ArcSight SmartConnector Installation
Follow the detailed steps in the ArcSight SmartConnector User Guide to install
the ArcSight SmartConnector:
https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors/
select the Application check box to capture the Application logs.
connector setup
Data Collection from a Windows Agent
Delinea software logs events in the Application logs on Windows machines. To
capture the Application logs, Delinea uses the ArcSight SmartConnector for
Windows.
There are a number of ways to collect data from Windows machines.
Some of the supported options include:
-
Data collection from a stand-alone Windows machine:
Application logs are collected on a stand-alone Windows machine and parsed using
the FlexConnector parser. Parsed events are forwarded to the ArcSight ESM where
all of the data from Delinea Server Suite is stored, and the ArcSight Console
is used to access that data.
-
Data collection using the Windows Event Forwarding (WEF) feature:
ArcSight SmartConnector supports WEF to collect Application logs forwarded by
several Windows machines to a central machine. You install the ArcSight
SmartConnector only on the central Windows machine that received the forwarded
events and enable the WFE while installing the ArcSight SmartConnector.
-
Data collection using the Active Directory (AD) Source:
ArcSight SmartConnector supports log collection for all of the member machines
from the Active Directory Source itself. You install the ArcSight SmartConnector
only on the AD server. During installation, you provide the Domain Controller
name and its credentials. If the credentials and the domain name are correct, a
list of all the member machines of that Domain Controller are seen in a new
window. Users select only those Windows machines from which they want to collect
Application logs.
Installing the ArcSight SmartConnector on a Windows Agent
To install ArcSight SmartConnector on a Windows agent:
-
Execute the ArcSight SmartConnector binary for Windows.
-
Choose an installation folder.
The default folder is:
C:\Programme Files\ArcSightSmartConnectors -
Wait for the installation to complete.
connector setup
-
When you are prompted to select the connector to configure, select Microsoft
Windows Event Log – Unified and click Next. -
If you want to use Windows Event Forwarding, select Enable WEF.
Note: You can also provide your Active Directory server parameters to get
a list of all member VMs, and then select only those Windows machines from which
you want to collect Application logs. As you are only installing on a
stand-alone machine at this point, leave all of these parameters blank. -
For the browser type, select Enter Devices Manually (do not use AD Source here).
-
Enter your host details.
-
Make sure that you only select the Application check box to capture the
Application logs because Delinea audit trail events are only stored in
the Windows Application logs. -
-
connector setup
-
-
When you are prompted for the type of destination, select ArcSight Manager
(encrypted).-
You select ArcSight Manager (encrypted) because Delinea is forwarding the
collected logs to the ArcSight ESM.
-
-
Provide your ArcSight ESM details:
-
Enter the following information for the machine where the ArcSight ESM is
installed:-
Hostname
-
Port
-
Username
-
Password
-
-
-
Provide a name for your ArcSight SmartConnector.
To assist you in assigning an applicable name, understand that the name is
displayed on the ArcSight Console to identify those SmartConnector events
that the console is receiving. -
(Optional) If you want to use your ArcSight ESM certificate, select Import Certificate from your ArcSight ESM.
-
Specify whether you want to install the ArcSight SmartConnector as a service or as a stand-alone application.
-
Install as a Service is generally preferred.
-
Data Collection from a Linux Agent
Delinea software logs events in the syslog directory on Linux machines. To
collect the Linux syslog messages, choose from these options:
-
Data collection from a stand-alone Linux machine:
To collect syslog messages from stand-alone Linux machines, use the Syslog File
type of connector. You provide the directory location for syslog collection.
Make sure that you have access to the syslog directory to avoid the error:
permission denied.
-
Data collection using the Syslog Daemon on a central Linux machine:
The Syslog Daemon type of connector is a syslogd-compatible daemon designed to
work in operating systems that have no syslog daemon in their default
configuration, such as Microsoft Windows.
The SmartConnector for the Syslog Daemon implements a UDP receiver on port 514
(the default; which can also be configured) that can be used to receive syslog
events. Use of the TCP protocol or a different port can be configured manually.
You can forward the syslog from multiple Linux agents to a single machine. For
example, when you configure the Syslog Daemon Connector on the 514 UDP port, you
need to specify the receiving syslog port (514) and the protocol (UDP).
Installing the SmartConnector on a Linux Agent
To install the SmartConnector:
-
Execute the SmartConnector binary for Linux.
-
Use the default name for the home folder.
-
Wait for the installation to complete.
-
When you are prompted to select the connector to configure, select Syslog File.
| -
Enter the file or directory of the syslog that you want to monitor.
-
When you are prompted to enter the type of destination, select ArcSight
Manager (encrypted) and click Next.-
-
arcsight manager
-
You select ArcSight Manager (encrypted) because Delinea is forwarding the
collected logs to the ArcSight ESM.
-
-
Provide your ArcSight ESM details.
-
Enter the following information for the machine where the ArcSight ESM is
installed:-
Hostname
-
Port
-
Username
-
Password
-
-
-
Provide a name for your ArcSight connector.
-
To assist you in assigning an applicable name, understand that the name is displayed on the ArcSight Console to identify those SmartConnector events that the console is receiving.
-
-
(Optional) If you want to use your ArcSight ESM certificate, select Import Certificate from your ArcSight ESM.
-
After the installation, check the status of the ArcSight SmartConnector
service using following command:-
/etc/init.d/arc_syslog_file status
-
