ArcMC 2.6 Release Notes

0 Likes
over 4 years ago

THE FOLLOWING TEXT IS FOR SEARCH

HPE ArcSight Management Center SoftwareVersion: 2.6 Release Notes April15, 2017ReleaseNotes Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HPE ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice Copyright Copyright 2017 Hewlett Packard Enterprise Development, LP Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026 Support Contact Information Phone Alistofphone numbersisavailable onthe HPE ArcSightTechnicalSupport Page:https://softwaresupport.hpe.com/documents/10180/14684/esp-support- contact-list Support Web Site https://softwaresupport.hpe.com https://www.protect724.hpe.com Protect 724 Community HPEArcSightManagementCenter2.6 Page2of 16Contents AboutArcSightManagementCenter 4 What’sNewinthisRelease 5 TechnicalRequirements 6 ForArcSightManagementCenter 6 ForManagedArcSightProducts 7 InstallerFiles 7 ArcMC ApplianceOS UpgradeFiles 8 Prerequisiteto InstallationforRHEL7.x 8 UpgradingArcMC 9 UpgradePrerequisites 9 AgentUpgradeProcedure 11 FixedIssues 12 OpenIssues 13 SendDocumentationFeedback 16 HPEArcSightManagementCenter 2.6 Page3 of 16About ArcSight Management Center ArcSightManagementCenter(ArcMC), oneof theArcSightDataPlatform(ADP)  familyof products, is acentralizedmanagementtoolthatsimplifiessecuritypolicyconfiguration, deploymentmaintenance, andmonitoringinanefficientandcost-effectiveway. ArcMC offersthesekeycapabilities: •Management and Monitoring: deliverthesinglemanagementinterfaceto administrateandmonitor ArcSightmanagednodes, suchasEventBroker, Loggers, Connectors, ConnectorAppliances, andother ArcMCs. •SmartConnector Hosting: forthehardwareappliance, asaplatformto instantiate(hostandexecute) SmartConnectors. ArcMC includesthesebenefits: l Rapidimplementationof newandupdatedsecuritypolicies l Increasedlevelof accuracyandreductionof errorsinconfigurationof managednodes l Reductioninoperationalexpenses HPEArcSightManagementCenter 2.6 Page4of 16ReleaseNotes What’sNewinthisRelease What’s New in this Release Thisversionof ArcMC includesthefollowingnewfeaturesandenhancements: l Event Broker Management:  ArcSightEventBrokermanagementincludesrouteandtopiccreation, aswellashealthandstatusparametermonitoring. MonitoredparametersforEventBrokerinclude CPU  Usage, Memory, DiskUsage, EventBrokerThroughput, Total EPS In, EventParsingError, StreamProcessingEPS, andStreamProcessingLag. l Improved Node Management Interface:  TheNodeManagementinterfacehasbeenimprovedfor clarityandeaseof use. l Improvements to Topology View: TheTopologyViewnowincludesmanyimprovements, including time-outsettings, to ageoutinactivedevicesandremovethemfrommanagement. l Improved Import Hosts Process:  ImportinghostsfromaCSVwilltakelesstimethanformerly, as jobsruninparallel. l Improved License Consumption Report: TheLicenseConsumptionreportcannowberunfora specifiedtimeinterval, insteadof anentireyear. l New Rules: Severaladditionalmonitoringruleshavebeenenabledbydefault. Thesecanbeeditedor deletedaspreferred. FordetailedinformationaboutArcMC  2.6 featuresandfunctionality, referto theArc2.6 Administrator'sGuide, andotherdocumentation, availablefromtheArcSightProductDocumentation CommunityonProtect724. HPEArcSightManagementCenter 2.6 Page5of 16 TechnicalRequirements For ArcSight Management Center Server For software form factor: l Red Hat Enterprise Linux 6.8 or 7.3 l CentOS 6.8 or 7.3 For appliance upgrade: Red Hat Enterprise Linux 6.8 or 7.3* *Additionally, for RHEL7.x installation of software ArcMC: See "Prerequisite to Installation for RHEL 7.x" on page 8. Client l Windows 7, 8, 10 System l MacOS 10.8 or later l RHEL 6.8 or 7.3 CPU 1 or 2 Intel Xeon Quad Core (or equivalent) Memory l 16 GB RAM l 80 GB Disk Space (for software form factor) Supported l Internet Explorer 11 Client l Microsoft Edge (version current as of release date) Browsers l Firefox ESR (version current