ArcSight SmartConnector Installation

Follow the detailed steps in the ArcSight SmartConnector User Guide to install the ArcSight SmartConnector:

https://www.protect724.hpe.com/docs/DOC-2279

IMPORTANT: As you install the ArcSight SmartConnector, make sure that you only select the Application check box to capture the Application logs.

Data Collection from a Windows Agent

Centrify software logs events in the Application logs on Windows machines. To capture the Application logs, Centrify uses the ArcSight SmartConnector for Windows.

There are a number of ways to collect data from Windows machines. Some of the supported options include:

  • Data collection from a stand-alone Windows machine:

Application logs are collected on a stand-alone Windows machine and parsed using the FlexConnector parser. Parsed events are forwarded to the ArcSight ESM where all of the data from Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service is stored, and the ArcSight Console is used to access that data.

  • Data collection using the Windows Event Forwarding (WEF) feature:

ArcSight SmartConnector supports WEF to collect Application logs forwarded by several Windows machines to a central machine. You install the ArcSight SmartConnector only on the central Windows machine that receives the forwarded events, and you enable WEF while installing the ArcSight SmartConnector.

  • Data collection using the Active Directory (AD) Source:

ArcSight SmartConnector supports log collection for all of the member machines from the Active Directory source itself. You install the ArcSight SmartConnector only on the AD server. During installation, you provide the Domain Controller name and its credentials. If the credentials and the domain name are correct, a list of all the member machines of that Domain Controller is shown in a new window; select only those Windows machines from which you want to collect Application logs.

Installing the ArcSight SmartConnector on a Windows Agent

To install ArcSight SmartConnector on a Windows agent:

  1. Execute the ArcSight SmartConnector binary for Windows.
  2. Choose an installation folder.

    The default folder is:
    C:\Program Files\ArcSightSmartConnectors

  3. Wait for the installation to complete.

  4. When you are prompted to select the connector to configure, select Microsoft Windows Event Log – Unified and click Next.

  5. If you want to use Windows Event Forwarding, select Enable WEF.

    Note: You can also provide your Active Directory server parameters to get a list of all member VMs, and then select only those Windows machines from which you want to collect Application logs. As you are only installing on a stand-alone machine at this point, leave all of these parameters blank.

  6. For the browser type, select Enter Devices Manually (do not use AD Source here).

  7. Enter your host details.

    Make sure that you only select the Application check box to capture the Application logs, because Centrify audit trail events are only stored in the Windows Application logs.

  8. When you are prompted for the type of destination, select ArcSight Manager (encrypted).

    You select ArcSight Manager (encrypted) because Centrify is forwarding the collected logs to the ArcSight ESM.

  9. Provide your ArcSight ESM details:

    Enter the following information for the machine where the ArcSight ESM is installed:

    • Hostname

    • Port

    • Username

    • Password

  10. Provide a name for your ArcSight SmartConnector.

    The name is displayed on the ArcSight Console to identify the events that the console receives from this SmartConnector, so choose a name that identifies the source.

  11. (Optional) If you want to use your ArcSight ESM certificate, select Import Certificate from your ArcSight ESM.

  12. Specify whether you want to install the ArcSight SmartConnector as a service or as a stand-alone application.

    Install as a Service is generally preferred.

Data Collection from a Linux Agent

Centrify software logs events in the syslog directory on Linux machines. To collect the Linux syslog messages, choose from these options:

  • Data collection from a stand-alone Linux machine:

To collect syslog messages from stand-alone Linux machines, use the Syslog File type of connector. You provide the directory location for syslog collection. Make sure that the connector has read access to the syslog directory; otherwise it fails with a permission denied error.

  • Data collection using the Syslog Daemon on a central Linux machine:

The Syslog Daemon type of connector is a syslogd-compatible daemon designed to work in operating systems that have no syslog daemon in their default configuration, such as Microsoft Windows.

The SmartConnector for the Syslog Daemon implements a UDP receiver on port 514 by default, which can be used to receive syslog events. A different port, or the TCP protocol, can be configured manually. You can forward the syslog from multiple Linux agents to a single machine. For example, when you configure the Syslog Daemon connector on UDP port 514, you specify the receiving syslog port (514) and the protocol (UDP).
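Both Linux options above have a check worth running before starting the wizard: that the user the connector runs as can actually read the syslog file or directory (the permission denied case), and that the chosen receiver port is valid and not already bound by another daemon. The pre-flight script below is an added example written for this page, not Centrify's or ArcSight's code; it assumes it is run as the connector's OS user and uses `ss` for the listener check.

```shell
#!/bin/sh
# Pre-flight checks for the two Linux collection options above. Added example,
# not Centrify's or ArcSight's code. Assumptions: run it as the OS user the
# connector runs as; `ss` is used for the listener check and, if absent, the
# port is assumed free.

# Syslog File connector: the path entered in the wizard must exist and be
# readable, or the connector fails with "permission denied".
# Returns 0 when readable, 2 when the path is missing, 1 when access is denied.
syslog_path_readable() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist" >&2; return 2
    fi
    if [ -d "$path" ]; then
        # A directory needs read (list files) and execute (enter) permission.
        if [ -r "$path" ] && [ -x "$path" ]; then return 0; fi
    elif [ -r "$path" ]; then
        return 0
    fi
    echo "PERMISSION DENIED: $path is not readable by $(id -un)" >&2; return 1
}

# Syslog Daemon connector: the receiving port/protocol must be valid, and the
# port must not already be held by another daemon (e.g. the host's own syslogd
# on 514/udp). Returns 0 if valid and free, 1 if in use, 2 if invalid.
syslog_port_available() {
    port="$1"; proto="${2:-udp}"
    case "$port" in ''|*[!0-9]*) echo "INVALID PORT: '$port'" >&2; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "INVALID PORT: $port (must be 1-65535)" >&2; return 2
    fi
    case "$proto" in
        udp) flag=-u ;;
        tcp) flag=-t ;;
        *) echo "INVALID PROTOCOL: $proto (use udp or tcp)" >&2; return 2 ;;
    esac
    if command -v ss >/dev/null 2>&1 &&
       ss -ln "$flag" 2>/dev/null | grep -qE "[:.]${port}[[:space:]]"; then
        echo "IN USE: $proto/$port already has a listener" >&2; return 1
    fi
    return 0
}

# Stand-alone usage: sh preflight.sh --run (override SYSLOG_PATH/PORT/PROTO).
if [ "${1:-}" = "--run" ]; then
    syslog_path_readable "${SYSLOG_PATH:-/var/log}" && echo "syslog path OK"
    syslog_port_available "${SYSLOG_PORT:-514}" "${SYSLOG_PROTO:-udp}" && echo "port OK"
fi
```

If the port check reports 514/udp in use, the host's own syslog daemon is usually the holder; either point the SmartConnector at another port or forward from that daemon instead.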

Installing the SmartConnector on a Linux Agent

To install the SmartConnector:

  1. Execute the SmartConnector binary for Linux.
  2. Use the default name for the home folder.
  3. Wait for the installation to complete.
  4. When you are prompted to select the connector to configure, select Syslog File.

  5. Enter the file or directory of the syslog that you want to monitor.

  6. When you are prompted to enter the type of destination, select ArcSight Manager (encrypted) and click Next.

    You select ArcSight Manager (encrypted) because Centrify is forwarding the collected logs to the ArcSight ESM.

  7. Provide your ArcSight ESM details.

    Enter the following information for the machine where the ArcSight ESM is installed:

    • Hostname

    • Port

    • Username

    • Password

  8. Provide a name for your ArcSight connector.

    The name is displayed on the ArcSight Console to identify the events that the console receives from this SmartConnector, so choose a name that identifies the source.

  9. (Optional) If you want to use your ArcSight ESM certificate, select Import Certificate from your ArcSight ESM.

  10. After the installation, check the status of the ArcSight SmartConnector service using the following command:

    /etc/init.d/arc_syslog_file status