I have taken over an Arcsight implementation with limited experience in the management of the backend. Most of the Connectors were set up before I got here. I have only had a hand in setting up a SEP and AIX connector, so no Windows connectors at this point. We currently have 6 Windows unified connectors set up to glean security log data only. In looking at the configuration wizard for these connectors, I'm a little confused about some of the parameters and what they are used for.
In part of the configuration, it asks for the Domain Name, Domain User Name, Domain User Password, Active Directory Server, Active Directory User Name, etc. When you get to the screen to add Windows hosts, it also asks for the Domain Name, the Host Name, the User Name, and Password.
On our Connectors, we have a disparity going on between what's in these fields. For example, we have one connector that has an FQDN domain listed in the first Domain Name that isn't the domain that the hosts are in, with an account listed that doesn't even exist in that domain, but with an Active Directory server for that domain; and then it has no Domain Name listed in the Hosts table and no User Name, but it has a password listed. I checked, and we are definitely receiving security logs from this connector.
Then we have another connector that's set up with the first Domain Name as just the base name of the domain, without the .com or anything, and it has the IP address listed as the Active Directory Server and a user name and password that is in that domain; and then there is no Domain Name listed in the Hosts table, but it does have the same user name and password that is on the first configuration page for the SmartConnector.
Then we have another one that has the FQDN, a proper Domain User Name and Password, and the FQDN of the AD server with the same AD user name and password as the other one, but again no Domain Name and no User Name in the Hosts table, though it does have a password defined.
Can someone tell me exactly what these fields are used for on Windows Unified connectors, and how they are supposed to be set up?
I always just leave those fields default and then populate the hosts table with the correct domain. You can just continue on that screen with the default entries.
The default is that everything is blank. Are you saying to just leave that first whole part blank and just put everything in the Host Table?
Thanks, that works. I'd still like to know what the purpose of all of these settings is. I'm guessing you would put in the initial settings if all of your servers on that connector are going to be in the same domain, so you don't have to put in each domain individually on the host table. Does that sound right? It would be the same for the user name and password for the domain as well, I'm guessing.
What I don't understand is what the AD settings are for on that page. Could you or someone else clarify what I have stated as well as give clarification on the AD settings? Thanks.
Thanks for your help, Justin. I was able to get set up what I needed with this info. Thanks much.