Configuration Guide

ArcSight™ Express Version 5.0 Patch 1
October 20, 2010
Copyright © 2010
ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight
Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery,
ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT
are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be
trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements:
http://www.arcsight.com/company/copyright/
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is ArcSight Confidential.
Revision History
Date       Product Version                          Description
10/20/10   ArcSight™ Express Version 5.0 Patch 1    Released with ESM v5.0 Patch 1
ArcSight Customer Support
Phone: 1-866-535-3285 (North America), +44 (0)870 141 7487 (EMEA)
E-mail: support@arcsight.com
Support Web Site: http://www.arcsight.com/supportportal/
Protect 724 Community: https://protect724.arcsight.com
Contents
Chapter 1: What is ArcSight Express?
  Pre-installed Components on ArcSight Express Appliance
    ArcSight Manager
    ArcSight Database
    ArcSight Web
    ArcSight Forwarding Connector
  Pre-installed Components on ArcSight Storage Appliance
    ArcSight Logger
    ArcSight Connector Management
  ArcSight Console
  Deployment Overview
  ArcSight Express Communication Overview
    Effect on Communication when Components Fail
  Related Documents
Chapter 2: Configuring ArcSight Storage Appliance
  Define Storage Volume
  Create Storage Groups
  Configure NTP
  Indexing
  Reboot Appliance
  Create SmartMessage Receivers
  Adding an ArcSight Storage Appliance
Chapter 3: Configuring ArcSight Express Appliance
  Configuring ArcSight Express Appliance
    Configuring the Operating System
    Configuring Software Components on ArcSight Express Appliance
  The Next Steps
Chapter 4: Installing ArcSight Console
  Console Supported Platforms
  Using a PKCS#11 Token
  Installing the Console
    Transferring Configuration from an Existing Installation
    Selecting the Mode in which to Configure ArcSight Console
    Manager Connection
    SSL Certificate used by Manager
    Authentication
    Web Browser
    User Logs and Preferences
  Starting the ArcSight Console
    Logging into the Console
  Creating ArcSight Express Users
  Reconnecting to the ArcSight Manager
  Reconfiguring the ArcSight Console
  Uninstalling the ArcSight Console
Chapter 5: Using SmartConnectors with ArcSight Express
  Installing the SmartConnector
  Importing the Manager’s Certificate
    Using keytoolgui to Import Manager’s Certificate
      Exporting the Manager’s Certificate
      Importing the Manager’s Certificate into the SmartConnector’s Truststore
    Import the Manager’s certificate using the Connector Manager
Appendix A: Troubleshooting
  Location of Log files for Components
  Customizing ESM Components Further
  Fatal Error when Running the First Boot Wizard
  Manager Service Failed when Starting
  “Failed” Status while Configuring or Starting a Component
  Changing IP Address of ArcSight Express Appliance After Configuring it in the First Boot Wizard
  Changing Host Name of ArcSight Express Appliance After Configuring it in the First Boot Wizard
Appendix B: Default Settings for Components
  General
  ArcSight Database
    About Data Retention on ArcSight Express
  ArcSight Manager
  About ArcSight Web
  ArcSight Forwarding Connector
  ArcSight Logger
Appendix C: Restoring Factory Settings
Index
Chapter 1
What is ArcSight Express?
ArcSight Express is a Security Information and Event Management (SIEM) solution that
provides the essentials for security monitoring by leveraging ArcSight ESM’s superior
correlation capabilities in combination with an ArcSight Storage Appliance. ArcSight Express
delivers an easy-to-deploy enterprise-level security monitoring and response system
through a series of coordinated resources, such as dashboards, rules and reports included
as part of ArcSight Express Content.
This chapter covers the following topics:
“Pre-installed Components on ArcSight Express Appliance” on page 1
“Pre-installed Components on ArcSight Storage Appliance” on page 2
“ArcSight Console” on page 3
“Deployment Overview” on page 3
“ArcSight Express Communication Overview” on page 4
“Related Documents” on page 5
The ArcSight Express solution can be comprised of the following appliances:
• ArcSight Express Appliance
  The ArcSight Express Appliance comes with ArcSight Database, ArcSight Manager,
  ArcSight Web and ArcSight Forwarding Connector pre-installed on it.
• ArcSight Storage Appliance
  The ArcSight Storage Appliance serves as a long term data storage hardware solution
  that receives and stores events, and supports search and retrieval of the stored
  events. It has the ArcSight Logger software pre-installed on it. The ArcSight Storage
  Appliance comes as a standard component with certain models of ArcSight Express
  only. However, you can purchase the ArcSight Storage Appliance separately for models
  of ArcSight Express with which it is not included.
Pre-installed Components on ArcSight Express Appliance
The ArcSight Express Appliance has the following software components pre-installed on it:
• ArcSight Manager
• ArcSight Database
• ArcSight Web
• ArcSight Forwarding Connector
ArcSight Manager
ArcSight Manager is at the center of the ArcSight Express Appliance. The Manager is a
software component that functions as a server that receives event data from Connectors
and correlates and stores them in the database. The Manager also provides advanced
correlation and reporting capabilities. The ArcSight Web interface is used to retrieve this
information from the Manager and display it.
ArcSight Database
ArcSight Database is the central repository for all information collected by the ArcSight
Manager and is based on Oracle DBMS. It also stores the configuration information for
users, groups, rules, dashboards, assets, and reports.
ArcSight Web
ArcSight Web is the primary user interface for ArcSight Express. ArcSight Web is a web
server component that enables you to access ArcSight Manager securely using a browser.
ArcSight Web supports the following browsers on the Windows Vista or Windows XP
platforms:
• Internet Explorer 7 and 8
• Safari on Macintosh 4
• Firefox on Windows and Linux 3.0 - 3.6
• Firefox on Macintosh 3.6
Check the Product Lifecycle document available on the ArcSight Customer
Support website for information on the exact browser versions supported.
ArcSight Web is an easy-to-use interface designed for operators in a Security Operations
Center (SOC) and customers of a Managed Security Service Provider (MSSP) who need to
view information on the Manager.
ArcSight Forwarding Connector
The ArcSight Forwarding Connector is a component that transports events from the
ArcSight Express Appliance to the ArcSight Storage Appliance.
Pre-installed Components on ArcSight Storage Appliance
The ArcSight Storage Appliance comes installed with the following software:
ArcSight Logger
ArcSight Logger is a log management solution that is optimized for extremely high event
throughput. Logger stores time-stamped text messages, called events, at high sustained
input rates and can optionally forward selected events. Logger compresses raw data, but
can always retrieve unmodified data on demand, for forensics-quality litigation data.
ArcSight Connector Management
ArcSight Connector Management software incorporates a number of onboard ArcSight
SmartConnectors and a web-based user interface that provides centralized management
for SmartConnectors.
SmartConnectors are ArcSight software components that forward security events from a
wide variety of devices and security event sources to ArcSight Logger.
You have the option to use up to four SmartConnector(s) locally depending on available
resources on the ArcSight Storage Appliance.
ArcSight Console
The ArcSight Console provides a user interface for you to perform administrative tasks on
ArcSight Express, such as fine tuning the pre-installed ArcSight Express content and
managing users. ArcSight Console is not bundled with ArcSight Express and should be
separately installed on a system other than the ArcSight Express Appliance.
Deployment Overview
The following is an example of how various ArcSight components are normally deployed in
a network.
Figure 1-1 ArcSight Express Deployment Overview
ArcSight Express Communication Overview
ArcSight Console, ArcSight Manager, and ArcSight SmartConnector communicate using
HTTP (HyperText Transfer Protocol) over SSL (Secure Sockets Layer), often referred to as
HTTPS (HyperText Transfer Protocol Secure). The HTTPS protocol provides for data
encryption, data integrity verification, and authentication for both server and client.
Figure 1-2 ArcSight Express Solution - Communication Overview
SSL works over TCP (Transmission Control Protocol) connections. The default incoming TCP
port on ArcSight Manager is 8443, for ArcSight Web it is 9443 and for ArcSight Storage
Appliance it is 443.
The Manager never makes outgoing connections to the Console, ArcSight Web, or
SmartConnectors. The Manager connects to the Database on the appliance locally using
JDBC.
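The following is an added example, not part of the original ArcSight guide: a shell script that reads an iptables-save style ruleset and reports which of the inbound TCP ports named in this guide (8443 for the Manager, 9443 for ArcSight Web, and 22 for remote ssh access) would not be accepted. The ruleset is a constructed sample, and the script assumes the rules sit directly in the INPUT chain and match only on protocol and destination port.

```shell
#!/bin/sh
# Added example (not ArcSight code): audit an iptables-save dump against the
# inbound TCP ports this guide names for the ArcSight Express Appliance.
REQUIRED_TCP="22 8443 9443"   # ssh, ArcSight Manager, ArcSight Web

# Constructed sample ruleset, not taken from a real appliance.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9443 -j DROP
-A INPUT -p tcp -m tcp --dport 9000:9500 -j ACCEPT
COMMIT
EOF
}

# port_allowed PROTO PORT  (ruleset on stdin)
# Exit status 0 if a new inbound connection to PORT would be accepted.
# iptables is first-match: the first rule covering the port decides, and the
# chain policy applies when no rule matches. Simplification (assumption):
# source, interface and multiport matches are not evaluated.
port_allowed() {
  awk -v proto="$1" -v port="$2" '
    $1 == ":INPUT" { policy = $2 }            # chain policy line
    $1 == "-A" && $2 == "INPUT" && !decided {
      if ($3 == "-j") {                       # unconditional rule
        if ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") {
          verdict = $4; decided = 1
        }
        next
      }
      p = ""; d = ""; t = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p") p = $(i + 1)
        else if ($i == "--dport") d = $(i + 1)
        else if ($i == "-j") t = $(i + 1)
      }
      if (p != proto || d == "") next         # rule does not name this port
      n = split(d, r, ":")                    # single port or lo:hi range
      lo = r[1] + 0
      hi = (n == 2 ? r[2] : r[1]) + 0
      if (port + 0 < lo || port + 0 > hi) next
      if (t == "ACCEPT" || t == "DROP" || t == "REJECT") {
        verdict = t; decided = 1
      }
    }
    END {
      if (!decided) verdict = policy
      exit (verdict == "ACCEPT" ? 0 : 1)
    }'
}

# missing_ports  (ruleset on stdin)
# Prints the required ports that are not accepted, space separated.
missing_ports() {
  rules=$(cat)
  missing=""
  for port in $REQUIRED_TCP; do
    if ! printf '%s\n' "$rules" | port_allowed tcp "$port"; then
      missing="$missing $port"
    fi
  done
  printf '%s\n' "${missing# }"
}

# In the sample, 9443 is reported: the DROP rule precedes the wider ACCEPT range.
echo "Not accepted inbound: $(sample_rules | missing_ports)"
```

On a live system the same functions can be fed the output of iptables-save instead of sample_rules.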
Effect on Communication when Components Fail
If any one of the software components in ArcSight Express Appliance is unavailable, it can
affect communication between other components.
If the database is unavailable for any reason, such as when the database is filled to capacity,
the Manager stops accepting events and caches any events that were not committed to the
database. The SmartConnectors also start caching new events they receive, so there is no
event data loss. The Console gets disconnected. All existing ArcSight Web connections are
disconnected and no new login requests to the Web server are accepted until the database
is up and running again.
If the Manager is unavailable, the SmartConnectors start caching events to prevent event
data loss. The database server is idle. The Console is disconnected. All existing ArcSight
Web connections are disconnected and no new login requests to the Web server are
accepted.
If a SmartConnector fails, whether event data loss will occur or not depends on the
SmartConnector type. SmartConnectors that listen for events from devices such as the
SNMP SmartConnectors will stop accepting events. However, a SmartConnector that polls a
device, such as the NT Collector SmartConnector, may be able to collect events that were
generated while the SmartConnector was down, once the SmartConnector comes back up.
If the Forwarding Connector fails, the Manager will continue to store the events in its file
store which is 10 GB in size. If the file store gets filled up, the Manager will start dropping
the oldest events and the newer events will continue to get stored on the file store.
If the ArcSight Storage Appliance fails, the Forwarding Connector will cache the events that
were supposed to be forwarded to the ArcSight Storage Appliance.
Related Documents
To get you started, the Getting Started with ArcSight Express document is available in hard
copy and is packaged with ArcSight Express.
The ArcSight Express Online Help is available from the ArcSight Console. Also, in addition
to this guide, you can refer to and download the following documents from the ArcSight
Customer Support download site:
• Getting Started with ArcSight Express
• Getting Started with ArcSight Logger
• ArcSight Logger Administrator’s Guide
• ArcSight ESM Installation and Configuration Guide
• ArcSight ESM Administrator’s Guide
• SmartConnector Configuration Guide for ArcSight Forwarding Connector
• SmartConnector User’s Guide
• ArcSight Express Release Notes
Chapter 2
Configuring ArcSight Storage Appliance
This chapter covers the following topics:
“Define Storage Volume” on page 8
“Create Storage Groups” on page 8
“Configure NTP” on page 8
“Indexing” on page 9
“Reboot Appliance” on page 9
“Create SmartMessage Receivers” on page 9
“Adding an ArcSight Storage Appliance” on page 9
After you have set up the hardware for ArcSight Express, the next step is to initialize
the ArcSight Storage Appliance if applicable. ArcSight Storage Appliance (Storage
Appliance) is included with certain models of ArcSight Express.
The ArcSight Express Storage Appliance is also known as ArcSight Logger when purchased
separately. Refer to the ArcSight Logger Administrator’s Guide for details on how to
configure ArcSight Storage Appliance. You can download this guide from the ArcSight
Customer Support download site.
It is very important that you initialize the appliance in the sequence shown here. The
ArcSight Storage Appliance can be reset to its initial condition, but other than that, several
of the settings described here cannot be changed once set.
Make sure that you have obtained the license file from ArcSight Customer
Support and installed it on your appliance.
One-time initialization can only be changed by performing a factory reset (see
Appendix C‚ Restoring Factory Settings‚ on page 65). Be sure you know how
you want the ArcSight Storage Appliance storage set up before performing the
first steps of the initialization sequence (up to rebooting).
This sequence ensures that resources are created and parameters are set in the proper
order:
1. Define Storage Volume - establish where ArcSight Storage Appliance stores event data
2. Create Storage Groups - apply retention policies to the Storage Volume
3. Configure NTP (optional, but strongly recommended)
4. Indexing
5. Reboot Appliance - commit the changes made in previous steps
6. Create SmartMessage Receivers
Define Storage Volume
Establish the ArcSight Storage Appliance’s Storage Volume. See the section on Storage
Volume in the ArcSight Logger Administrator’s Guide for details. Choose Local to use
Logger’s built-in storage.
You can choose to pre-allocate your Storage Volume to save time later. Performance is
degraded if you don’t pre-allocate at least a portion of the storage volume. ArcSight
recommends 100% pre-allocation for your Storage Volume.
Storage Volume cannot be extended after initialization.
Create Storage Groups
Once the Storage Volume has been created, you must define the Default Storage Group.
ArcSight recommends that you increase the maximum size of the Storage Group and
increase the maximum age of the event retention policy to meet your internal data
retention policy. For example:
• Increase the maximum size to 500 GB (this can be increased in the future if needed)
• Set the maximum age to 120 days.
Create a second Storage Group with storage size of 5 GB and retention period set to 30
days.
Do not reboot the Appliance in the next step unless you are certain of your
Storage Volume and Storage Group choices. Additional Storage Groups cannot
be created once the Appliance is initialized.
See the section on Storage Groups in the ArcSight Logger Administrator’s Guide for the
details of adding Storage Groups.
Configure NTP
Optional, but a strongly recommended initialization step.
Precise time stamping of events is a key log management function. Therefore, ArcSight
strongly recommends that you use Network Time Protocol (NTP) for system time instead of
manually configuring it. See the section on Time Settings in the ArcSight Logger
Administrator’s Guide.
Indexing
The default option on the ArcSight Storage Appliance is No Indexing. However, ArcSight
recommends using default indexing options for the Storage Appliance for better
performance.
Reboot Appliance
Reboot the system to commit changes before other resources can be created. See the
section on System Reboot in the ArcSight Logger Administrator’s Guide.
When the ArcSight Storage Appliance is rebooted, the Storage Volume and
Storage Group settings become permanent. Only certain settings of
non-default Storage Groups can be changed. See the ArcSight Logger
Administrator’s Guide for details on this.
Create SmartMessage Receivers
After initializing the storage, you can create a SmartMessage Receiver to listen for events.
Make sure to use the settings mentioned below when creating the SmartMessage Receiver:
• Receiver Name: esm-manager-receiver (or any name of your choice)
  Make sure to create a receiver on the ArcSight Storage Appliance. Also, make a note of
  the receiver name. You will be required to enter the receiver name when configuring
  the ArcSight Express Appliance. The receiver name you enter has to match the
  receiver name you configured on the ArcSight Storage Appliance exactly.
• Receiver Type: SmartMessage
• Receiver Encoding: UTF-8
After the SmartMessage Receiver is configured, enable the Receiver.
For more information about setting up the Receiver, see the ArcSight Logger
Administrator’s Guide.
The next step is to configure the ArcSight Express Appliance. Refer to the chapter,
“Configuring ArcSight Express Appliance” on page 11.
Adding an ArcSight Storage Appliance
ArcSight Storage Appliance (Storage Appliance) is included with certain models of ArcSight
Express. For those ArcSight Express models that do not include ArcSight Storage Appliance,
you can purchase and install the Storage Appliance separately at a later time.
The ArcSight Express Storage Appliance is also known as ArcSight Logger when purchased
separately.
See the Getting Started with ArcSight Logger document to install your newly purchased
ArcSight Storage Appliance.
Once you have installed the ArcSight Storage Appliance, you will need to configure the
ArcSight Forwarding Connector to send the events to the Storage Appliance. Refer to the
sections, “Sending Events to ArcSight Logger” and “Forwarding Events to ArcSight Logger”
in the SmartConnector Configuration Guide for ArcSight Forwarding Connector document
available on the ArcSight Customer Support website.
Chapter 3
Configuring ArcSight Express Appliance
This chapter covers the following topics:
“Configuring ArcSight Express Appliance” on page 11
“Configuring the Operating System” on page 11
“Configuring Software Components on ArcSight Express Appliance” on page 22
“The Next Steps” on page 30
The steps in this chapter presume that you have followed the instructions in the Getting
Started with ArcSight Express document to set up the ArcSight Storage Appliance if
applicable and the ArcSight Express Appliance.
Make sure that you have done the following:
• (If applicable) Installed the ArcSight Storage Appliance according to the instructions in
  the Getting Started with ArcSight Logger document available on the ArcSight Customer
  Support download site.
• Installed the ArcSight Express Appliance according to the instructions in the Getting
  Started with ArcSight Express document that is included with ArcSight Express.
We recommend that you read the ArcSight Express Release Notes before proceeding
further.
Configuring ArcSight Express Appliance
Configuring ArcSight Express Appliance is a two-step process:
1. Configuring the Oracle Enterprise Linux operating system installed on the appliance.
2. Configuring the ArcSight Express software components that have been pre-installed on
   the appliance.
Both of these are performed through the First Boot Wizard, which starts automatically when
you boot up the appliance for the first time.
Configuring the Operating System
The ArcSight Express Appliance has the Oracle Enterprise Linux operating system installed.
You have to set up the preferences for Oracle Enterprise Linux only when you boot the system
for the first time or when you boot the system after a factory restore.
The following wizard will help you set the preferences for Oracle Enterprise Linux:
1. Click Next on the Welcome screen:
2. Read the license agreement. This license agreement is for Oracle Linux. Select Yes, I
   agree to the License Agreement if you agree with it, and click Next:
3. Select the Keyboard you will be using and click Next:
4. Select your mouse configuration and click Next:
5. Enter a password for the root account which is used for system administration.
   Re-enter to confirm it. Click Next:
6. Most components, including the Manager and ArcSight Web, run using an “arcsight”
   user account for security reasons. The “arcsight” user account has already been
   created for you. Set up a password for the user “arcsight” in the following screen and
   click Next:
7. Oracle runs as the user “oracle”. Set up a password for the Oracle user “oracle” in the
   following screen and click Next:
8. The next step is to configure the IP addresses for the appliance. The appliance is set
   up with the following pre-defined IP addresses:
   • 192.168.35.35 for eth0
   • 192.168.36.35 for eth1
   • 192.168.37.35 for eth2
   • 192.168.38.35 for eth3
   Click Change Network Configuration... in the following screen and configure the
   eth0 interface:
   For the Network Setup screens, please note that if you click on the wizard
   screen when the network setup dialog is in the foreground, the network
   dialog disappears and the wizard buttons remain inoperable. Use Alt-Tab to
   switch back to the network setup dialog.
   a. Click the DNS tab in the Network Configuration dialog and enter a host name,
      DNS servers, and DNS search path (domain name) for the ArcSight Express
      Appliance, then click File->Save to save the changes.
      Make sure that you do not change the default values in the Hosts tab of the
      panel shown above. If you change the default values, it could lead to loss of
      network connectivity and you will receive this error:
      Could not look up internet addresses for <hostname>.This will
      prevent GNOME from operating correctly.
   b. Click the Devices tab. To configure a network interface, select it and click the
      Edit button:
      If you plan to configure a single network interface, make sure to
      configure the eth0 interface. Configuring eth1 will cause the Manager
      to not communicate with the database.
   c. Set the IP address, subnet mask, and default gateway in the Ethernet Device
      dialog and click OK:
      Make sure that the IP address you set up is not already in use. The
      First Boot Wizard will report errors if the IP address has not been configured
      correctly.
      If you want to change the host name or IP address after you have finished
      running this wizard, you will have to do a system restore. The system restore
      will run this First Boot Wizard and you can make the changes you want in the
      First Boot Wizard.
   d. Click File->Save to save the settings. If you exit the dialog without explicitly
      saving, you will get a prompt asking you if you want to save the changes. Click
      Yes in the Information box:
   e. The Network will automatically be restarted and you will see a message,
      "Restarting network. Please wait...".
   f. Click File->Quit to exit the Network Configuration dialog.
   g. Click Next in the Network Setup dialog.
9. Choose Enable firewall in the Security Level dropdown menu, make sure
   the ports listed in the note below are open, and click Next:
Make sure that the ports 8443 and 9443 are open for outgoing
communications. The ArcSight Manager uses port 8443 and the ArcSight
Web uses port 9443 for communication. You will also need to leave port
22 open for remote ssh access.
10. Select the Timezone in which your ArcSight Express ESM appliance is located and click
    Next.
    By default, Network Time Protocol (NTP) is active. The system will attempt to contact
    the NTP servers. It could take a few minutes to contact a server. If the system cannot
    contact a server, the request will time out in a few minutes and will take you to the
    next screen in the wizard.
NTP requires 3 or more servers in order to work correctly. The list of servers
configured by default points ArcSight Express to a virtual cluster of time servers
operated by the NTP project. Assuming that UDP port 123 is open to the outside
internet in your firewall, you can keep the default values, unless you would prefer to
use your own cluster of NTP servers.
11. By default, the Enable Network Time Protocol checkbox is checked (recommended).
    This will configure the operating system to obtain the time from the NTP servers
    specified in the list. If you choose to de-activate the Network Time Protocol,
    make sure to set the local date and time in the Date & Time tab.
ArcSight strongly recommends using NTP, since accurate time keeping is
essential for event correlation and log management.
Enter the NTP server name in the Server text box and click Add. The NTP server
should show up in the box below.
If you enter a wrong server address and re-enter the right address, it could
take a few minutes for ArcSight Express to find the NTP server.
Click Next. You will see a message saying that the NTP server is being contacted.
12 Select the resolution and color depth for your screen and click Next.
13 Click Next in the following screen:
You will be prompted to enter your username in a login screen. This begins the second
phase of the First Boot Wizard, which will help you configure the software components that
have already been installed on your ArcSight Express appliance.
14 Important! Log in as user “root” when you are prompted with the screen below, and
enter the password for this account which you had set in Step 5 on page 14. The next
step is to set up the software components on the ArcSight Express Appliance:
After you have logged in successfully, the software components configuration wizard will
open. Follow the directions in the Configuring Software Components on ArcSight Express
Appliance section to configure ESM on ArcSight Express.
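To confirm, once the appliance is up, that the NTP servers entered in step 11 answer over UDP port 123 and that the appliance clock agrees with them, the following added example (not part of the ArcSight guide or product) sends an SNTP query to each server and requires at least three valid answers. The server names and the one-second offset limit are assumptions; substitute the servers you entered in the wizard.

```python
#!/usr/bin/env python3
"""Measure this host's clock offset against its NTP servers (SNTP query).

Added example; the default server names are placeholders.
"""
import socket
import statistics
import struct
import sys
import time

NTP_PORT = 123               # UDP port the guide says must be open
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MIN_SERVERS = 3              # the guide: NTP needs 3 or more servers


def to_ntp(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * 2**32)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, frac)


def from_ntp(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp to a Unix time."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1: float) -> bytes:
    """48-byte client packet: LI=0, VN=3, Mode=3, transmit time = t1."""
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)


def parse_reply(request: bytes, reply: bytes, t1: float, t4: float):
    """Return (offset, delay) in seconds, or raise ValueError."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server is not synchronised")
    # The server must echo our transmit timestamp in its originate field;
    # anything else is a stale or spoofed datagram.
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match request")
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query(server: str, timeout: float = 3.0):
    """Send one SNTP request to server and return (offset, delay)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        request = build_request(t1)
        sock.sendto(request, (server, NTP_PORT))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(request, reply, t1, t4)


def survey(servers, max_offset=1.0, query_fn=query):
    """Query every server; return (ok, median_offset, per-server results).

    max_offset (seconds) is an assumed limit, not a value from the guide.
    """
    results, good = {}, []
    for server in servers:
        try:
            offset, _delay = query_fn(server)
            results[server] = offset
            good.append(offset)
        except (OSError, ValueError) as exc:  # timeout, DNS failure, bad reply
            results[server] = exc
    if len(good) < MIN_SERVERS:
        return False, None, results
    median = statistics.median(good)
    return abs(median) <= max_offset, median, results


if __name__ == "__main__":
    # Placeholder names; pass the servers configured in the wizard instead.
    names = sys.argv[1:] or ["ntp1.example.com", "ntp2.example.com",
                             "ntp3.example.com"]
    ok, median, results = survey(names)
    for name, value in results.items():
        shown = value if isinstance(value, Exception) else f"{value:+.3f} s"
        print(f"{name}: {shown}")
    print("median offset:", median, "- OK" if ok else "- check NTP and UDP 123")
    sys.exit(0 if ok else 1)
```

A timeout for every server usually points at the firewall setting from step 9 rather than at the servers themselves.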
Configuring Software Components on ArcSight Express
Appliance
This wizard prompts you for information required to configure the ArcSight Express
software components - ArcSight Database, ArcSight Manager, ArcSight Web, and ArcSight
Forwarding Connector.
See the ArcSight ESM Installation and Configuration Guide if you need further help with
these screens. For more information on ArcSight Storage Appliance software, refer to
ArcSight Logger Administrator’s Guide. You can download both these documents from the
ArcSight Customer Support download site.
Restarting this wizard if you exit it...
If you exit out of any of the following screens, the wizard will exit with the
following warning:
The wizard is not finished yet. Are you sure you want to exit?
You can re-start the wizard at any point until you get to the screen which tells
you that the Manager configuration has been completed. To re-start the
wizard, run the following command from the /opt/arcsight/manager/bin
directory when logged in as user “root”:
./arcsight appliancefirstbootsetup
The wizard will open the screen you see in Step 3 below.
The ArcSight Express Appliance is functional only after the successful
completion of the wizard.
1
The wizard reminds you to configure the Storage Appliance before configuring the
ArcSight Express appliance in the following screen. Click Next:
2
Select the language for the user interface display and click Next:
3
The database user account has already been created for you with username “arcsight”.
Enter a password for this account and click Next:
4
Enter passwords for the SYS and SYSTEM accounts and click Next.
Oracle SYS Password—Password for the Oracle superuser, SYS.
Oracle SYSTEM Password—Password for the Oracle admin account.
5
Configure the following e-mail addresses:
Notification e-mail address: An e-mail address of the person who should receive
e-mail notifications in the event that the ArcSight Manager goes down or encounters
some other problem.
Escalation e-mail address: An e-mail address of the person who should receive an
escalation e-mail in case no action has been taken for a period of time after the
notification e-mail was sent.
From Address: E-mail address that will be used to represent the sender of the e-mail
notifications.
Click Next.
6
Enter or navigate to the location where you have stored the ArcSight Express license
file and click Next.
If you do not have a license file, contact ArcSight Customer Support to obtain one. You
can use the Web browser on the appliance to download the file once you obtain it from
ArcSight Customer Support. Alternatively, you can download the license file elsewhere
and use scp or sftp to get it onto the appliance:
7
Enter the Manager’s host name, and configure information which will be used to create
an ArcSight Manager user with administrative privileges. Click Next.
Important: Make sure to change the Manager Host Name to either the host name
or IP address of the ArcSight Express Appliance. The Manager host name will be used
to generate a self-signed certificate and also when connecting the Console to the
Manager. The Common Name (CN) in the certificate will be the Manager host name
that you specify in this screen:
8
Select whether you would like to forward events to the ArcSight Storage Appliance for
long term storage and click Next.
If you select the Do not forward events to ArcSight Storage Appliance
option, you will not have any long term storage for your events. So, we
recommend that you select the Forward Events to ArcSight Storage
Appliance (Recommended) option.
Make sure that you have installed and configured ArcSight Storage Appliance
and created a SmartMessage receiver on it before proceeding to the next
step. Receivers are used to receive events from files and over the network.
See the ArcSight Logger Administrator’s Guide for details on how to create a
SmartMessage receiver.
If you selected the Do not forward events to ArcSight Storage Appliance
option, you can skip the next step and go to Step 10 on page 28. You have the option
to install and configure the ArcSight Storage Appliance at a later time too. See “Adding
an ArcSight Storage Appliance” on page 9 for details on how to do this.
9
If you chose to forward events to the ArcSight Storage Appliance, please enter the
following information and click Next:
ArcSight Storage Appliance host name—The host name or IP address of the
ArcSight Storage Appliance.
ArcSight Storage Appliance receiver name—The name of the SmartMessage
Receiver created on the ArcSight Storage Appliance.
It is important that the receiver name you enter in this field exactly
matches the receiver name configured on the ArcSight Storage Appliance.
Forwarding Connector user name—Enter a user name for creating an ArcSight
Express account to be used by the Forwarding connector. This account is created
under the admin folder in the Console. The Forwarding connector uses this account to
pull events from the Manager, and forwards them to ArcSight Storage Appliance.
Forwarding Connector password—Enter a password for the ArcSight Express
account to be used by the Forwarding Connector. Re-enter it to confirm it.
10 You will see a screen that informs you that ArcSight Express is ready to be configured.
Click Next to continue with the configuration.
Keep in mind that once the wizard has started configuring the software
components, if you exit the wizard or if an error occurs, you will have to
configure that component manually. See Appendix A, Troubleshooting, on
page 49 for detailed steps on how to do this.
11 You can see the progress and errors if any as the configuration process continues.
Once the configuration completes successfully, click Next.
If you see a “Failed” status or exit this wizard after it has started configuring
the components, but before successful completion of the wizard, you are
required to manually configure the component that failed and perform the rest
of the steps shown in the screen capture under Step 11 manually. See the “Failed”
Status while Configuring or Starting a Component section in Appendix A,
Troubleshooting, on page 49 for detailed steps on how to do this. Optionally,
you can restore your appliance to its original factory settings. See Appendix C,
Restoring Factory Settings, on page 65 for details.
You cannot restart the wizard once the Manager configuration has started.
You will see a message telling you that the tablespace expansion is in progress.
12 Once your appliance has been configured successfully, you will see the following
screen:
ArcSight Express is ready for use.
The Next Steps
Now you have configured both the appliances. The next steps are:
• If there are any service packs available, be sure to download and install them. Refer
to the respective service pack Upgrade Guide for instructions on how to upgrade
ArcSight Express with the service pack.
• Download the ArcSight Console and install it on a supported platform. The Console
should not be installed on ArcSight Express Appliance. Refer to the next chapter,
Installing ArcSight Console, for details on how to do this.
Please also read the ArcSight Express Release Notes, available on the ArcSight Customer
Support download site.
Chapter 4
Installing ArcSight Console
The ArcSight Console provides a user interface for you to perform administrative tasks on
ArcSight Express, such as fine tuning the pre-installed ArcSight Express content and
creating/editing/deleting users. The Console should only be used for administrative
purposes. The ArcSight Console provides a host-based interface (as opposed to the
browser-based interface of ArcSight Web) to ArcSight Express. This chapter explains how
to install and configure the ArcSight Console.
Make sure that you have successfully configured ArcSight Express before
proceeding.
The following topics are covered in this chapter:
“Console Supported Platforms” on page 31
“Using a PKCS#11 Token” on page 32
“Installing the Console” on page 32
“Starting the ArcSight Console” on page 39
“Reconnecting to the ArcSight Manager” on page 40
“Reconfiguring the ArcSight Console” on page 40
“Uninstalling the ArcSight Console” on page 40
ArcSight Console is deployed on several perimeter machines located outside the firewall
which protects the ArcSight Express.
Console Supported Platforms
The following operating system platforms are supported.
Platform   Supported Operating System                     Typical System Requirements
Windows    Microsoft Windows Vista SP2 64-bit             x86-compatible single or multi-CPU system with 1-2 GB RAM
           Microsoft Windows Vista SP2 32-bit
           Microsoft Windows XP Professional SP3 32-bit
Using a PKCS#11 Token
PKCS #11 token support may not be available for all ESM versions and
ArcSight Express models.
Starting ESM v4.0 SP2, ArcSight ESM supports the use of a PKCS#11 token, such as the
Common Access Card (CAC), which is used for identity verification and access control.
PKCS#11 is a public key cryptography standard which defines an API to cryptographic
tokens.
You can use the PKCS#11 token regardless of the mode that the client is running in - with
clients running in FIPS 140-2 mode or with clients running in the default mode. See
Appendix I, Using the PKCS#11 Token, on page 219 for details on using a PKCS #11 token
with the Console.
Installing the Console
Do not install the ArcSight Console on the ArcSight Express Appliance. See the
section “Console Supported Platforms” on page 31 for supported platforms for
ArcSight Console.
A Windows system was used for the sample screens. If you are installing on a
Unix based system, you will notice a few Unix-specific screens. Path
separators are / for Unix and \ for Windows.
Download the ArcSight Console installer file for your platform from the ArcSight Customer
Support download site and install the Console on your system after configuring ArcSight
Express.
1
To install ArcSight Console, run the self-extracting archive file. Click Next in the
Installation Process Check screen.
2
Read the introductory text in the Introduction panel and click Next.
3
Read the text in the Special Notice panel and click Next.
4
Navigate to an existing folder where you want to install the Console or accept the
default and click Next. If you specify a folder that does not exist, the folder gets
created for you.
On Windows Vista (64-bit): Make sure that you have administrative
privileges to the C:\, C:\Program Files, and C:\Windows directories because
these are protected folders and you will not be able to create files (creating a
folder is allowed, but you need administrative privileges to create a file) under
them without having administrative privileges. When you try to export a
package to one of these protected folders, the Console checks the permissions
for the parent folder, and when it tries to write the file, an exception is thrown
if the parent folder does not have explicit write permission. As a result, the
Console will not be able to export a resource package directly under these
folders.
5
Select where you would like to create a shortcut for the Console and click Next.
6
View the summary in the Pre-Installation Summary screen and click Install if you are
satisfied with the paths listed. If you want to make any changes, use the Previous
button to do so.
You can view the installation progress in the progress bar.
Transferring Configuration from an Existing Installation
After the Console has been installed, the wizard asks if you would like to transfer
configuration options from an existing installation of ArcSight Console. Choose No, I do
not want to transfer the settings to create a new, clean installation and click Next. If
you choose Yes, I want to transfer the settings, the wizard will determine the version
of the previous installation and may offer additional upgrade options.
Selecting the Mode in which to Configure ArcSight
Console
The FIPS 140-2 mode is not supported for ArcSight Express.
Next, you will see the following screen:
Select the Run console in default mode radio button and click Next.
Manager Connection
The ArcSight Console configuration wizard prompts you to specify the ArcSight Manager
with which to connect.
The hostname is the ArcSight Express Appliance host name or its IP address. The Manager
host name that you had entered in the First Boot Wizard while configuring the ArcSight
Express Appliance and the value of the Manager Host Name that you will be entering in this
screen should be identical. If you had entered the machine name when configuring the
First Boot Wizard, then you must enter the machine name here too; likewise, if you had
entered the machine’s IP address, then you must enter the machine’s IP address in this
screen too.
Do not change the Manager’s port number.
Click Next.
Select Use direct connection option and click Next. You can set up a proxy server and
connect to the Manager using that server if you cannot connect to the Manager directly.
If you select the Use proxy server option, you will be prompted to enter the proxy server
information.
Enter the Proxy Host name and click Next.
SSL Certificate used by Manager
You will see the following screen:
ArcSight Express is pre-configured with a self-signed certificate, so leave this checkbox
unchecked. Click Next.
Authentication
The ArcSight Console configuration wizard prompts you to choose the type of client
authentication you want to use, as shown in the following screen:
This release of ArcSight Express supports Password Based Authentication
only.
Select Password Based Authentication and click Next.
Web Browser
The ArcSight Console configuration wizard prompts you to specify the default web browser
you want to use to display reports, Knowledge Base articles, and other web page content.
Specify the location of the executable for the web browser that you want to use to display
the Knowledge Base articles and other web pages launched from the ArcSight Console.
Click Next.
User Logs and Preferences
Select This is a single user installation (Recommended) and click Next.
You have completed configuring your ArcSight Console. Click Finish in the following
screen.
Click Done in the next screen.
On Mac OS X 10.5 update 8 and later:
The Mac OS update changed the password for the cacerts file in the system's
JRE. Before you start the Console, you need to change the default password
for the cacerts file by adding the following line to the client.properties
file (create the file if it does not exist) in the Console’s \current\config
folder:
ssl.truststore.password=changeme
You have installed the ArcSight Console successfully. Please be sure to install any available
patches for the Console. Refer to the ArcSight ESM Patch Release Notes for instructions on
how to install a patch for the Console.
Starting the ArcSight Console
The Manager on ArcSight Express Appliance should be up and running before
you start the Console.
After installation and setup is complete, you can start ArcSight Console.
To start the ArcSight Console, use the shortcuts installed or open a command window on
the Console’s \bin directory and run:
arcsight console
Logging into the Console
To start the Console, click Login.
When you start the Console for the first time, after you click Login, you will get a dialog
asking you whether you want to trust the Manager’s certificate. The prompt will show
details specific to your settings (following is just an example). Click OK to trust the
Manager’s certificate. The certificate will be permanently stored in the Console’s truststore
and you will not see the prompt again the next time you log in.
Creating ArcSight Express Users
The next step is to create users. ArcSight Express comes configured with a custom user
group called ArcSight Express. Add users to this group with ArcSight Web privileges.
1
In the Navigator panel, go to Users > Shared > Custom User Groups.
2
Right click on ArcSight Express and select New User.
If the Navigator panel is not visible, you can open it by
clicking Window->Navigator Panel. Then right click on ArcSight Express and select
New User.
3
For each user you add, provide a User ID and Password, and set the User Type to
Web User and click OK.
Reconnecting to the ArcSight Manager
If the ArcSight Console loses the connection to the ArcSight Manager (for example,
because the Manager was restarted), a dialog box appears in the ArcSight Console stating
that your connection to the ArcSight Manager has been lost. Click Retry to re-establish a
connection to the ArcSight Manager or click Start Over.
Connections to the ArcSight Manager cannot be re-established while the ArcSight Manager
is restarting or if the Manager refuses the connection. In addition, you may see connection
exceptions during the Retry process while the connection is lost or ArcSight Manager is
restarting.
Reconfiguring the ArcSight Console
You can reconfigure ArcSight Console at any time by running the following command within
a command window from the Console’s \bin directory:
arcsight consolesetup
and follow the prompts.
Uninstalling the ArcSight Console
Before uninstalling the ArcSight Console, exit the current session.
To uninstall on Windows, run the Start->All Programs (Programs in the case of
Windows XP)->ArcSight Console ->Uninstall ArcSight Console 5.0 program. If a
shortcut to the Console was not installed on the Start menu, locate the Console’s
\UninstallerData folder and run:
Uninstall_ArcSight_Console.exe
Chapter 5
Using SmartConnectors with
ArcSight Express
This chapter covers the following topics:
“Installing the SmartConnector” on page 41
“Importing the Manager’s Certificate” on page 42
SmartConnectors process raw data generated by various vendor devices throughout an
enterprise. Devices are hardware and software products such as routers, anti-virus
products, firewalls, intrusion detection systems (IDS), VPN systems, anti-DoS appliances,
operating system logs, and other sources that detect and report security or audit
information.
ArcSight SmartConnectors collect a vast amount of varying, heterogeneous information.
Due to this variety of information, SmartConnectors format each event into a consistent,
normalized ArcSight event, letting you find, sort, compare, and analyze all events using
the same event fields. The “normalized” events are then sent to the ArcSight Manager and
are stored in the ArcSight Database or forwarded to ArcSight Storage Appliance if you
choose to enable forwarding events.
You have the option to use up to four SmartConnector(s) locally depending on available
resources on the ArcSight Storage Appliance.
Installing the SmartConnector
Installing and configuring the SmartConnector is a three step process:
1
Install the SmartConnector.
For an overview of the SmartConnector installation and configuration process, see the
SmartConnector User's Guide.
2
Import the Manager’s certificate to the Connector’s truststore. See the section
Importing the Manager’s Certificate for details on how to do this.
3
Configure the SmartConnector.
For complete configuration instructions for a particular SmartConnector, see the
configuration guide for that connector. The product-specific configuration guide
provides specific device configuration information, installation parameters, and device
event mappings to ArcSight ESM fields.
Importing the Manager’s Certificate
You will be required to import the Manager’s certificate manually. You can use either of the
two methods to import the certificate:
• Use the keytoolgui tool. See the ArcSight ESM Administrator’s Guide for details on
importing the Manager’s certificate using the keytoolgui.
• Import the Manager’s certificate using the Connector Manager software.
Using keytoolgui to Import Manager’s Certificate
You will need to export the Manager’s certificate from ArcSight Express Appliance before
you can import it on the Smart Connector in the Smart Connector server.
Exporting the Manager’s Certificate
To export the Manager’s certificate:
a
Open a shell/command prompt window on the ArcSight Express Appliance.
b
Run the following command from the ArcSight Express Manager’s
/opt/arcsight/manager/bin directory while logged in as user “arcsight”:
./arcsight keytoolgui
The keytoolgui interface will open.
c
Select File->Open KeyStore from the menu and navigate to the Manager’s
truststore (cacerts) located in
/opt/arcsight/manager/jre/lib/security/ directory.
d
Enter the keystore password. The default password is “changeit” (without the
quotes).
e
Right-click the Manager’s certificate as shown below and select Export.
f
Accept the default settings in the following dialog and click OK.
g
Navigate to the location where you want to export the certificate and make sure
to enter cacerts in the File Name text box when naming the certificate and click
Export.
h
You will see the following prompt when the certificate is exported successfully.
i
Click OK and exit the keytoolgui.
j
Transfer (or scp) this exported certificate file from the ArcSight Express Appliance
to the Smart Connector server where you will be importing it into the
SmartConnector.
Importing the Manager’s Certificate into the SmartConnector’s
Truststore
Import the certificate you exported above into the Connector’s truststore.
To do so:
a
Open a shell/command prompt window on the SmartConnector server.
b
Run the following command from the Connector’s
/opt/arcsight/connector/current/bin directory while logged in as user
“arcsight”:
./arcsight agent keytoolgui
The keytoolgui interface will open.
c
Select File->Open KeyStore from the menu and navigate to the Connector’s
truststore (cacerts) located in
/opt/arcsight/connector/current/jre/lib/security/ directory.
d
Enter the password. The default password is “changeit” (without the quotes).
e
Click Tools->Import Trusted Certificate.
f
Navigate to the Manager’s certificate, select it and click Import.
g
You will see the following prompt. Click OK to see the certificate details.
The Certificate Details dialog will be displayed.
h
Click OK on the Certificate Details dialog to accept the certificate.
i
Click Yes in the following dialog.
j
Enter an alias for the certificate and click OK.
k
You will see the following message when the import is successful.
Click OK.
l
Click File->Save KeyStore to save the certificate in the Connector’s truststore
and exit the keytoolgui interface.
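The truststore import above, like the Console's first-login trust prompt, makes the Manager's self-signed certificate trusted from then on, so it is worth confirming that the file that reached the SmartConnector server is the one exported on the appliance. The following added example (not ArcSight code) prints the file's fingerprints, compares them with a fingerprint read on the appliance, and can optionally compare the file with the certificate served on the Manager port 8443. It assumes the export is a single X.509 certificate in PEM or DER form (the guide does not state the default export format) and that the exported certificate is the one the Manager serves; the script name and arguments are hypothetical.

```python
#!/usr/bin/env python3
"""Check a Manager certificate file against a fingerprint obtained out-of-band.

Added example; file names, host names and fingerprints are placeholders.
"""
import hashlib
import hmac
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)
# Number of hex digits in a fingerprint -> digest that produces it.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def cert_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is PEM or already DER."""
    match = PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armour: treat the file as raw DER
    return ssl.PEM_cert_to_DER_cert(match.group(0).decode("ascii"))


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Colon-separated upper-case fingerprint, the form keytool prints."""
    hexed = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so differently formatted values compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(der: bytes, expected_fp: str) -> bool:
    """True if the certificate hashes to expected_fp (SHA-1 or SHA-256)."""
    wanted = normalize(expected_fp)
    digest = DIGEST_BY_HEX_LEN.get(len(wanted))
    if digest is None:
        raise ValueError("expected a 40- or 64-hex-digit fingerprint")
    actual = normalize(fingerprint(der, digest))
    return hmac.compare_digest(actual, wanted)


def served_cert_der(host: str, port: int = 8443) -> bytes:
    """Fetch, without validating it, the certificate presented on host:port.

    8443 is the Manager port named in this guide.
    """
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def main(argv) -> int:
    if len(argv) < 3:
        print("usage: check_cert.py CERT_FILE EXPECTED_FINGERPRINT [MANAGER_HOST]")
        return 2
    with open(argv[1], "rb") as handle:
        der = cert_der(handle.read())
    print("SHA-1  ", fingerprint(der, "sha1"))
    print("SHA-256", fingerprint(der, "sha256"))
    ok = matches(der, argv[2])
    print("file matches expected fingerprint:", ok)
    if ok and len(argv) > 3:
        ok = hmac.compare_digest(served_cert_der(argv[3]), der)
        print("Manager serves the same certificate:", ok)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Read the expected fingerprint on the appliance itself and carry it over a channel other than the one used to copy the file; a fingerprint that travelled with the file proves nothing.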
Import the Manager’s certificate using the Connector
Manager
1
Copy the cacerts file manually from the ArcSight Express Manager’s
/opt/arcsight/manager/jre/lib/security/ directory on to your local
desktop.
2
Open a web browser on your desktop and connect to the ArcSight Storage Appliance
by typing in the URL https://<the_IP_address_of_your_ArcSight_Storage_Appliance>
3
To upload the cacerts file to the ArcSight Storage Appliance, go to
Configuration->Advanced Operations->CA Certs->CA Certs Repositories
tab, and click Upload.
4
Navigate to the file, select the file, and click Submit to start the upload process.
5
Click Apply CA Certs tab and select the container by checking the checkbox to the
right of it.
6
Click Update to apply this cacerts to the container.
7
Continue to configure the connectors and register them with the Manager whose
certificate you just imported.
Appendix A
Troubleshooting
The following information may help solve problems that might occur when installing or
using ArcSight Express. In some cases, the solution can be found here or in other ArcSight
Express documentation, but ArcSight Customer Support is available if you need it. Refer to
the documents listed in section “Related Documents” on page 5.
This chapter covers the following topics:
“Location of Log files for Components” on page 49
“Customizing ESM Components Further” on page 50
“Fatal Error when Running the First Boot Wizard” on page 51
“Manager Service Failed when Starting” on page 52
““Failed” Status while Configuring or Starting a Component” on page 52
If you intend to have ArcSight Customer Support guide you through a diagnostic process,
please prepare to provide specific symptoms and configuration information.
Location of Log files for Components
The log file for each component can be found in the following location:
On ArcSight Express Appliance:
First Boot Wizard:
/opt/arcsight/manager/logs/firstboot.log
/opt/arcsight/manager/logs/default/managerwizard.log
/opt/arcsight/manager/logs/default/serverwizard.log
ArcSight Database:
/opt/arcsight/db/logs
ArcSight Manager:
/opt/arcsight/manager/logs/default
ArcSight Web:
/opt/arcsight/web/logs/default
ArcSight Forwarding Connector:
/opt/arcsight/connector/current/logs
On ArcSight Storage Appliance:
ArcSight Logger:
/opt/arcsight/logger/logs
On the machine where you install the Console:
ArcSight Console:
<ARCSIGHT_HOME>\current\logs
Customizing ESM Components Further
The First Boot Wizard configures the software components on ArcSight Express Appliance
(ArcSight Database, ArcSight Manager, ArcSight Web, and ArcSight Forwarding Connector)
for you. But, in the event that you would like to customize a component further, you can
follow these instructions to start the setup program for the component:
ArcSight Database
While logged in as the “root” user, run the following command from
/opt/arcsight/db/bin directory:
./arcsight database pc
ArcSight Manager
While logged in as user “arcsight”, run the following command from
/opt/arcsight/manager/bin directory:
./arcsight managersetup
ArcSight Web
While logged in as user “arcsight”, run the following command from
/opt/arcsight/web/bin directory:
./arcsight websetup
Follow the prompts on the wizard screens. To get more information on an individual screen
for any of the components listed above, see the ArcSight ESM Installation and
Configuration Guide available on the ArcSight Customer Support download site.
ArcSight Forwarding Connector
While logged in as user “root”, run the setup program from the
/opt/arcsight/connector/current/bin directory:
./arcsight connectorsetup
and follow the prompts on the screen. Refer to the SmartConnector Configuration Guide for
ArcSight Forwarding Connector document available on the ArcSight Customer Support
download site.
Fatal Error when Running the First Boot Wizard
If you encounter a fatal error such as the one shown below while running the First Boot
Wizard, the wizard will display an error message and then exit.
To resolve this issue, try the following steps:
1
Check the /opt/arcsight/manager/logs/firstboot.log file to figure out
where the error occurred.
2
Check to make sure that the IP address for the appliance has been configured
correctly (eth0 has been configured correctly) and is available (not already in use for
some other system on your network).
3
Make sure that the tnslistener and Oracle services are started.
To run the commands in this step, you must be logged in as the Oracle
user. Run the following command to switch to the Oracle user if not
logged in as one already:
su - oracle
To check the status of the TNS listener, run this command from the
/opt/arcsight/db/bin directory:
% ./arcdbutil lsnrctl status
To check whether Oracle services have been started, run the following:
% ./arcdbutil sql
Enter user-name: / as sysdba
Enter password:
Enter “arcsight” without the quotes when prompted for the password. You will get the
sqlplus prompt only if the Oracle services are running.
4
Restart the First Boot Wizard by running the following command from the
/opt/arcsight/manager/bin directory when logged in as user “root”:
./arcsight appliancefirstbootsetup
The First Boot Wizard can be rerun only as long as the Manager has not yet been
configured.
If the steps above do not solve the issue, you will be required to revert your ArcSight
Express Appliance to its factory settings. For instructions on how to do this, see Appendix
C, Restoring Factory Settings, on page 65.
Manager Service Failed when Starting
If the Manager service fails to start giving you the following error:
• You will need to start the Manager service manually. See Step 3 on page 53 for
information on how to start the Manager service manually.
• You will also be required to configure the Forwarding Connector and ArcSight Web
manually. See “Failed” Status while Configuring or Starting a Component section for
details on how to run Forwarding Connector and ArcSight Web setups manually.
• You will be required to run the tablespace expansion manually. See Step 2 for details
on how to do this.
In the event that any of the above steps do not work, we recommend that you revert your
ArcSight Express Appliance to its factory settings. For instructions on how to do this, see
Appendix C, Restoring Factory Settings, on page 65.
“Failed” Status while Configuring or Starting a Component
If you cancel out of the First Boot Wizard before you reach the screen below, you can rerun the wizard:
However, once you click Next in the screen above and the configuration begins, if any step
fails or you cancel out of the wizard, you will be required to run the corresponding
component setup program and configure the component manually.
If you see a “Failed” status for any component, such as the following, you will be required to
configure the component manually. To find out the reason for the failure, look at the log for
the component. See “Location of Log files for Components” on page 49 for the location of
the logs.
Here are the steps to configure a component manually:
1 To configure the partition management notification e-mails for the ArcSight Database
software component, run the following command from /opt/arcsight/db/bin
directory on ArcSight Express Appliance while logged in as user “root”:
./arcsight database pc
and follow the prompts on the screen. Refer to the ArcSight ESM Installation and
Configuration Guide for information on each screen. You can download this guide from
the ArcSight Customer Support download site.
2 To expand the tablespaces manually, run the following command from
/opt/arcsight/db/bin directory on ArcSight Express Appliance while logged in as
user “root”:
./arcsight database xts
3 To start the Manager service manually, run the following command from
/etc/init.d directory as user “root” on ArcSight Express Appliance:
./arcsight_manager start
and follow the prompts on the screen. Refer to the ArcSight ESM Installation and
Configuration Guide for information on each screen.
4 To configure the Forwarding Connector manually, run the setup program from the
/opt/arcsight/connector/current/bin directory on ArcSight Express
Appliance as user “root”:
./arcsight connectorsetup
and follow the prompts on the screen. Refer to the SmartConnector Configuration
Guide for ArcSight Forwarding Connector document available on the ArcSight
Customer Support download site.
5 To configure ArcSight Web manually, run the following command from the
/opt/arcsight/web/bin directory on ArcSight Express Appliance as user
“arcsight”:
./arcsight websetup
and follow the prompts on the screen. Refer to the ArcSight ESM Installation and
Configuration Guide for information on each screen.
6 To start the Web server service manually, run the following command from
/etc/init.d directory as user “root” on ArcSight Express Appliance:
./arcsight_web start
7 To manually start a Forwarding Connector service, run the following command from
/etc/init.d directory on ArcSight Express Appliance as user “root”:
./arc_logger_connector start
In the event that any of the above steps do not work, we recommend that you revert your
ArcSight Express Appliance to its factory settings. For instructions on how to do this, see
Appendix C, Restoring Factory Settings, on page 65.
Changing IP Address of ArcSight Express Appliance After Configuring it in the First Boot Wizard
You set the IP address for the ArcSight Express Appliance when you boot the appliance for
the very first time and configure it using the First Boot Wizard. Once the First Boot Wizard
has run successfully, you will not be allowed to run it again. In case you want to change
the IP address of the ArcSight Express Appliance after running the First Boot Wizard
successfully, follow these steps:
Please note:
• Manager and Web setup commands must be run when logged in as user
“arcsight.”
• All other commands must be run as user “root”.
• All services are to be stopped and started when logged in as user “root”.
1 Stop all ESM related services:
a To stop the Manager service, run the following command from /etc/init.d
directory as user “root”:
./arcsight_manager stop
b To stop the Web service, run the following command from /etc/init.d
directory as user “root”:
./arcsight_web stop
c To stop the Forwarding Connector service, run the following command from
/etc/init.d directory as user “root”:
./arc_logger_connector stop
2 Stop the TNS Listener by running the following command from
/opt/arcsight/db/bin directory:
./arcdbutil listener stop
3 Change the IP address of the appliance in the /etc/sysconfig/network-scripts/ifcfg-eth0 file.
4 Change the IP address in the
/home/oracle/OraHome10g/network/admin/sqlnet.ora file.
5 Reboot the ArcSight Express ESM appliance.
Only if you had entered an IP address (instead of a host name) when prompted for a
Manager Host Name in the First Boot Wizard, do the following steps in addition to
those mentioned above:
6 Stop the Manager and Web services again. These services would have started upon
reboot.
7 Run the following to start the setup program for the Manager from
/opt/arcsight/manager/bin directory:
./arcsight managersetup
This will open the Manager’s setup wizard.
a Enter the new IP address that you set for your appliance in Step 4 above in the
Manager Host Name field when prompted by the wizard.
b Make sure to select the self-signed keypair option when prompted by the wizard
and enter the required information to generate the self-signed certificate
containing the new IP address.
8 Start the Manager service by running the following command from the /etc/init.d
directory as user “root”:
./arcsight_manager start
9 Import the Manager’s newly generated self-signed certificate on the webserver using
the keytoolgui tool. See “Using keytoolgui to Import Manager’s Certificate” on
page 42.
10 While logged in as user “arcsight”, run the following to start the setup program for the
Web from the /opt/arcsight/web/bin directory:
./arcsight websetup
a Enter the new IP address in Webserver Host Name field when prompted.
b Make sure to select the self-signed keypair option when prompted by the wizard
and enter the required information to generate the self-signed certificate
containing the new IP address.
11 If you chose to set up Logger and Forwarding Connector when configuring your
appliance using the First Boot Wizard, stop the Forwarding Connector service by
running the following command from the /etc/init.d directory as user “root”:
./arc_logger_connector stop
12 Import the Manager’s certificate on the connector using keytoolgui. See ArcSight
ESM Administrator’s Guide available on the ArcSight Customer Support download site
for details on how to do this.
13 Run the setup program for the connector from the
/opt/arcsight/connector/current/bin directory:
./arcsight connectorsetup
and enter the new IP address for the appliance in the Host Name field when
prompted.
14 Restart the Connector service by running the following from the /etc/init.d
directory as user “root”:
./arc_logger_connector start
15 Import the Manager’s certificate on all clients (Console and connectors) that will be
accessing the Manager. You can do so using the keytoolgui. See ArcSight ESM
Administrator’s Guide available on the ArcSight Customer Support download site for
details on how to do this.
16 Test to make sure that the clients can connect to the Manager.
Changing Host Name of ArcSight Express Appliance After Configuring it in the First Boot Wizard
Please note:
• Manager and Web setup commands must be run when logged in as user
“arcsight.”
• All other commands must be run as user “root”.
• All services are to be stopped and started when logged in as user “root”.
You set the host name for the ArcSight Express Appliance when you boot the appliance for
the very first time and configure it using the First Boot Wizard. Once the First Boot Wizard
has run successfully, you will not be allowed to run it again. In case you want to change
the host name of the ArcSight Express Appliance after running the First Boot Wizard
successfully, follow these steps:
1 Stop all ESM related services:
a To stop the Manager service, run the following command from /etc/init.d
directory as user “root”:
./arcsight_manager stop
b To stop the Web service, run the following command from the /etc/init.d
directory as user “root”:
./arcsight_web stop
c To stop the Forwarding Connector service, run the following command from the
/etc/init.d directory as user “root”:
./arc_logger_connector stop
2 Stop the TNS Listener by running the following command from the
/opt/arcsight/db/bin directory:
./arcdbutil listener stop
3 Change the host name of the appliance by editing it in the
/etc/sysconfig/network file.
4 Edit the /etc/hosts file to reflect the new host name of the ArcSight Express
Appliance.
5 Run the following from the shell prompt to change the hostname on the appliance:
hostname <new_hostname>
6 Run the following from a shell prompt for your changes to take effect:
service network restart
7 Change the host name in the
/home/oracle/OraHome10g/network/admin/listener.ora file.
8 Change the host name in the
/home/oracle/OraHome10g/network/admin/tnsnames.ora file.
9 Change the host name in the
/home/oracle/OraHome10g/network/admin/sqlnet.ora file.
10 Start the TNS Listener by running the following command from
/opt/arcsight/db/bin directory:
./arcdbutil listener start
11 Start the Partition Configuration wizard by running the following command from
/opt/arcsight/db/bin directory:
./arcsight database pc
and enter the new host name in the Database Host Name field when prompted.
If you had entered an IP address in the Manager Host Name field when configuring the
ArcSight Express Appliance you will also need to do the following steps:
12 Start the Manager by running the following command from the /etc/init.d
directory as user “root”:
./arcsight_manager start
13 Start the Web by running the following command from the /etc/init.d directory as
user “root”:
./arcsight_web start
If you had entered a host name when prompted for a Manager Host Name in the First Boot
Wizard, then you will be required to do the following in addition to the steps mentioned
above:
14 Stop the Manager.
15 Run the Manager’s setup program from the /opt/arcsight/manager/bin
directory as user “arcsight”:
./arcsight managersetup
a Enter the new host name that you set for your appliance in the Manager Host
Name field when prompted by the wizard.
b Make sure to select the self-signed keypair option when prompted by the wizard
and enter the required information to generate the self-signed certificate
containing the new host name.
16 Start the Manager service by running the following command from the /etc/init.d
directory as user “root”:
./arcsight_manager start
17 Import the Manager’s newly generated self-signed certificate on the Webserver using
the keytoolgui tool. See ArcSight ESM Administrator’s Guide available on the
ArcSight Customer Support download site for details on how to do this.
18 While logged in as user “arcsight”, run the following to start the setup program for the
Web from the /opt/arcsight/web/bin directory:
./arcsight websetup
a Enter the new host name in the Manager Host Name and the Webserver Host
Name fields when prompted.
19 If you had chosen to set up Logger and Forwarding Connector when configuring your
appliance using the First Boot Wizard, stop the Forwarding Connector service by
running the following command from the /etc/init.d directory as user “root”:
./arc_logger_connector stop
20 Import the Manager’s certificate on the connector using keytoolgui. See ArcSight
ESM Administrator’s Guide available on the ArcSight Customer Support download site
for details on how to do this.
21 While logged in as user “root”, run the setup program for the connector from the
/opt/arcsight/connector/bin directory:
./arcsight connectorsetup
and enter the new host name for the appliance in the Host Name field when
prompted.
22 Restart the Connector service by running the following from the /etc/init.d
directory as user “root”:
./arc_logger_connector start
23 Import the Manager’s certificate on all clients (Console and connectors) that will be
accessing the Manager. You can do so using the keytoolgui. See ArcSight ESM
Administrator’s Guide available on the ArcSight Customer Support download site for
details on how to do this.
24 Test to make sure that the clients can connect to the Manager.
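A check that can follow either procedure above (changing the IP address or changing the host name), added here as an example and not part of the ArcSight guide: it searches the files those steps edit for leftover references to the old value. The function names, the ROOT argument (so the check can run against a copy of the files) and the sample host names and addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ArcSight code: after changing the appliance's IP address
# or host name, list the edited files that still mention the old value.

# Files the two procedures edit, relative to "/" (paths as given in this guide).
ADDR_FILES='etc/sysconfig/network
etc/hosts
etc/sysconfig/network-scripts/ifcfg-eth0
home/oracle/OraHome10g/network/admin/listener.ora
home/oracle/OraHome10g/network/admin/tnsnames.ora
home/oracle/OraHome10g/network/admin/sqlnet.ora'

# find_stale_refs ROOT OLD_VALUE   (hypothetical helper name)
# ROOT is "/" on the appliance, or a directory holding a copy of the files.
# Prints "/path:line_number:line" for every non-comment line that still holds
# OLD_VALUE as a whole token (so 10.0.0.5 does not match 10.0.0.50).
# Returns 0 when nothing stale is left, 1 otherwise.
find_stale_refs() (
    root=${1:?usage: find_stale_refs ROOT OLD_VALUE}
    old=${2:?usage: find_stale_refs ROOT OLD_VALUE}
    stale=0
    for rel in $ADDR_FILES; do
        file="${root%/}/$rel"
        [ -f "$file" ] || continue
        # -F: literal text, -w: whole token, -i: host names are case-insensitive
        hits=$(grep -n -i -F -w -e "$old" "$file" |
               grep -v '^[0-9]*:[[:space:]]*#' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|/$rel:|"
            stale=1
        fi
    done
    [ "$stale" -eq 0 ]
)

# Demo on a constructed tree; every host name and address below is made up.
demo_stale_refs() (
    root=$(mktemp -d) || exit 2
    admin="$root/home/oracle/OraHome10g/network/admin"
    mkdir -p "$root/etc/sysconfig" "$admin"
    printf 'NETWORKING=yes\nHOSTNAME=esm-new\n' > "$root/etc/sysconfig/network"
    printf '127.0.0.1 localhost\n192.0.2.10 esm-new\n' > "$root/etc/hosts"
    printf '# renamed from esm-old\n(ADDRESS=(PROTOCOL=TCP)(HOST=ESM-OLD)(PORT=1521))\n' \
        > "$admin/listener.ora"
    printf 'tcp.invited_nodes=(localhost, esm-new)\n' > "$admin/sqlnet.ora"
    rc=0
    find_stale_refs "$root" esm-old || rc=$?
    rm -rf "$root"
    exit "$rc"
)

demo_stale_refs || echo "stale references remain: fix them before restarting services"
```

On the appliance itself the call would be find_stale_refs / followed by the old host name or IP address, run as user root so that the Oracle network files are readable.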
Appendix B
Default Settings for Components
This appendix gives you the default settings for each software component in ArcSight
Express. It covers the default settings for the following:
• General
• ArcSight Database
• ArcSight Manager
• About ArcSight Web
• ArcSight Forwarding Connector
• ArcSight Logger
You can always customize any component by running its setup program. Refer to Appendix
A, Troubleshooting, on page 49 for information on running the setup program for a
component.
The following tables list the default settings for each component.
General
Setting                               Default Value
Default password for Java keystore    changeit
ArcSight Database
ArcSight Express Appliance comes pre-installed with Oracle 10.2.0.4. An Oracle instance
has already been created for you. The following are some of the default values that have
been pre-configured in ArcSight Database for you:
Setting                               Default Value
ArcSight Database Home                /opt/arcsight/db
Oracle Home                           /home/oracle/OraHome10g
Location of Oracle data files         /opt/data
CPU Information                       Oracle has the July 2010 CPU applied

Tablespace name                       Data file Size
ARC_SYSTEM_DATA                       5 GB (1 file x 5 GB)
ARC_SYSTEM_INDEX                      5 GB (1 file x 5 GB)
ARC_EVENT_DATA                        400 GB (25 files * 16 GB)
ARC_EVENT_INDEX                       800 GB (50 files * 16 GB)
ARC_UNDO                              96 GB (12 files * 8GB)
ARC_TEMP                              48 GB (6 files * 8GB)

Setting                               Default Value
Partition Retention Method            Space Based Retention
Target free space %                   15%
Partition Management runtimes         Runs 4 times in a 24 hour period. The default timings are 02:00, 07:00, 13:00, 20:00.
E-mail notification level             Warning
Location of Control Files             /home/oracle/OraHome10g/oradata/arcsight
Database Host name                    Host name or IP address of your ArcSight Express ESM machine
Database port number                  1521
Database instance name                arcsight
Database OS user name                 oracle
Database user name                    arcsight
  (This account will be used by ArcSight Manager to connect to ArcSight Database)
Database Template Size                Extra Large
Database Character set                UTF-8
Allowed TNS Clients                   localhost
Auto Archive Redo logs                No
Database OS username                  oracle
System User name                      systemuser
Minimum Partition Retention Period    2 days, by default.
  To increase this period, add the following property in the
  /opt/arcsight/manager/config/server.properties file:
  sbr.extend.min.retention.period=
About Data Retention on ArcSight Express
ArcSight Express uses the Space Based Retention method to maintain online data. Your
data is retained based on the target free space which is the amount (percentage) of free
space available in your database. The target free space is set to 15% by default. You can
change this percentage by running the ./arcsight database pc command from the
/opt/arcsight/db/bin directory and entering the desired percentage when prompted.
The Partition Manager (a component of the ArcSight Manager that manages the life-cycle
of event data partitions from creation to elimination) is scheduled to run once every 6
hours. When the Partition Manager runs, it calculates the free space in the database. If you
get sudden spikes of events that fill up the database before the next 6-hourly scheduled
run of the Partition Manager, you will get alerts in the Console and via e-mail. You can
either manually launch Partition Manager to free up space immediately or just wait for the
next scheduled Partition Manager run to do so. (In the latter case, events would continue
to be cached on the connectors.) As soon as the Partition Manager detects that the free space available is less
than the target free space, it drops the oldest retained partition and continues to drop the
next oldest partition until the available free space reaches the target free space percent. At
a minimum the current partition plus the two most recent partitions are retained even if the
amount of free space in the database falls below the target free space. For example, if
today is Wednesday, the Partition Manager makes sure to at least retain partitions from
Monday and Tuesday even though that might mean leaving less than the target free space
in the database. Audit events are generated every time a partition is dropped.
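The retention rule described above, modelled as an added example (not ArcSight code) for sizing purposes: given the target free space and the sizes of the retained partitions, it reports how many partitions the rule would drop and whether the minimum-retention floor leaves the database below the target. Treating the database as a single capacity figure in whole GB, the function name and the sample partition sizes are assumptions.

```shell
#!/bin/sh
# Added example, not ArcSight code: a model of Space Based Retention as this
# guide describes it. Assumptions: sizes are whole GB, the database is one
# capacity figure, and partitions are listed oldest first, current one last.

MIN_RETAINED=3   # current partition plus the two most recent, per the guide

# sbr_plan TARGET_FREE_PCT CAPACITY_GB SIZE_GB...   (hypothetical helper name)
# Prints "<dropped> <free_gb> <state>" where state is "ok" when free space
# reaches the target and "below-target" when the retention floor stops the
# drops first.
sbr_plan() (
    target=${1:?target free space percent required}
    capacity=${2:?capacity in GB required}
    shift 2
    used=0
    for size in "$@"; do used=$((used + size)); done
    dropped=0
    # Test free/capacity < target/100 in integers to avoid rounding.
    while [ $(( (capacity - used) * 100 )) -lt $(( target * capacity )) ] &&
          [ "$#" -gt "$MIN_RETAINED" ]; do
        used=$((used - $1))    # drop the oldest retained partition
        shift
        dropped=$((dropped + 1))
    done
    if [ $(( (capacity - used) * 100 )) -ge $(( target * capacity )) ]; then
        state=ok
    else
        state=below-target
    fi
    echo "$dropped $((capacity - used)) $state"
)

# Constructed inputs: the default 15% target and a 400 GB capacity figure.
sbr_plan 15 400 50 50 50 50 50 50 50    # steady load: one drop restores the target
sbr_plan 15 400 20 20 130 130 90        # spike in the last three partitions
```

The second call shows the case the guide warns about: the floor of three retained partitions stops the drops while free space is still under the target, which is when forwarding to the Storage Appliance matters.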
For long term data storage beyond what the disk space on ArcSight Express Appliance
allows, forward the events to ArcSight Storage Appliance.
ArcSight Manager
ArcSight Manager uses a self-signed certificate, which gets generated for you
when you configure the appliance using the First Boot Wizard. When you log
into the Console for the very first time you will be prompted to accept the
Manager’s certificate. You can either click Yes in that dialog or optionally
import the Manager’s certificate manually at a later time.
The following are some of the default values that have been pre-configured in ArcSight
Manager for you:
Setting                               Default Value
Location of Manager                   /opt/arcsight/manager
Manager host name                     Host name or IP address of ArcSight Express
Manager Port                          8443
Manager license file                  Please obtain from ArcSight Customer Support
Packages installed                    ArcSight Express, ArcSight Administration
Java Heap Memory                      2048 MB
Authentication Type                   Password Based
Type of certificate used              self-signed
Default password for keystore         password
Default password for truststore       changeit
E-mail Notification                   Internal SMTP server.
  If you want to use an External SMTP server, run the following command from the
  /opt/arcsight/manager/bin directory and set up the external SMTP server when prompted:
  ./arcsight managersetup
Sensor Asset Auto Creation            Enabled
Packages/default content installed    Appliance-related content
Manager installed as service          Yes (name of service is arcsight_manager)
About ArcSight Web
The following are some of the default values that have been pre-configured in ArcSight
Web for you:
Setting                               Default Value
Location of ArcSight Web              /opt/arcsight/web
ArcSight Web host name                Host name or IP address of ArcSight Express
ArcSight Web port                     9443
Java Heap Size                        512 MB
Authentication Type                   Password Based
Default password for keystore         password
Default password for truststore       changeit
ArcSight Web installed as service     Yes (name of service is arcsight_web)
ArcSight Forwarding Connector
The Forwarding Connector receives the events from the Manager and forwards the events
to the ArcSight Storage Appliance using the SmartReceiver. The following are some of the
default values that have been pre-configured in ArcSight Web for you:
Setting                                               Default Value
Location of ArcSight Forwarding Connector             /opt/arcsight/connector
ArcSight Forwarding Connector installed as service    Yes
Name of the Forwarding Connector Service              arc_logger_connector
ArcSight Logger
The ArcSight Storage Appliance includes the ArcSight Logger software, software for
connector management and 4 connectors that run on the appliance itself.
Setting                               Default Value
ArcSight Logger host name             IP address of ArcSight Logger
ArcSight Logger Port                  443
Appendix C
Restoring Factory Settings
ArcSight Express can be restored to its original factory settings using the built-in Acronis
True Image software.
Restoring ArcSight Express to factory settings will irrevocably delete all event
data and configuration settings.
To restore ArcSight Express to its original factory settings, perform these steps:
1 Attach a keyboard, monitor, and mouse directly to the ArcSight Express system.
2 Reboot ArcSight Express using the command line interface.
3 Press any key.
4 A screen similar to that shown in the figure below will appear on the attached monitor.
Use the mouse or arrow keys to select System Restore and press Enter.
5 On the Pick a Task list, shown in the figure below, choose Recovery.
6 The Restore Data Wizard opens. Click Next to continue.
7 Select the Acronis Secure Zone, as shown in figure below, and click Next. You will
have a chance to review the choices you make on this page and the wizard pages that
follow before initiating the restore process.
8 Select Restore disks or partitions and click Next. Choose other options only if
specifically directed to do so by ArcSight Customer Support.
9 Select the entire drive, labeled 'sda' in the figure below. Click Next to continue.
10 Select Generate new NT signature in the following screen and click Next.
11 Choose the drive to restore ('sda') and click Next.
12 Select Yes, I want to delete all the partitions on the destination hard drive
before restoring and click Next.
13 Because there are no other partitions or disks to restore, choose No, I do not, on the
Next Selection page of the wizard. Click Next.
14 Validating the archive before restoring is optional. Check the box to validate the
archive or leave it unchecked to skip this step. Check the box to Restart machine
automatically if needed for the recovery. Click Next.
15 Review the checklist of operations to be performed and click Proceed to begin the
restore process, or click Back to revisit previous wizard pages.
Do not interrupt or power-down ArcSight Express during the restore process.
Interrupting the restore process may force the system into a state from which
it cannot be recovered.
16 The progress bars shown in the figure below display the status of the current and total
operations.
17 When the restoration is complete, an alert is displayed that says "Data was
successfully restored." Click OK in the message box and close the Acronis True Image
Server window to reboot ArcSight Express.