Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Introduction

ArcSight is a Syslog service developed by HP and is available on the systems that offer the Syslog feature. To date, that is only HIAB.

Before enabling ArcSight in the HIAB, the ArcSight server needs to be set up and configured.

Set Up ArcSight

To enable ArcSight:

  1. Go to Menu > Settings > Integrations.
  2. Select the Syslog tab.
  3. Check the Arcsight: checkbox as shown in the figure.

    [Figure: Integration11]

  4. Click Save.


When ArcSight is enabled, the Syslog message is built differently so that it fits the ArcSight protocol.

Using ArcSight

When a Syslog event is activated, an ArcSight message is built instead of the ordinary Syslog message.

The Syslog message is sent to the ArcSight logger or connector. When the logger shows the message, it is divided into columns, which are easier to work with than the raw data.

Note

No ArcSight-specific errors should occur. If the ArcSight server reports errors, they are due to the Syslog implementation, not the ArcSight implementation.

It is recommended that the customer uses ArcSight together with TLS. If the logger cannot handle TLS messages, a connector that can is recommended.

No maintenance is needed for ArcSight, but the logger or the Syslog settings must be updated if IP addresses or other information change.


Examples:

A Syslog Message

Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" Has Exploits: "false" – Medium


An ArcSight Message

dvc=192.168.202.6 spt=110 cs1Label=Script Name cs1=Unencrypted Remote Authentication Available - POP3 cs4Label=BugTraq cs4=No bugtraq cs2Label=CVE cs2=No CVE deviceCustomDate1Label=First Seen deviceCustomDate1=Nov 21 2016 11:08:00 deviceCustomDate2Label=Last Seen deviceCustomDate2=Nov 24 2016 18:08:00 msg=Script Id: 219784 New: 0 Family: pop3 Product: Unencrypted Remote Authentication Has Exploits: false
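The transformation shown by the two messages above, as an added illustration (this is not Outpost24's code, which the document does not show): it parses the documented Syslog message, emits an ArcSight extension string with the same field mapping, and splits that string back into the key/value columns a logger displays. The field names and their order are taken from the two messages; the escaping of "=" and backslash inside values is standard CEF extension behaviour that the sample does not exercise. The timestamp conversion reproduces the First Seen field exactly; note that the Last Seen value on the page (18:08) does not match the Syslog message (18:06), and the example converts the Syslog value as given.

```python
"""Build an ArcSight-style message from a HIAB Syslog finding and parse it back.

Added illustration, not Outpost24 code. The field mapping follows the two
messages in the documentation; escaping '=' and backslash in extension values
is standard CEF behaviour that the documented sample does not exercise.
"""
import re
from datetime import datetime

# Constructed copy of the documented Syslog message (en dash before the severity).
SYSLOG_MSG = (
    'Risk: Script Name: "Unencrypted Remote Authentication Available - POP3" '
    'Script Id: "219784" Target: "192.168.202.6" Port: "110" BugTraq: "No bugtraq" '
    'CVSS: "6.8" New: "0" CVE: "No CVE" Family: "pop3" First Seen: "2016-11-21 11:08" '
    'Last Seen: "2016-11-24 18:06" Product: "Unencrypted Remote Authentication" '
    'Has Exploits: "false" – Medium'
)

# 'Key: "value"' pairs; the lazy key match stops at the first ': "' it reaches.
FIELD_RE = re.compile(r'([A-Za-z][A-Za-z ]*?): "([^"]*)"')
# Trailing ' – Medium' (en dash or hyphen) carries the severity.
SEVERITY_RE = re.compile(r'\s[–-]\s(\w+)\s*$')

# Fields that the documented ArcSight message folds into the free-text msg.
MSG_KEYS = ("Script Id", "New", "Family", "Product", "Has Exploits")


def parse_syslog(msg):
    """Return ({field: value}, severity) from a 'Key: "value"' Syslog message."""
    fields = dict(FIELD_RE.findall(msg))
    sev = SEVERITY_RE.search(msg)
    return fields, (sev.group(1) if sev else None)


def to_arcsight_date(value):
    """'2016-11-21 11:08' -> 'Nov 21 2016 11:08:00' (deviceCustomDate format)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M").strftime("%b %d %Y %H:%M:%S")


def cef_escape(value):
    """Escape backslash and '=' as CEF requires inside extension values."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def build_arcsight(fields):
    """Lay the parsed fields out in the documented ArcSight extension order."""
    pairs = [
        ("dvc", fields["Target"]),
        ("spt", fields["Port"]),
        ("cs1Label", "Script Name"), ("cs1", fields["Script Name"]),
        ("cs4Label", "BugTraq"), ("cs4", fields["BugTraq"]),
        ("cs2Label", "CVE"), ("cs2", fields["CVE"]),
        ("deviceCustomDate1Label", "First Seen"),
        ("deviceCustomDate1", to_arcsight_date(fields["First Seen"])),
        ("deviceCustomDate2Label", "Last Seen"),
        ("deviceCustomDate2", to_arcsight_date(fields["Last Seen"])),
        ("msg", " ".join(f"{k}: {fields[k]}" for k in MSG_KEYS)),
    ]
    return " ".join(f"{k}={cef_escape(v)}" for k, v in pairs)


def parse_arcsight(ext):
    """Split an extension string into the key/value columns a logger would show."""
    columns = {}
    # A new key starts only at whitespace followed by 'name='. An escaped '\='
    # inside a value is preceded by a backslash, which is not a word character,
    # so it never produces a split.
    for token in re.split(r'\s(?=\w+=)', ext):
        key, value = token.split("=", 1)
        columns[key] = re.sub(r'\\(.)', r'\1', value)  # undo cef_escape
    return columns


if __name__ == "__main__":
    fields, severity = parse_syslog(SYSLOG_MSG)
    arcsight = build_arcsight(fields)
    print(arcsight)
    for k, v in parse_arcsight(arcsight).items():
        print(f"{k:24} {v}")
```

The column split in parse_arcsight works only because every "=" that starts a new column is preceded by whitespace and a bare key name; a script name or product string containing an unescaped "=" would be cut into a spurious column, which is why build_arcsight escapes values before they reach the logger.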

Reference

Integrations