726 views

How to send events from ArcOSI to ESM?


Hi,

I am running the SmartConnector on a Windows platform and have downloaded arcosi-28.exe on a different machine. On my machine (not the SmartConnector server) I ran arcosi-28.exe from a command prompt (arcosi-28.exe 10.1.1.1, where 10.1.1.1 is my SmartConnector server's IP). Hundreds of events got generated, but I do not see any events in Active Channels.

My question here is: do I need to run ArcOSI on 10.1.1.1, or is it fine if I run it on a different machine?

Also, is there anything that I am missing, maybe a syslog server on my machine? I know I need to make changes in the syslog configuration file, but what changes, and where?

If there is a complete install guide, can someone please share it?

Accepted Solutions

Here you can get details,

https://protect724.arcsight.com/message/21327#21327

Apart from this,

You need to install arcosi.exe on a machine where a syslog connector is running. You don't need to make any changes in the syslog configuration, as you are going to install it on a Windows machine.

First, install a syslog connector and start it.
Then download arcosi-28.exe and place it on a server where you have a syslog connector running.
Open a command prompt and cd to the directory where arcosi-28.exe is.
In my case I placed the file in the root of D:\
and ran the following: arcosi-28.exe localhost

Since your syslog connector is configured to send logs to your ESM, you will be able to see these events in an active channel just by applying the filter

agenthostname = "your syslog server host name"

- Amit


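To check the path the accepted answer describes (a generator on the connector host sending syslog to the connector, which forwards to ESM), here is an added example of my own, not ArcOSI or ArcSight code. It builds a CEF event, wraps it in a BSD syslog frame and sends it over UDP, then confirms a throwaway listener on 127.0.0.1 receives it. The event fields, the hostname "connector-host" and the use of a free local port are constructed; ArcOSI's real CEF content, and the port your Syslog connector listens on, may differ. To exercise the real path, point send_udp_syslog at the connector's IP and listening port and look for the event in an active channel.

```python
"""Added example: build a CEF event, wrap it in a BSD syslog frame and send it over
UDP, then confirm a local listener receives it. Not ArcOSI or ArcSight code; the
event content is constructed."""
import datetime
import socket


def cef_escape_header(value):
    """Backslash and pipe delimit or escape header fields, so escape both."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """In the extension, '=' separates key from value and a newline ends the record."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ..."""
    header = "|".join(cef_escape_header(v) for v in
                      ("CEF:0", vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{key}={cef_escape_extension(val)}" for key, val in extension.items())
    return f"{header}|{ext}"


def syslog_frame(message, hostname, when=None, facility=1, severity=6):
    """Wrap a message as <PRI>Mmm dd HH:MM:SS host message (RFC 3164 style).
    PRI = facility*8 + severity; facility 1 (user) and severity 6 (info) give <14>."""
    when = when or datetime.datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero ("Jan  5").
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {message}"


def send_udp_syslog(frame, host, port):
    """Send one syslog datagram to host:port; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame.encode("utf-8"), (host, port))


def sample_event():
    """Constructed ArcOSI-style event; the field values are illustrative only."""
    return build_cef("ArcOSI", "ArcOSI", "28", "100", "Malicious IP", 5,
                     {"src": "198.51.100.23", "msg": "feed=constructed list"})


def receive_one(listener, timeout=2.0):
    """Return the next datagram on a bound UDP socket as text, or None on timeout."""
    listener.settimeout(timeout)
    try:
        data, _ = listener.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", errors="replace")


def loopback_check(port=0):
    """Bind a throwaway listener on 127.0.0.1 (port 0 picks a free port), send the
    sample event to it and return what arrived. Against a real connector, send to
    its IP and port with send_udp_syslog instead and check an active channel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        bound_port = listener.getsockname()[1]
        frame = syslog_frame(sample_event(), "connector-host")
        send_udp_syslog(frame, "127.0.0.1", bound_port)
        return receive_one(listener)


if __name__ == "__main__":
    print(loopback_check())
```

If the loopback check works but nothing reaches ESM, the remaining places to look are the connector's own listener (is it bound to the port and protocol the generator sends to, and on the right interface) and host firewall rules on the connector machine; a generator on another host sending to the connector's IP only works if that port is reachable from outside.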
7 Replies

Hi Amit,

Thank you for your help. I appreciate it.

Now I need to put the sources in the AL. I am new to ArcSight in terms of rules, so what would the condition be?

DeviceVendor = ArcOSI, put source address/hostname in an AL, and how would the rule fire? Can you also help me with that?

Thanks.


Hi Amit,

I was able to populate the Active List to add the ArcOSI events to an AL. Thanks.


Hi, any chance of some help setting up the new version, BadHarvest?

I have got the script running fine. It's getting it into ESM that is the problem.

I have set up a CEF Syslog connector listening on 514/UDP (is this correct??) with a destination of the manager on TCP 8443.

The manager marks the connector as UP, so that's all cool.

When I run the script on the connector I enter: python harvest.py -c harvest.cfg localhost -p 514, and it's off scraping.

I am confused as to why this is not working. Can someone point me in the right direction, as I'm fairly new to this and probably over my head (lol)!


Hi Jitendra,

I'm also trying to create an AL or Rule on the ArcOSI events.

Kindly help me on how you were able to do yours.

Thanks


Hi,

Once ArcOsi is installed, create an Active List with Source Address and Source Hostname as the key fields. Then create a rule with the following parameters.

Condition

Device Vendor = ArcOsi

Aggregation should be default.

Action: on every event, add it to the AL which you created.

This will populate your AL. Once that is confirmed, create another rule.

Parameters: Device Vendor != ArcOsi

Aggregation should be default, and select the action that suits your environment.

Hope it helps.

Regards,

Jitendra

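To show what the two rules above do with real events, here is an added example of my own (not ArcSight rule syntax, not ArcOSI output): a small Python emulation that parses CEF lines, applies rule 1 (Device Vendor = ArcOSI adds the source address/hostname pair to an active list) and rule 2 over the remaining events. I assume rule 2 also carries an InActiveList check against that list, since Device Vendor != ArcOsi on its own would match every non-ArcOSI event; here it tests both the source and the destination address/hostname pair. The CEF lines are constructed, and the active-list key is the (address, hostname) tuple as described above.

```python
"""Added example: CEF parsing plus the two-rule active-list pattern (populate from
ArcOSI events, then match other events against the list). Constructed sample events;
not ArcSight or ArcOSI code."""
import re

CEF_HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                     "deviceEventClassId", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, with "\=" escaped
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^=\\])*?)(?=\s+[A-Za-z0-9_.]+=|$)")
INDICATOR_VENDOR = "ArcOSI"


def _unescape(value):
    """Undo CEF extension escaping: \\= -> =, \\\\ -> \\, \\n -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one CEF line into a flat dict of the 7 header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character inside a header field
            current.append(line[i + 1])
            i += 2
        elif ch == "|":                        # unescaped pipe ends the header field
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != len(CEF_HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["cefVersion"] = event["cefVersion"][len("CEF:"):]
    for key, raw in _EXT_PAIR.findall(line[i:]):
        event[key] = _unescape(raw)
    return event


def rule_populate_active_list(events, active_list):
    """Rule 1: Device Vendor = ArcOSI -> add (source address, source hostname) to the list."""
    for ev in events:
        if ev.get("deviceVendor") == INDICATOR_VENDOR and ev.get("src"):
            active_list.add((ev["src"], ev.get("shost", "")))
    return active_list


def rule_match_against_list(events, active_list):
    """Rule 2: Device Vendor != ArcOSI and the source or destination pair is on the list."""
    hits = []
    for ev in events:
        if ev.get("deviceVendor") == INDICATOR_VENDOR:
            continue
        for addr_key, host_key, direction in (("src", "shost", "source"),
                                              ("dst", "dhost", "destination")):
            key = (ev.get(addr_key, ""), ev.get(host_key, ""))
            if key in active_list:
                hits.append({"direction": direction, "indicator": key[0],
                             "event": ev["name"], "product": ev["deviceProduct"]})
    return hits


# Constructed lines in the general CEF shape; not real ArcOSI, firewall or proxy output.
SAMPLE_EVENTS = [
    r"CEF:0|ArcOSI|ArcOSI|28|100|Malicious IP\|C2|5|src=203.0.113.7 shost=bad.example msg=list\=constructed",
    r"CEF:0|ArcOSI|ArcOSI|28|100|Malicious IP|5|src=198.51.100.23",
    r"CEF:0|Vendor|Firewall|1.0|deny|Connection denied|3|src=198.51.100.23 dst=10.0.0.5 dpt=445",
    r"CEF:0|Vendor|Firewall|1.0|allow|Connection allowed|1|src=10.0.0.9 dst=203.0.113.7 dhost=bad.example dpt=443",
    r"CEF:0|Vendor|Firewall|1.0|allow|Connection allowed|1|src=10.0.0.9 dst=203.0.113.7",
    r"CEF:0|Vendor|Proxy|2|allow|Web request|1|src=10.0.0.11 dst=192.0.2.1",
]


def run_demo(lines=SAMPLE_EVENTS):
    """Parse the lines, run rule 1 then rule 2, and return (active list, hits)."""
    events = [parse_cef(line) for line in lines]
    active_list = rule_populate_active_list(events, set())
    return active_list, rule_match_against_list(events, active_list)


if __name__ == "__main__":
    active_list, hits = run_demo()
    print("active list:", sorted(active_list))
    for hit in hits:
        print("rule 2 fired:", hit)
```

Note what the fifth sample event shows: its destination address is on the list, but because the list is keyed on the (address, hostname) pair and that event carries no dhost, the key does not match and rule 2 stays quiet. If your other devices do not populate hostnames the way the ArcOSI events do (or the connector resolves names on one side only), key the list on the address alone and keep the hostname as a value field instead.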

Hi,

Please let me know if anybody is still using ArcOsi....

Regards,

Tejesh

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.