Ports used by Logger and ESM?
There used to be some documentation listing all network ports required to make ArcSight Logger and ESM/Express work. However, I cannot find it among the current documentation. Can anyone point me to the current version? I'd like to know, why ESM/ArcSight Express require the following ports bound and listening to all interfaces:
111/tcp, 846/tcp, 33377/tcp, 43353/tcp, 44433/tcp, 111/udp, 123/udp, 631/udp, 840/udp, 843/udp, 934/udp, 959/udp, 5353/udp, 34262/udp, 36370/udp, 40322/udp
Thank you for your support.
thanks for the document. It seems to be from pre-6.0 times (v5.x/v3.x). Assuming all required ports are listed in the document, none of the ports mentioned above are required for the correct function of ESM or ArcSight Express. Why are they up, bound & listening for connections on all interfaces? I could understand applications communicating internally via network sockets, but rather bound to localhost rather then all interfaces.
Anyone with insight into the functions of ESM >= v6.0 that can shed some light into this?
Just to give an example of what I mean: ESM 6.0c has port 33377/tcp bound to all interfaces:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:33377 0.0.0.0:* LISTEN 16086/java
Looking at the process with ps wwp 16086, I can find:
PID TTY STAT TIME COMMAND
16086 ? Sl 810:29 java -server -DARCSIGHT_HOME=/opt/arcsight/manager/bin/wrapper/linux64/../../.. -Dorg.mortbay.util.FileResource.checkAliases=false -Ddummy=dummy -verbose:gc -XX:MaxPermSize=320m -Darcsight.cid=default -XX:+UseParallelOldGC -XX:+HeapDumpOnOutOfMemoryError -Dosgi.instance.area=/opt/arcsight/manager/bin/wrapper/linux64/../../../arcsight-dm/workspace -Dorg.tanukisoftware.wrapper.WrapperManager.mbean=true -Xms8192m -Xmx8192m -Djava.library.path=. -classpath ../../../lib/modules/arcsight-launcher-1.0.0.release.65.jar:../../../arcsight-dm/plugins/org.eclipse.equinox.launcher_1.0.200.v20090520.jar:../../../lib/modules/wrapper-3.3.0-st.jar:../../../lib/arcsight-jsse.jar -Dwrapper.key=kJcGbSlzAdygjGzsYApOaJ6miAxy9EF6 -Dwrapper.port=32001 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=16084 -Dwrapper.version=3.3.0-st -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.disable_shutdown_hook=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 com.arcsight.server.WrapperLauncher
I can't really tell much by that information. Some internal function requires this port. Why bound to all interfaces?
This is the port list for the ESM 6.0c install guide:
Before installing ESM, open the following TCP ports on your system if not already open and
ensure that no other process is using these TCP ports:
Open the following TCP ports for external incoming connections:
The following TCP ports are used internally for inter-component communication by ESM:
1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666,
8765, 8808, 8880, 8881, 8888, 8889, 9000, 9123, 9124, 9999, 45450
thank you for your response. Yes. I have seen the documentation. However, none of the ports I listed above are mentioned in the documentation. If the used ports are for IPC only, why are they bound on all interfaces? If they are required externally, can someone explain to me, for what purpose?
I have a very security aware customer with hardening guides requiring explicit explanations why open ports are required for an application, before they can be deployed in a production environment.