parfuar2 Valued Contributor.

I am not able to send alerts to a non-ArcSight server

Hi,

I am not able to send alerts to a non-ArcSight server. I want to send alerts (fixes) to a non-ArcSight server. Just this.

  • I created a user type: Forwarding connector (it is an AD user)
  • In Edit Access Control I used "/ All Filters / ArcSight / Event Types / ArcSight Correction Events"

My version is 6.11 and I installed the “ArcSight-7.5.0.7986.0-SuperConnector-Linux64.bin”.

In the installation I put:

  • /opt/arcsight/forward_events
  • Don't create links

Already in the connector folder

run ./runagentsetup.sh (/opt/arcsight/forward_events/current/bin/runagentsetup.sh)

  • Add a connector
  • ArcSight Forwarding Connector
  • Name: Name server (ESM)
  • Port default: 8443
  • User name (user connector forwarding)
  • Password
  • Import the certificate to connector from source
  • CEF Syslog

After

  • IP from the target server (where I will keep the alerts coming from arcsight)
  • Port 514
  • Protocol: UDP
  • Forwarder: False
  • CEF Version: 0.1

I installed the connector as a service.
Is something missing? I am not able to send the alerts (correlation) to a non-ArcSight server.

Thanks

Answer_1 Regular Contributor.

Re: I am not able to send alerts to a non-ArcSight server

I assume you started the service after install? (it doesn't start automatically)

Do you see the forwarding connector being connected to your ESM?

Open your filter in an Active Channel to make sure it's ok. Also make sure the user has read access to the filter.

parfuar2 Valued Contributor.

Re: I am not able to send alerts to a non-ArcSight server

Used filter:

/All Filters/ArcSight System/Event Types/ArcSight Correlation Events

it works (image - attachment)

parfuar2 Valued Contributor.

Re: I am not able to send alerts to a non-ArcSight server

Permissions (User)

Resources - attachment

Operations

/All Permissions/ArcSight System/Case Operations/Case Delete

User groups

/All Users/Administrators    

Events

/All Filters/ArcSight System/Core/No Events

/All Filters/ArcSight System/Event Types/ArcSight Correlation Events

Sortable Field Sets

/All Field Sets/ArcSight System/Event Field Sets/Sortable Field Sets/Field Set Based On ARC_E_ET Index

/All Field Sets/ArcSight System/Event Field Sets/Sortable Field Sets/Field Set Based On ARC_E_MRT Index

parfuar2 Valued Contributor.

Re: I am not able to send alerts to a non-ArcSight server

I used an option to start automatically.

The connector was installed directly to the ESM. Required ESM -> Server not arcsight.

Thank you 🙂

Answer_1 Regular Contributor.

Re: I am not able to send alerts to a non-ArcSight server

The start automatically option will start the connector after a reboot, but won't start it after install. You need to manually start it.

Is the connector connected in the ESM dashboard?

parfuar2 Valued Contributor.

Re: I am not able to send alerts to a non-ArcSight server

I thought it started automatically. That was the problem :/
No, the connector does not appear in ESM.

Thank you
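
To confirm on the target server that forwarded CEF events are actually arriving on UDP 514 (the destination settings listed in the first post), a small receiver can be run there once the connector service has been started. This is an added example, not part of the original thread or of any ArcSight tooling; the function names and the sample datagram are constructed for illustration.

```python
import socket

HEADER = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# Constructed sample datagram (not captured from a real ESM or connector).
SAMPLE = (b"<14>Jan 01 00:00:00 esm-host CEF:0|ExampleVendor|ExampleProduct|1.0|"
          b"rule:101|Constructed \\| sample rule|7|cat=/Rule/Fire dst=192.0.2.10")

def parse_cef(datagram):
    """Return the CEF header fields and raw extension, or None if not valid CEF."""
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("CEF:")            # skip the syslog prefix (PRI, time, host)
    if start == -1:
        return None
    body, fields, cur, i = text[start + 4:], [], [], 0
    # The header has 7 fields, each closed by "|"; "\|" and "\\" are escapes.
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER):
        return None                      # truncated or malformed header
    event = dict(zip(HEADER, fields))
    event["extension"] = body[i:].strip()
    return event

def listen(host="0.0.0.0", port=514, count=5):
    """Print the first `count` UDP datagrams; binding to port 514 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        for _ in range(count):
            data, peer = sock.recvfrom(65535)
            print(peer[0], parse_cef(data) or "non-CEF payload: %r" % data[:80])

if __name__ == "__main__":
    print(parse_cef(SAMPLE))             # offline check of the parser
    listen()                             # then wait for forwarded events
```

If a syslog daemon already holds UDP 514 on the target, stop it first or check its log instead. No datagrams at all points back to the connector side (service not started, or not connected to ESM) or to a firewall in between.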
