parth.patel

Arcsight topology for syslog collection and custom dashboards

Hi Guys,

I am new to ArcSight and want to build a plugin for our product. Below are the high-level requirements.

    1. Collect syslogs from several machines (Windows and *nix)

    2. Forward data from all the machines to a centralized place, where I can parse and index the data.

    3. Build custom dashboards and reports on the indexed data.

I have planned a topology (attached figure) but I am not sure about some things and need help with them.

     I am planning to install a SmartConnector on all the machines which I want to monitor. The connector will collect the syslogs (non-CEF) and forward them to Logger, which will eventually forward the logs to ESM.

I tried to collect data in CEF but lost some useful information from the logs, so I decided to collect syslogs as a non-CEF source. Am I doing something wrong here?

I am not sure about the roles and responsibilities of Logger and ESM and can't figure out if I need both of them or I can skip one of them. Any suggestions?

Also, once I write some parsing logic and queries and create dashboards and reports, how can I bundle them as a separate plugin? How can I install that plugin in a new environment?

Any help will be appreciated.

Thanks,

Parth

3 Replies

pratikp

Re: Arcsight topology for syslog collection and custom dashboards

Hi Parth,

You do not need to install a SmartConnector on the machines which you need to integrate into ArcSight. SmartConnectors are not like traditional agents, which must be installed to capture the required logs.

SmartConnectors work with either a pull or a push mechanism to collect logs.

You can have a dedicated machine (either Windows or Linux) which will work as the Connector Server, and you can install all SmartConnectors on the same server.

1. For Windows, you have to install only one Windows Unified SmartConnector, which you can configure to pull logs from all Windows servers.

2. For Linux, you have to configure all Linux servers to forward syslog to the Connector Server IP. In this case, the Linux servers are pushing logs to the Connector Server.

As per my experience, you should have the setup below:

The Connector Server will forward logs to ArcSight Manager as well as ArcSight Logger at the same time. This will not have the problem of a single point of failure.

I hope this helps.

Regards,

Pratik

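The Linux "push" side of the setup Pratik describes, as an added example that is not code from this thread or from ArcSight: a small POSIX shell script that renders and installs an rsyslog forwarding rule so a Linux server pushes its syslog to the Connector Server. The Connector Server address 10.0.0.5, the listening port 1514 and the drop-in path /etc/rsyslog.d/90-arcsight.conf are placeholders; the syslog SmartConnector listens on whatever address and port it was given at install time, and the RainerScript `action(...)` syntax assumes rsyslog 7 or later. TCP with a disk-assisted queue is used rather than plain UDP so that a Connector Server outage delays events instead of dropping them.

```shell
#!/bin/sh
# Added example (not from the original thread or ArcSight): make a Linux server
# push its syslog to the ArcSight Connector Server with rsyslog.
# 10.0.0.5 / 1514 / /etc/rsyslog.d/90-arcsight.conf below are placeholders.

# render_forward_conf HOST [PORT]
# Prints an rsyslog (RainerScript) forwarding rule on stdout.
render_forward_conf() {
    host="$1"
    port="${2:-514}"
    cat <<EOF
# Forward all facilities and severities to the ArcSight Connector Server.
# TCP rather than UDP: UDP syslog silently drops events under load or on
# network errors, and an unauthenticated UDP receiver can be fed spoofed lines.
# The disk-assisted queue keeps events on this host while the Connector Server
# is unreachable, so a connector outage delays delivery instead of losing data.
*.* action(type="omfwd"
           target="${host}" port="${port}" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_arcsight"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# install_forward_conf DEST HOST [PORT]
# Writes the rule to DEST (normally /etc/rsyslog.d/90-arcsight.conf) with
# restrictive permissions so unprivileged local users cannot redirect the stream.
install_forward_conf() {
    dest="$1"; host="$2"; port="${3:-514}"
    ( umask 077; render_forward_conf "$host" "$port" > "$dest" )
    chmod 0640 "$dest"
}

# check_forward_conf DEST
# Syntax-checks the file with rsyslogd's config-check mode when rsyslogd exists.
check_forward_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not found; skipping syntax check" >&2
    fi
}

# send_test_event [TAG]
# Emits a marker line that should then show up on the Connector Server and,
# downstream, in Logger/ESM. Run after restarting rsyslog.
send_test_event() {
    logger -t "${1:-arcsight-test}" \
        "forwarding test from $(hostname) at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Usage when run directly, e.g. as root:
#   sh forward.sh /etc/rsyslog.d/90-arcsight.conf 10.0.0.5 1514
if [ $# -ge 2 ]; then
    install_forward_conf "$1" "$2" "${3:-514}"
    check_forward_conf "$1"
    echo "now restart rsyslog (e.g. systemctl restart rsyslog) and call send_test_event"
fi
```

After the restart, the marker line from `send_test_event` is the quickest end-to-end check that the Connector Server is receiving the push; if the SmartConnector receiver expects a specific syslog format, add a `template="..."` parameter to the `action(...)` matching what it was configured for.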
parth.patel

Re: Arcsight topology for syslog collection and custom dashboards

Thanks a lot, Pratik, for the reply.

One more question:

What would I lose, if I don't use the logger in my setup?

Would I be able to do all the field parsing and dashboard creation on ESM?

Thanks,

Parth

siemmetry

Re: Arcsight topology for syslog collection and custom dashboards

Hi Parth,

Generally, you would only use Logger for its relatively cheap, long-term retention capability - to be honest, the back end on ESM and Logger is the same now with the CORR-E solution, so performance (EPS) and scalability aren't massively different. Logger was traditionally put in front of ESM as a sort of DoS protection, as it could handle much higher EPS and then send only a filtered stream on to your expensive and 'fragile' ESM - that's simply not that much of a concern anymore.

Parsing of events is done at your 'collection layer', i.e. the Smart/Flex connectors, and dashboards (all the really clever and useful content) are written in ESM/Express.

Having said all that, most important in answering your question regarding architecture would be your business requirements about retention, log capturing, etc., and your use cases.

-siemmetry

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.