CounterACT connector installation and configuration#

First make sure you can connect to the ESM server on tcp port 8443 you want the platform to connect to.

  1. Log in to EclecticIQ Platform via SSH.

  2. Upload the latest 64 bit ArcSight Connector binary to the platform:

    ArcSight-7.3.0.7886.0-Connector-Linux64.bin

  3. Install the receiving syslog daemon connector as user arcsight by running:

    sh  ArcSight-7.3.0.7886.0-Connector-Linux64.bin
    

    This starts an interactive installer in the terminal. Follow the on-screen instructions that follow:

    1. Choose Install Folder: When prompted to Choose Install Folder, enter:

      /opt/arcsight/connectors/eiq-counteract
      
    2. Choose Link Location: When prompted to Choose Link Location, press enter to select the default option: /home/arcsight.

      Caution

      If the default option is not /home/arcsight, make sure that you are running the installer as the user arcsight.

    3. Follow the on-screen instructions to finish installing the connector.

  4. Upload the provided EclecticIQ command properties file to the following location on the platform instance:

    /opt/arcsight/connectors/eiq-counteract/current/user/agent/flexagent/eiqcounteract.counteract.properties
    
  5. Run the connector configuration as user arcsight:

    /opt/arcsight/connectors/eiq-counteract/current/bin/runagentsetup.sh 
    

    This runs a configuration wizard.

  6. In the configuration wizard, select the following options:

    Prompt

    Instructions

    “What would you like to do?”

    Enter 0 to Add a Connector.

    “Select the connector to configure”

    Enter 11 to select the ArcSight FlexConnector CounterACT connector.

    “Configuration File:”

    Enter:

    eiqcounteract
    

    “Enter type of destination”

    Enter 0 to select ArcSight Manager (encrypted).

    Configure the ArcSight Manager

    “Manager Hostname:”

    Enter the fully qualified domain name (FQDN) for your ArcSight ESM instance. For example: esm.example.com.

    “Manager Port:”

    Enter a port to use to connect to your ArcSight ESM instance, or press enter to use the default port: 8443.

    “User:”

    Enter a user who is alloed to register connectors.

    “Password:”

    Enter the above user’s password.

    “AUP Master Destination:”

    Enter 0 to set this to true.

    “Filter Out All Events:”

    Enter 1 to set this to false.

    “Enable Demo CA:”

    Enter 1 to set this to false.

    Configure connector details

    “Name:”

    Enter:

    eiq-counteract
    

    “Location:”

    Enter:

    eiq-platform.local
    

    “DeviceLocation:”

    “Comment:”

    Enter:

    EclecticIQ CounterACT connector
    
  7. Install the connector service wrapper script as root:

    sudo /opt/arcsight/connectors/eiq-counteract/current/bin/arcsight agentsvc -i -u
    arcsight -sn eiq-counteract
    
  8. Start the connector service:

    sudo /etc/init.d/arc_eiq-counteract start
    
  9. Make sure the connector is running:

    tail -f /opt/arcsight/connectors/eiq-counteract/current/logs/agent.log
    
  10. The CounterACT connector should appear in a running state in the ArcSight Console.

Add scripts and configure the environment#

  1. Use arcsight user to move the scripts provided by EclecticIQ to the folder: /home/arcsight/scripts.

    • Python 2.7 has to be available in the same machine where the ACT Connector is installed.

    • Pip needs to be installed in the same machine where the ACT Connector is installed.

  2. Install the keyring, using the following command:

    pip install keyring
    pip install keyrings.alt
    
  3. Use arcsight to run the following command:

    keyring set eiq <eiq_user>
    

    Instead of <eiq_user>, enter your credentials for EclecticIQ Platform.

  4. Go to the configuration file in /home/arcsight/scripts/eiq.conf, and populate it with your data.

    • url = https://eiqplatform-address.com

    • verify_ssl = false (can be false or true)

    • version = 2.3 (should be in digit.digit format)

    • username = <eiq_user>

    • group_name = <group_name> (should be the same as in IC)

Additional information#

By right-clicking on the counterACT connector in ArcSight ESM Console you can the create-sighting command which is configured in eiqcounteract.counteract.properties file.

The command configured in the properties file is configured to execute scripts in the directory: /home/arcsight/scripts/.

The command executes locally on the EclecticIQ platform and can be used manually in views like Active Channels, and Lists or triggered automatically by Rules on ESM.

Upload all provided scripts to this directory.