ArcSight troubleshooting

April 11, 2024

ID 171572

This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with ArcSight.

If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your Technical Account Manager (TAM) for more information about solutions to problems.

Problem: ArcSight does not display the events from Kaspersky CyberTrace Service or displays them incorrectly

To solve this problem, try the following actions:

  • Make sure that the Kaspersky CyberTrace Service computer is turned on and Kaspersky CyberTrace Service is running (for Windows version, see section "Managing Kaspersky CyberTrace Service using the script (Windows)").
  • Make sure that the ArcSight computer is accessible from the Kaspersky CyberTrace Service computer.
  • Make sure that the port specified in the output connection string is open.
  • Make sure that ArcSight Forwarding Connector and ArcSight SmartConnector (for Windows version, see section "Installing ArcSight SmartConnector (Windows)") are running.
  • Make sure that Kaspersky CyberTrace Service listens on the port to which Forwarding Connector sends data from ArcSight ESM.
  • Make sure that Kaspersky CyberTrace Service sends the events to ArcSight SmartConnector.
  • Check that ArcSight SmartConnector is configured properly.

    For this purpose, run the following command:

    • %ARCSIGHT_HOME%/current/bin/runagentsetup.sh (in Linux)
    • %ARCSIGHT_HOME%\current\bin\runagentsetup.bat (in Windows)

    Here, %ARCSIGHT_HOME% is the directory where ArcSight SmartConnector is installed.

Problem: An active channel does not display events after a new ARB package is imported

To solve this problem, try the following actions:

Check the filter used in the active channel:

  1. Go to Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector.
  2. Make sure that the device product field has the value of Kaspersky CyberTrace for ArcSight.

Create a new active channel:

  1. Delete the current active channel, and then create a new one.
  2. Configure the new active channel as follows:
    • Set the Start Time and End Time parameters as you wish.
    • Set the Use as Timestamp parameter to Manager Receipt Time.
    • If you want the active channel to be updated automatically, select Continuously evaluate in the Time Parameters section of the active channel's properties.
    • In the Filters section, specify the filter that has the same name as the active channel itself. You can find available filters in the tree view of ArcSight Console, at the Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector location when the Filters item is selected in the drop-down box.
    • In the Fields section, specify the item that has the same name as the active channel itself.

      You can find available fields in the tree view of ArcSight Console, at the Field Sets > Shared > All Field Sets > Public > Kaspersky CyberTrace Connector location when the Field Sets item is selected in the drop-down box.

Problem: Kaspersky CyberTrace Service does not receive events from ArcSight

To solve this problem, try the following actions:

  • Make sure that the Kaspersky CyberTrace Service computer is turned on and Kaspersky CyberTrace Service is running (for Windows, see section "Managing Kaspersky CyberTrace Service using the script (Windows)").
  • Make sure that the ArcSight computer is turned on and ArcSight is running.
  • Make sure that the Kaspersky CyberTrace Service computer is accessible from the ArcSight computer.

    You can use the ping utility for this purpose.

  • Make sure that the port that is specified in the input connection string is open on the Kaspersky CyberTrace Service computer.

    You can use the netcat utility for this purpose.

  • Check the regular expressions, either in the Kaspersky CyberTrace Service configuration file or on the Settings > Events format tab in Kaspersky CyberTrace Web.
  • Make sure that the ArcSight forwarding connector that you installed is running.

    In Linux, you can use the following command for this purpose:

    ps -Af | grep %DIR_NAME%/current/bin

    Here, %DIR_NAME% is the directory in which the forwarding connector is installed. If the forwarding connector process is running, the information about it will be displayed in the console.

  • If Kaspersky CyberTrace Service stopped receiving events from ArcSight after a new ARB package was imported, register ArcSight Forwarding Connector again by running the following command and then following the instructions of the wizard:

    %ConnectorInstallDir%/current/bin/runagentsetup.sh

    Here, %ConnectorInstallDir% is the directory in which ArcSight Forwarding Connector is installed.
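The checks in the two lists above (service reachable, port open, connector process running, "Kaspersky CyberTrace Service does not receive events" and "ArcSight does not display the events") are usually repeated by hand with ping, netcat and ps. The script below is an added example, not part of the Kaspersky CyberTrace documentation or product, that runs the same checks in one go. It assumes that a connection string has the form [scheme://]host:port and that the operator passes the forwarding connector directory; the host name and paths in the usage line are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Kaspersky CyberTrace documentation:
# scripted versions of the connectivity checks in the troubleshooting lists.
# Assumptions (labelled): a connection string looks like [scheme://]host:port,
# and the forwarding connector directory is supplied by the operator.
# All sample values in the usage line are constructed.

# Print "host port" for a connection string such as "tcp://0.0.0.0:9999"
# or "10.0.0.5:9998"; fail if the port is missing or not numeric.
parse_connection_string() {
    cs="${1#*://}"               # strip an optional scheme prefix
    port="${cs##*:}"
    host="${cs%:*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;  # empty or non-numeric port
    esac
    [ "$host" = "$cs" ] && return 1   # no colon at all: no port present
    printf '%s %s\n' "$host" "$port"
}

# Host answers an ICMP echo (the "ping" check from the list).
host_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# TCP port accepts connections (the "netcat" check), done with bash's
# /dev/tcp so no extra tool is needed; gives up after 3 seconds.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Connector process running under <dir>/current/bin, i.e. the page's
# "ps -Af | grep <dir>/current/bin" with the grep itself filtered out.
connector_running() {
    ps -Af 2>/dev/null | grep -v grep | grep -q -- "$1/current/bin"
}

# Print PASS/FAIL for one check and count failures.
report() {
    label="$1"; shift
    if "$@"; then
        printf 'PASS  %s\n' "$label"
    else
        printf 'FAIL  %s\n' "$label"
        failures=$((failures + 1))
    fi
}

# run_checks <input connection string> <ArcSight host> <output port> <connector dir>
# Exit status is the number of failed checks (0 means everything looks right).
run_checks() {
    failures=0
    if parsed=$(parse_connection_string "$1"); then
        in_host="${parsed% *}"; in_port="${parsed#* }"
        [ "$in_host" = 0.0.0.0 ] && in_host=127.0.0.1   # wildcard bind: test locally
        report "CyberTrace Service listening on $in_host:$in_port" port_open "$in_host" "$in_port"
    else
        printf 'FAIL  input connection string "%s" is not host:port\n' "$1"
        failures=$((failures + 1))
    fi
    report "ArcSight host $2 answers ping" host_reachable "$2"
    report "ArcSight SmartConnector port $2:$3 open" port_open "$2" "$3"
    report "Forwarding Connector running in $4" connector_running "$4"
    return "$failures"
}

# Usage (constructed values):
#   ./cybertrace_checks.sh 'tcp://0.0.0.0:9999' arcsight.example.internal 9998 /opt/arcsight/connector
if [ "$#" -eq 4 ]; then
    run_checks "$@"
fi
```

Run it on the Kaspersky CyberTrace Service computer: the first check confirms that the service itself is listening on the input port, the ping and port checks cover the path towards ArcSight SmartConnector, and the last check is the ps lookup from the list. A non-zero exit status tells a cron job or monitoring agent that at least one check failed.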

Problem: An authentication error occurs in ArcSight Forwarding Connector or the account intended for use by ArcSight Forwarding Connector is absent

To solve this problem, try the following actions:

  1. Run ArcSight Console.
  2. Select Users > Shared > Custom User Groups.
  3. Create the Kaspersky CyberTrace Connector group.
  4. Right-click the Kaspersky CyberTrace Connector group, and then select Edit Access Control.
  5. Select the Events tab.
  6. Click Add.
  7. Select the CyberTrace forwarding events filter.
  8. Click Save.
  9. In the Kaspersky CyberTrace Connector group, specify the following options for the account:
    • Any user name (for example, FwdCyberTrace)
    • In the type field, the Forwarding Connector type
    • Password

These credentials will be used to forward events from ArcSight to Kaspersky CyberTrace.
