Installing ArcSight SmartConnector (Linux)

This section describes how to install ArcSight SmartConnector.

To install ArcSight SmartConnector:

Run the ArcSight SmartConnector installation application.
This application is a component of HP ArcSight and is not included in Kaspersky CyberTrace.
Select the ArcSight SmartConnector installation directory (hereinafter referred to as %ARCSIGHT_HOME%).
Instruct the installer not to create links.
After the contents of the binary file are unpacked, select Add a Connector.

Adding a connector

If this window is not displayed, configure ArcSight SmartConnector manually. For this purpose, run the following command:

%ARCSIGHT_HOME%/current/bin/runagentsetup.sh
Select Syslog Daemon as the connector type.
In the Enter the parameter details form, specify the following data:
- Network Port—Port to which Feed Service will send detection events.
  It is the same port that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 9998).
- IP Address—IP address to which Feed Service will send detection events.
  It is the same IP address that is specified on the Settings > Service tab of Kaspersky CyberTrace Web (by default, it is 127.0.0.1).
  
  You can specify (ALL) if you want Arcsight SmartConnector to receive events from all network interfaces of the computer on which it runs. (Note that you cannot specify (ALL) in the Feed Service configuration file.)
- Protocol—Specify Raw TCP.
- Forwarder—Specify false.
Parameters for sending detection events

Click Next.
Specify ArcSight Manager (encrypted) as the type of destination.

Type of destination

Click Next.
Specify other destination settings:
- Manager Hostname—Host where ArcSight Manager is running.
- Manager Port—Port where ArcSight Manager is available.
  By default, it is 8443.
- User—Name of the ArcSight ESM user that has rights for registering the connector.
- Password—Password of the ArcSight ESM user.
- AUP Master Destination—Specify false.
- Filter Out All Events—Specify false.
- Enable Demo CA—Specify false.
Destination parameters

Click Next.
Specify the connector details: the name (arbitrary value permitted), location (arbitrary value permitted), location of the device that will send events to the connector (arbitrary value permitted, can be empty), and comment about the connector (arbitrary value permitted, can be empty).

Connector details

Click Next.
If the ArcSight Manager parameters are valid, accept importing the certificate from the destination.
If the certificate is imported successfully, install the ArcSight SmartConnector service.
- If you do not run the installation as root, a warning will be displayed.
Warning about user privileges

You can either run the Connector Setup Wizard as root, or run the following command as root:

%ARCSIGHT_HOME%/current/bin/arcsight agentsvc -i -u $username -sn $service_name

Here
- $username is the name of the operating system user that will run the service.
- $service_name is the service name.
  We recommend that you set the service name to be the same as the connector name.
The %ARCSIGHT_HOME%/current/logs/agent.log log file will contain messages about the installation process.

Skip the next step that describes how to specify the service parameters.
- If you run the installation as root, select Install as a service.
Click Next.
Specify the service parameters.
We recommend that you set the service name to be the same as the connector name.

Specifying service parameters

Click Next.
Start ArcSight SmartConnector by calling the following command:
/etc/init.d/arc_$service_name start

In this command, $service_name is the service name.

After you have installed ArcSight SmartConnector, you can install Feed Service and integrate it with ArcSight. For more information, see section "Integration steps (ArcSight)".

Page top