ArcSight (HIAB only)
Purpose
This document provides setup information for the ArcSight integration.
Introduction
ArcSight is a Syslog service developed by HP and is available on systems that offer the Syslog feature. To date, that is only HIAB.
Before enabling ArcSight in the HIAB, the ArcSight server needs to be set up and configured.
Set Up ArcSight
To enable ArcSight:
- Go to Menu > Settings > Integrations.
- Select the Syslog tab.
- Check the Arcsight: checkbox as shown in the figure.
- Click Save.
When ArcSight is enabled, the Syslog message is built differently to fit into the ArcSight protocol.
Using ArcSight
When a Syslog event is activated, an ArcSight message is built instead of the ordinary Syslog message.
The Syslog message is sent to the ArcSight logger or the connector. When the logger shows the message, it is divided into columns that are easier to work with than the raw data.
Note
No ArcSight-specific errors should occur. If the ArcSight server has errors, they are due to the Syslog implementation, not the ArcSight implementation.
It is recommended that the customer use ArcSight together with TLS. If the logger cannot work with TLS messages, a connector that can do so is recommended.
There is no maintenance needed for ArcSight, but the logger or the Syslog settings must be updated if IP addresses or other information change.
Examples:
A Syslog Message
Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" Has Exploits: "false" – Medium
An ArcSight Message
dvc=192.168.202.6 spt=110 cs1Label=Script Name cs1=Unencrypted Remote Authentication Available - POP3 cs4Label=BugTraq cs4=No bugtraq cs2Label=CVE cs2=No CVE deviceCustomDate1Label=First Seen deviceCustomDate1=Nov 21 2016 11:08:00 deviceCustomDate2Label=Last Seen deviceCustomDate2=Nov 24 2016 18:08:00 msg=Script Id: 219784 New: 0 Family: pop3 Product: Unencrypted Remote Authentication Has Exploits: false
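The logger's column view comes from splitting the key=value pairs and pairing each csN or deviceCustomDateN key with its Label. The following is an added example, not Outpost24 or ArcSight code, that does this for the message above in Python. The function names are hypothetical, and it assumes the payload has exactly the shape shown on this page, with "=" and "\" inside values escaped by a backslash as in ArcSight's Common Event Format.

```python
import re
from datetime import datetime

# Copied from the "An ArcSight Message" example on this page.
SAMPLE = (
    "dvc=192.168.202.6 spt=110 cs1Label=Script Name "
    "cs1=Unencrypted Remote Authentication Available - POP3 "
    "cs4Label=BugTraq cs4=No bugtraq cs2Label=CVE cs2=No CVE "
    "deviceCustomDate1Label=First Seen deviceCustomDate1=Nov 21 2016 11:08:00 "
    "deviceCustomDate2Label=Last Seen deviceCustomDate2=Nov 24 2016 18:08:00 "
    "msg=Script Id: 219784 New: 0 Family: pop3 "
    "Product: Unencrypted Remote Authentication Has Exploits: false"
)

# A key is an alphanumeric token at the start or after whitespace,
# directly followed by "=". An escaped "\=" inside a value never matches.
KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


def parse_extension(text):
    """Split key=value pairs whose values may contain spaces."""
    fields = {}
    hits = list(KEY.finditer(text))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        raw = text[hit.end():end].strip()
        # CEF escapes "=" and "\" in values with a leading backslash.
        fields[hit.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return fields


def named_fields(fields):
    """Replace csN / deviceCustomDateN keys with their ...Label text."""
    out = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        if key.startswith("deviceCustomDate"):
            value = datetime.strptime(value, "%b %d %Y %H:%M:%S")
        out[fields.get(key + "Label", key)] = value
    return out


if __name__ == "__main__":
    for name, value in named_fields(parse_extension(SAMPLE)).items():
        print(f"{name}: {value}")
```

A value containing an unescaped "word=" sequence would be split as a new key, so a sender that does not escape "=" in free text such as msg will produce extra columns.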
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.