This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
jitendra-singh1
Absent Member.
Absent Member.
‎2012-04-13 11:30
780 views

How to send events from ArcOSI to ESM?

Jump to solution

Hi,

I am running the Smart Connector on Windows platform and have downloaded arcosi-28.exe on a different machine. On my machine (Not smart Connector Server) I ran arcosi-28.exe through command prompt. (arcosi-28.exe 10.1.1.1 where 10.1.1.1 is my Smart Connector Server's IP) Hundreds of events got generated but I do not see any events in Active Channels.

My question here is that Do I need to run ArcOSI on 10.1.1.1 or is it fine if i run it on a different machine.

Also is there anything that I am missing. maybe a syslog server on my machine. I know I need to make changes in the syslog configuration file but what changes and where?

If there is a complete intall guide can some one please share?

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
amgupta
Absent Member.
Absent Member.
‎2012-04-13 11:39

Jump to solution

Here you can get details,

https://protect724.arcsight.com/message/21327#21327

Apart from this,

You need to install arcosi.exe in a machine where syslog connector is running. You don't need to make any changes in the syslog configuratin as you are going to install in a windows machine.

First install a syslog connector and start it.
Then, download the arcosi-28.exe and place it on a server where you have a syslog connector running.
Open a command prompt, cd to the directory where arcosi-28.exe is
In my case I place the file in the root of D:\
and running the following: arcosi-28.exe localhost

Since your syslog connector is configured to send logs to your ESM, you will be able to see these events in active channel just by putting filter,

agenthostname = "your syslog server host name"

- Amit

View solution in original post

0 Likes
Reply
Report Inappropriate Content
7 Replies
amgupta
Absent Member.
Absent Member.
‎2012-04-13 11:39

Jump to solution

Here you can get details,

https://protect724.arcsight.com/message/21327#21327

Apart from this,

You need to install arcosi.exe in a machine where syslog connector is running. You don't need to make any changes in the syslog configuratin as you are going to install in a windows machine.

First install a syslog connector and start it.
Then, download the arcosi-28.exe and place it on a server where you have a syslog connector running.
Open a command prompt, cd to the directory where arcosi-28.exe is
In my case I place the file in the root of D:\
and running the following: arcosi-28.exe localhost

Since your syslog connector is configured to send logs to your ESM, you will be able to see these events in active channel just by putting filter,

agenthostname = "your syslog server host name"

- Amit

View solution in original post

0 Likes
Reply
Report Inappropriate Content
jitendra-singh1
Absent Member.
Absent Member.
‎2012-04-19 07:44

Jump to solution

Hi Amit,

Thank you for your help. I appreciate it.

Now I need to put the sources in the AL. Am new to ArcSight in terms of rules. So what would the condition be?

DeviceVendor = ArcOSI put source address/hostname in an AL and how would the rule fire? Can you also help me with that?

Thanks.

0 Likes
Reply
Report Inappropriate Content
jitendra-singh1
Absent Member.
Absent Member.
‎2012-04-19 13:21

Jump to solution

Hi Amit,

I was able to populate the Active List to add the ArcOSI events to an AL. Thanks.

0 Likes
Reply
Report Inappropriate Content
sammmm-e1
Absent Member.
Absent Member.
‎2012-08-06 05:09

Jump to solution

Hi any chance of some help setting up the new version BadHarvest?

I have got the script running fine. Its getting it into ESM is the problem

Have set up a CEF Syslog connector listening on 514UDP (is this correct??) with dest of the manager on TCP8443

The manager marks the connector as UP so thats all cool.

When i run the script on the connector i enter: python harvest.py -c harvest.cfg localhost -p 514 and its off scraping..

I am confused as to why this is not working - Can someone point me in the right direction as i'm fairly new to this and probably over my head (lol)!

0 Likes
Reply
Report Inappropriate Content
Ladeay
Absent Member.
Absent Member.
‎2012-12-06 10:39

Jump to solution

Hi Jitendra,

I'm also trying to create an AL or Rule on the ArcOSI events.

Kindly help me on how you were able to do yours.

Thanks

0 Likes
Reply
Report Inappropriate Content
jitendra-singh1
Absent Member.
Absent Member.
‎2012-12-12 06:01

Jump to solution

Hi,

Once ArcOsi is installed create an Active List with Sorce address and Source hostname as the key field. Then create a rule with the following parameters.

Condition

Device Vendor = ArcOsi

Aggregation should be default

Action: On Every event add it to AL which u created.

This will populate your AL. Once that is confirmed, create another rule.

Parameters: Device Vendor !=ArcOsi

Aggregation should be default and select the action that suits your environment.

Hope it helps.

Regards,

Jitendra

0 Likes
Reply
Report Inappropriate Content
tejeu_tejeu1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2015-01-26 13:12

Jump to solution

Hi,

  Please let me know anybody is using ArcOsi still....

Regards,

Tejesh

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.