Step 2. Installing ArcSight Forwarding Connector

This section describes how to install ArcSight Forwarding Connector.

ArcSight Forwarding Connector is a component of HP ArcSight and is not included in Kaspersky CyberTrace. You can receive this application in one of the following ways:

• Contact the HP support team to get ArcSight Forwarding Connector.
• Contact a Kaspersky Technical Account Manager (TAM) to get ArcSight Forwarding Connector.

To install ArcSight Forwarding Connector:

1. Run the ArcSight Forwarding Connector installation application.
2. Select the ArcSight Forwarding Connector installation directory (hereinafter referred to as %ConnectorInstallDir%).
3. After the installation files are unpacked, select Add a Connector.

   

   Adding a connector

   Click Next.

4. In the Type drop-down list, select ArcSight Forwarding Connector (Enhanced).

   

   Selecting the connector type

   Click Next.

5. Specify the following connection parameters of ArcSight Source Manager:
   • Host Name

     ArcSight Source Manager host.

   • Port

     ArcSight Source Manager port (by default, it is 8443).

   • User Name

     User name of the account intended for use by ArcSight Forwarding Connector (by default, it is FwdCyberTrace).

     You can also specify a user other than FwdCyberTrace. To do so, specify a custom ArcSight user in the ArcSight Forwarding Connector settings.

   • Password

     Password for the account intended for use by ArcSight Forwarding Connector (by default, it is KasperskyLab!).

   

   ArcSight Source Manager parameters

   If an authentication error occurs (user name or password is incorrect), we recommend that you verify the FwdCyberTrace user is present in ArcSight Console. If not, create it manually.

   Click Next.

6. If valid connection parameters are specified, import the required certificate.

   

   Importing the certificate

   Click Next.

7. Specify CEF Syslog as the event format that will be used for events sent to Feed Service.

   

   Specifying event format

   Click Next.

8. Specify the IP address (or host) and port that Feed Service will listen on for events. Specify Raw TCP as the protocol.

   The IP address and port are the same as specified on the Settings > Service tab of Kaspersky CyberTrace Web. By default, 127.0.0.1:9999 is used as the IP address and port for receiving events from ArcSight.

   

   Specifying event destination

   Click Next.

9. Specify the details of the new ArcSight Forwarding Connector object: the name (arbitrary value permitted), location (arbitrary value permitted), location of the device that will send events to the connector (arbitrary value permitted, can be empty), and comment about the connector (arbitrary value permitted, can be empty).

   

   Connector details

   Click Next.

10. Install the ArcSight Forwarding Connector service.
    • If you do not run the Connector Setup Wizard as root, a warning will be displayed.

    

    Warning about user privileges

    You can either run the Connector Setup Wizard as root, or run the following command as root:

    %ConnectorInstallDir%/current/bin/arcsight agentsvc -i -u $username -sn $service_name

    Here

    • $username is the name of the operating system user that will run the service.
    • $service_name is the service name.

      We recommend that you set the service name to be the same as the connector name.

    Log file %ConnectorInstallDir%/current/logs/agent.log will contain messages about the installation process.

    Skip the next step, which describes how to specify the service parameters.

    • If you run the installation as root, select Install as a service.

    

    Choosing installation mode

    Click Next.

11. Specify the service parameters.

    We recommend that you set the service name to be the same as the connector name.

    

    Specifying service parameters

    Click Next.

    After this, the Connector Setup Wizard informs you that the new forwarding connector is installed.

12. Make sure that the connector is running (see the section about ArcSight troubleshooting on how you can do this). If it is not running, start it by using the following command:

    /etc/init.d/arc_%FORWARDING% start

    Here %FORWARDING% is the name of the connector.

If the forwarding connector sends a large amount of events (more than 1000 events per second) to Feed Service, we recommend that you do the following: in the %ConnectorInstallDir%/current/user/agentagent.wrapper.conf file, set the wrapper.java.maxmemory field to 512 and restart the forwarding connector.

Page top