Step 2 (alternative). Installing ArcSight Forwarding Connector by using the console

You can install ArcSight Forwarding Connector by using the console instead of the GUI installer.

To install ArcSight Forwarding Connector by using the console:

  1. In the console, run the ArcSight Forwarding Connector installer.
  2. Read the Introduction section and press Enter.
  3. When prompted, select Choose Install Folder, and type the full path to the directory where ArcSight Forwarding Connector will be installed (%ConnectorInstallDir%).

    The default value of the installation directory is /root/ArcSightSmartConnectors.

  4. When prompted, select Choose Install Set, and type 1 (stands for Typical).
  5. When prompted, select Choose Link Location, and specify whether a link to the installation directory must be created.

    We recommend that you specify Don't create links.

  6. Make sure that the Pre-Installation Summary section lists the correct values of the installation settings. Press Enter if the values are correct.

    After ArcSight Forwarding Connector is installed, the following information will be displayed in the console:

    Installation Complete

    ---------------------

    The core components of the ArcSight SmartConnector have been successfully installed to:

    %ConnectorInstallDir%

    To finish the configuration of the SmartAgent, please go to the folder:

    %ConnectorInstallDir%/current/bin/

    and execute the script:

    ./runagentsetup.sh

  7. Run %ConnectorInstallDir%/current/bin/runagentsetup.sh.
  8. At the prompt, select Add a Connector.
  9. Specify ArcSight Forwarding Connector as the connector type.
  10. Specify whether to mask passwords.

    We recommend that you specify yes.

  11. Specify the following connection parameters of ArcSight Source Manager:
    • Host Name

      ArcSight Source Manager host.

    • Port

      ArcSight Source Manager port (by default, it is 8443).

    • User

      User name of the account intended for use by ArcSight Forwarding Connector (by default, it is FwdCyberTrace).

      You can also specify a user other than FwdCyberTrace. To do so, specify a custom ArcSight user in the ArcSight Forwarding Connector settings.

    • Password

      Password for the account intended for use by ArcSight Forwarding Connector (by default, it is KasperskyLab!).

  12. Specify the following action for importing the certificate: Import the certificate to connector from destination.
  13. Specify the destination type: CEF Syslog.
  14. Specify the following settings:
    • Ip/Host

      IP address that Feed Service listens on for events.

    • Port

      Port through which Feed Service receives events. By default, it is 9999.

    • Protocol

      Specify Raw TCP.

    The IP address and port are the same as specified in the Connection settings section of the Service tab of Kaspersky CyberTrace Web.

  15. Specify the following connector settings:
    • Name

      Any value can be specified.

    • Location

      Any value can be specified.

    • DeviceLocation

      Any value can be specified.

    • Comment

      Any value can be specified.

    After this, the connector will be registered.

  16. Specify the way in which the connector must be installed: Install as a service.
  17. Specify the service settings:
    • Service Internal Name
    • Service Display Name
    • Start the service automatically

      Indicates whether the service will start at system startup. We recommend that you specify yes.

  18. Check the specified data. If it is correct, press Enter.

    The connector will be installed as a service.

  19. Make sure that the connector is running (the section about ArcSight troubleshooting describes how to check this). If it is not running, start it by using the following command:

    /etc/init.d/arc_%FORWARDING% start

    Here %FORWARDING% is the name of the connector.

If the forwarding connector sends a large number of events (more than 1000 events per second) to Feed Service, we recommend that you do the following: in the %ConnectorInstallDir%/current/user/agent/agent.wrapper.conf file, set the wrapper.java.maxmemory field to 512 and restart the forwarding connector.
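
Added example, not part of the vendor documentation: a shell helper that applies the wrapper.java.maxmemory change described above to the wrapper configuration file, keeping a backup copy and rewriting only active (uncommented) assignments. The function names and the .bak suffix are choices made for this example; the file path is passed as an argument, and the connector must still be restarted afterward.

```shell
#!/bin/sh
# Added example: set wrapper.java.maxmemory in a Java Service Wrapper config.
# Usage: sh set_maxmemory.sh /path/to/agent.wrapper.conf [value]   (default 512)

# set_wrapper_maxmemory FILE [VALUE]
# Replaces the active wrapper.java.maxmemory assignment (collapsing duplicates)
# or appends one if only commented-out or no assignments exist.
set_wrapper_maxmemory() {
    conf=$1
    mb=${2:-512}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case $mb in
        ''|*[!0-9]*) echo "value must be a whole number" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1      # backup before editing
    tmp=$(mktemp) || return 1
    awk -F= -v v="$mb" '
        $1 ~ /^[ \t]*wrapper\.java\.maxmemory[ \t]*$/ {
            if (!done) { print "wrapper.java.maxmemory=" v; done = 1 }
            next                               # drop duplicate assignments
        }
        { print }
        END { if (!done) print "wrapper.java.maxmemory=" v }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# get_wrapper_maxmemory FILE: print the effective (last active) value.
get_wrapper_maxmemory() {
    awk -F= '
        $1 ~ /^[ \t]*wrapper\.java\.maxmemory[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); v = $2
        }
        END { print v }
    ' "$1"
}

# Run only when a file path is given on the command line.
if [ "$#" -gt 0 ]; then
    set_wrapper_maxmemory "$@" && get_wrapper_maxmemory "$1"
fi
```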
