Absent Member.

Ports used by Logger and ESM?

Hi all,

There used to be some documentation listing all network ports required to make ArcSight Logger and ESM/Express work. However, I cannot find it among the current documentation. Can anyone point me to the current version? I'd like to know why ESM/ArcSight Express require the following ports bound and listening to all interfaces:

111/tcp, 846/tcp, 33377/tcp, 43353/tcp, 44433/tcp, 111/udp, 123/udp, 631/udp, 840/udp, 843/udp, 934/udp, 959/udp, 5353/udp, 34262/udp, 36370/udp, 40322/udp

Thank you for your support.

Cheers

JP

Absent Member.

Hi Jens,

I attached the document.

BR,

Christoph

Absent Member.

Hi Christoph,

thanks for the document. It seems to be from pre-6.0 times (v5.x/v3.x). Assuming all required ports are listed in the document, none of the ports mentioned above are required for the correct function of ESM or ArcSight Express. Why are they up, bound & listening for connections on all interfaces? I could understand applications communicating internally via network sockets, but bound to localhost rather than all interfaces.

Anyone with insight into the functions of ESM >= v6.0 that can shed some light on this?

Cheers

JP

Absent Member.

Just to give an example of what I mean: ESM 6.0c has port 33377/tcp bound to all interfaces:

Proto Recv-Q Send-Q Local Address               Foreign Address             State         PID/Program name
tcp   0      0      0.0.0.0:33377               0.0.0.0:*                   LISTEN        16086/java

Looking at the process with ps wwp 16086, I can find:

PID   TTY      STAT TIME   COMMAND
16086 ?        Sl   810:29 java -server -DARCSIGHT_HOME=/opt/arcsight/manager/bin/wrapper/linux64/../../.. -Dorg.mortbay.util.FileResource.checkAliases=false -Ddummy=dummy -verbose:gc -XX:MaxPermSize=320m -Darcsight.cid=default -XX:+UseParallelOldGC -XX:+HeapDumpOnOutOfMemoryError -Dosgi.instance.area=/opt/arcsight/manager/bin/wrapper/linux64/../../../arcsight-dm/workspace -Dorg.tanukisoftware.wrapper.WrapperManager.mbean=true -Xms8192m -Xmx8192m -Djava.library.path=. -classpath ../../../lib/modules/arcsight-launcher-1.0.0.release.65.jar:../../../arcsight-dm/plugins/org.eclipse.equinox.launcher_1.0.200.v20090520.jar:../../../lib/modules/wrapper-3.3.0-st.jar:../../../lib/arcsight-jsse.jar -Dwrapper.key=kJcGbSlzAdygjGzsYApOaJ6miAxy9EF6 -Dwrapper.port=32001 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=16084 -Dwrapper.version=3.3.0-st -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 com.arcsight.server.WrapperLauncher


I can't really tell much by that information. Some internal function requires this port. Why bound to all interfaces?


Cheers


JP


Absent Member.

This is the port list for the ESM 6.0c install guide:

Before installing ESM, open the following TCP ports on your system if not already open and ensure that no other process is using these TCP ports:

Open the following TCP ports for external incoming connections:

8443
9443

The following TCP ports are used internally for inter-component communication by ESM:

1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8765, 8808, 8880, 8881, 8888, 8889, 9000, 9123, 9124, 9999, 45450


Absent Member.

Hi Farridem,

thank you for your response. Yes. I have seen the documentation. However, none of the ports I listed above are mentioned in the documentation. If the used ports are for IPC only, why are they bound on all interfaces? If they are required externally, can someone explain to me for what purpose?

I have a very security-aware customer with hardening guides requiring explicit explanations why open ports are required for an application, before they can be deployed in a production environment.

Cheers

JP

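Added example, not part of any post in this thread and not ArcSight code: one way to produce the list a hardening review asks for, by comparing `netstat -tulpn` output against the ESM 6.0c port list quoted above and reporting every listener bound to all interfaces that the guide does not document as external. The function name `audit` and the sample rows are assumptions; only the 33377 row comes from the thread, and the other rows and process names are constructed.

```python
import re

# Port lists as quoted in this thread from the ESM 6.0c install guide (TCP only).
DOCUMENTED_EXTERNAL = {8443, 9443}
DOCUMENTED_INTERNAL = {1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005,
                       8009, 8080, 8088, 8089, 8666, 8765, 8808, 8880, 8881,
                       8888, 8889, 9000, 9123, 9124, 9999, 45450}
WILDCARD = {"0.0.0.0", "::", "*"}

# Constructed `netstat -tulpn` sample; only the 33377 row is taken from the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp   0      0      0.0.0.0:33377     0.0.0.0:*         LISTEN   16086/java
tcp   0      0      0.0.0.0:8443      0.0.0.0:*         LISTEN   16086/java
tcp   0      0      127.0.0.1:8005    0.0.0.0:*         LISTEN   16086/java
tcp   0      0      0.0.0.0:3306      0.0.0.0:*         LISTEN   2211/mysqld
tcp6  0      0      :::111            :::*              LISTEN   1502/rpcbind
udp   0      0      0.0.0.0:5353      0.0.0.0:*                  1733/avahi-daemon
"""

# proto, queues, local addr:port, foreign addr, optional LISTEN state, PID/program
ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)")


def audit(netstat_text):
    """Return (proto, port, program, finding) for each listener that needs a justification."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, program = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if addr not in WILDCARD:
            continue  # bound to one specific address (e.g. loopback), not all interfaces
        is_tcp = proto.startswith("tcp")
        if is_tcp and port in DOCUMENTED_EXTERNAL:
            continue  # documented as open for external incoming connections
        if is_tcp and port in DOCUMENTED_INTERNAL:
            finding = "documented as internal only, yet bound to all interfaces"
        else:
            finding = "not in the documented port list"
        findings.append((proto, port, program, finding))
    return findings


if __name__ == "__main__":
    for proto, port, program, finding in audit(SAMPLE):
        print(f"{port}/{proto:<5} {program:<20} {finding}")
```

The PID/program column is only populated when `netstat` runs with root privileges; without it the owning process shows as `-`.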
Fleet Admiral

This is a question for someone from ArcSight/HP.

I am curious to know why this port is exposed!
