SmartConnector for Active Directory: questions

Hello everyone,

I have a question about integrating an Active Directory. In the configuration steps of SM wind unified, there is a step to configure the parameters of the domain controller. I am new to ArcSight and I don't know what the difference is between a domain user and an Active Directory user. And what are the parameters that we should enter to integrate a domain controller?

Best Regards.

  • Hi

    First things first, if possible, avoid at all costs the Windows Unified Connector (WUC) - it is not updated regularly and relies on old SMB protocols that Microsoft may block at any point (previously used in WannaCry / NotPetya etc). Also avoid the Windows Native SmartConnector for Linux (WISC) - it just doesn't work for production loads.

    Use the Windows Native Connector, installed on a Windows Server (can be virtual or containerised).

    You need to add the details of an AD / Domain user account that has "builtin\Event Log Readers" permission on the domain / domain controllers - this can be set within Group Policies.
    As per the config guide:

    "If the hosts Domain parameters are the same as Active Directory, then you do not have to enter both. The information will be taken from the Active Directory Domain and credentials."

    So in most instances, you will just set the parameters in the Active Directory section (ignore the Domain section).


  • Hello,

    Thank you for your reply and details, this is so helpful.

    If I understand, the WISC is better than WUC because this one uses old protocols that are no longer supported. So why doesn't WISC work for Linux, and what do you mean by production loads?

    For your second answer, for example, I have a virtual machine that contains an Active Directory domain controller, for example "dc.test.local"; the domain is "test.local", and on this machine I have a user account "arcsight" with password "Test123". This user has the "builtin\Event Log Readers" permission on the domain controller.

    So in this case should I enter the domain parameters (domain name/domain username/domain password) or (Active Directory Domain and credentials including the Active Directory server IP, for this example the domain controller)?

    If I understand, we enter the "Active Directory Domain and credentials without active directory server IP" if we have more than domain controllers or Windows hosts that have the same Active Directory Domain and credentials. So for the next step we complete the other parameters like (@ip ...).

    Best Regards.




  • Verified Answer

    WISC is an attempt to use Microsoft Native event log collection from a Linux host - but if you look in the release notes and known issues for each connector framework, it struggles with more than a few EPS - so it is as good as useless if you want to rely on it in production - that said, I know a few organisations who have persevered and do use it - but with the warnings from Micro Focus that it is not for production use, I would suggest that is a risky approach.

    To the second point - the first AD Connection section is intended to allow you to enter the AD details and a single Domain Controller to allow an LDAP(S) query to autobrowse for the hosts on the domain - not sure about other people but this often doesn't actually work in practice. But those AD credentials are then used on the next screen when you need to add the DC and any other hosts into the table for event log collection. If you have used the central AD account then it means you don't need to add all the domain details and user / password for every host that you add - you can leave those records blank and it will use the common credentials.

    Give it a go and see how you get on...

  • Hello,

    Now I understand, thank you for your help.

    Can you please tell me which firewall configuration I should do?

    Best Regards.

  • If your connector is installed on a Domain Joined Windows Server on the same domain as the Domain Controller, then chances are you won't need to change any firewall settings as it uses standard Windows native ports / protocols that are used for Domain traffic.

    If you have a particularly locked down local firewall on the Connector server then you may need to allow a small range of ports TCP/49152 - TCP/49160 or similar outbound - but generally in most cases this should be auto negotiated between the hosts with no firewall changes needed - I notice that this port is not mentioned in the more recent SmartConnector guides - so it may be the case that it is no longer required to be explicitly open. Normally it isn't required to be added to a domain firewall rule.