as of release date) l Google Chrome (version current as of release date) Screen Optimal screen resolution is 1920x1200 Resolution Hardware For new and upgraded ArcMC appliance deployments, all models C650x running RHEL 6.8 and models C660x running RHEL 7.3 Models HPEArcSightManagementCenter(2.6) Page6 of 16 For ManagedArcSight Products ArcMC Agent Hardware  Version Managed Product Software Form Factor (Appliance) Required v6.0.3 or later. Applies to software N/A ArcMC Agent is SmartConnector connectors running on ArcMC Appliance, not required. Connector Appliance, Logger (L3XXX), or separate server. v6.2, v6.2 P1, v6.3, v6.3.1, v6.4 v6.1, v6.1 P1, v6.2,v2.62 Logger P1, v6.3, and v6.3.1 on models LX50X and LX60X ArcMC v2.2, v2.2 P1, v2.5, v2.5.1, v2.6 v2.1, v2.2, v2.2 P1,v2.65, v2.5.1 and v2.6 on models C650X and C660X. Connector Appliance v6.4 P3 or v6.4 P3 (6885) Hotfix v6.4 P3, on models v2.6 CX400 or CX500 Event Broker v2.0 N/A ArcMC Agent is not required Installer Files AvailablefromtheHPEdownloadsite, theinstallerfilesforArcSightManagementCenter2.6 are namedasfollows: l For Software ArcMC: ArcSight-ArcMC-2.6..0.bin l Software remote installer for use with the ArcMC Node Management:  arcmc-sw- -remote.enc l For ArcMC Appliance: arcmc-.enc l ArcMC Agent Installer: TheArcMC Agentinstallerforallappliancenodes, andforsometypes of softwarenodes, isbundledwiththeArcMC installerfile. You mayremotelyinstallorupgrade theArcMC AgentonamanagednodedirectlyfromArcMC, asfollows: l You caninstallorupgradetheArcMC agentremotelyfromamanagingArcMC onallmanaged appliancenodes(LoggerAppliance, ArcMC Appliance, andConnectorAppliancehardware formfactor). l You caninstallorupgradetheArcMC agentforremotelymanagedsoftwarenodeswhichare ArcMC v2.1andLoggerv6.0 orlater. HPEArcSightManagementCenter(2.6) Page7of 16 TheArcMC Agentcannotbeupgradedorinstalledremotelyonearlierversionsof ArcMC and Logger, norforanysoftwareConnectorAppliancemanagednode. Forthesenodetypes, the manualinstallerisrequiredandnamed ArcSight-ArcMCAgent-2.6..0.bin . ArcMC Appliance OS  Upgrade Files AvailablefromtheHPEdownloadsite, theOS  upgradefilesforArcSightManagementCenter2.6 Appliance(only)arenamedasfollows: l For Upgrade to RHEL 6.8: (C650x appliances)osupgrade-arcmc-rhel68- .enc l For Upgrade to RHEL 7.3: (C660x appliances)osupgrade-arcmc-rhel73- .enc ForOS upgradefilesforasoftwareArcMC host, contactyourhostvendor. Prerequisite to Installationfor RHEL7.x BeforeinstallingorupgradingsoftwareArcMC onRedHatEnterpriseLinux(RHEL)7.X, you must modifytheinter-processcommunication(IPC)settingof thelogind.conf file. To modify the logind.conf file for RHEL 7.X: 1. Navigateto th/etc/systemd directory, andopenthelogind.conf fileforediting. 2. Findthe RemoveIPC lineRemoveIPC shouldbeactiveandsetto no. ((Removethe#signif itisthere, andchangethe=yesto =no if appropriate. ThecorrectentrRemoveIPC=no ). 3. Savethefile. 4. Fromthe /etc/systemd directory, enterthefollowingcommandto restartthesystemd- logindserviceandputthechangeinto effect:systemctl restart systemd- logind.service Afteryou havemodifiedthissettingandmetanyotherprerequisites, you arereadyto install softwareArcMC. HPEArcSightManagementCenter(2.6) Page8 of 16 UpgradingArcMC UpgradeissupportedfromsoftwareArcSightManagementCenterversion2.5or2.5.1to software ArcSightManagementCenter2.6. You shouldalso upgradeanymanagedArcMCsto version2.6 aswell. Upgrade Prerequisites Besurethatyou meettheseprerequisitesbeforeupgradingto ArcMC 2.6. l ArcMC Appliance OS Upgrade: UpgradetheapplianceOS to asupportedOS  versionbefore upgradingtheArcMC version. Note: BecausethelatestOSincludesimportantsecurityupdates, besureto applytheOS upgradeevenif you alreadyupgradedtheOS to 6.8 or7.3forArcMC 2.6. OS supportandrequiredOS  upgradefilenamesarelistedunderTechnicalRequirements. For instructionsonhowto applytheapplianceOS upgradelocally, seeUpgradingArcMC. Note: ForOS upgradefilesforasoftwareArcMC host, contactyourhostvendor. TheseinstructionsareforupgradingsoftwareArcMC usingawizardinGUI mode. You canalso upgradeyourArcMC  fromthecommandlineinconsolemode, andinsilentmode. Forthose instructions, referto theInstallationchapterof theAdministrator'sGuide. Remoteupgradeisanothermethodif thetargetArcMC ismanagedbyanotherArcMC usingthe NodeManagementupgradefeature. To upgrade to ArcSight Management Center 2.6 using the install wizard: 1. Copytherequiredupgradefilesto asecurenetworklocation. 