robert.baumer@u Absent Member.

Smart Connectors Compatible with Logger

Greetings All,

Not sure this is the forum I should be asking in, but I will take a stab. I have set up a few connectors for the company for Snort.db to ESM. I am attempting to research a project in my lab using SNORT -> SmartConnector -> Logger -> ESM. My question is, are all the Connectors compatible with Logger, or is it only a select few? If so, will the Syslog version allow me to catch the payload?

Thank you,

Bob

5 Replies
robert.baumer@u Absent Member.

Re: Smart Connectors Compatible with Logger

I actually ran into the same problem while attempting to install a SmartConnector. When I attempt to configure the connector it returns an error:

Error:

Connection to [10.1.1.251] port 9000 failed ping test

Do you want to continue anyway?

I have opened ports 9000 UDP and 9000 TCP on the logger system.

[root@arcsight ~]# tcpdump -i eth0 (host 10.1.1.254 and port 9000)
-bash: syntax error near unexpected token `('
[root@arcsight ~]# tcpdump -i eth0 host 10.1.1.254 and port 9000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:29:08.028482 IP 10.1.1.254.39044 > arcsight.dqo.com.cslistener: S 3776226166:3776226166(0) win 5840 <mss 1460,sackOK,timestamp 350086190 0,nop,wscale 7>
12:29:08.028585 IP arcsight.dqo.com.cslistener > 10.1.1.254.39044: R 0:0(0) ack 3776226167 win 0
12:29:08.030798 IP 10.1.1.254.39045 > arcsight.dqo.com.cslistener: S 3777374198:3777374198(0) win 5840 <mss 1460,sackOK,timestamp 350086194 0,nop,wscale 7>
12:29:08.030883 IP arcsight.dqo.com.cslistener > 10.1.1.254.39045: R 0:0(0) ack 3777374199 win 0

From the looks of things, Logger is responding, but the installer is not listening. I have this with any connector I try to install.

My OS is CentOS release 5.6 (Final).

Thanks, Bob

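The tcpdump output above shows the Logger host answering each SYN on port 9000 with a RST, which is what "reachable host, nothing listening on that port" looks like on the wire. The following script is an added example, not code from the thread or from ArcSight: it parses old-style tcpdump TCP lines like Bob's and reports, for every server endpoint that was probed, whether the SYN was answered with a SYN-ACK (listening), a RST (closed), or nothing at all (typically a firewall dropping the packet). The constructed sample capture embeds Bob's four lines unchanged and adds three constructed lines (the `https` flows and the `10.1.1.9` host are made up) so that all three outcomes appear.

```python
import re

# Constructed sample capture: the four lines from Bob's post (port 9000 answered
# with RST), plus three constructed lines showing a completed handshake on 443
# and a SYN that never gets a reply. The https flows and 10.1.1.9 are made up.
SAMPLE_CAPTURE = """\
12:29:08.028482 IP 10.1.1.254.39044 > arcsight.dqo.com.cslistener: S 3776226166:3776226166(0) win 5840 <mss 1460,sackOK,timestamp 350086190 0,nop,wscale 7>
12:29:08.028585 IP arcsight.dqo.com.cslistener > 10.1.1.254.39044: R 0:0(0) ack 3776226167 win 0
12:29:08.030798 IP 10.1.1.254.39045 > arcsight.dqo.com.cslistener: S 3777374198:3777374198(0) win 5840 <mss 1460,sackOK,timestamp 350086194 0,nop,wscale 7>
12:29:08.030883 IP arcsight.dqo.com.cslistener > 10.1.1.254.39045: R 0:0(0) ack 3777374199 win 0
12:30:01.000000 IP 10.1.1.254.39050 > arcsight.dqo.com.https: S 100:100(0) win 5840 <mss 1460>
12:30:01.000200 IP arcsight.dqo.com.https > 10.1.1.254.39050: S 200:200(0) ack 101 win 5792 <mss 1460>
12:30:05.000000 IP 10.1.1.254.39051 > 10.1.1.9.https: S 300:300(0) win 5840 <mss 1460>
"""

# Old-style (pre-4.x) tcpdump TCP line:
#   <timestamp> IP <src.port> > <dst.port>: <flags> <seq>:<seq>(len) [ack N] win ...
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRFP.]+) (?P<rest>.*)$"
)


def parse_packet(line):
    """Return the fields we care about from one tcpdump line, or None if it is
    not a TCP line in the expected format."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rest_tokens = m.group("rest").split()
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "syn": "S" in m.group("flags"),
        "rst": "R" in m.group("flags"),
        # old tcpdump prints "ack N" as a keyword rather than an "A" flag
        "ack": "ack" in rest_tokens,
    }


def classify_flows(capture):
    """Map each probed server endpoint (host.port) to a verdict based on how
    the server answered the client's SYN."""
    verdicts = {}
    pending = set()  # (client, server) pairs whose SYN has not been answered yet
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["syn"] and not pkt["ack"]:
            # A bare SYN: remember the flow; verdict stays "no reply" unless
            # something comes back.
            pending.add((pkt["src"], pkt["dst"]))
            verdicts.setdefault(pkt["dst"], "no reply: filtered or unreachable")
            continue
        key = (pkt["dst"], pkt["src"])  # a reply travels server -> client
        if key not in pending:
            continue
        pending.discard(key)
        if pkt["rst"]:
            verdicts[pkt["src"]] = "closed: host reachable, nothing listening (RST)"
        elif pkt["syn"] and pkt["ack"]:
            verdicts[pkt["src"]] = "open: SYN-ACK received"
    return verdicts


if __name__ == "__main__":
    for endpoint, verdict in classify_flows(SAMPLE_CAPTURE).items():
        print(f"{endpoint:35s} {verdict}")
```

Run against Bob's capture the script flags `arcsight.dqo.com.cslistener` (port 9000) as closed, which matches the installer's "failed ping test" message: the firewall rule was not the problem, the Logger simply has no service on that port. Newer tcpdump versions print flags as `Flags [S.]` instead of the old bare-letter form, so the regular expression would need adjusting for a current capture.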
Dean Farrington Absent Member.

Re: Smart Connectors Compatible with Logger

If I am not mistaken, the connectors communicate on port 443. Try opening that port and see if you get anything.

Dean

dtanner1 Honored Contributor.

Re: Smart Connectors Compatible with Logger

The first thing I would do is verify that your connector can talk to your Logger box.

telnet IP 443

Yes, the Logger can accept all SmartConnector agents, not just a select few. The Connector sends the events to the Logger and/or ESM over port 443.

Make sure on the Logger, when you create the "Receiver", that you select "Smart Message Receiver"; this isn't the default selection when creating a new one. Also note that you have to enable that Receiver after it's created, another non-default setting.

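The `telnet IP 443` check above, as an added example (not from the thread) written in Python instead of telnet: a probe that reports which of the three outcomes a connector-to-Logger connect attempt produced, so the "connection refused" case seen in the tcpdump trace (reachable host, no listener) is told apart from a silent timeout (packets dropped by a firewall). The Logger address `10.1.1.251` in the demo is the one from Bob's error message and stands in for your own; the two helper functions exist only to exercise the probe against the local machine.

```python
import socket

# Placeholder taken from the error message in the thread; replace with your Logger.
LOGGER_HOST = "10.1.1.251"


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and describe what happened.

    Returns one of:
      "open"     - handshake completed, something is listening
      "refused"  - the host answered with RST: reachable, nothing listening
      "timeout"  - no answer within `timeout`, typically a firewall dropping packets
      "error:N"  - some other OS error (no route, name resolution failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"


def start_listener(host="127.0.0.1"):
    """Helper for demonstration only: listen on an ephemeral port so a probe
    against it returns "open". Caller must close the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Helper for demonstration only: ask the OS for a free port and release it,
    so a probe against it is answered with RST ("refused")."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # 443 is the port the SmartConnector uses to reach Logger; 9000 is the port
    # Bob's installer complained about.
    for port in (443, 9000):
        print(f"{LOGGER_HOST}:{port} -> {probe_tcp(LOGGER_HOST, port)}")
```

A "refused" result on 443 means the Receiver on the Logger side is not up (not created as a Smart Message Receiver, or created but not enabled, as the replies below note); a "timeout" points at the network path between connector and Logger rather than at the Logger configuration.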
vip New Member.

Re: Smart Connectors Compatible with Logger

One of the roles of the SmartConnector is to normalize events into a pre-defined set of fields. The Logger should understand all these fields (this was not the case until version 4.X ...), so, yes, a Logger should be compatible with any SmartConnector.

Mat1 Absent Member.

Re: Smart Connectors Compatible with Logger

Also note that you have to enable that Receiver after it's created another non-default setting.

Yes, the small icon at the end of the receiver table, in a column without a label, is the status of the receiver, which is disabled by default. Not really user-friendly!

Since it is not the first time I have spent some time on this issue, maybe this will be helpful to others.
