pratikp Absent Member.
Absent Member.
390 views

Ethernet bonding in ArcSight Express

Dear All,

Before configuring ArcSight express 4.0 appliance , I would like to do Ethernet bonding for redundancy.

Please let me know whether bonding of Ethernet ports and then providing IP address to bond during configuration is possible in ArcSight Express.

Please provide valuable inputs ASAP.

Regards,

Pratik Patil

Labels (1)
0 Likes
Reply
9 Replies
Acclaimed Contributor.. lless Acclaimed Contributor..
Acclaimed Contributor..

Re: Ethernet bonding in ArcSight Express

I have not seen in official documentation for information about this. Believe you can on your own to use a third-party solution, but in the case of support may be asked to return settings to the destination state.

0 Likes
Reply
frankbijkersma Honored Contributor.
Honored Contributor.

Re: Ethernet bonding in ArcSight Express

Bonding of Ethernet Ports has no ill effects on ArcSight. However you should never bond before installation of ArcSight as there have been issues with the installation scripts not accepting the bond0 as an ethernet interface, requiring ethX instead.

So if you have it already installed; go ahead and bond those interfaces! We have it bonded as well on ESM 5.0, 6,5 and Logger 5,0 and 6,0.

Bonding is handled on OS level. So you should just follow the Red Hat or CentOS documentation and you are all set.

0 Likes
Reply
StevenvandeBraak Outstanding Contributor.
Outstanding Contributor.

Re: Ethernet bonding in ArcSight Express

Yup, bonding works fine. Although I had some trouble in the past with ESM 5 and bonding but that had to do with the contrack tables being flooded in iptables. That issue wasn't documented in ESM 5. 

rgds,

steven

0 Likes
Reply
jring1 Trusted Contributor.
Trusted Contributor.

Re: Ethernet bonding in ArcSight Express

Hi,

I can attest that we don't have problems with the bond interfaces on our ESM installations. The original poster is asking about arcsight express though, which is an appliance iirc. So configuring bonding without root access might prove difficult and even if you can pull it off it might void your support.

Joachim

0 Likes
Reply
frankbijkersma Honored Contributor.
Honored Contributor.

Re: Ethernet bonding in ArcSight Express

I have done this on an express as well. I had full root access. Though it was running on 5.0 so probably an express 3?
Maybe they changed it with newer models? I knew logger never had any root access.

0 Likes
Reply
jring1 Trusted Contributor.
Trusted Contributor.

Re: Ethernet bonding in ArcSight Express

Interesting... the arcsight appliances I have seen in the past (logger and connapps -  we never used express) were nailed shut and needed support to provide you with a one-time password for temporary root access. They also tried quite hard to disable "alternate root accounts" people might have accidentially created...

This policy has only stopped with the latest logger and ArcMC appliances which come with a root access via ssh and a default password which MUST BE CHANGED!

Joachim

0 Likes
Reply
frankbijkersma Honored Contributor.
Honored Contributor.

Re: Ethernet bonding in ArcSight Express

The Logger indeed was completely closed until 6.0 and needed a SSH challenge response code from Support to get access. But the ESM Express was fully open, at least for us. We now have software versions of ESM and Logger and I can root all day long now!

0 Likes
Reply
Honored Contributor.. simon.simcic@sr Honored Contributor..
Honored Contributor..

Re: Ethernet bonding in ArcSight Express

I Have setup nic bonding onexpress 4.0 following red hat documentation, just be sure to disable network manager on Linux.

br S

0 Likes
Reply
Outstanding Contributor.. LakeHealthInfoS Outstanding Contributor..
Outstanding Contributor..

Re: Ethernet bonding in ArcSight Express

   

ArcSight NIC Bonding

 

Version 1

 

June 29, 2010

 

Copyright © 2010 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight ESM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, FlexAgent, SmartAgent and CounterAct are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks or registered trademarks of their respective owners.

 

To see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements, visit: http://www.arcsight.com/copyrightnotice.

 

Revision History

 

Date

Product Version

Description

6/29/10

1

Initial Revision

 

 

   
   

Contents

 

1 Chapter Title.......................................................................................................... 3

 

Heading 1............................................................................................................. 3

 

Heading 2....................................................................................................... 3

 

Heading 3............................................................................................... 3

 

   
   

1 NIC Bonding

   

The Linux kernel in-use on ArcSight appliances (All Loggers and Connector Appliances, All ESM appliances) has the ability to perform NIC bonding or teaming. This allows multiple NICs on these servers to be used in a high-availability configuration. This configuration is used to circumvent any potential failures of the built-in NICs as well as cables or switch ports that a server is attached to.

 

Although unsupported on appliances where customers do not normally have root access (Loggers and Connector Appliances) customers do have access to the operating systems on the various ESM appliances (ArcSight Express and the E7x00-based systems.) For many environments providing a method of NIC/network failover is a requirement, and the default Linux kernel can meet this requirement.

 

Steps to enable NIC Bonding

 

The steps to enable NIC bonding are fairly straightforward. Before starting the system should be operational. The two (or more) NICs that are chosen to be used should be plugged into the appropriate switch ports and link lights should be showing on the switch and ArcSight-supplied equipment.

 

  1. Edit /etc/modprobe.conf on the system. Add the following lines to the bottom of the file

 

alias bond0 bonding

 

options bond0 max_bonds=2 miimon=100 mode=1

 

  1. Back-up the existing network configuration.

 

cd /etc/sysconfig/network-scripts

 

mkdir bak

 

cp ifcfg-eth* bak/.

 

  1. Create a new file in /etc/sysconfig/network-scripts called ifcfg-bond0. It should contain the following:

 

DEVICE=bond0

 

BOOTPROTO=none

 

IPADDR=CUSTOMER_IP

 

NETMASK=CUSTOMER_NETMASK

 

ONBOOT=yes

 

USERCTL=no

 

MII_NOT_SUPPORTED=yes

 

  1. Replace the existing /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1. Their contents should be similar to the following, with the “DEVICE=eth0” matching the filename:

 

DEVICE=eth0

 

USERCTL=no

 

ONBOOT=yes

 

MASTER=bond0

 

SLAVE=yes

 

BOOTPROTO=none

 

MII_NOT_SUPPORTED=yes

 

 

  1. With these files in place, as root, issue the command “service network restart” This command will restart the Linux network stack. If this command is being performed remotely, the current ssh session will “pause” while the network stack is restarted, however, the session should re-establish after 30 seconds.

 

References

 

For further reading on the capabilities of Linux network bonding, please see the following websites:

 

http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding

 

http://www.linux-corner.info/bonding.html

 

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.