2. Runthesecommandsfromthedirectorywhereyou copiedtheArcSightManagementCenter files: chmod u x ArcSight-ArcMC-2.6..0.bin ./ArcSight-ArcMC-2.6..0.bin Theinstallationwizardstarts. Reviewthedialogbox, andthenclickContinue. 3. Followthepromptsto upgrade. Foryourinstallationdirectory, chooseyouroriginalArcSight ManagementCenterinstallationdirectory. 4. If you runtheArcSightManagementCentersoftwareinstallerasarootuser, thenyou need to specifyanexistingnon-rootuserandaportthroughwhichArcSightManagementCenter HPEArcSightManagementCenter(2.6) Page9 of 16 userswillconnect. If anyportotherthan443(thedefaultHTTPS port)isspecified, then userswillneedto entertheportnumberintheURLtheyuseto accessArcSightManagement Center. Whenprompted, entertheusernameof thenon-rootuserandtheHTTPS port number, andthenclickNext. 5. Followthepromptsto completeproductinitialization. 6. If you runtheinstallerasarootuser, specifywhetherto runArcSightManagementCenteras asystemserviceorasaprocess. Note: Additionally, afewlibrariesareaddedusinldconfig . Foracompletelistof thoselibraries, s/etc/ld.so.conf.d/arcsight_arcmc.conf and/current/arcsight/install/ldconfig.out. Theupgradeiscompleted. 7. ClickStart ArcSight Management Now, orclickStart ArcSight Management Center later, andthenclickFinish. HPEArcSightManagementCenter(2.6) Page10 of 16 Upgradingthe ArcMC Agent ArcSightManagementCenter2.6 canonlymanagenodesthatarerunningArcSightManagement CenterAgentversion2.6. Consequently, afterupgradingto ArcSightManagementCenter2.6, you mayalso needto upgradetheArcSightManagementCenterAgentonsomeorallpreviously managedhostsinorderto continuemanagement. AnAgentupgradeisrecommendedforanyof thefollowinghosttypesrunningArcSight ManagementCenterAgent2.0 orearlierthatyou wishto continuemanaging: l Hardware Appliances: HardwareConnectorAppliances, LoggerAppliances, orArcMC Appliances l Software Form Factors: SoftwareConnectorAppliances, SoftwareLoggers, orsoftware ArcMCs Agent Upgrade Procedure ArcSightManagementCenter2.6 canremotelyupgradetheArcMC Agentonanynumberof managedhosts. ForArcMCAgentupgradeinstructions, seetheArcSightManagementCenter Administrator’sGuide. HPEArcSightManagementCenter(2.6) Page11of 16 FixedIssues Thisreleaseof ArcMC includesthefollowingfixedissues. ARCMC- The Software Installation chapter of the 2.5 Administrator's Guide gives the incorrect syntax for 9751 setting limits in /etc/security/limits.conf. This information is shown correctly in the 2.6 Administrator's Guide. ARCMC- On ArcMC 2.5 and 2.5.1, G8 appliances would longer respond to ICMP requests, such as ping requests. 9741 This issue has been resolved. ARCMC- When adding a connector to be managed by ArcMC 2.5, 2.5.1 license tracking for the day the connector 9695 is added would incorrectly include all connector ingestion since the last up time for the connector and could show spurious data spikes. ARCMC- In some cases, filters would not work correctly under the Property column on the Consumption Report. 9235 This issue has been resolved. ARCMC- When ArcMC 2.5 enabled as ADP License Server was upgraded to ArcMC 2.5.1, the UI failed to display 9117 the accurate license limit GB/day on license usage graph on the Dashboard or on License information page under System Admin. This issue has been resolved. ARCMC- In the Topology view, if a connector had another connector as a destination, any devices sending events 9005 to the first connector would erroneously be shown as duplicate devices, shown sending events to the destination connector. ARCMC- In some cases, when ArcMC 2.5 was freshly deployed on a Gen9 appliance, the user had only access to 8975 the System Admin Page. ARCMC- In some cases, the topology view could be displayed twice. 