babudheen

Re: How to use ArcOSI software

Hi,

Actually, I am new to ArcSight active lists and learning how to do that. Since you are using ArcOSI software for ArcSight ESM, it would be great if you could provide me the documentation or steps you followed to enable this successfully.

You can also reach me at babudheen@yahoo.co.in.

Can you help me?

anwarrhce1

Re: How to use ArcOSI software

Hi,

Yes, it works perfectly, but it fills up the database with more than 50K events every day, and this is not a good idea, at least for us.

Can anyone suggest an alternative to achieve the objective of getting a list of malicious domains and IP addresses on a daily basis without the events getting stored in the DB?

I hope someone has achieved it already; would you guys mind sharing?

Rgds,

Anwar

Bsmithsweeney

Re: How to use ArcOSI software

Just a follow-up point for any ArcSight folks following this thread: event-based import to ActiveLists seems like a hack. Any chance we'll have a reasonably fleshed-out Web Services API for updating ActiveLists in the near future? It seems like that would be a *much* better way of handling this kind of problem.

dzuperku1

Re: How to use ArcOSI software

So, is there a doc out there explaining from start to finish how to set this up?

If I'm in a Windows environment, do I just need to run (schedule a daily run of) the arcosi-28.exe? Do I need to put the .py file in the same directory? Where does it write the output? Do I need to install Python on the Windows box?

This seems like an awesome feed I would like to use.

Thanks in advance,

Dan

dzuperku1

Re: How to use ArcOSI software

I think I found my own answer; just an FYI for all the other people that might have trouble setting this up.

For Windows users, download the arcosi-28.exe and place it on a server where you have a syslog connector running.

Open a command prompt, cd to the directory where arcosi-28.exe is (in my case I placed the file in the root of D:\) and run the following:

arcosi-28.exe localhost

This will take a while to run (you can see the commands fly by in the command prompt); I pulled in over 2000 events this morning.

While it's running you can open an active channel for the syslog connector and see the events come in.
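The procedure above, and anwarrhce1's concern earlier in the thread about 50K events a day landing in the ESM database, as an added example that is not ArcOSI's own code: a Python script that parses a constructed blocklist, builds one CEF event per indicator, wraps each in an RFC 3164 syslog record and sends it over UDP to the syslog connector on localhost:514, the same path the arcosi-28.exe localhost run uses. It keeps a small state file so that only indicators not already sent on a previous run are emitted. The CEF vendor/product strings, the field mapping (dst for IPs, dhost for domains, cs1 for the feed name), the state-file name and the sample feed are all assumptions of this example; pick the fields your active-list rule keys on.

```python
# Added example (not ArcOSI's own code): blocklist feed -> CEF over syslog,
# sending only indicators that were not sent on a previous run.
import datetime
import json
import os
import re
import socket

# Constructed sample feed (not a real blocklist): comments, IPs, a domain,
# a malformed line and a duplicate.
SAMPLE_FEED = """# constructed blocklist for this example
198.51.100.23
203.0.113.7   # known C2
Malicious.Example.NET
not a valid entry
198.51.100.23
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_feed(text):
    """Return ({ips}, {domains}); comments, blanks and junk lines are dropped."""
    ips, domains = set(), set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        if IPV4_RE.match(entry) and all(int(o) < 256 for o in entry.split(".")):
            ips.add(entry)
        elif DOMAIN_RE.match(entry):
            domains.add(entry.lower())
    return ips, domains


def cef_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(indicator, kind, feed_name):
    """One CEF:0 line per indicator (field mapping is an assumption here)."""
    field = "dst" if kind == "ip" else "dhost"
    header = "|".join(cef_header(x) for x in (
        "Example", "FeedToCEF", "1.0", f"blocklist-{kind}",
        "Blocklisted indicator", "5"))
    ext = " ".join(f"{k}={cef_ext(v)}" for k, v in (
        (field, indicator), ("cs1Label", "feed"), ("cs1", feed_name),
        ("cat", "blacklist")))
    return f"CEF:0|{header}|{ext}"


def syslog_frame(cef_line, hostname="feedhost", now=None):
    """Wrap a CEF line in an RFC 3164 style record (PRI 14 = user.info)."""
    now = now or datetime.datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<14>{ts} {hostname} {cef_line}"


def select_new(current, previously_sent):
    """Only indicators not sent before: re-sending the whole list every day
    is what fills the ESM database with tens of thousands of events."""
    return sorted(set(current) - set(previously_sent))


def load_state(path):
    """Set of indicators already sent (assumed JSON list on disk)."""
    return set(json.load(open(path))) if os.path.exists(path) else set()


def save_state(path, indicators):
    with open(path, "w") as fh:
        json.dump(sorted(indicators), fh)


def send_udp(lines, host="localhost", port=514):
    """Send each syslog record as one UDP datagram to the syslog connector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in lines:
        sock.sendto(line.encode("utf-8"), (host, port))
    sock.close()
    return len(lines)


if __name__ == "__main__":
    STATE = "feed_state.json"  # assumed location of the "already sent" set
    ips, domains = parse_feed(SAMPLE_FEED)
    seen = load_state(STATE)
    records = [syslog_frame(build_cef(i, "ip", "sample"))
               for i in select_new(ips, seen)]
    records += [syslog_frame(build_cef(d, "domain", "sample"))
                for d in select_new(domains, seen)]
    print(f"sending {send_udp(records)} new indicator(s)")
    save_state(STATE, seen | ips | domains)
```

Run it on the box that hosts the syslog connector, the same way the thread runs arcosi-28.exe there; the first run sends every parsed indicator, later runs only the additions, and the active-list rule should key on the same CEF field the script writes (dst or dhost here).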

Carterb

Re: How to use ArcOSI software

I would also add that whatever syslog connector you send it to should have dns resolution turned off or you might trigger a lot of IDS alarms (like I did).

Ladeay

Re: How to use ArcOSI software

Hi Dzuperku,

I was able to pull events too but can't seem to populate the AL I created.

Kindly assist.

Thanks

dzuperku1

Re: How to use ArcOSI software

What does your rule look like?

Ladeay

Re: How to use ArcOSI software

[Attachments: Rule 1.jpg, Rule 2.jpg]

Ladeay

Re: How to use ArcOSI software

I have uploaded the images.

[Attachments: AL.jpg, Rule 3.jpg]

dzuperku1

Re: How to use ArcOSI software

For your Active List "Bad IP", is it fields-based or event-based?

I have mine on Fields-based.

Everything looks OK in your rule.

Ladeay

Re: How to use ArcOSI software

The Active List is field-based. Also, the rule is placed under real-time rules.

ryanarcsight

Re: How to use ArcOSI software

For the ArcOSI install, how might this look on a connector appliance? I currently do not have a syslog connector running on Windows, but I suppose I could run one just for the ArcOSI content.

I am finding the ConApp a little challenging since I am unable to access the command line and had little training on the GUI.

tejeu_tejeu1

Re: How to use ArcOSI software

Hi,

Are you still using ArcOSI for tracking blacklisted IP addresses?

Regards,

Tejesh
