
P-Linux

This is the official forum for discussing the basic ArcSight Activate P-Linux product package as described in the Activate Wiki.

11 Replies

Hi,

Can the "Red Hat Linux - Indicators and Warnings" content for Activate Operating Systems Monitoring be realized with this .arb? I cannot find this package.

Regards,

Valentina

Vice Admiral

Hey Valentina,

Yes, this will be the replacement package for the Red Hat Linux package. It has not yet been released. We're just preparing for it to be released.

FYI,

--

Prentice

Ensign

Hi,

I've found an issue when using the P-Linux package filter /All Filters/Arcsight Activate /Core/Product Filters/Linux/Entity Authentication/Linux Auditd User Account Logon Failures. For events from RHEL 6/7 Linux devices, the rules weren't firing with the condition Name=USER_AUTH, as the Name field contains more data than just the string USER_AUTH.

The rules fire if the condition is changed to Name Contains USER_AUTH.

Alternatively, the Device Event Category field consistently matches on Name=USER_AUTH.

[attached screenshot: Linux Auditd User Account Logon Failure.jpg]

This affects all rules that utilize the filter.

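The symptom described in this post, reproduced as an added example (not code from the thread or from the P-Linux package) on constructed auditd records: the same "logon failure" selection is evaluated with an exact match on Name, with Name Contains, and with equality on the categorical field. The field mapping used here (audit record type into deviceEventCategory, a free-text name built from the type plus the PAM operation) is an assumption made for the demo; the real mapping is whatever the connector's parser override defines.

```python
"""Added example, not code from the thread or from the P-Linux package: it
reproduces the filter symptom described in the post above on CONSTRUCTED auditd
records.  The field mapping (audit record type into deviceEventCategory, a
free-text name built from the type plus the PAM operation) is an assumption made
for the demo; the real mapping is whatever the connector's parser override defines."""

import re

# Constructed sample records in auditd's key=value layout (not real captures).
RAW_AUDIT = """\
type=USER_AUTH msg=audit(1500000001.100:201): pid=2411 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1500000002.200:202): pid=2412 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1500000003.300:203): pid=2413 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="carol" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1500000004.400:204): pid=2414 uid=0 auid=1000 ses=5 msg='op=PAM:setcred acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

# key=value tokens; values may be double-quoted, single-quoted or bare.
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_audit_line(line):
    """Flatten one auditd record into a dict, hoisting the keys nested in msg='...'."""
    fields = {}
    for key, value in _KV.findall(line):
        value = value.strip("'\"")
        if key == "msg" and "=" in value:        # the quoted msg block carries op/acct/res
            for k2, v2 in _KV.findall(value):
                fields[k2] = v2.strip('"')
        else:
            fields[key] = value
    return fields


def normalize(fields):
    """Assumed connector-style event: the record type is the stable category, the
    name is free text and therefore not equal to the bare type string."""
    rtype = fields.get("type", "")
    return {
        "deviceEventCategory": rtype,
        "name": f"{rtype} {fields.get('op', '')}".strip(),
        "destinationUserName": fields.get("acct", ""),
        "sourceAddress": fields.get("addr", ""),
        "outcome": fields.get("res", ""),
    }


def load_events(raw=RAW_AUDIT):
    return [normalize(parse_audit_line(l)) for l in raw.splitlines() if l.strip()]


def logon_failures(events, condition):
    """Evaluate the 'Linux Auditd User Account Logon Failures' selection three ways
    and return the accounts that matched: exact Name, Name Contains, or category equality."""
    hits = []
    for ev in events:
        if condition == "name_equals":
            selected = ev["name"] == "USER_AUTH"
        elif condition == "name_contains":
            selected = "USER_AUTH" in ev["name"]
        elif condition == "category_equals":
            selected = ev["deviceEventCategory"] == "USER_AUTH"
        else:
            raise ValueError(f"unknown condition {condition!r}")
        if selected and ev["outcome"] == "failed":
            hits.append(ev["destinationUserName"])
    return hits


if __name__ == "__main__":
    evs = load_events()
    for cond in ("name_equals", "name_contains", "category_equals"):
        print(f"{cond:16s} -> {logon_failures(evs, cond)}")
```

On the constructed records the exact match selects nothing, while Contains and the category test both pick out alice's failed USER_AUTH and ignore carol's failed USER_LOGIN. Contains is the broader of the two (it would also select any other name that happens to carry the substring), which is why keying on the categorical field is the more precise choice when the parser populates it consistently.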
Cadet 2nd Class

Have you applied the syslogd and auditd parser overrides as stated in the P-Linux Foswiki (attached in the Connection Configuration section, https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOSConnectorInstallation)?

Ensign

Hi Nellie,

No, I missed that step. My bad; applying the parser overrides fixes it.

Thanks for your support.

Vice Admiral

The link to the parser overrides no longer exists. Can you please supply them? Thank you.

Vice Admiral

Has anyone used this package to monitor ESM, Logger and ArcMC?

Micro Focus Expert

The links are at the bottom of the connector setup page for the package:

https://hpe-sec.com/foswiki/bin/view/ArcSightActivate/PLinuxOSConnectorInstallation

Vice Admiral

Ah, for some reason I was selecting the readme link and expecting to see the parser there. I have no clue why..... duh John.... lol

Many Thanks!

Knowledge Partner

It is worth mentioning that to get the IPTables parser override to work you need to remove the Juniper Junos entries from the subagent list and set "usecustomsubagentlist=true":

# Drop the two Junos subagents from the custom subagent list
sed -i "s/junos_syslog[|]junos_sdsyslog[|]//" /<SYSLOG_CONNECTOR_PATH>/current/user/agent/agent.properties
# Make the connector use only the custom list (the s command needs its closing slash)
sed -i "s/usecustomsubagentlist=false/usecustomsubagentlist=true/" /<SYSLOG_CONNECTOR_PATH>/current/user/agent/agent.properties

Otherwise the bulk of the IPTables events will parse as Juniper/JUNOS.

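The agent.properties edit from this post, as an added example in Python rather than sed (not code from the thread or from ArcSight): it removes the two Junos subagents wherever they sit in the list (the sed pattern above only matches them when they are adjacent and in that exact order), flips usecustomsubagentlist to true, keeps a .bak copy, and is safe to re-run. The property keys agents[0].customsubagentlist and agents[0].usecustomsubagentlist and the contents of the sample list are assumptions made for the demo; check the keys in your own file before applying it.

```python
"""Added example, not code from the thread or from ArcSight: the agent.properties
edit from the post above, done in Python instead of sed so that the Junos
subagents are dropped wherever they sit in the list and the edit is idempotent.
The property keys (agents[0].customsubagentlist / agents[0].usecustomsubagentlist)
and the sample list contents are ASSUMED for the demo; check your own file."""

import shutil
import tempfile
from pathlib import Path

# Subagent names the post says must go, so iptables lines stop parsing as JUNOS.
JUNOS_SUBAGENTS = {"junos_syslog", "junos_sdsyslog"}

# Constructed agent.properties fragment (not a real connector file).
SAMPLE_PROPERTIES = """\
agents[0].type=syslog
agents[0].customsubagentlist=linux_auditd|junos_syslog|junos_sdsyslog|cef_syslog|iptables_syslog
agents[0].usecustomsubagentlist=false
"""


def fix_subagent_properties(text):
    """Return (new_text, changed): junos entries removed from every
    *.customsubagentlist value and *.usecustomsubagentlist=false set to true."""
    out, changed = [], False
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        k = key.strip()
        if sep and k.endswith(".customsubagentlist"):
            kept = [e for e in value.split("|") if e and e not in JUNOS_SUBAGENTS]
            new_value = "|".join(kept)
            if new_value != value:
                changed = True
                line = f"{key}={new_value}"
        elif sep and k.endswith(".usecustomsubagentlist") and value.strip().lower() == "false":
            changed = True
            line = f"{key}=true"
        out.append(line)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, changed


def apply_fix(path):
    """Edit the file in place, keeping a .bak copy; True if anything changed."""
    p = Path(path)
    new_text, changed = fix_subagent_properties(p.read_text())
    if changed:
        shutil.copy2(p, p.parent / (p.name + ".bak"))
        p.write_text(new_text)
    return changed


def demo():
    """Run the edit twice on the constructed sample in a temp dir.
    Returns (edited lines, changed on 1st run, changed on 2nd run, backup exists)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "agent.properties"
        p.write_text(SAMPLE_PROPERTIES)
        first = apply_fix(p)
        second = apply_fix(p)            # nothing left to change: idempotent
        backup = (p.parent / "agent.properties.bak").exists()
        return p.read_text().splitlines(), first, second, backup


if __name__ == "__main__":
    lines, first, second, backup = demo()
    print("\n".join(lines))
    print(f"changed: {first}, changed again: {second}, backup: {backup}")
```

With the custom list enabled the connector only tries the subagents that remain, so after the edit it is worth eyeballing the rewritten customsubagentlist line to confirm the parsers you depend on (the auditd and iptables entries in the constructed sample) are still there.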
Micro Focus Expert

You are right. I'll update the documentation and see if I can come up with a way around this.

Beirne Konarski

ArcSight Pro Services