8781 ARCMC- When Logger Event Archives have long names, the name will no longer be displayed incorrectly. 6502 ARCMC- In Internet Explorer 11, when selecting multiple rows with the mouse, the text in the rows also would also 4077 be incorrectly highlighted. ARCMC- If pages were loaded in a small browser window, then maximizing the browser did not resize wizard 52 pages correctly. HPEArcSightManagementCenter(2.6) Page12of 16 Open Issues Thisreleaseof ArcMC containsthefollowingopenissues. ARCMC- In some cases, a Kafka timeout causes an intermittent topic bootstrap failure. Because of this, route 11219 creation in ArcMC may fail. Workaround: Restart webservices on the Event Broker master node. ARCMC- When using local authentication to log in, and the user checks the Forgot Password checklist, the 11212 copyright statement is cut off. This issue only occurs in Chrome and Firefox. ARCMC- In some cases, adding a G8 Logger 6.31 to ArcMC as a managed host may return an Error 500 Internal 11174 Server Error. Workaround: Modify the iptables to reject instead of drop packets to unused ports as follows: 1. Ensure that ssh access is enabled in System Admin 2. On the logger appliance host, run the following commands at the command line: iptables --append INPUT -j REJECT --reject-with icmp-port-unreachable ARCMC- When choosing "Export" from the Node Management menu while viewing a feature other than Node 11140 Management, the page may be remain blank or show a spinner indefinitely, although the export will succeed. To avoid this, choose the "Node Management" menu option first, and after the page has loaded, choose "Export". ARCMC- In the Topology View, the Event Broker destination for a managed Event Broker will appear to be 11133 unmanaged.To view the Event Broker metric details page, on the Dashboard, click the EB Nodes tile at the top of the page. ARCMC- On a freshly imaged ARI for ArcMC 2.6, when you restart the web process for the first time, you will 11220 have access to only System & Admin page and no access to navigational menus. Workaround: If you have only access to System Admin page, restart the aps process on Process Status page. Once aps process restarts and is running, restart the web process. You should now have access to all menus. ARCMC- On some L7600/C6600 appliances running RHEL 7.2, the OS was crashing or hanging.FIX: Applying the 10797 RHEL 7.3 OS upgrade included with this release will upgrade the kernel to a more stable version. ARCMC- An error can occur on Process Status page under System Admin after upgrading the version of RHEL 10736 OS on an ArcMC appliance. Please perform the following steps to resolve the issue: 1. SSH to the ArcMC Appliance 2. Execute the command : chattr -i /opt/local/monit/watchdog/insp.monitrc 3. Execute the command : rpm -e arcsight-nsp 4. Re-initialize the monit daemon: /opt/local/monit/bin/monit HPEArcSightManagementCenter(2.6) Page13 of 16 ARCMC- After a product type ages out, the product type is permanently removed from ArcMC. To bring back 10478 the device type, update the DB entry as follows. Updating the DB directly to the existing entry: Run the following: On a Software arcmc:{install directory}/current/arcsight/bin/psql rwdb web On an Appliance arcmc:{install directory}/local/pgsql/bin/psql rwdb web Then run the sql:UPDATE arcmc_monitor_device_timeoutSET device_timeout='20', device_ tracking='t', device_ageout_days='13'WHERE device_product=''; Note: the device_timeout and device age_out parameters should be set to the desired valuestype \q to quiteRestart