Can the "Red Hat Linux - Indicators and Warnings" for Activate Operating Systems Monitoring be realized with this .arb? Because I cannot find this package.
Yes, this will be the replacement package for the Red Hat Linux package. It has not yet been released. We're just preparing for it to be released.
I've found an issue when using the P-Linux package filter /All Filters/Arcsight Activate /Core/Product Filters/Linux/Entity Authentication/Linux Auditd User Account Logon Failures. For events from RHEL 6/7 Linux devices the rules weren't firing with the condition Name=USER_AUTH, as the Name field contains more data than just the string USER_AUTH.
The rules fire if the condition is changed to Name Contains USER_AUTH.
Alternatively, the Device Event Category field consistently matches on Name=USER_AUTH.
This affects all rules that utilize the filter.
Have you applied the syslogd and auditd parser overrides as stated in the P-Linux Foswiki (attached in the Connection Configuration section: https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOSConnectorInstallation)?
The links are at the bottom of the connector setup page for the package:
It is worth mentioning that to get the IPTables parser override to work you need to remove the Juniper Junos entries from the subagent list and set "usecustomsubagentlist=true":
sed -i "s/junos_syslog[|]junos_sdsyslog[|]//" /<SYSLOG_CONNECTOR_PATH>/current/user/agent/agent.properties
sed -i "s/usecustomsubagentlist=false/usecustomsubagentlist=true/" /<SYSLOG_CONNECTOR_PATH>/current/user/agent/agent.properties
otherwise the bulk of the IPTables events will parse as Juniper/JUNOS
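As an added example (not from this thread or the ArcSight package), the two edits above as a small POSIX shell script that also handles the junos entries when they sit at the end of the list, can be run more than once safely, and verifies the result against a constructed agent.properties. The agents[0].* key names and the placeholder subagent names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread above. Key names (agents[0].*) are an
# assumption; subagent names other than the two junos ones are placeholders.
set -eu

# Drop junos_syslog / junos_sdsyslog from the custom subagent list whether they
# sit at the start, middle or end of the pipe-separated value, then force
# usecustomsubagentlist=true. Safe to run more than once. Writes via a temp
# file instead of sed -i so it works with both GNU and BSD sed.
fix_subagent_list() {
    f="$1"
    sed -e '/customsubagentlist=/{
s/junos_syslog|//g
s/junos_sdsyslog|//g
s/|junos_syslog$//
s/|junos_sdsyslog$//
}' -e 's/usecustomsubagentlist=false/usecustomsubagentlist=true/' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Print the resulting custom subagent list value.
subagent_list() {
    sed -n '/usecustomsubagentlist=/d; s/^[^=]*customsubagentlist=//p' "$1"
}

# Exit 0 only if no junos subagent remains and the custom list is enabled.
check_subagent_list() {
    if grep -Eq 'junos_(sd)?syslog' "$1"; then return 1; fi
    grep -q 'usecustomsubagentlist=true' "$1"
}

# Constructed sample files: junos entries in the middle, and at the tail,
# where the original one-line sed (which expects a trailing '|') would miss them.
SAMPLE=$(mktemp); SAMPLE_TAIL=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE_TAIL"' EXIT
cat > "$SAMPLE" <<'EOF'
agents[0].type=syslog
agents[0].customsubagentlist=cef_syslog|junos_syslog|junos_sdsyslog|placeholder_b|placeholder_c
agents[0].usecustomsubagentlist=false
EOF
cat > "$SAMPLE_TAIL" <<'EOF'
agents[0].customsubagentlist=cef_syslog|placeholder_b|junos_syslog|junos_sdsyslog
agents[0].usecustomsubagentlist=false
EOF

for f in "$SAMPLE" "$SAMPLE_TAIL"; do
    fix_subagent_list "$f"
    if check_subagent_list "$f"; then echo "ok: $(subagent_list "$f")"; else echo "FAILED: $f"; exit 1; fi
done
```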