parfuar (Contributor)

how to send correlation alerts from esm to logger

I want to send events and alerts to a new machine.
At this moment I have the Logger sending all the events to the new machine.
Now I just need to send the ESM alerts (correlations).
The process has to be done by syslog; is it possible? I was thinking of sending the ESM events to the Logger, and then resending them to the new machine.

8 Replies

Knowledge Partner

Re: how to send correlation alerts from esm to logger

There you go: https://community.microfocus.com/t5/ArcSight-User-Discussions/HOW-TO-ESM-to-Logger-forwarding/td-p/1586474

In order to forward only correlation events, you need to edit the ACL for the forwarding connector user that you create.

parfuar (Contributor)

Re: how to send correlation alerts from esm to logger

OK. I have a filter with the events (correlation) that I want to send to the Logger.

Does the connector (forwarding connector) have to be installed on the ESM?

In the end the connector will not be visible, so how can I apply the filter, configure it, etc.?

Thanks for listening

Knowledge Partner

Re: how to send correlation alerts from esm to logger

Hello,

The FWD SM can be installed on the ESM side, and the majority choose to do this. But this is not necessarily required. This special SM can be installed in a separate location as well. Most probably the majority chose to install this SM on the ESM so that it is easy to control and contain.

What's very important is to get the correct binaries of the FWD SM for the correct version of ESM. Each ESM version comes with its own version of the FWD SM.

Once installed, the FWD SM will be seen on the ESM side. It's also true that you can easily import it into ArcMC.

Once again, please read carefully the "ArcSight Forwarding Connector Configuration Guide" and follow all the steps and requirements to install and configure it for your specific task.

For ESM 6.9.1 the FWD documentation is:

https://community.microfocus.com/t5/ESM-and-ESM-Express-Previous/Forwarding-Connector-7-1-7-7602-0-Configuration-Guide/ta-p/1589010?advanced=false&collapse_discussion=true&filter=includeTkbs,location&include_tkbs=true&location=tkb-board:ESM_ESMExpress_Previous_Releases&q=ArcSight%20Forwarding%20Connector%20Configuration%20Guide&search_type=thread

For ESM 6.11 the FWD documentation is:

https://community.microfocus.com/t5/ESM-and-ESM-Express-Previous/ArcSight-Forwarding-Connector-Config-Guide-7-5-0-7986-0/ta-p/1584921?collapse_discussion=true&filter=includeTkbs,location&include_tkbs=true&location=tkb-board:ESM_ESMExpress_Previous_Releases&q=Forwarding%20Connector%20Configuration%20Guide&search_type=thread

For ESM 7.0 the FWD documentation is:

https://community.microfocus.com/t5/ESM-and-ESM-Express-Previous/ArcSight-Forwarding-Connector-Configuration-Guide-7-7-0-8046-0/ta-p/1641717?advanced=false&collapse_discussion=true&filter=includeTkbs,location&include_tkbs=true&location=tkb-board:ESM_ESMExpress_Previous_Releases&q=ArcSight%20Forwarding%20Connector%20Configuration%20Guide&search_type=thread

For ESM 7.0P1 the FWD documentation is:

https://community.microfocus.com/t5/ESM-and-ESM-Express/Micro-Focus-Security-ArcSight-Forwarding-Connector-Configuration/ta-p/1661022

Best Regards,

Daniel

Please read carefully the required steps and procedure in order to install this specific SM as

parfuar (Contributor)

Re: how to send correlation alerts from esm to logger

Hello,
Thank you for your help.

In my case the version is ESM Express v.6.11.02385.1.
I am using SmartConnector 7.11 (ArcSight-7.11.0.8139.0-Connector-Linux64.bin). I'm installing it on the ESM.

The first setup was normal as the image shows.

My problem now is when I run runagentsetup.sh, these options appear:

"Please verify the following parameters

Unique Generator ID:
FIPS Mode: Disabled
Remote Management: Disabled
Remote Management Listener Port:
Preferred IP Version: IPv4
Format Preserving Encryption: Disabled
Format Preserving Host URL:
Proxy Host (https):
Proxy Port:
Format Preserving Identity:
Format Preserving Secret:
Event Fields to Encrypt: rawEvent,requestUrl,requestCookies,deviceCustomNumber1,deviceCustomString1,deviceDomain,deviceEventClassId,deviceVendor,deviceProduct,sourceHostName,sourceNtDomain,sourcePort,sourceUserName,sourceUserId,sourceUserPrivileges,destinationHostName,destinationNtDomain,destinationPort,destinationUserName,destinationUserId,destinationUserPrivileges"

Thanks

Knowledge Partner

Re: how to send correlation alerts from esm to logger

It seems you installed a SmartConnector. The Forwarding Connector is different from the SmartConnector. You should download it separately.

Knowledge Partner

Re: how to send correlation alerts from esm to logger

Hello,

The FWD connector for ESM 7.0P1 is "ArcSight-7.9.0.8087.0-SuperConnector-Linux64.bin".

For ESM 6.11 it is "ArcSight-7.5.0.7986.0-SuperConnector-Linux64.bin", and for ESM 6.9.1 it is "ArcSight-7.1.7.7602.0-SuperConnector-Linux64.bin".

Please connect to the MF download portal and download this special SM from the same place where you got ESM 7.0P1, ESM 6.11 or ESM 6.9.1.

Also, I encourage you to read the links to the documentation that covers the ESM version that you have.

Best Regards,

Daniel

Micro Focus Contributor

Re: how to send correlation alerts from esm to logger

If you enable Remote Management on the connector, you can manage connector with ArcMC.

Re: how to send correlation alerts from esm to logger

The Super/Forwarding Connector guide has the information you're looking for, including how to send directly to syslog.

https://community.microfocus.com/t5/ESM-and-ESM-Express-Previous/ArcSight-Forwarding-Connector-Configuration-Guide-7-7-0-8046-0/ta-p/1641717

If you do send event data from the ESM to a Logger that also forwards events from other systems to the ESM, make sure you add a line in your Forwarders that prevents the Logger from sending the events from the ESM back to the ESM, something like deviceAddress != x.x.x.x. If you do not, it is possible to create a loop between the systems. If you turn on the Forwarding Connector and see a big spike in EPS on the Logger and ESM, that is probably what is happening, and you should shut it off immediately and then fix it.

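The loop guard described in the reply above, as an added example that is not part of the thread and is not ArcSight's own code. It assumes the Forwarding Connector delivers CEF over syslog, that the CEF `dvc` extension carries deviceAddress and `rt` carries receipt time in epoch milliseconds, that the ESM sits at the hypothetical address 10.0.0.5 (the post's x.x.x.x), and that `type=2` marks a correlation event; the sample syslog lines are constructed, not captured. It applies the `deviceAddress != ESM` forwarder condition and then checks for the EPS spike the reply says a loop produces.

```python
import re
from collections import Counter

# Hypothetical ESM address; stands in for the "x.x.x.x" in the reply above.
ESM_ADDRESS = "10.0.0.5"

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(
    r"CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<dversion>[^|]*)\|(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$"
)
# Extension is "key=value key=value"; values may contain spaces, so stop before the next key.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload into a dict (None if not CEF)."""
    m = CEF_RE.search(line)
    if m is None:
        return None
    event = {k: m.group(k) for k in ("vendor", "product", "sig", "name", "sev")}
    event.update(EXT_RE.findall(m.group("ext")))
    return event


def should_forward(event, esm_address=ESM_ADDRESS):
    """Logger-side forwarder condition: drop anything the ESM itself emitted.
    CEF 'dvc' is deviceAddress (assumed), so this is deviceAddress != x.x.x.x."""
    return event.get("dvc") != esm_address


def events_per_second(events):
    """Count events per receipt second from the CEF 'rt' key (epoch ms assumed)."""
    counts = Counter()
    for ev in events:
        rt = ev.get("rt")
        if rt and rt.isdigit():
            counts[int(rt) // 1000] += 1
    return counts


def loop_suspected(events, baseline_eps, factor=5):
    """Flag the EPS spike the reply describes: any second at factor x the expected rate."""
    counts = events_per_second(events)
    return any(c > baseline_eps * factor for c in counts.values())


def run_forwarder(lines, esm_address=ESM_ADDRESS):
    """Parse, then apply the loop guard. Returns (forwarded events, dropped count)."""
    parsed = [ev for ev in (parse_cef(l) for l in lines) if ev is not None]
    forwarded = [ev for ev in parsed if should_forward(ev, esm_address)]
    return forwarded, len(parsed) - len(forwarded)


def _line(ts_ms, dvc, sig, name, extra=""):
    # Constructed syslog + CEF line; the header fields are illustrative only.
    return (f"<134>Oct 10 12:00:00 logger01 "
            f"CEF:0|ArcSight|ArcSight|7.0|{sig}|{name}|5|dvc={dvc} rt={ts_ms} {extra}").rstrip()


# Constructed input: two firewall events per second relayed through the Logger,
# then a burst of the ESM's own correlation events arriving on the same forwarder.
SAMPLE_LINES = (
    [_line(1600000000000 + i * 500, "192.0.2.10", "fw:100", "Allowed connection") for i in range(4)]
    + [_line(1600000002000 + i * 50, ESM_ADDRESS, "rule:101", "Brute force detected", "type=2")
       for i in range(12)]
)

if __name__ == "__main__":
    unfiltered = [parse_cef(l) for l in SAMPLE_LINES]
    print("loop suspected without the guard:", loop_suspected(unfiltered, baseline_eps=2))
    fwd, dropped = run_forwarder(SAMPLE_LINES)
    print(f"forwarded {len(fwd)} events, dropped {dropped} ESM-origin events")
    print("loop suspected with the guard:", loop_suspected(fwd, baseline_eps=2))
```

Without the guard the burst of ESM-origin events pushes one second to 12 EPS against a 2 EPS baseline, which is the spike to watch for; with the `dvc != ESM` condition in place those events never leave the Logger, so nothing returns to the ESM and the rate stays flat.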