the web service after update. ARCMC- In some cases, when an ArcMC has been upgraded from a connector appliance, only a limited selection 10355 of destination types (3) is available. Workaound: Edit “agent.properties” and append a new destination string (e.g: loggersecurepool, the string is dedicated for “logger secure pool” destination) to the end of the entry of “transport.types”, and then restart the container. Note that when modifying agent.properties to include the new destinations, those new destinations must be supported on the current container build. ARCMC- Only the 64-bit version of the Checkpoint OPSEC NG connector is supported on hardware series C6600. 10256 ARCMC- Several ArcMC processes may be left running after the ArcMC appliance is stopped using monit. 10178 ARCMC- ArcMC can be used to change the username used to authenticate to a connector. However, the new 9287 value is merely stored in ArcMC and not actually changed on the connector. ARCMC- Enabling the demo CA certificate fails when editing the destination from the Connector Summary ESM 9225 destination in Node Management.Workaround: Perform the demo CA enablement operation by using the Certificates button for selected connectors. ARCMC- When platform:230 and platform:201 events are forwarded from Logger to an ESM manager, the device 8944 host name and device address are converted to localhost and 127.0.0.1, respectively. ARCMC- The Apache process fails to start if "Client Certificate" or "Client Certificate AND User Password" has 7898 been enabled before Trusted Certificates are uploaded.Workaround: Apache will fail to start if the Trusted Certificates directory is empty. Upload Trusted Client certificates in the System Admin > Security > SSL Client Authentication > Trusted Certificates tab before enabling authentication methods from the System Admin > Users/Groups > Authentication > External Authentication tab. ARCMC- On the Monitoring page, Connector Count can take a long time to update. Please be patient while the 7783 count is updated. ARCMC- After adding a connector to a localhost container, listing all destinations to select from may take some 6497 time. Please be patient while the list of destinations is built. HPEArcSightManagementCenter(2.6) Page14of 16 ARCMC- If the location of Logger nodes is updated, the new location will not be reflected in the path of the 4114 Logger initial configuration source nodes. ARCMC- Under Administration > Network > System DNS, the primary and secondary DNS should be set to 0.0.0.0 2783 instead of letting them be empty fields. Setting the fields to an empty string causes issues with the DNS provider. ARCMC- In some circumstances, multiple copies of the same Content AUP file are created in the user/agent/aup 2129 directory. This may cause large Appliance Backup files to accumulate. HPEArcSightManagementCenter(2.6) Page15of 16SendDocumentation Feedback If you havecommentsaboutthisdocument, you cancontactthedocumentationteambyemail. If an emailclientisconfiguredonthissystem, clickthelinkaboveandanemailwindowopenswiththe followinginformationinthesubjectline: Feedback on Release Notes (ArcSight Management Center 2.6) Justaddyourfeedbackto theemailandclicksend. If no emailclientisavailable, copytheinformationaboveto anewmessageinawebmailclient, andsend yourfeedbackto arc-doc@hpe.com. Weappreciateyourfeedback! HPEArcSightManagementCenter 2.6 Page16 of 16

Labels:

ArcMC v2.6
Comment List
Anonymous
  • Hi Rajmouni

     

    Regarding SmartConnectorHosting capability of ArcMC, is that capability avaialable only for hardware appliance form factor, or can I use it for software form factor as well? and in that case, will the Technical Requirements mentioned in the release not be the same (RHEL 6.8, 6.9, or 7.3 / 1 or 2 Intel Xeon Quad Core / 16 GB RAM / 80 GB Disk Space)?

     

    BR,

    Hatem

Related Discussions
Recommended