Installation of Smart Connector(s)
The basic integration with EclecticIQ Platform consists of an ArcSight Smart Connector and the provided EclecticIQ base content package for ArcSight ESM.
The recommended connector is a Syslog Daemon connector, which receives threat intelligence in CEF format and forwards it to ArcSight ESM.
This connector can be installed on a separate connector server.
For a bi-directional integration, a second ArcSight CounterACT Smart Connector is needed to talk back to EclecticIQ Platform and create sightings there.
Prerequisites
A running ArcSight ESM instance.
A running EclecticIQ Platform instance.
A separate connector server to install the receiving syslog daemon connector.
A TCP or UDP port opened on that server for the syslog daemon connector; this guide uses TCP 1514.
Install the smart connectors
Log in to EclecticIQ Platform via SSH.
Create a user named arcsight and a directory to host the connectors, and set its permissions:
sudo useradd arcsight
sudo passwd arcsight
sudo mkdir -p /opt/arcsight/connectors
sudo chown -Rv arcsight:arcsight /opt/arcsight/
Upload the latest 64-bit ArcSight Connector binary to the platform.
Install the receiving syslog daemon connector as user arcsight:
sh ArcSight-7.3.0.7886.0-Connector-Linux64.bin
Install the connector in /opt/arcsight/connectors/eiq-cef-syslog-daemon.
Run the connector configuration as user arcsight:
/opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/runagentsetup.sh
Use the following settings:
Type: Syslog Daemon
Network Port: 1514
IP Address: (ALL)
Protocol: Raw TCP
Forwarder: false
ArcSight Manager Destination:
Manager Hostname: <ESM fully qualified domain name>
Manager Port: 8443
User: <user allowed to register connectors>
Password: ********
AUP Master Destination: true
Filter Out All Events: false
Enable Demo CA: false
Connector details:
Name[]: eiq-cef-syslog-daemon
Location[]: eiq-platform.local
DeviceLocation[]:
Comment[]: TCP syslog connector - port 1514 for CEF input
Install the connector service wrapper script as root:
sudo /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/arcsight agentsvc -i -u arcsight -sn eiq-cef-syslog-daemon
Start the connector service:
sudo /etc/init.d/arc_eiq-cef-syslog-daemon start
Make sure the connector is running and listening on the configured port:
sudo netstat -tlpn | grep 1514
The receiving connector should appear in a running state in the ArcSight Console:
Connectors/Shared/All Connectors/eiq-arc.local/eiq-syslog-cef_tcp (running).
The connector logs its operations to:
/opt/arcsight/connectors/eiq-cef-syslog-daemon/current/logs
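As an added example (not part of the EclecticIQ or ArcSight documentation), the following Python script does the two things a practitioner usually wants after finishing the steps above: it confirms that something accepts TCP connections on the connector port (the same check as netstat -tlpn | grep 1514, but from the sending side), and it pushes one constructed CEF event over raw TCP so its arrival can be confirmed in the connector logs or in the ArcSight Console. The host and port defaults, the vendor/product/version strings, and the local stand-in listener used by self_test() are assumptions or constructed values, not anything the page specifies.

```python
"""Send a constructed CEF test event to a raw-TCP syslog daemon connector.

Added example, not code from the page or from ArcSight/EclecticIQ. Defaults
assume the connector server listens on TCP 1514 as configured in the guide.
"""
import socket
import threading

# CEF escaping rules: backslash and pipe in header fields, backslash, equals
# and line breaks in extension values. Backslash is escaped first so that the
# escape characters added afterwards are not doubled.
CEF_HEADER_ESCAPES = {"\\": "\\\\", "|": "\\|"}
CEF_EXT_ESCAPES = {"\\": "\\\\", "=": "\\=", "\n": "\\n", "\r": "\\r"}


def _escape(value, table):
    for raw, esc in table.items():
        value = value.replace(raw, esc)
    return value


def build_cef(vendor, product, version, signature_id, name, severity, extension):
    """Build one CEF:0 line: 7 pipe-delimited header fields plus key=value extensions."""
    fields = (vendor, product, version, signature_id, name, severity)
    header = "|".join(["CEF:0"] + [_escape(str(f), CEF_HEADER_ESCAPES) for f in fields])
    ext = " ".join(f"{k}={_escape(str(v), CEF_EXT_ESCAPES)}" for k, v in extension.items())
    return f"{header}|{ext}"


def port_is_listening(host="127.0.0.1", port=1514, timeout=2.0):
    """True if host:port accepts a TCP connection (sender-side view of netstat -tlpn)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_cef(line, host="127.0.0.1", port=1514, timeout=5.0):
    """Send one newline-terminated CEF line over raw TCP; returns the bytes written."""
    payload = (line + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def start_stand_in_listener():
    """Throwaway local listener standing in for the connector (constructed for the self-test).

    Accepts connections until one delivers a non-empty line; returns (port, received, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so the test never needs 1514
    srv.listen(5)
    received = []

    def run():
        while not received:
            conn, _ = srv.accept()
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
            if data.strip():  # a bare probe connection carries no line
                received.append(data.decode("utf-8").rstrip("\n"))
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], received, thread


def self_test():
    """End-to-end run against the local stand-in; returns (sent_line, received_line, bytes_sent)."""
    port, received, thread = start_stand_in_listener()
    assert port_is_listening(port=port), "stand-in listener not reachable"
    # Constructed sample event; the pipe in the name and '=' in msg exercise the escaping.
    line = build_cef("EclecticIQ", "Platform", "2.x", "100", "Indicator|ip", 5,
                     {"src": "198.51.100.7", "msg": "test=value", "cs1": "demo"})
    sent = send_cef(line, port=port)
    thread.join(timeout=5)
    return line, (received[0] if received else None), sent


if __name__ == "__main__":
    sent_line, got_line, n = self_test()
    print("sent   :", sent_line)
    print("received:", got_line)
    print("intact  :", sent_line == got_line, f"({n} bytes)")
    # Against a real connector: send_cef(sent_line, host="<connector server>", port=1514)
```

To exercise a real connector, call send_cef() with the connector server's address and port 1514, then look for the event in the connector's logs directory or in an active channel in the ArcSight Console. Because the connector speaks raw, unencrypted TCP, the listener should only be reachable from the EclecticIQ Platform host, which is worth confirming with the same port_is_listening() probe from a host that should not have access.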