jring1 Trusted Contributor.

Smartconnector on raspberry pi - or how to run it on any platform...

Hi everybody,

tonight was a night of lazy hacking with good music and wine for me... here's the result:

pi@raspberrypi ~/ArcSightSmartConnectors/current/bin $ ./arcsight connectors

Assuming ARCSIGHT_HOME: /home/pi/ArcSightSmartConnectors/current

Assuming JAVA_HOME: /home/pi/ArcSightSmartConnectors/current/jre

ArcSight Connectors starting...

   ___           _____      __   __

  / _ | ________/ __(_)__ _/ /  / /_

/ __ |/ __/ __/\ \/ / _ `/ _ \/ __/

/_/ |_/_/  \__/___/_/\_, /_//_/\__/

        SmartAgents /___/ Version 5.2.7.6544.0 (X6544_1-23-2013_14:33:12)

Copyright © 2001-2012 Hewlett-Packard Development Company, L.P.

Confidential commercial computer software. Valid license required.

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] ArcSight Home: /home/pi/ArcSightSmartConnectors/current

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] JVM name: Java HotSpot(TM) Client VM

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] JVM path: /home/pi/ArcSightSmartConnectors/current/jre

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] JVM vendor: Oracle Corporation

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] JVM version: 25.0-b50

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] Memory: 124 Megabytes (123993520/129761280)

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] OS: Linux Version: 3.6.11+ arm

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] User: pi

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] Working Directory: /home/pi/ArcSightSmartConnectors/current

[Tue Sep 24 22:42:49 UTC 2013] [INFO ] version: 5.2.7.6544.0

[GC (Allocation Failure)  34944K->8419K(126720K), 0.5376780 secs]

[Tue Sep 24 22:43:24 UTC 2013] [WARN ] Starting remote management web services...

[Tue Sep 24 22:43:24 UTC 2013] [INFO ] Attempting to start tomcat ...

[GC (Allocation Failure)  43363K->13987K(126720K), 0.3434660 secs]

[Tue Sep 24 22:43:27 UTC 2013] [INFO ] Starting remote management server [org.apache.catalina.startup.Embedded/1.0] with default context root [jsp Second Listener port [10001] host [localhost]

[INFO] Embedded - Starting tomcat server

[INFO] StandardEngine - Starting Servlet Engine: Apache Tomcat/5.5.33

[INFO] StandardHost - XML validation disabled

[Full GC (Metadata GC Threshold)  24426K->11321K(126720K), 0.5462150 secs]

[INFO] ContextConfig - No default web.xml

[INFO] Http11BaseProtocol - Initializing Coyote HTTP/1.1 on http-localhost%2F127.0.0.1-10001

[INFO] Http11BaseProtocol - Starting Coyote HTTP/1.1 on http-localhost%2F127.0.0.1-10001

[Tue Sep 24 22:43:35 UTC 2013] [INFO ] Initializing Agent Framework Version [5.2.7.6544.0]

[Tue Sep 24 22:43:42 UTC 2013] [INFO ] Memory monitor started, heap limit: 123.8 MB

[GC (Allocation Failure)  46265K->15849K(126720K), 0.1771130 secs]

[Tue Sep 24 22:43:45 UTC 2013] [INFO ] Initializing agent flow for destination [<?xml version="1.0" encoding="UTF-8"?>

<ParameterValues>

    <Parameter Name="port" Value="443"/>

    <Parameter Name="host" Value="192.168.1.40"/>

    <Parameter Name="rcvrname" Value="SmartMessage Receiver"/>

    <Parameter Name="compression" Value="Disabled"/>

</ParameterValues>

]

[GC (Allocation Failure)  50793K->19274K(126720K), 0.2139700 secs]

[Tue Sep 24 22:43:54 UTC 2013] [INFO ] Zone based filtering disabled.

[Tue Sep 24 22:43:55 UTC 2013] [INFO ] HTTP Compression enabled.

[GC (Allocation Failure)  54218K->22411K(126720K), 0.2135880 secs]

[Tue Sep 24 22:44:07 UTC 2013] [INFO ] Created all streams/readers for the file[/var/log/syslog] successfully.

[Tue Sep 24 22:44:07 UTC 2013] [INFO ] Seeked to byte offset[105238] in the file[/var/log/syslog] successfully.

[Tue Sep 24 22:44:07 UTC 2013] [INFO ] successfully started Name Following File Reader Thread for the file[/var/log/syslog]

[Tue Sep 24 22:44:08 UTC 2013] [INFO ] Agent [Linux] started.

[Tue Sep 24 22:44:09 UTC 2013] [INFO ] {C=0, ET=Up, HT=Up, N=Linux, S=0, T=0.0}

[GC (Allocation Failure)  57355K->25438K(126720K), 0.2643080 secs]

[Tue Sep 24 22:44:10 UTC 2013] [INFO ] Agent upgrade status check thread started

[Tue Sep 24 22:44:12 UTC 2013] [INFO ] First event from [ArcSight|ArcSight|127.0.1.1|raspberrypi] received.


Here's a little howto:

- Started with default raspbian system

- Downloaded and installed the OpenJDK 8 beta from Oracle - see https://wiki.openjdk.java.net/display/OpenJFX/OpenJFX+on+the+Raspberry+Pi for instructions and download link...

- Started and configured the Logger VM with Virtualbox and installed and configured the Linux Smartconnector from the free logger demo package on my Ubuntu Laptop (I always forget to take home ESM and Connector installers for playing and then I'd probably need to get test licenses while the demo package has one built in).

- copied over AGENT_HOME directory to the raspberry (home directory of the default user pi - if you want to make it nice you want an arcsight user of course).

- went to $AGENT_HOME/current and moved the folder jre to jre_old (or just delete it - it's x86 java and won't help on arm).

- copied over jre folder from JDK 8 folder to $AGENT_HOME/current

- tried to start connector with $AGENT_HOME/current/bin/arcsight connectors - and got "Server VM is only supported on ARMv7+ VFP" - ouch...

- googled around and found that while this is true people are running tomcat with Client VM on raspberry - so can we, after all the connector is just a tomcat...  now just find how to start the VM with -client instead of -server

- rummaged through the scripts under $AGENT_HOME/current/bin and found the dirty truth - all JVM options can be set elsewhere - but the -server is hardcoded in some scripts in $AGENT_HOME/current/bin/scripts - most importantly connectors.sh. Changed that to -client and here we go...

- haven't done a lot of testing besides starting up the connector and checking that it actually sends events to logger - one problem is that the unix syslog events aren't properly parsed and categorized - but I had this on ubuntu too (another non-supported platform :-). I suspect it's got something to do with the limited connector package from the free demo logger which I haven't really used before since we of course have the real thing at work...

The same procedure with exchanging the jre folder (and w/o the script change which is due to some java limitation on the ARMv6 platform of the pi) can probably be used to get the connector to run on other very unsupported platforms - Solaris x86 anybody?

Todo:

- try the same with a real connector

- have a closer look at the installer and put the alien JRE in there so you can create your own installer files...

PS: Don't even think about calling support for a connector installed like this 😉

Good night,

Joachim

jring1 Trusted Contributor.

Re: Smartconnector on raspberry pi - or how to run it on any platform...

Hi everybody,

another Tuesday night of hacking with music and drinks... get prepared for more news from way beyond supported...

Last time I did a quick and dirty proof-of-concept to see whether it runs at all - today I'll try to install a real connector on the pi and keep the install as close as possible to normal.

So I started by copying the Smartconnector 6.0.5 Linux Installer file to the pi. If we run this, it unpacks the (wrong) JRE and the Connector files and then tries to start the real installer wizard, which is a java program. This fails due to the wrong jre being used.

But you can force the InstallAnywhere installer (which is what HP uses here) to use a different JVM than the one in the package...


- run the installer like this - provided the jre is installed under /opt/jdk1.8.0 as shown in last post:


./ArcSight-6.0.5.6782.0-Connector-Linux.bin LAX_VM /opt/jdk1.8.0/jre/bin/java

- now swap the x86 jre for the arm one:

rm -rf "${AGENT_HOME:?}/current/jre"

cp -a /opt/jdk1.8.0/jre "$AGENT_HOME/current"

- do the fix mentioned before to use the client flavor of the jvm as the default server one is not supported on the pi's strange arm platform - edit $AGENT_HOME/current/bin/scripts/connectors.sh and change -server to -client

- we're a bit short on memory for the runagentsetup... let's save a bit - first for runagentsetup itself:

export ARCSIGHT_JVM_OPTIONS="-Xms64m -Xmx128m"

- then change memory settings for the connector in standalone mode - which is being run by runagentsetup... (forget about agent.wrapper.conf - see below why) - create $AGENT_HOME/current/user/agent/setmem.sh with the following content:

#!/bin/bash

export ARCSIGHT_MEMORY_OPTIONS="  -Xms128m -Xmx224m "

- now we're ready to do runagentsetup as usual - the first time it timed out due to the connector started in the background taking too long to initialize. The 2nd try worked fine - installed syslog file reader and connected to my free logger demo vm.


- you can even do the arcsight agentsvc incantation to set up the service - unfortunately the service won't start due to the fact that the wrapper is currently an x86 binary. So some scripting might be needed to autostart the connector in standalone mode...


I'm happy to announce that with the normal connector installer (vs the limited one from the demo package) the events from my raspberry's syslog are now correctly parsed and categorized...

Also it is probably a very good idea to never configure AUP master destinations for connectors hack^h^h^h^hinstalled like this... the autoupgrade will probably leave a nice mess...


TODO: find a way to run the wrapper (maybe qemu?) or do scripting to autostart connector in standalone mode. Also try to inject arm jre into installer file... and finally - performance testing.

Good night,

Joachim
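
The JRE swap and the -server to -client change described in both posts, as an added shell example that is not part of the original thread: it keeps the x86 JRE as jre_old and a .orig copy of the patched script so the change can be undone. The function names are made up here, and the thread does not show the contents of connectors.sh, so the way the flag is matched is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. Paths follow the posts; function names
# are hypothetical, and how -server appears in connectors.sh is an assumption.

# swap_jre <agent_home> <replacement_jre_dir>
# Keep the bundled JRE as jre_old, then copy the replacement into place.
swap_jre() {
    cur="$1/current"
    [ -d "$cur" ] || { echo "$cur not found" >&2; return 1; }
    [ -x "$2/bin/java" ] || { echo "no executable $2/bin/java" >&2; return 1; }
    if [ -d "$cur/jre" ]; then
        # Refuse to overwrite an earlier backup.
        [ ! -e "$cur/jre_old" ] || { echo "$cur/jre_old exists" >&2; return 1; }
        mv "$cur/jre" "$cur/jre_old" || return 1
    fi
    cp -a "$2" "$cur/jre"
}

# use_client_vm <script>
# Rewrite -server to -client only where it stands as a whole flag, keep a
# .orig copy, and do nothing on a script that is already patched.
use_client_vm() {
    f="$1"
    re='(^|[[:space:]"])-server([[:space:]"]|$)'
    [ -f "$f" ] || { echo "$f not found" >&2; return 1; }
    if ! grep -Eq -- "$re" "$f"; then
        echo "no -server flag in $f, nothing to do" >&2
        return 0
    fi
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    # Write through cat so the script keeps its mode and owner.
    sed -E "s/$re/\\1-client\\2/g" "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Usage: sh swap_jre.sh <agent_home> <replacement_jre_dir>
if [ "$#" -eq 2 ]; then
    swap_jre "$1" "$2" && use_client_vm "$1/current/bin/scripts/connectors.sh"
fi
```

Running it a second time leaves connectors.sh untouched and refuses to replace the JRE again while jre_old is still present.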
