Installation of Smart Connector(s)

The basic integration with EclecticIQ Platform consists of an ArcSight Smart Connector and the EclecticIQ base content package for ArcSight ESM.
The recommended connector is a Syslog Daemon connector that receives threat intelligence in CEF format and forwards it to ArcSight ESM.
This connector can be installed on a separate connector server.

For a bi-directional integration, a second ArcSight CounterACT Smart Connector is needed to talk back to EclecticIQ Platform and create sightings there.

Prerequisites

  • A running ArcSight ESM instance.

  • A running EclecticIQ Platform instance.

  • A separate connector server to install the receiving syslog daemon connector.

  • A TCP or UDP port opened on that server for the syslog daemon connector; this guide uses TCP 1514. Raw TCP syslog is neither encrypted nor authenticated, so restrict the port at the host firewall to the EclecticIQ Platform host(s) that will send CEF events.

Install the smart connectors

  1. Log in via SSH to the host that will run the connector (in this guide, the EclecticIQ Platform host).

  2. Create a user named arcsight, create a directory to host the connectors, and set its ownership:

    sudo useradd arcsight
    sudo passwd arcsight
    sudo mkdir -p /opt/arcsight/connectors
    sudo chown -Rv arcsight:arcsight /opt/arcsight/
  3. Upload the latest 64-bit ArcSight SmartConnector installer binary to that host.

  4. Install the receiving syslog daemon connector as user arcsight:

    sh ArcSight-7.3.0.7886.0-Connector-Linux64.bin

    When prompted for the installation folder, install the connector in /opt/arcsight/connectors/eiq-cef-syslog-daemon.

  5. Run the connector configuration as user arcsight:

    /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/runagentsetup.sh

    Use the following settings:

    Type: Syslog Daemon
    Network Port: 1514
    IP Address: (ALL)
    Protocol: Raw TCP
    Forwarder: false
     
    ArcSight Manager Destination:
    Manager Hostname: <ESM fully qualified domain name>
    Manager Port: 8443
    User: <user allowed to register connectors>
    Password: ********
    AUP Master Destination: true
    Filter Out All Events: false
    Enable Demo CA: false
     
    Connector details
     
    Name[]:eiq-cef-syslog-daemon
    Location[]: eiq-platform.local
    DeviceLocation[]:
    Comment[]: TCP syslog connector - port 1514 for CEF input
  6. Install the connector service wrapper script as root (one command):

    sudo /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/arcsight agentsvc -i -u arcsight -sn eiq-cef-syslog-daemon
  7. Start the connector service:

    sudo /etc/init.d/arc_eiq-cef-syslog-daemon start

    Make sure the connector is running and listens on the configured port (use ss on systems where netstat is no longer installed):

    sudo netstat -tlpn | grep 1514
    sudo ss -tlpn | grep 1514
  8. The receiving connector should appear in a running state in the ArcSight Console, under the Location and Name configured in step 5, for example:
    Connectors/Shared/All Connectors/eiq-platform.local/eiq-cef-syslog-daemon (running).
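Once the connector is running, the practical check is to push one well-formed CEF event into it over raw TCP and confirm it shows up in ESM. The following script is an added example written for this page; it is not part of the EclecticIQ content package or the ArcSight connector. It builds a CEF:0 line with the escaping the format requires (pipe and backslash in header fields, equals sign and backslash in extension values), sends it newline-terminated over a raw TCP socket, and, when no connector host is given, stands up a throwaway local listener so the round trip can be demonstrated offline. The vendor/product/signature values and the IP addresses are constructed placeholders.

```python
"""Post-install smoke test for the raw TCP syslog daemon connector (added example)."""
import socket
import threading

# Port configured in runagentsetup.sh above (Network Port: 1514, Protocol: Raw TCP).
CONNECTOR_PORT = 1514


def cef_escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def build_cef_event(vendor, product, version, signature_id, name, severity, extensions):
    """Return one CEF:0 line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(cef_escape_header(str(f))
                      for f in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(str(v))}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def send_cef_event(host: str, port: int, event: str, timeout: float = 5.0) -> int:
    """Send one event as a newline-terminated raw TCP line; returns bytes written."""
    payload = (event + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def start_test_listener(host: str = "127.0.0.1"):
    """One-shot TCP listener on an ephemeral port, standing in for the connector offline.
    Returns (port, received_lines, thread); the thread appends the first line it reads."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        srv.settimeout(5.0)
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            srv.close()
            return
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):  # raw TCP syslog: one event per line
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        srv.close()
        received.append(buf.decode("utf-8").rstrip("\n"))

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, received, thread


def smoke_test(host: str = None, port: int = CONNECTOR_PORT):
    """Send a constructed test event. With no host, a local listener replaces the connector
    and the function returns (sent_line, received_line); with a host it returns (sent_line, None)
    and you verify arrival in the ArcSight Console instead."""
    event = build_cef_event(
        "EclecticIQ", "Platform", "1.0", "eiq-smoke-test",   # placeholder values
        "Connector smoke test", 1,
        {"msg": "test event a=b", "src": "192.0.2.10", "dvchost": "eiq-platform.local"},
    )
    if host is None:
        lport, received, thread = start_test_listener()
        send_cef_event("127.0.0.1", lport, event)
        thread.join(5.0)
        return event, (received[0] if received else None)
    send_cef_event(host, port, event)
    return event, None


if __name__ == "__main__":
    sent, got = smoke_test()          # offline round trip through the local listener
    print("sent    :", sent)
    print("received:", got)
    # Against a real install: smoke_test("connector-host.example", 1514)
```

The `msg` extension deliberately contains an equals sign so the output shows the `\=` escaping; an unescaped `=` would make the connector split the value into a bogus key. If the event arrives at the listener but never appears in the ArcSight Console, the problem is between the connector and ESM (manager credentials, certificate, or the connector not running), not the syslog input.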

The connector logs its operations to:
/opt/arcsight/connectors/eiq-cef-syslog-daemon/current/logs