check Point connector by following the instructions described in Adding a Connector. You
  need to provide the following information.

  Parameters                   Values to input

  Type                         Check Point FW-1/VPN-1 OPSEC NG

  Connection Type              SSLCA

  Connector Table Parameters   Server IP: The IP address of the Check Point server.

                               Server Port: The port on the server that listens for SSLCA
                               connections. Use the default value 18184.

                               OPSEC SIC Name: The name you noted in Step 1.

                               OPSEC SSLCA File: The name you noted after pulling the certificate
                               in Step 2.

                               OPSEC Entity SIC Name: The name you noted in Step 1.

5 An error similar to the following is displayed.

  -1:[X] Unable to connect to the Lea Server[10.0.101.185] -1:1 connection test failed!

  Click the Ignore warnings check box. Click Next.

6 Continue to configure the rest of the connector. Go to Step 6 in Adding a Connector.


Adding the MS SQL Server JDBC Driver

When you install and configure database connectors that use Microsoft SQL Server as the database,
a JDBC driver is required. This driver does not ship pre-installed on the system; you need to install it
before configuring database connectors on the appliance.

To install a JDBC Driver:

1 Download the MS SQL Server JDBC Driver to a computer that can access Connector Appliance.
  You can download the driver from Microsoft at:

  http://msdn.microsoft.com/en-us/sqlserver/aa937724

2 Run the setup program to install the driver.

3 Follow the instructions in Uploading Files to a Repository to add the sqljdbc.jar file.

  The name of the jar file may be different from that of some JDBC driver versions. Different
  versions of the JDBC driver are required for different SQL Server database versions; be sure to
  use the correct driver for your database.

  The new driver file is added to the repository, as shown in the following example.

After you have installed the JDBC driver, you need to upload the driver file to the containers that will
contain the SQL Server database Connectors. Follow the instructions in Uploading a File from the
Repository.

After the driver file has been uploaded to a container, follow the instructions in Adding a Connector to
add a connector that requires a JDBC driver.

Adding the MySQL JDBC Driver

When you install and configure database connectors that use MySQL as the database, a JDBC driver
is required. This driver does not ship pre-installed on the system; you need to install it before
configuring database connectors on the appliance.

To install a JDBC Driver:

1 Download the MySQL JDBC Driver to a computer that can access Connector Appliance. You can
  download the driver from:

  http://dev.mysql.com/downloads/connector/j/5.0.html

2 Extract the driver.

3 Follow the instructions in Uploading Files to a Repository to add the
  mysql-connector-java-x.x.x-bin.jar file.

  The new driver file is added to the repository, as shown in the following example.

After you have installed the JDBC driver, you need to upload the driver file to the containers that will
contain the MySQL database Connectors. Follow the instructions in Uploading a File from the
Repository.

After the driver file has been uploaded to a container, follow the instructions in Adding a Connector to
add a connector that requires a JDBC driver.


Administrator’s Guide : Managing Repositories : Pre-Defined Repositories

Pre-Defined Repositories
Settings for Backup Files

Settings for Map Files

Settings for Parser Overrides

Settings for FlexConnector Files

Settings for Connector Properties

Settings for JDBC Drivers

Cloning Container Configuration

Adding Parser Overrides


You can define repositories for any connector-related files. As a convenience, the following
repositories are pre-defined.

Backup Files: connector cloning (see Cloning Container Configuration).

Map Files: enrich event data

Parser Overrides: customize the parser (see Adding Parser Overrides)

Flex Connector Files: user-designed connector deployment

Connector Properties: agent.properties; subset of cloning

JDBC Drivers: database connectors

To view the settings for a pre-defined repository, click the name of the repository and then click the
Settings tab in the right panel.

The settings for pre-defined repositories are read-only; to modify the settings,
click New Repository in the left panel to create a user-defined repository and
provide the settings you want to use.

The following tables list the settings for each pre-defined repository.
Settings for Backup Files

Name                                    Default Setting

Name                                    backup
Display Name                            Backup Files
Item Display Name                       Backup File
Recursive                               Checked (Yes)
Sort Priority                           0
Restart Connector Process               Checked (Yes)
Filename Prefix                         ConnectorBackup
Download Relative Path                  (blank)
Download Include regular expression     (blank)
Download Exclude regular expression     (agentdata/|cwsapi_fileset_).*$
Delete before upload                    Checked (Yes)
Delete groups                           Checked (Yes)
Upload Relative Path                    (blank)
Delete Relative Path                    (blank)
Delete Include regular expression       (blank)
Delete Exclude regular expression       (agentdata/|cwsapi_fileset_).*$

Settings for Map Files

Name                                    Default Setting

Name                                    map
Display Name                            Map Files
Item Display Name                       Map File
Recursive                               Un-checked (No)
Sort Priority                           5
Restart Connector Process               Un-checked (No)
Filename Prefix                         Map
Download Relative Path                  map
Download Include regular expression     map\.[0-9]+\.properties$
Download Exclude regular expression     (blank)
Delete before upload                    Checked (Yes)
Delete groups                           Un-checked (No)
Upload Relative Path                    (blank)
Delete Relative Path                    map
Delete Include regular expression       map\.[0-9]+\.properties$
Delete Exclude regular expression       (blank)

Settings for Parser Overrides

Name                                    Default Setting

Name                                    parseroverrides
Display Name                            Parser Overrides
Item Display Name                       Parser Override
Recursive                               Checked (Yes)
Sort Priority                           10
Restart Connector Process               Checked (Yes)
Filename Prefix                         Parsers
Download Relative Path                  fcp
Download Include regular expression     .*
Download Exclude regular expression     (blank)
Delete before upload                    Checked (Yes)
Delete groups                           Checked (Yes)
Upload Relative Path                    (blank)
Delete Relative Path                    fcp
Delete Include regular expression       .*
Delete Exclude regular expression       (blank)

Settings for FlexConnector Files

Name                                    Default Setting

Name                                    flexconnectors
Display Name                            Flex Connector Files
Item Display Name                       Flex Connector File
Recursive                               Checked (Yes)
Sort Priority                           15
Restart Connector Process               Checked (Yes)
Filename Prefix                         FlexConnector
Download Relative Path                  flexagent
Download Include regular expression     .*
Download Exclude regular expression     (blank)
Delete before upload                    Checked (Yes)
Delete groups                           Checked (Yes)
Upload Relative Path                    (blank)
Delete Relative Path                    flexagent
Delete Include regular expression       .*
Delete Exclude regular expression       (blank)

Settings for Connector Properties

Name                                    Default Setting

Name                                    connectorproperties
Display Name                            Connector Properties
Item Display Name                       Connector Property File
Recursive                               Un-checked (No)
Sort Priority                           20
Restart Connector Process               Checked (Yes)
Filename Prefix                         ConnectorProperties
Download Relative Path                  (blank)
Download Include regular expression     agent\..*
Download Exclude regular expression     (blank)
Delete before upload                    Un-checked (No)
Delete groups                           Un-checked (No)
Upload Relative Path                    (blank)
Delete Relative Path                    (blank)
Delete Include regular expression       agent\..*
Delete Exclude regular expression       (blank)

Settings for JDBC Drivers

Name                                    Default Setting

Name                                    jdbcdrivers
Display Name                            JDBC Drivers
Item Display Name                       Connector JDBC Driver File
Recursive                               Un-checked (No)
Sort Priority                           25
Restart Connector Process               Checked (Yes)
Filename Prefix                         (blank)
Download Relative Path                  lib
Download Include regular expression     (blank)
Download Exclude regular expression     (blank)
Delete before upload                    Un-checked (No)
Delete groups                           Un-checked (No)
Upload Relative Path                    (blank)
Delete Relative Path                    lib
Delete Include regular expression       (blank)
Delete Exclude regular expression       (blank)
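To see what the Relative Path, Recursive and Include/Exclude regular expression settings in the
tables above actually select, here is an added Python model of that filter; it is not ArcSight's code,
and the matching rules (regex search against the path, blank include matches all, blank exclude
excludes nothing) and the sample file list are my assumptions.

```python
"""Model of how a Connector Appliance pre-defined repository selects files.

Added example, not ArcSight's code. Assumed semantics: a file is picked up when it
sits under the repository's Download Relative Path (directly inside it unless the
repository is Recursive), matches the Download Include regular expression (blank
means match everything) and does not match the Download Exclude regular expression
(blank means exclude nothing). Paths are assumed relative to the connector's
user/agent folder. The Delete Include/Exclude settings have the same shape, so the
same filter models them.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RepositorySettings:
    name: str
    recursive: bool
    relative_path: str   # Download Relative Path; "" is the connector root
    include_regex: str   # Download Include regular expression; "" matches all
    exclude_regex: str   # Download Exclude regular expression; "" excludes none


# Values copied from the settings tables (only the fields the filter needs).
BACKUP_FILES = RepositorySettings("backup", True, "", "", r"(agentdata/|cwsapi_fileset_).*$")
MAP_FILES = RepositorySettings("map", False, "map", r"map\.[0-9]+\.properties$", "")
PARSER_OVERRIDES = RepositorySettings("parseroverrides", True, "fcp", r".*", "")
CONNECTOR_PROPERTIES = RepositorySettings("connectorproperties", False, "", r"agent\..*", "")
JDBC_DRIVERS = RepositorySettings("jdbcdrivers", False, "lib", "", "")

# Constructed sample of a container's user/agent folder (file names are made up;
# the folder names follow the relative paths and patterns in the tables).
SAMPLE_TREE = [
    "agent.properties",
    "map/map.1.properties",
    "map/map.2.properties",
    "map/old/map.3.properties",
    "map/readme.txt",
    "fcp/multisqlserver_audit_db/override.properties",
    "lib/sqljdbc.jar",
    "checkpoint/ArcSightLea-1.opsec.p12",
    "agentdata/cache.bin",
    "cwsapi_fileset_1/manifest",
]


def _in_scope(settings: RepositorySettings, path: str) -> bool:
    """True when path lies under the relative path, honouring the Recursive flag."""
    base = settings.relative_path.strip("/")
    if base:
        if not path.startswith(base + "/"):
            return False
        path = path[len(base) + 1:]
    # A non-recursive repository looks only at files directly inside its folder.
    return settings.recursive or "/" not in path


def select_files(settings: RepositorySettings, paths: List[str]) -> List[str]:
    """Return, in input order, the paths the repository would act on."""
    include = re.compile(settings.include_regex) if settings.include_regex else None
    exclude = re.compile(settings.exclude_regex) if settings.exclude_regex else None
    chosen = []
    for path in paths:
        if not _in_scope(settings, path):
            continue
        if include is not None and include.search(path) is None:
            continue
        if exclude is not None and exclude.search(path) is not None:
            continue
        chosen.append(path)
    return chosen


if __name__ == "__main__":
    for repo in (BACKUP_FILES, MAP_FILES, PARSER_OVERRIDES, CONNECTOR_PROPERTIES, JDBC_DRIVERS):
        print(repo.name, "->", select_files(repo, SAMPLE_TREE))
```

Running it shows, for instance, that the Map Files repository ignores map/old/map.3.properties
because it is not recursive, and that the Backup Files exclude pattern drops the agentdata cache.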

Cloning Container Configuration


Using the Backup Files repository, you can quickly copy a container to other containers. As a result,
all connectors in the source container are copied to the destination container. This process is called
cloning a container configuration. You can clone a container to several containers at once. The
contents of the source container replace the existing contents of the destination container.

Do not clone older, software-based connectors (such as build 4.0.8.4964) to containers with newer
connector builds (such as 4.0.8.4976 or later).

Cloning a connector using the Backup repository only works if the connector version numbers are the
same.

To clone a container:

1 Click Configuration > Manage Connectors to list the containers and determine the source and
  destination for cloning.

2 Click Configuration > Repositories from the top-level menu bar.

3 Click Backup Files under the Repositories section in the right panel.

4 If the backup file that you need to use for cloning exists in the repository, go to the next step.
  Otherwise, follow the instructions in Retrieving a File from the Repository to retrieve the container’s
  backup file to the Backup repository.

  The retrieved file is named in <connector name> ConnectorBackup <date> format.

5 Follow the instructions in Uploading a File from the Repository to upload the backup file to one or
  more containers.

  The destination containers are unavailable while the backup file is applied and the connectors are
  restarted.

The backup file does not include the container certificates. You have to re-apply the certificates to
the container after you upload the backup file.

After applying the certificates, check the status of the destination container to make sure it is
available.
Adding Parser Overrides

A parser override is a file provided by ArcSight used to resolve an issue with the parser for a specific
connector, or to support a newer version of a supported device where the log file format changed
slightly or new event types were added.

To use parser overrides, you need to:

Upload a parser override file to the pre-defined Parser Overrides repository.

Download the parser override file to the container that contains the connector that will use the parser
override.

Follow the steps below.

To upload a parser override file:

1 Click Configuration > Repositories from the top-level menu bar.

2 Click Parser Overrides under the Repositories section in the right panel.

3 On the Parser Overrides tab, click the Upload To Repository button.

4 Follow the wizard to upload the file. When prompted by the wizard, make sure you:

  Select the Individual Files option from the Select the type of file that you want to upload field.

  Add a slash (/) after fcp before adding the folder name in the Enter the sub folder where the files
  will be uploaded field. For example, fcp/multisqlserver_audit_db.

When the upload is complete, the parser override file is listed in the table on the Parser Overrides
tab.

To download the parser override file to a container:

1 Click Configuration > Repositories from the top-level menu bar.

2 Click Parser Overrides under the Repositories section in the right panel.

3 In the table on the Parser Overrides tab, locate the parser override file you want to download and
  click the up arrow next to the file.

4 Follow the wizard to select the container to which you want to add the parser overrides.

When the wizard completes, the parser overrides will be deployed in the selected container.

You can download a parser override file from ArcExchange. For more information, refer to Sharing
Connectors (ArcExchange).

To verify that the parser override has been applied successfully, issue a Get Status command to the
connector. See Sending a Command to a Destination. In the report that appears, check for the line
starting with the text ContentInputStreamOverrides.



Administrator’s Guide : Configuration : System Maintenance

System Maintenance
Entering Maintenance Mode

Exiting Maintenance Mode

Checking Status of a Maintenance Operation

Database Defragmentation

Global Summary Persistence Defragmentation

Storage Volume Size Increase

Adding Storage Groups

Adding or Importing Schema Fields

Certain operations on Logger, such as database defragmentation, extending the storage volume size,
adding storage groups, and adding additional schema fields, require that Logger be in a maintenance
state, that is, a state in which operations related to data on the Logger are not running. Maintenance
mode enables you to place the Logger in such a state. When a Logger is in maintenance mode:

Events are not processed

Reports are not generated

Search cannot run

Scheduled jobs do not run

Logger users who will be performing operations that require it to be in maintenance mode must have
the “Enable Maintenance Mode” privilege checked (System Admin > User Management > Groups tab
> System Admin Group).

When a Logger is in maintenance mode, users with the “Enable Maintenance Mode” privilege can
log in but see this UI message:

All other users cannot log in. The login screen displays this message:

Entering Maintenance Mode

You cannot place a Logger in maintenance mode directly. A Logger can enter maintenance mode
only when you perform an operation that requires it to be in that mode. For example, when
defragmenting the database, the user interface prompts you to put Logger in maintenance mode, as
illustrated in Database Defragmentation.

Exiting Maintenance Mode

To exit maintenance mode, reboot the Logger appliance or restart the software Logger.

Checking Status of a Maintenance Operation

You can check the status of a maintenance operation on the Maintenance Results page. To access
the Maintenance Results page (as shown in the example below), click Configuration > System
Maintenance > Maintenance Results.

Database Defragmentation
Guidelines for Database Defragmentation

Defragmenting a Logger

Logger’s database can get fragmented over time. Frequent retention tasks can exacerbate this issue.
The following symptoms are observed on a Logger when the database is fragmented:

Slow search and reporting

For example, even a search operation over the last two minutes of data is slow.

Long pauses in the receiver and forwarder operations

You can defragment a Logger that exhibits the above listed symptoms. Make sure that you have read
the following guidelines before starting the defragmentation process.

Guidelines for Database Defragmentation

Ascertain that the Logger symptoms are not due to issues related to network infrastructure such as
network latency or unexpected load on the Logger.

The Logger system needs to be placed in maintenance mode before defragmentation can begin. As
a result, most processes on the Logger are stopped: no events are processed or scheduled jobs
run, and most user interface operations are unavailable. For more information about maintenance
mode, see System Maintenance.

A minimum amount of free disk space is required on your system to run database defragmentation.
The utility automatically checks for the required free space and displays a message if sufficient disk
space is not found.

Although you can defragment as needed, if you are using this utility too often (such as on a system
that was defragmented over the last few days), contact customer support for guidance.

If the defragmentation process fails at any point, the Logger returns to the same state that it was in
before you started defragmentation.

You can safely reboot the Logger appliance and restart the process from the beginning.

For the software Logger, restart the Logger process as described in Process Status.

You can perform this process only if you have the “Enable Maintenance Mode” privilege set to Yes
(System Admin > User/Groups > Manage Groups > System Admin Group).

Defragmenting a Logger

Freeing storage space for defragmentation

To defragment a Logger:

1 Click Configuration > System Maintenance. The Maintenance Operations panel displays the
  available options.

2 Click Database Defragmentation.

3 Click Enter Maintenance so that the Logger can enter maintenance mode. For more information
  about maintenance mode, see System Maintenance.

4 A minimum amount of free storage is required for the database defragmentation process to proceed.
  Therefore, Logger performs a check to determine free storage when entering maintenance mode.

  If the required storage is not found, follow the instructions found in Freeing storage space for
  defragmentation.

  If the required amount of free storage is found and Logger successfully enters maintenance mode,
  the following screen is displayed. Click Begin Defragmentation to start the defragmentation process.

  On the software Logger, the following Database Defragmentation screens instruct you to click
  Restart to resume normal operation when Logger is in maintenance mode. When you click Restart,
  only the Logger service and its related processes are started on the machine on which the software
  Logger is installed.

  Begin Database Defragmentation

5 The defragmentation process starts. A progress indicator shows the status of defragmentation, as
  shown in the example below. HP recommends that you do not attempt any operation on the Logger
  until defragmentation has completed.

Once defragmentation is complete, the Logger reboots automatically. This exits maintenance mode.
Freeing storage space for defragmentation

If the required storage is not found, Logger prompts you to free sufficient space, as shown in the
following example:

The Manual Deletion option (shown in the following figure) is not available on L7X00 Loggers.

Required storage for Database Defragmentation is not available

You can choose from one of the following options:

Manual Deletion

A text file is automatically created on your Logger that lists the files you can safely delete. The figure
below is for a Logger appliance. On software Loggers, this file is located in
<install_dir>/current/arcsight/logger/user/logger/defragmentation/filelist.txt.

The files are listed in descending order of size in the text file. You can delete a sufficient number of
files to free up storage. However, do not delete the files before contacting customer support for
instructions and guidance.

Follow these steps to proceed:

i   Leave the message screen without taking any action.

ii  Contact customer support for instructions on deleting the files listed in the text file.

iii After deleting a sufficient number of files, resume the Database Defragmentation process from the
    message screen in Step i. To resume, click Recheck to check whether sufficient storage is now
    available for defragmentation to proceed.

    If sufficient storage is found, the screen in Figure: Begin Database Defragmentation is displayed.
    Click Begin Defragmentation to proceed further.

    If sufficient storage is still not found, the screen in Figure: Required storage for Database
    Defragmentation is not available is displayed. Choose from the listed options to create additional
    space. See the options described in this section for more information.

    If you need to exit the defragmentation process without creating sufficient storage, click Reboot.

Delete Database Indices

Logger automatically deletes a sufficient number of database indices, starting with the largest index,
to free up the required amount of storage. If sufficient space becomes available after deleting
database indices, defragmentation proceeds further automatically.

However, if sufficient storage is not available even after dropping database indices, the following
screen is displayed.

The Manual Deletion option (shown in the following figure) is not available on L7X00 Loggers.

Follow these steps to proceed:

i   Click Manual Deletion.

    A text file is created on your Logger that lists the files you can safely delete. The files are listed
    in descending order of size in the text file.

ii  Click Reboot.

    Logger exits the maintenance mode.

iii Contact customer support for instructions on manually deleting the files.

    You can delete a sufficient number of files to free up storage.

iv  After deleting the files, restart the defragmentation process from Step 1.

If the defragmentation process fails or is aborted at any time, Logger must recover those indices.
Although the recovery process is automatic, it can take at least a few hours to complete. You will not
lose any data during this process.

Reboot

The database defragmentation process is aborted and Logger returns to the state it was in before you
started the defragmentation utility.

Global Summary Persistence Defragmentation

Guidelines for Global Summary Persistence Defragmentation

There is a known issue with the new Global Summary Persistence functionality in version 5.3 of
Logger. This feature is designed to persist the statistics reported in the global summary section of
Logger through a reboot. In some environments, disk space may be affected due to this feature.

This release turns off the Global Summary Persistence functionality. As soon as possible after
upgrading to Logger 5.3 SP1, enter System Maintenance mode and defragment the Global Summary
table. Make sure that you have read the following guidelines before starting the defragmentation
process.

Guidelines for Global Summary Persistence Defragmentation

The Logger system needs to be placed in maintenance mode before Global Summary Persistence
defragmentation can begin. As a result, most processes on the Logger are stopped: no events are
processed or scheduled jobs run, and most user interface operations are unavailable. For more
information about maintenance mode, see System Maintenance.

A minimum amount of free disk space is required on your system to run Global Summary
Persistence defragmentation. The utility automatically checks for the required free space and
displays a message if sufficient disk space is not found.

If the defragmentation process fails at any point, the Logger returns to the same state that it was in
before you started defragmentation. You can safely reboot the appliance or restart the software
Logger process and try again.

Reboot the Logger appliance as described in System Reboot.

For the software Logger, restart the Logger process as described in Process Status.

You can perform this process only if you have the “Enable Maintenance Mode” privilege set to Yes
(System Admin > User/Groups > Manage Groups > System Admin Group).

To defragment for the Global Summary Persistence issue:

1 Click Configuration > System Maintenance. The Maintenance Operations panel displays the
  available options.

2 Click Global Summary Persistence Defragmentation.

3 Click Enter Maintenance so that the Logger can enter maintenance mode. For more information
  about maintenance mode, see System Maintenance. The Global Summary Persistence panel
  displays information about the operation.

  Begin Global Summary Persistence Defragmentation

4 Click Begin Global Summary Persistence Defragmentation to start the defragmentation process.

5 The defragmentation process starts. A progress indicator shows the status of defragmentation. HP
  recommends that you do not attempt any operation on the Logger until defragmentation has
  completed.

Once defragmentation is complete, the Logger reboots or restarts. This automatically exits
maintenance mode.

On software Loggers, only the Logger service and its related processes are restarted.

Storage Volume Size Increase

About Increasing Storage Volume Size on a SAN Logger

You can extend the storage volume size you established during initialization at any time. Once
extended, the volume size cannot be reduced. The Logger interface guides you about the current size
and the maximum value to which you can increase it.

For the “Storage Volume Size Increase” operation to show as an option under the System
Maintenance operations (Configuration > System Maintenance), you need to belong to the System
Admin group (with “Enable Maintenance Mode” privilege enabled) and the Logger Rights group.

About Increasing Storage Volume Size on a SAN Logger

Logger cannot detect a resized LUN. Therefore, if you change the LUN size after it has been mounted
on a Logger, the new size is not recognized by Logger. As a result, you can only increase the size of
a storage volume to the LUN size that was initially mounted on the Logger. Currently, Logger supports
up to a 5.4 TB LUN.

The following examples illustrate storage volume increase on a SAN Logger.

Initial LUN Size   LUN Resized   Current Storage Volume Size   Storage Volume Size Increase Allowed

4 TB               No            1 TB                          Yes

4 TB               No            4 TB                          No

4 TB               5 TB          1 TB                          Yes, only up to 4 TB

2 TB               4 TB          1 TB                          Yes, only up to 2 TB

To increase the size of a storage volume:

1 Click Configuration > System Maintenance. The Maintenance Operations panel displays the
  available options.

2 Click Storage Volume Size Increase.

3 Click Enter Maintenance so that the Logger can enter maintenance mode.

  For more information about maintenance mode, see System Maintenance.

4 While entering the maintenance mode, Logger performs a check to determine if the storage volume
  size can be increased and by what amount. If the storage volume can be increased, a message
  similar to the following is displayed. Enter the new size and click OK.

  On the software Logger, the following Storage Volume Size Increase screens instruct you to click
  Restart to resume normal operation when Logger is in maintenance mode. When you click Restart,
  only the Logger service and its related processes are restarted.

  If sufficient space is not found to increase the storage volume, the following message is displayed.
  Click Reboot to restart the Logger and exit the maintenance mode.
Adding Storage Groups
In addition to the two storage groups that exist on your Logger by default, you can add up to four
additional storage groups. Prior to Logger 5.2, the additional storage groups had to be added at
Logger initialization time. You could not add them later, once Logger was initialized. Starting with
Logger 5.2, you can add storage groups at any time if the following conditions are met:

The maximum allowed six storage groups do not exist on your Logger already.

The storage volume contains spare storage space that can be allocated to the storage groups you
will add.

If you do not have sufficient space in the storage volume to add another
storage group and the existing groups have free space, consider reducing the
size of existing storage groups to make space available for the storage groups
you want to add. Alternatively, increase the size of your existing storage
volume, as described in Storage Volume Size Increase.

The Logger must be in maintenance mode when adding storage groups. When you add a storage
group, Logger automatically checks to ensure that the storage group size you specified is greater than
the minimum size required (5 GB) and less than the amount of space available in the storage volume.
Once you have added storage groups and rebooted your Logger to exit the maintenance mode,
remember to configure the Archive Storage Settings for the groups you just added so that event
archives are created for them.

To add a storage group:

1. Click Configuration > System Maintenance. The Maintenance Operations panel displays the available options.

2. Click Add Storage Groups.

A maximum of six storage groups can exist on Logger, so you can add up to four storage groups in addition to the two that exist by default.

If fewer than the maximum number of storage groups exist on Logger, a screen prompts you to enter maintenance mode, as described in the next step.

If all six storage groups already exist, or there is not enough space in the storage volume to add another group, a message is displayed and Logger does not enter maintenance mode.

3. Click Enter Maintenance so that Logger can enter maintenance mode.

For more information about maintenance mode, see System Maintenance.

4. Once Logger enters maintenance mode, the Add Storage Groups page is displayed. This page also lists the existing storage groups and the amount of space remaining in the storage volume.

5. Enter the following information.

   Parameter            Description
   Name                 Choose a name for the storage group.
   Maximum Age (Days)   Specify the number of days to retain events. Events older than this
                        number of days are deleted.
   Maximum Size (GB)    Enter a maximum event data size, in GB.

6. Click Add.

The storage group is added to your Logger. If your Logger has not reached the maximum of six storage groups, you can click Add to add more storage groups. If the maximum number has been reached, the Add button is not displayed. If you do not want to add more storage groups, go to the next step.

7. Reboot your Logger appliance or restart the software Logger for the changes to take effect and for Logger to exit maintenance mode.

Adding or Importing Schema Fields

The Logger schema contains a predefined set of fields. A field-based query can contain only these
fields. Additionally, you can index only these fields for faster search operations. For instructions on
how to view the default Logger Schema fields, see Viewing Default Fields.

Prior to Logger 5.2, if your log analysis needs required you to search on a field that was not present in the Logger schema, you had no way of adding it to the schema yourself. Starting with Logger 5.2, you can add fields to the Logger schema that are relevant to the events you collect, and search and report using those fields. You can also index the fields you add so that search and report queries that use them run faster. For example, a financial institution might want to add credit card numbers or social security numbers to the schema. Note that a field added for such data becomes searchable by every user with search rights on the Logger and, once indexed, is quickly retrievable; restrict access accordingly and consider any regulatory handling requirements for that data before adding it.

You can add up to 100 custom schema fields on Logger. You can also import custom fields from a
peer Logger. However, the total number of added and imported fields cannot exceed the maximum
allowed 100 fields.

You can index up to 123 fields on Logger. Therefore, the number of custom schema fields you can
index will depend on the number of default fields you currently have indexed on your Logger.

The events that contain custom fields must be in CEF format (key-value pairs) for Logger to process
them. Therefore, you will need to either use a SmartConnector that generates additional data or
define an ArcSight FlexConnector to collect and parse events containing custom fields from the event
source, convert them into CEF format, and forward them to the Logger.

Logger can only process events from FlexConnectors written using connector build 5.0.0.5560 or
later. For details about designing FlexConnectors, see the ArcSight FlexConnector Developer’s
Guide.

Logger cannot process the additional fields data received in CEF version 0 from a FlexConnector, and assumes a NULL value for such fields when they are present in a CEF version 0 event. As a result, you cannot search on these fields or index them. However, these fields are still displayed in the UI when you select “*” in the field set, because the interface displays the information contained in the raw event. For example, if Logger receives “ad.callnumber=5678”, the Logger UI displays a column, ad.callnumber, with the value 5678, but a search on “5678” does not return this event in the search results.
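To make the CEF requirement concrete, the following is an added example (not code from the Logger guide or from ArcSight) that parses CEF lines, extracts the extension key-value pairs with the CEF escaping rules applied, identifies custom fields by the “ad.” prefix, and, following the note above, reports what a field-based search would actually see for a CEF version 0 event. The sample events, the “Acme” vendor and the ad.ticket and ad.score keys are constructed for this example.

```python
"""Parse ArcSight CEF events and separate Logger custom ("ad.") fields.

Added example; not code from the Logger guide or from ArcSight. The header
layout and escaping rules (backslash-pipe in the header, backslash-equals
and backslash-backslash in extension values) follow the public CEF format
description. The sample events are constructed here and are not captures.
"""
import re
from typing import Dict, Optional

# Constructed sample events. Both are CEF version 0, the form the note above
# describes for FlexConnector output.
SAMPLE_EVENTS = [
    r"CEF:0|Acme|PBX|2.1|100|Call placed|3|src=10.0.0.5 msg=dial a\=b ad.callnumber=5678",
    r"CEF:0|Acme|Web\|Proxy|1.0|200|Blocked|5|src=10.0.0.9 dst=198.51.100.7 ad.ticket=INC-42 ad.score=7",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of letters, digits, "_" or "." followed by "=",
# at the start of the extension or after whitespace. An escaped "\=" inside a
# value therefore never starts a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str, header: bool) -> str:
    r"""Undo CEF escaping: \| and \\ in header fields; \=, \\, \n and \r in values."""
    if header:
        return value.replace(r"\|", "|").replace(r"\\", "\\")
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, object]:
    """Split one CEF line into its seven header fields plus an extension dict."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % line)
    event: Dict[str, object] = {"version": int(parts[0][4:])}
    for key, raw in zip(HEADER_FIELDS[1:], parts[1:7]):
        event[key] = _unescape(raw, header=True)
    ext: Dict[str, str] = {}
    tail = parts[7]
    matches = list(_KEY_RE.finditer(tail))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(tail)
        ext[m.group(1)] = _unescape(tail[m.end():end].strip(), header=False)
    event["extension"] = ext
    return event


def custom_fields(event: Dict[str, object]) -> Dict[str, str]:
    """Extension keys that carry custom schema data (the "ad." additional-data prefix)."""
    return {k: v for k, v in event["extension"].items() if k.startswith("ad.")}


def searchable_view(event: Dict[str, object]) -> Dict[str, Optional[str]]:
    """What a field-based search can see. Following the note above, a version 0
    event still shows its ad.* values in the raw-event display, but Logger
    treats them as NULL for search and indexing, so they are None here."""
    view: Dict[str, Optional[str]] = {}
    for k, v in event["extension"].items():
        view[k] = None if (k.startswith("ad.") and event["version"] == 0) else v
    return view


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_cef(line)
        print(ev["device_product"], custom_fields(ev), searchable_view(ev))
```

Running the block prints, for each sample, the product name with pipes unescaped, the ad.* fields as they appear in the raw event, and the search view in which those same fields are None. The key regex anchors on whitespace so that an escaped “\=” inside a value (the msg field in the first sample) is kept as part of the value rather than being read as a new key.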

You need to be in maintenance mode to add or import custom schema fields. The process of adding
or importing schema fields involves an add or import operation followed by a save operation. The add
or import operation adds the specified fields but does not write them to the Logger schema. You can
edit or delete the added or imported fields at this point. Once you save these fields, the fields are
written to the schema. From this point on, these fields cannot be edited or deleted. Therefore,
carefully review the fields you are adding to the schema before saving them.

For the “Add Fields” operation to show as an option under the System
Maintenance operations (Configuration > System Maintenance), you need to
belong to the System Admin group (with “Enable Maintenance Mode” privilege
enabled) and the Logger Rights group.

You need to specify the following information to add a custom schema field:
Display name

A meaningful name for the field. This name is displayed as the column header name for the field and
is the one you specify in a search query. For example, SocialSecurityNumber.

Type

The type of data this field will contain. The available options are Double, BigInt, DateTime, Text.

The following table describes each data type.

Type       Description
Double     Use to store decimal numbers or fractions. Range: -1.79769313486231570E+308
           through -4.94065645841246544E-324 for negative values, and
           4.94065645841246544E-324 through 1.79769313486231570E+308 for positive values.
BigInt     Use to store whole numbers. Range: -2^63 (-9,223,372,036,854,775,808) through
           2^63-1 (9,223,372,036,854,775,807).
DateTime   Use to store both dates and times, or dates only.
Text       Use to store any characters. You can store a maximum of 255 characters per field.

Length

This field is only relevant when the Type specified is Text. This field specifies the maximum number of
characters allowed in the value of the field when the data type is Text.

Field name

The field name that you want to add to the Logger schema. Typically, this is an abbreviated version of
the Display name. For example, SSN.

Importing Schema Fields from Peers


If your Logger is a peer of another Logger, you can import the custom fields added to the peer’s
schema. You specify the peer from which you want to import fields in the user interface screen. Fields
can be imported if the following conditions are met:
No field with the same Display name or the same Field name already exists on the Logger to which you are importing schema fields. If conflicting fields exist, they are still imported but are flagged in the user interface screen. You cannot save the imported fields to the schema until you resolve the conflicts.

A maximum of 100 custom fields has not been reached on the importing Logger. If there are more
fields than can be imported, only the first N until the allowed maximum is reached will be imported.

The custom schema fields contained in a search query must exist on all peers on which the query is run. Otherwise, the query does not run and returns an error.

To add or import custom schema fields:

1. Click Configuration > System Maintenance. The Maintenance Operations panel displays the available options.

2. Click Add Fields (100 additional fields can be added).

You can add a maximum of 100 custom fields to Logger schema. The number in the “Add Fields” link
reflects the number of custom fields you can add. This number decreases as you add fields to Logger
schema.

3. Click Enter Maintenance so that Logger can enter maintenance mode.

For more information about maintenance mode, see System Maintenance.

4. Once Logger enters maintenance mode, the Add Fields page is displayed. You can add fields manually or import them from a peer Logger.

To manually add fields:

1. Click “Add a New Field”, if it is not already selected.

2. Enter a meaningful name in the Display Name field.

This name is the one you specify in a search query and is displayed as the column header name for
the field in search results. For example, SocialSecurityNumber. This name is not added to the Logger
schema. Follow these guidelines when specifying a display name:

The name can contain up to 100 characters.

The name can contain alphanumeric characters, hyphens (“-”), and underscores (“_”). However, a
hyphen (“-”) or an underscore (“_”) cannot be the first character in the name. Additionally, the name
cannot begin with “arc_”.

The name must be unique; that is, another field (custom or Logger schema) of the same display
name must not already exist on the Logger.

Only ASCII characters are allowed. That is, no native Chinese or Japanese characters are accepted
in this field.

3. Select a data type for the field from the Type drop-down menu. The available options are Double, BigInt, DateTime, and Text. See Type for more information.

4. In the Length field, enter the maximum number of characters allowed in the value of the field when the data type is Text. You can specify from 1 to 255 characters. This field is only available when the Type specified is Text.

5. Enter a name in the Field name field.

This is the name that will be added to the Logger schema. Typically, this is an abbreviated version of
the Display name. For example, SSN. Follow these guidelines when specifying a Field name:

This is a required field.

The name can contain up to 40 characters and can contain alphanumeric, hyphen (“-”), and
underscore (“_”) characters. Underscore (“_”) is used as an escape character for the actual field
name. Therefore, the underscore (“_”) you specify in the field name is converted to a double
underscore (“__”) in the actual field name.

The name must be unique; that is, a custom field of the same Field name must not already exist on
the Logger.

Only ASCII characters are allowed. That is, no native Chinese or Japanese characters are accepted
in this field.

Once you enter a name in this field, a prefix and a suffix are automatically added to it, and the resulting name is displayed in the Actual Field Name field. This shows how the field name you entered will be stored on Logger: the prefix “ad.” signifies “additional data” and the suffix signifies the data type of the field. The Actual Field Name field is not editable and is displayed in the user interface for your reference only.

6. Click OK.

The field you added is displayed in the upper section of the Add Fields form, as shown in the following
figure. This field is not saved yet (in “Ready to Save” state) and you can edit or delete it. Once you
click Save, the field is added to the schema and cannot be changed or deleted.

7. Repeat Step 1 through Step 6 to add additional fields.

8. Review the added fields and use the edit or delete icons to make any changes, if necessary.

The next step commits the added fields to Logger’s schema. This process is irreversible; that is, once the fields are written to Logger’s schema, they cannot be edited or deleted.

If you exit this process without saving, the fields you were adding are not
remembered and your changes are lost.

9. Click Save to commit the added fields and write them to your Logger’s schema.

To import fields from a peer:

1. Click “Import Fields From Peers”.

2. Select the peer from which you want to import the fields from the Peer Host Name drop-down list.

3. Click OK in the bottom right corner of the screen.

If there are no conflicting fields, all fields from the peer are imported successfully.

If there are conflicts, the conflicting fields are displayed ahead of the ones that were imported successfully. The Status column describes the reason for each conflict. You must fix the listed issues before you can save these fields to the schema. Use the edit or delete icons to change or remove the affected fields.

If there are more fields than can be imported, only the first N until the allowed maximum (100) is
reached will be imported.
The imported fields are not committed to Logger’s schema yet. The next
step commits them. This process is irreversible; that is, once the fields are
written to Logger’s schema, they cannot be edited or deleted.

If you exit this process without saving, the fields you were adding are not
remembered and your changes are lost.

4. Click Save to commit the imported fields and write them to your Logger’s schema.

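The naming rules in the manual-add procedure and the conflict and ceiling rules in the peer-import procedure can be checked before you enter maintenance mode, which matters because a saved field cannot be edited or deleted afterwards. The following is an added example (not code from the Logger guide or from ArcSight) that encodes those rules: it validates display and field names, computes the actual field name with the “ad.” prefix and the doubled underscore, stages a batch of manual additions against the 100-field ceiling, and simulates a peer import with conflict flagging. The type suffix that Logger appends is not listed on this page, so the SUFFIX table is a placeholder assumption.

```python
"""Check Logger custom schema field definitions and simulate a peer import.

Added example; not code from the Logger guide or from ArcSight. It encodes
the naming rules, limits and conflict rules stated in the text above. The
type suffix that Logger appends to the actual field name is not listed on
this page, so the SUFFIX table is an illustrative assumption; the "ad."
prefix and the doubling of "_" are from the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_CUSTOM_FIELDS = 100
TYPES = ("Double", "BigInt", "DateTime", "Text")
# ASSUMPTION: placeholder suffixes; the page says only that a suffix "signifies the data type".
SUFFIX = {"Double": ".d", "BigInt": ".i", "DateTime": ".t", "Text": ".s"}

# Display name: 1-100 chars, letters/digits/-/_, may not start with - or _.
_DISPLAY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}$")
# Field name: 1-40 chars, letters/digits/-/_.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_-]{1,40}$")


@dataclass(frozen=True)
class CustomField:
    display_name: str
    field_name: str
    data_type: str
    length: Optional[int] = None  # meaningful only for Text

    @property
    def actual_name(self) -> str:
        """Stored name: "ad." prefix, each "_" escaped to "__", type suffix appended."""
        return "ad." + self.field_name.replace("_", "__") + SUFFIX.get(self.data_type, "")


def validate_field(field: CustomField, display_taken: Set[str], names_taken: Set[str]) -> List[str]:
    """Return the rule violations for one field; an empty list means it can be staged."""
    problems: List[str] = []
    d, f = field.display_name, field.field_name
    if not d.isascii() or not _DISPLAY_RE.match(d) or d.startswith("arc_"):
        problems.append("display name: 1-100 ASCII letters/digits/-/_, not starting with -, _ or arc_")
    if d in display_taken:
        problems.append("display name already exists")
    if not f.isascii() or not _FIELD_RE.match(f):
        problems.append("field name: 1-40 ASCII letters/digits/-/_")
    if f in names_taken:
        problems.append("field name already exists")
    if field.data_type not in TYPES:
        problems.append("type must be one of " + ", ".join(TYPES))
    elif field.data_type == "Text" and not (field.length and 1 <= field.length <= 255):
        problems.append("Text fields need a length of 1-255")
    elif field.data_type != "Text" and field.length is not None:
        problems.append("length applies only to Text")
    return problems


def stage_fields(existing: List[CustomField], new: List[CustomField]) -> Tuple[List[CustomField], Dict[str, List[str]]]:
    """Manual add: stage acceptable fields in order, rejecting invalid ones and
    anything beyond the 100-field ceiling. Nothing here is committed; the
    operator still has to click Save, which the page says is irreversible."""
    display = {f.display_name for f in existing}
    names = {f.field_name for f in existing}
    staged: List[CustomField] = []
    rejected: Dict[str, List[str]] = {}
    for nf in new:
        problems = validate_field(nf, display, names)
        if len(existing) + len(staged) >= MAX_CUSTOM_FIELDS:
            problems.append("maximum of %d custom fields reached" % MAX_CUSTOM_FIELDS)
        if problems:
            rejected[nf.field_name] = problems
            continue
        staged.append(nf)
        display.add(nf.display_name)
        names.add(nf.field_name)
    return staged, rejected


def plan_import(local: List[CustomField], peer: List[CustomField]) -> Tuple[List[CustomField], Dict[str, str], List[CustomField]]:
    """Peer import: conflicting fields are still imported but flagged, and once
    the ceiling is reached the remaining peer fields are skipped.
    Returns (imported, conflicts keyed by field name, skipped)."""
    display = {f.display_name for f in local}
    names = {f.field_name for f in local}
    imported: List[CustomField] = []
    conflicts: Dict[str, str] = {}
    skipped: List[CustomField] = []
    room = MAX_CUSTOM_FIELDS - len(local)
    for pf in peer:
        if len(imported) >= room:
            skipped.append(pf)
            continue
        reasons = []
        if pf.display_name in display:
            reasons.append("display name conflicts with a local field")
        if pf.field_name in names:
            reasons.append("field name conflicts with a local field")
        if reasons:
            conflicts[pf.field_name] = "; ".join(reasons)
        imported.append(pf)
        display.add(pf.display_name)
        names.add(pf.field_name)
    return imported, conflicts, skipped


def can_save(conflicts: Dict[str, str]) -> bool:
    """Save stays unavailable until every flagged conflict has been edited away or deleted."""
    return not conflicts
```

A typical use is to run the planned field list through stage_fields (or a peer’s exported list through plan_import) and only enter maintenance mode once rejected and conflicts are both empty; the actual_name property lets you confirm in advance how a name such as call_number will appear in the Actual Field Name field after the underscore is doubled.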
To view existing custom schema fields:

See Viewing Custom Fields.
