Linux Integration to ArcSight

Hi Community,

We have several Red Hat Linux servers (v4, v5.3, v5.9, v5.10, v6.4). Are these servers supported for integration with ArcSight via the SmartConnector Syslog Daemon?

If yes, is there an easy step by step guide on how to configure the Linux Servers to send audit logs via syslog? The configuration guide (Linux Audit Syslog) seems unclear and we cannot find the files and directories stated.

Thanks for the help.


Accepted Solutions
Knowledge Partner

There is good documentation on the Active Wiki, but I'm not sure if your versions of Linux are supported.

https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOS
https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOSConnectorInstallation
https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOSLoggingInstallation

Linux Auditd Best Practice:
https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.

3 Replies

Thanks for the help, these are very nice instructions.

Fleet Admiral

Hello,

upon already provided information.

1) ArcSight Connectors Documentation:
https://community.softwaregrp.com/t5/ArcSight-Connectors/tkb-p/connector-documentation

2) Search for "Linux" or "Unix" on this page, there are multiple SmartConnectors.

3) For example there will be SmartConnector for Linux Audit Syslog:
https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Linux-Audit-Syslog/ta-p/1588670

In it you can see that Linux auditd is supported for pulling events from Red Hat Enterprise Linux 6.4, 6.5, 6.7, 7.1, and 7.2.

4) So this means that these events should be parsed (normalized) out of the box by the Syslog SmartConnector if you configure the source (RHEL) to send these specific events.

Regards,

Marijo

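One concrete way to do the source-side configuration from step 4, as an added example that is not from this thread or from the ArcSight documentation: it enables the audispd builtin_syslog plugin on the LOCAL6 facility and forwards only that facility over TCP to the Syslog SmartConnector, with a check function to confirm the plugin is actually active. Assumed: the audit 1.x/2.x file layout of RHEL 5/6/7 (/etc/audisp/plugins.d), rsyslog on the host, and placeholder values for the connector host and port.

```shell
#!/bin/sh
# Added example (not ArcSight's or the thread's own code). Paths follow the
# audispd layout used on RHEL 5/6/7; on newer audit releases the plugin
# directory moved under /etc/audit. Connector host/port are placeholders.

AUDISP_PLUGIN="${AUDISP_PLUGIN:-/etc/audisp/plugins.d/syslog.conf}"
RSYSLOG_DROPIN="${RSYSLOG_DROPIN:-/etc/rsyslog.d/arcsight-audit.conf}"
CONNECTOR_HOST="${CONNECTOR_HOST:-connector.example.invalid}"   # placeholder
CONNECTOR_PORT="${CONNECTOR_PORT:-514}"                          # placeholder

# audispd plugin stanza: builtin_syslog copies every audit record to syslog
# at LOG_INFO on LOCAL6, so it can be routed separately from other messages.
render_audisp_conf() {
    printf '%s\n' \
        'active = yes' \
        'direction = out' \
        'path = builtin_syslog' \
        'type = builtin' \
        'args = LOG_INFO LOG_LOCAL6' \
        'format = string'
}

# rsyslog rule: ship LOCAL6 over TCP ("@@") to the connector; "@" would be UDP,
# which silently drops records under load.
render_rsyslog_rule() {
    printf 'local6.* @@%s:%s\n' "$1" "$2"
}

# Check: exit 0 only if the plugin file marks the plugin active. Tolerates
# "active=yes" spacing variants; a commented-out line does not count.
audisp_is_active() {
    grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes' "$1"
}

# Write both files, restart the daemons, then verify. Needs root; the
# function is only run when called explicitly.
apply_audit_forwarding() {
    render_audisp_conf > "$AUDISP_PLUGIN"
    render_rsyslog_rule "$CONNECTOR_HOST" "$CONNECTOR_PORT" > "$RSYSLOG_DROPIN"
    service auditd restart && service rsyslog restart
    audisp_is_active "$AUDISP_PLUGIN"
}
```

After `apply_audit_forwarding`, `logger -p local6.info test` should arrive at the connector, and `ausearch -m USER_LOGIN` events should appear there as audit records rather than generic syslog lines.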