CounterACT connector installation and configuration
First make sure that the platform can reach the ArcSight ESM server you want it to connect to on TCP port 8443.
Log in to EclecticIQ Platform via SSH.
Upload the latest 64-bit ArcSight Connector binary to the platform:
ArcSight-7.3.0.7886.0-Connector-Linux64.bin
Install the receiving syslog daemon connector as user arcsight by running:
sh ArcSight-7.3.0.7886.0-Connector-Linux64.bin
This starts an interactive installer in the terminal. Follow the on-screen instructions:
Choose Install Folder: When prompted to Choose Install Folder, enter:
/opt/arcsight/connectors/eiq-counteract
Choose Link Location: When prompted to Choose Link Location, press enter to select the default option:
/home/arcsight
Caution: If the default option is not /home/arcsight, make sure that you are running the installer as the user arcsight.
Follow the on-screen instructions to finish installing the connector.
Upload the provided EclecticIQ command properties file to the following location on the platform instance:
/opt/arcsight/connectors/eiq-counteract/current/user/agent/flexagent/eiqcounteract.counteract.properties
Run the connector configuration as user arcsight:
/opt/arcsight/connectors/eiq-counteract/current/bin/runagentsetup.sh
This runs a configuration wizard.
In the configuration wizard, select the following options:

| Prompt | Instructions |
|---|---|
| “What would you like to do?” | Enter 0 to Add a Connector. |
| “Select the connector to configure” | Enter 11 to select the ArcSight FlexConnector CounterACT connector. |
| “Configuration File:” | Enter: eiqcounteract |
| “Enter type of destination” | Enter 0 to select ArcSight Manager (encrypted). |

Configure the ArcSight Manager

| Prompt | Instructions |
|---|---|
| “Manager Hostname:” | Enter the fully qualified domain name (FQDN) of your ArcSight ESM instance, for example esm.example.com. |
| “Manager Port:” | Enter the port to use to connect to your ArcSight ESM instance, or press enter to use the default port, 8443. |
| “User:” | Enter a user who is allowed to register connectors. |
| “Password:” | Enter that user’s password. |
| “AUP Master Destination:” | Enter 0 to set this to true. |
| “Filter Out All Events:” | Enter 1 to set this to false. |
| “Enable Demo CA:” | Enter 1 to set this to false. |

Configure connector details

| Prompt | Instructions |
|---|---|
| “Name:” | Enter: eiq-counteract |
| “Location:” | Enter: eiq-platform.local |
| “DeviceLocation:” | |
| “Comment:” | Enter: EclecticIQ CounterACT connector |
Install the connector service wrapper script as root:
sudo /opt/arcsight/connectors/eiq-counteract/current/bin/arcsight agentsvc -i -u arcsight -sn eiq-counteract
Start the connector service:
sudo /etc/init.d/arc_eiq-counteract start
Make sure the connector is running:
tail -f /opt/arcsight/connectors/eiq-counteract/current/logs/agent.log
The CounterACT connector should appear in a running state in the ArcSight Console.
Add scripts and configure the environment
As the arcsight user, move the scripts provided by EclecticIQ to the folder /home/arcsight/scripts.
Python 2.7 has to be available on the same machine where the CounterACT connector is installed.
Pip needs to be installed on the same machine where the CounterACT connector is installed.
Install the keyring packages using the following commands:
pip install keyring
pip install keyrings.alt
As the arcsight user, run the following command:
keyring set eiq <eiq_user>
Instead of <eiq_user>, enter your credentials for EclecticIQ Platform.
Then open the configuration file /home/arcsight/scripts/eiq.conf and populate it with your data:
url = https://eiqplatform-address.com
verify_ssl = false (can be false or true)
version = 2.3 (should be in digit.digit format)
username = <eiq_user>
group_name = <group_name> (should be the same as in IC)
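The following is an added example, not code shipped by EclecticIQ or ArcSight. It shows how a script in /home/arcsight/scripts can load eiq.conf, enforce the value rules listed above (verify_ssl only true or false, version in digit.digit format, no template placeholders left behind), and read the platform password from the keyring entry created with "keyring set eiq <eiq_user>" instead of from the file. The key names, the eiq keyring service name and the sample values come from this page; the function names, the sample file contents and the decision to report verify_ssl = false as a warning are assumptions of the example. It runs under Python 2.7 as well as Python 3.

```python
# Added example (not part of the EclecticIQ or ArcSight code): load and
# validate /home/arcsight/scripts/eiq.conf and look up the platform password
# in the keyring. Key names and rules are the ones the documentation states;
# function names and the sample file below are constructed for this example.
from __future__ import print_function
import re

try:
    import keyring  # only needed when a script actually authenticates
except ImportError:  # parsing and validation stay usable without it
    keyring = None

KEYRING_SERVICE = "eiq"  # service name used in: keyring set eiq <eiq_user>
REQUIRED_KEYS = ("url", "verify_ssl", "version", "username", "group_name")

# Constructed sample of an eiq.conf in the layout the documentation shows.
SAMPLE_CONF = """\
url = https://eiqplatform-address.com
verify_ssl = false
version = 2.3
username = eiq_user
group_name = analysts
"""


class ConfigError(ValueError):
    """Raised when eiq.conf is missing a key or holds a badly formatted value."""


def parse_conf(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ConfigError("line %d: expected 'key = value', got %r" % (lineno, raw))
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def validate_conf(conf):
    """Apply the documented rules and return typed settings plus a list of warnings."""
    missing = [k for k in REQUIRED_KEYS if not conf.get(k)]
    if missing:
        raise ConfigError("missing keys: %s" % ", ".join(missing))

    verify = conf["verify_ssl"].lower()  # can be false or true, nothing else
    if verify not in ("true", "false"):
        raise ConfigError("verify_ssl must be true or false, got %r" % conf["verify_ssl"])

    # digit.digit format, e.g. 2.3 (assumption: more than one digit per part is allowed)
    if not re.match(r"^\d+\.\d+$", conf["version"]):
        raise ConfigError("version must be in digit.digit format, got %r" % conf["version"])

    if conf["username"].startswith("<") or conf["group_name"].startswith("<"):
        raise ConfigError("username/group_name still contain template placeholders")

    warnings = []
    if verify == "false":
        warnings.append("verify_ssl = false: TLS certificate checking is disabled")
    if not conf["url"].lower().startswith("https://"):
        warnings.append("url does not use https://")

    return {
        "url": conf["url"].rstrip("/"),
        "verify_ssl": verify == "true",
        "version": conf["version"],
        "username": conf["username"],
        "group_name": conf["group_name"],
        "warnings": warnings,
    }


def load_conf(text):
    return validate_conf(parse_conf(text))


def check_conf(text):
    """Return None when the file is valid, otherwise the error message (for preflight checks)."""
    try:
        load_conf(text)
        return None
    except ConfigError as exc:
        return str(exc)


def get_password(username):
    """Fetch the password stored with 'keyring set eiq <eiq_user>'; never read it from eiq.conf."""
    if keyring is None:
        raise RuntimeError("keyring is not installed; run: pip install keyring keyrings.alt")
    password = keyring.get_password(KEYRING_SERVICE, username)
    if password is None:
        raise RuntimeError("no keyring entry; run as arcsight: keyring set eiq %s" % username)
    return password


if __name__ == "__main__":
    settings = load_conf(SAMPLE_CONF)
    for message in settings["warnings"]:
        print("warning: " + message)
    print(settings)
</test>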
Additional information
By right-clicking on the CounterACT connector in the ArcSight ESM Console you can run the create-sighting command, which is configured in the eiqcounteract.counteract.properties file.
The command in the properties file is configured to execute scripts in the directory /home/arcsight/scripts/.
The command executes locally on the EclecticIQ platform and can be used manually in views like Active Channels and Lists, or triggered automatically by Rules on ESM.
Upload all provided scripts to this directory.