Highlighted
Absent Member.
Absent Member.
3714 views

ESM Destinations

Jump to solution

Hello, everybody.. I am new here and newbie with logger and ESM as well.

Currently I am testing Logger L3400 appliance.

I am doing all stuff with reference to guides that was provided me.

But I have 1 issue that couldn't be solved by guides,

I couldn't add ESM destination in Logger, there are an error "There was a problem: Failed to add destination".

I have tried to do everything that is written in guides, I guess 2 reasons could be for this:

1 SSL cert

2 Connector

As i understand from architecture for sending events from Logger to ESM we have to set up streaming connector

but here the question where to setup? on ESM or Logger, or remote machine?

Labels (3)
0 Likes
Reply
1 Solution

Accepted Solutions
Highlighted
Honored Contributor.
Honored Contributor.

Azamat,

You'll need to provide the hostname or ip of your ESM to match exactly as you provided it in the self signed or otherwise signed certificate file during the ESM installation so if you went with hostname you'll have to use hostname not the IP it won't work otherwise.

also an easy way to grab that cert file just go to the ESM from your web browser https://address:8443 and copy the certificate to your local drive and upload to the logger your account will of course need permissions to add connectors to the ESM.

logger to esm.jpg

View solution in original post

0 Likes
Reply
19 Replies
Highlighted
Absent Member.
Absent Member.

When i want to add ESM destionation on Logger, there are few fileds.



Also this error comes out when i want to save it "There was a problem: Failed to add destination"

what type of connector should be specified in connector name field? or there should be some steps before this?

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Hi Azamat,

you have to configure a forwarding Connector on the Logger. For that you basically need to do the following steps:

1.      Import the ESM Managers certificate (cacerts file found in $MANAGER_HOME/jre/lib/security) under >Configuration>Event Input                    Output>Certificates

2.     Create a Destination for the ESM



= MyESM

= for example myESM_Forwarder
= /All Connectors/myLogger
= where is your logger located
= myESM Hostname or IP (must match name used for creating the certificate)
= 8443 is default
= ESM admin account

3. Create a Forwarder ( Configuration>Event Input Output> Forwarder > ADD)

     -     Name: myESM_Forwarder

     -     Type: ArcSight ESM

     -     Filter Type: pick what you want to use

--> Next

     -     Create a Query if you want to filter (for example: storageGroup(Default Storage Group,Internal Event Storage Group)  )

     -     Choose your above configured ESM Destination

Done

When you still have problem go to configuration>Retrieve Logs and browse the logs for a more detailled Description of your Error. "There was a problem: Failed to add destination" can really mean anything.

Hope this helped,

Christoph

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

You mean import the SSL cert from manager(export from manager) or whole cacerts file?

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Actually I was doing all the steps from your post before, but still same error. anyway thanks for response

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Well yea that's the same imho, you import the whole cacerts file into the Logger.

Do the Logs supply any additional infos here? Maybe we can find a hint there.

BR,

Christoph

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

I've looked to the logs, and didn't get any useful info for me, may be coz I don't now what to search and also there so many files, I am not sure which one to see.

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

I think its $LOGGER_HOME/current/logs/

platform.log

and/or

core-service.log

Another essential thing: Firewall Port 8443 TCP is open between Logger and Manager?

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

on the ESM side firewall is off, on the logger side I am not sure.

can You look for the logs pls, cos i couldn't get any info

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

this is the logs, if you have time pls look at it

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

Connector_1 says:

[2012-04-24 10:16:34,900][ERROR][default.com.arcsight.manager.XmlRpcManager][execute]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1074)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at helma.xmlrpc.XmlRpcClient$Worker.execute(Unknown Source)
    at helma.xmlrpc.XmlRpcClient.execute(Unknown Source)
    at com.arcsight.manager.XmlRpcManager.privateExecute(XmlRpcManager.java:424)
    at com.arcsight.manager.XmlRpcManager.execute(XmlRpcManager.java:248)
    at com.arcsight.f.k.loginAndReturnValue(k.java:223)
    at com.arcsight.agent.wf.n.a(n.java:1582)
    at com.arcsight.agent.transport.b.m.a(m.java:495)
    at com.arcsight.loadable.soap.v1.CWSAPIBase.registerDestination(CWSAPIBase.java:486)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:384)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:281)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:697)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
    ... 49 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 55 more
[2012-04-24 10:16:34,901][ERROR][default.com.arcsight.manager.XmlRpcManager][execute] Could not execute (admin,[B@29d50d,680310680,true,Agent Registration Tool)
[2012-04-24 10:16:34,901][FATAL][default.com.arcsight.agent.loadable.transport.event._AgentHTTPEventTransport][doRegistration] Registration failed: Manager certificate not trusted. Please check your SSL configuration.

This is very likely a certificate issue. If you have imported it correctly, then make sure that the the IP or Hostname of the Manager in the certificate matches the one you configured as ESM Destination in the Logger. So if you created a Self-Signed Cert under usage of the ESM Hostname MYESM, then you MUST you this Hostname MYESM in the Logger as ESM Destination (and create an entry in /etc/hosts of course - but i don't know how to do this on appliances )

0 Likes
Reply
Highlighted
Absent Member.
Absent Member.

We had a similar issue and then we made sure the name of the ESM destination matched the certificate exactly, it started working.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.