Installation notes for ArcSight ESM 6.9.1 on CentOS 7.1 February 27, 2016 - Installation of HPE ArcSight Enterprise Security Manager (ESM) 6.9.1 on CentOS 7.1 is substantially easier with engineering adding a “pre-installation” setup script to this version. For a smooth installation, there are still a few steps we need to take …
Using the ArcSight ESM Console to Create Replay Files November 9, 2015 - HP ArcSight Enterprise Security Manager (ESM) has some built-in capabilities to generate event files suitable for use with the ArcSight Test SmartConnector. These replay files can be used to test functioning of new ESM content (Dashboards, Datamonitors, Filters, Rules, Queries, …
ESM ActiveList Import Script October 1, 2015 - <shamelessly copied from Konrad Kaczkowski’s post on iRock> ESM Active List Import script – Version 20 Created by Konrad Kaczkowski on Oct 29, 2014 5:44 AM. Last modified by Konrad Kaczkowski on Mar 16, 2015 5:42 PM. Active List …
How To Increase ArcSight ESM Command Center GUI Timeout June 22, 2015 - In the appliance versions of most ArcSight products, there is the ability to set the user session timeout period. Typically this defaults to somewhere between five (5) and 15 minutes – good for a default but incredibly annoying for any …
Common ArcSight Command Line Operations June 15, 2015 - Here are a number of command line operations that are frequently needed within the ArcSight ecosystem. Export Enterprise Security Manager Certificate without a GUI Use for ESM 6 or later. Look up the manager certificate details and alias name by running …
Installation notes for Logger 6 on CentOS April 30, 2015 - [Update 2016/04/15]: Installing Logger 6.2 on CentOS 7.1 CentOS (or RHEL) 7 changed a number of things in the OS for command and control, such as the facility to control services – for example, rather than “service” the command is …
Creating event replay files for ArcSight SmartConnectors April 20, 2015 - The ArcSight connector framework includes the capability to record event replay files from inbound event streams, regardless of the type of event data. This is enormously useful for development and testing of individual use cases, demonstrations and training. The following …
Enabling Single Line Logging from pfSense Firewalls to ArcSight September 20, 2014 - While pfSense firewall offerings are based on the BSD packet filter (pf) functions and offer excellent performance and value, the current implementation my customers are running (2.1.5) outputs firewall rule logs in two syslog lines. The skilled developers that maintain …
Building a Highly-Available ArcSight SmartConnector Cluster with Pacemaker August 6, 2014 - Cost Effective SmartConnector HA This paper describes the use of open source clustering software to build a low-cost, reliable, high availability environment on CentOS Linux in which to run both passive and active SmartConnectors, providing automated failure recovery.
Libraries needed to install ArcSight SmartConnectors on RedHat Enterprise Linux and CentOS August 7, 2013 - [Update 2016/03/11]: Starting with SmartConnector 7.1.7 (I think, might be a rev or two earlier), there are a couple more libraries that are needed to successfully install the SmartConnector on Linux. Include libXrender.i686 libXrender.x86_64 libgcc.i686 libgcc.x86_64 yum install libXrender.i686 libXrender.x86_64 …
How to replay syslog events using the performance testing feature of ArcSight SmartConnectors August 6, 2013 - For testing ArcSight SmartConnector settings or Logger and Enterprise Security Manager (ESM) content, it is quite useful to be able to replay previously captured syslog events. The built-in PerfTestSyslog class in ArcSight SmartConnectors makes this easy.