Installation of Smart Connector(s)

The basic integration with EclecticIQ Platform consists of an ArcSight Smart Connector and the provided EclecticIQ base content package for ArcSight ESM.

The recommended connector is a Syslog Daemon connector, which receives threat intelligence in CEF format and forwards it into ArcSight ESM.

This connector can be installed on a separate connector server.

For a bi-directional integration, a second ArcSight CounterACT Smart Connector is needed to talk back to EclecticIQ Platform and create sightings there.

Prerequisites

  • A running ArcSight ESM instance.

  • A running EclecticIQ Platform instance.

  • A separate connector server to install the receiving syslog daemon connector.

  • A TCP or UDP port opened on that server for the syslog daemon connector; this guide uses TCP 1514.

Install the smart connectors

  1. Log in to EclecticIQ Platform via SSH.

  2. Create a user named arcsight, create a directory to host the connectors, and set its ownership:

    sudo useradd arcsight
    sudo passwd arcsight
    sudo mkdir -p /opt/arcsight/connectors
    sudo chown -Rv arcsight:arcsight /opt/arcsight/
    
  3. Upload the latest 64-bit ArcSight Connector binary to the platform.

  4. Install the receiving syslog daemon connector as user arcsight:

    sh ArcSight-7.3.0.7886.0-Connector-Linux64.bin
    

    Install the connector into /opt/arcsight/connectors/eiq-cef-syslog-daemon.

  5. Run the connector configuration as user arcsight:

    /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/runagentsetup.sh
    

    Use the following settings:

    Type: Syslog Daemon
    Network Port: 1514
    IP Address: (ALL)
    Protocol: Raw TCP
    Forwarder: false
    
    ArcSight Manager Destination:
    Manager Hostname: <ESM fully qualified domain name>
    Manager Port: 8443
    User: <user allowed to register connectors>
    Password: ********
    AUP Master Destination: true
    Filter Out All Events: false
    Enable Demo CA: false
    
    Connector details
    
    Name[]:eiq-cef-syslog-daemon
    Location[]: eiq-platform.local
    DeviceLocation[]:
    Comment[]: TCP syslog connector - port 1514 for CEF input
    
  6. Install the connector service wrapper script as root:

    sudo /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/arcsight agentsvc -i -u arcsight -sn eiq-cef-syslog-daemon
    
  7. Start the connector service:

    sudo /etc/init.d/arc_eiq-cef-syslog-daemon start
    

    Make sure the connector is running and listens on the configured port:

    sudo netstat -tlpn | grep 1514
    
  8. The receiving connector should appear in a running state in the ArcSight Console:

    Connectors/Shared/All Connectors/eiq-arc.local/eiq-syslog-cef_tcp(running).

The connector logs its operations to:

/opt/arcsight/connectors/eiq-cef-syslog-daemon/current/logs
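Once the connector shows as running (step 8), the listener can be verified end to end by sending it a single CEF event over raw TCP on port 1514. The script below is an added example, not code from the EclecticIQ or ArcSight documentation: it builds a CEF:0 line with the escaping rules the format requires (backslash and pipe in header fields, backslash and equals sign in extension values), wraps it in a BSD-style syslog header, and optionally delivers it with nc. The device vendor/product/version header values, the sample indicator, the hostname eiq-platform.local and the CONNECTOR_HOST default are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the EclecticIQ or ArcSight documentation).
# Builds a CEF event wrapped in a syslog line, the shape the Syslog Daemon
# connector configured above ingests on TCP 1514, and optionally sends it
# so the listener can be verified after step 8.
# Constructed placeholders: the vendor/product/version header fields,
# the sample indicator values and the CONNECTOR_HOST default.

CONNECTOR_HOST="${CONNECTOR_HOST:-127.0.0.1}"   # assumption: address of the connector server
CONNECTOR_PORT="${CONNECTOR_PORT:-1514}"        # Network Port chosen in runagentsetup.sh
DEVICE_VENDOR="EclecticIQ"                      # constructed header values
DEVICE_PRODUCT="EclecticIQ Platform"
DEVICE_VERSION="2.x"

# CEF header fields: a literal backslash or pipe must be escaped with a backslash.
cef_escape_header() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/|/\\|/g'
}

# CEF extension values: a literal backslash or equals sign must be escaped.
cef_escape_ext() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/=/\\=/g'
}

# build_cef SIGNATURE_ID NAME SEVERITY [KEY VALUE]...
# Prints one CEF:0 line; extension pairs are escaped and space-separated.
build_cef() {
    sig=$(cef_escape_header "$1")
    name=$(cef_escape_header "$2")
    sev=$3
    shift 3
    ext=""
    while [ $# -ge 2 ]; do
        ext="${ext}${ext:+ }$1=$(cef_escape_ext "$2")"
        shift 2
    done
    printf 'CEF:0|%s|%s|%s|%s|%s|%s|%s' \
        "$DEVICE_VENDOR" "$DEVICE_PRODUCT" "$DEVICE_VERSION" "$sig" "$name" "$sev" "$ext"
}

# syslog_frame TIMESTAMP HOSTNAME CEF_LINE
# Wraps the CEF line in a BSD-style syslog header; <134> is local0.info.
syslog_frame() {
    printf '<134>%s %s %s' "$1" "$2" "$3"
}

# send_event SYSLOG_LINE: deliver over raw TCP (the Protocol chosen above).
# Requires nc on the sending host; not run unless SEND_TEST_EVENT=1.
send_event() {
    printf '%s\n' "$1" | nc -w 2 "$CONNECTOR_HOST" "$CONNECTOR_PORT"
}

# Constructed sample: an indicator name containing '|' and a message
# containing '=', which exercises both escaping rules.
sample_event() {
    cef=$(build_cef "100" "Indicator: evil|domain" 7 \
        dst 198.51.100.7 msg "source=constructed sample")
    syslog_frame "$(date '+%b %e %H:%M:%S')" "eiq-platform.local" "$cef"
}

if [ "${SEND_TEST_EVENT:-0}" = "1" ]; then
    send_event "$(sample_event)"
else
    sample_event
    echo
fi
```

Run it without arguments to print the line it would send; run it with SEND_TEST_EVENT=1 and CONNECTOR_HOST set to the connector server to deliver the event, then confirm it arrives in the ArcSight Console and appears in the connector logs under /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/logs. If the event is absent, check with netstat (step 7) that the listener is bound to 1514 before looking at the connector's own configuration.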