Installation of Smart Connector(s)
The basic integration with EclecticIQ Platform consists of an ArcSight Smart Connector and the provided EclecticIQ base content package for ArcSight ESM.
The recommended connector is a syslog daemon connector that receives threat intelligence in CEF format and forwards it into ArcSight ESM.
This connector can be installed on a separate connector server.
For a bi-directional integration, a second ArcSight CounterACT Smart Connector is needed to talk back to EclecticIQ Platform and create sightings there.
A running ArcSight ESM instance.
A running EclecticIQ Platform instance.
A separate connector server to install the receiving syslog daemon connector.
Open a TCP or UDP port on that server for the syslog daemon connector; this guide uses TCP 1514.
Install the smart connectors
Log in to EclecticIQ Platform via SSH.
Create a user named arcsight and a directory to host the connectors, and set its permissions:
sudo useradd arcsight
sudo passwd arcsight
sudo mkdir -p /opt/arcsight/connectors
sudo chown -Rv arcsight:arcsight /opt/arcsight/
Upload the latest 64-bit ArcSight Connector binary to the platform.
Install the receiving syslog daemon connector as user arcsight:
install the connector in
Run the connector configuration as user arcsight:
Use the following settings:
Type: Syslog Daemon
Network Port: 1514
IP Address: (ALL)
Protocol: Raw TCP
Forwarder: false
ArcSight Manager Destination:
Manager Hostname: <ESM fully qualified domain name>
Manager Port: 8443
User: <user allowed to register connectors>
Password: ********
AUP Master Destination: true
Filter Out All Events: false
Enable Demo CA: false
Connector details
Name: eiq-cef-syslog-daemon
Location: eiq-platform.local
DeviceLocation:
Comment: TCP syslog connector - port 1514 for CEF input
Install the connector service wrapper script as root:
sudo /opt/arcsight/connectors/eiq-cef-syslog-daemon/current/bin/arcsight agentsvc -i -u arcsight -sn eiq-cef-syslog-daemon
Start the connector service:
sudo /etc/init.d/arc_eiq-cef-syslog-daemon start
Make sure the connector is running and listening on the configured port:
sudo netstat -tlpn | grep 1514
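As an added smoke test for the finished setup (example code, not part of the original guide): it assembles a CEF:0 event with correct header and extension escaping, checks that something is listening on the configured port 1514, and pushes the event over raw TCP to the connector. The event content and the 127.0.0.1 destination are assumptions.

```shell
#!/usr/bin/env bash
# Added smoke test for the receiving connector (not part of the original guide):
# build a well-formed CEF:0 event and push it over raw TCP to the port configured
# above (1514). Event content and the host 127.0.0.1 are constructed assumptions.
# Escape a CEF header field: backslash and pipe must be escaped there.
cef_escape_header() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/|/\\|/g'
}
# Escape a CEF extension value: backslash and equals sign must be escaped there.
cef_escape_ext() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/=/\\=/g'
}

# build_cef_event VENDOR PRODUCT VERSION SIGNATURE_ID NAME SEVERITY [key=value ...]
# Emits one CEF:0 line; header fields are escaped, extensions are space separated.
build_cef_event() {
  local vendor product version sigid name severity ext="" kv
  vendor=$(cef_escape_header "$1"); product=$(cef_escape_header "$2")
  version=$(cef_escape_header "$3"); sigid=$(cef_escape_header "$4")
  name=$(cef_escape_header "$5");    severity=$6
  shift 6
  for kv in "$@"; do
    ext="$ext${ext:+ }${kv%%=*}=$(cef_escape_ext "${kv#*=}")"
  done
  printf 'CEF:0|%s|%s|%s|%s|%s|%s|%s\n' \
    "$vendor" "$product" "$version" "$sigid" "$name" "$severity" "$ext"
}

# Count unescaped header separators; a valid CEF header has exactly 7.
cef_header_pipes() {
  printf '%s' "$1" | sed 's/\\|//g' | tr -cd '|' | wc -c | tr -d ' '
}

# Same check as the netstat step above, using ss: is TCP port $1 listening?
check_listener() {
  ss -tln 2>/dev/null | grep -q ":$1 "
}

# Raw TCP syslog: one newline-terminated event per connection is enough here.
send_cef_event() {
  printf '%s\n' "$3" > "/dev/tcp/$1/$2"   # bash built-in TCP redirection
}

if [ "${1:-}" = "--send" ]; then
  ev=$(build_cef_event "EclecticIQ" "Platform" "2.0" "ioc-ipv4" "Indicator sighting" 5 \
        "dst=203.0.113.10" "cs1Label=feed" "cs1=constructed-test-feed")
  check_listener 1514 && send_cef_event 127.0.0.1 1514 "$ev" && echo "sent: $ev"
fi
```

Run it with `--send` on the connector host; the event should then show up in the ArcSight Console under the eiq-cef-syslog-daemon connector.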
The receiving connector should appear in a running state in the ArcSight Console:
The connector logs its operations to: