Configuring ArcSight ESM
March 5, 2024
ID 220896
For ArcSight ESM to receive events from Kaspersky Scan Engine, an ArcSight SmartConnector of the Syslog Daemon type must be installed. You can install ArcSight SmartConnector on any computer that can connect to Kaspersky Scan Engine and to ArcSight ESM.
To install an ArcSight SmartConnector:
- Run the ArcSight SmartConnector installation application.
This application is a component of HP ArcSight and is not included in Kaspersky Scan Engine.
- Specify the ArcSight SmartConnector installation directory (hereinafter referred to as
%ARCSIGHT_HOME%). - Select Don't create links.
- After unpacking the contents of the binary file, select Add a Connector.
Selecting Add a Connector
If this window is not displayed, run the following command:
%ARCSIGHT_HOME%/current/bin/runagentsetup.sh - Select Syslog Daemon as the connector type.
- Specify the parameters of the connector in the Enter the parameter details form as follows:
- Network port. Specify the port to which Kaspersky Scan Engine must send detection events.
You specify the same port in the Kaspersky Scan Engine Syslog settings.
- IP Address. Specify the IP address to which Kaspersky Scan Engine must send detection events.
You specify the same IP address in the Kaspersky Scan Engine Syslog settings.
You can specify (ALL) if you want Arcsight SmartConnector to receive events from all network interfaces of the computer on which it runs. Note that you cannot specify (ALL) in the Kaspersky Scan Engine configuration file.
- Protocol. Specify Raw TCP.
- Forwarder. Specify false.
Defining connector parameters
Click Next.
- Network port. Specify the port to which Kaspersky Scan Engine must send detection events.
- Specify ArcSight Manager (encrypted) as the type of destination.
Selecting the type of destination
Click Next.
- Specify the parameters of the destination:
- Manager Hostname. Specify the host where ArcSight Manager is running.
- Manager Port. Specify the port where ArcSight Manager is available. The default value is 8443.
- User. Specify the name of the ArcSight ESM user that has rights to register the connector.
- Password. Specify the password of the ArcSight ESM user.
- AUP Master Destination. Specify false.
- Filter Out All Events. Specify false.
- Enable Demo CA. Specify false.
Defining destination parameters
Click Next.
- Specify the connector details:
- Name (you can specify an arbitrary value).
- Location (you can specify an arbitrary value).
- Location of the device that must send events to the connector (you can specify an arbitrary value or leave it empty).
- Comment about the connector (you can specify an arbitrary value or leave it empty).
Click Next.
- If the ArcSight Manager parameters are valid, accept importing the certificate from the destination.
- If the certificate is imported successfully, install the ArcSight SmartConnector service.
If you do not run the installation as root, the following warning is displayed:
If you do not run the installation as root
The
%ARCSIGHT_HOME%/current/logs/agent.logfile contains messages about the installation process.You can skip the next step that describes how to specify the service parameters.
If you run the installation as root, select Install as a service.
Click Next.
- Specify the service parameters.
We recommend that you set the service name, specified in Service Internal Name, to be the same as the connector name.
Defining service parameters
Click Next.
- To start ArcSight SmartConnector, run the following command:
/etc/init.d/arc_$service_name startIn this command,
$service_nameis the service internal name.
After the ArcSight ESM configuration is complete, you can configure Kaspersky Scan Engine.
