Completing Post-Installation Tasks

After you confirm that the installation was successful, complete the applicable tasks in this chapter. Depending on your configuration, some tasks might not apply.

After you complete the applicable post-installation tasks, install the ArcSight Console. For more information, see Installing ArcSight Console.

To complete post-installation tasks:

  1. Configure reports to display in a non-English environment.

    To enable queries to retrieve international characters in string-based event fields, you must ensure that you store the characters correctly. For more information, see Configuring Reports to Display in a Non-English Environment.

  2. If you are running software ESM, tune the BIOS to improve performance.

    For more information, see Tuning the BIOS.

  3. If you want to connect a browser to a FIPS web server, configure the browser to use TLS only: turn off the SSL protocols and turn on the TLS protocols.

    For example, in Internet Explorer:

    1. Select Tools > Internet Options.
    2. Select the Advanced tab.
    3. In the Security section, uncheck Use SSL 2.0 and Use SSL 3.0.
    4. Select the appropriate TLS options. For more information, see TLS Support.
  4. If you are running ESM in distributed correlation mode, add or remove cluster services as desired.

    ESM supports dynamic addition and removal of the following cluster services:

    • Aggregator
    • Correlator
    • Distributed cache (dcache)
    • Information repository (repo)

    After you add a service, as user arcsight, run the following command to start the service:

    /etc/init.d/arcsight_services start <service ID>

    If you want to configure a new node and add services, as user arcsight, you must stop and start all of the ESM services:

    /etc/init.d/arcsight_services stop all
    /etc/init.d/arcsight_services start all

    Before you remove a service, you must stop the service.

    For more information about adding cluster services, see the ESM Administrator's Guide.

  5. Install the ArcSight Platform.

    The ArcSight Platform enables you to visualize, identify, and analyze potential threats by incorporating intelligence from the multiple layers of security sources that might be installed in your security environment:

    • Real-time event monitoring and correlation with data from ESM
    • Analyzing end-user behavior with Interset

    To help you get started, the ArcSight Platform provides a Dashboard with a set of out-of-the-box widgets and dashboards. Users can organize the widgets into personalized dashboards.

    For information about deploying, configuring, and maintaining this product, see the Release Notes and the Administrator's Guide for the ArcSight Platform.

    Note: This release allows you to connect to a single ESM instance.
  6. If you want the ability to view Command Center from the ArcSight Platform, install ESM in the ArcSight Platform and then configure the ESM host in the ArcSight Platform. For more information, see the Administrator's Guide for the ArcSight Platform.

    This feature allows you to view Command Center from the ArcSight Platform without having to switch to the ESM host for Command Center. After you install ESM and configure the host in the ArcSight Platform, refresh the dashboard to display the Command Center menu in the ArcSight Platform. Click the menu to start Command Center. To go back to the ArcSight Platform dashboard from Command Center, use the ArcSight Platform menu from the Dashboard menu in Command Center.

  7. Configure Transformation Hub access.

    For more information, see the applicable topic: Configuring Transformation Hub Access - Non-FIPS Mode or Configuring Transformation Hub Access - FIPS Mode (Server Authentication Only).

  8. Configure integration with ServiceNow® IT Service Management (ITSM).

    For more information, see Configuring Integration with ServiceNow®.

  9. To change the method for authenticating users with the ArcSight Manager:

    1. As user arcsight, stop the ArcSight Manager:

      /etc/init.d/arcsight_services stop manager
    2. As user arcsight, from the /opt/arcsight/manager/bin directory, run the following command to start the managersetup wizard:

      ./arcsight managersetup -i console
    3. Advance through the wizard until you reach the authentication options screen.
    4. Select one of the following methods for authenticating users with the ArcSight Manager:

      • Password Based Authentication

        Log in with a user name and password.

      • Password Based and SSL Client Based Authentication

        Base authentication on the user name and password combination or the authentication of the client certificate by the Manager.

      • SSL Client Only Authentication

        Manually set up the authentication of the client certificate by the Manager.

      • OSP Client Only Authentication

        Allow ESM to use an existing One SSO Provider (OSP) (for example, from the ArcSight Platform) for authentication.

        Note: If you select this method, when you register a connector with ESM, specify the ESM user credentials and not the OSP credentials.

      • External SAML2 Client Only Authentication

        Configures the SAML2 client that is embedded in ESM to establish a trust relationship with your own external identity provider.

        Note: If you select this method, when you register a connector with ESM, specify the ESM user credentials and not the OSP credentials.

    5. If you selected OSP Client Only Authentication, provide the following information:

      • Host name and port of the OSP server

      • Tenant name that you specified for the OSP
    6. If you selected External SAML2 Client Only Authentication, provide the following information:

      • Either the SAML2 metadata URL or the location of the SAML2 metadata file to be uploaded
      • Location of the certificate that the external identity provider uses for signing SAML2 requests

        Note: The certificate must be in PEM format.

      After configuration of the External SAML2 Client Only Authentication method is complete and you restart the Manager, you can find the Manager's SAML2 service provider metadata at https://<manager-host-name>:<manager-port>/osp/a/esm/auth/saml2/spmetadata.

    7. Advance through the wizard and complete the configuration.

      For more information about managersetup, see the ESM Administrator's Guide.

    8. If you are running in FIPS mode and using External SAML2 Client Only Authentication, run the migrate_fips_osp_keystore script to update the keystore that the OSP uses:

      /opt/arcsight/manager/bin/arcsight migrate_fips_osp_keystore
    9. As user arcsight, restart the ArcSight Manager:

      /etc/init.d/arcsight_services start all

Configuring Reports to Display in a Non-English Environment

The tasks in this section apply only if you plan to generate PDF reports that use international characters. The ARIALUNI.TTF font is required to configure the reports.

To configure reports to display international characters:

  1. On the ArcSight Manager host, place the ARIALUNI.TTF file in the appropriate folder. For example, /usr/share/fonts/<your folder>.

  2. Add the following line to the sree.properties file, located in the /opt/arcsight/manager/reports/ directory by default:

    font.truetype.path=/usr/share/fonts/<your folder>
  3. Stop and start the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
    /etc/init.d/arcsight_services start all
  4. On the ArcSight Console host operating system, install the Arial Unicode MS font if it is not already present.

  5. From <ARCSIGHT_HOME>/current/bin/scripts, modify console.bat (on Windows) or console.sh (on Macintosh) to append the JVM option " -Dfile.encoding=UTF8" to the ARCSIGHT_JVM_OPTIONS section.

    Note: The encoding is already set correctly on Linux. Modifications are not required.
  6. From the console Preferences menu (Edit > Preferences > Global Options > Font), set Arial Unicode MS as the default font.
  7. Set font preferences for your reports.

    For more information, see the ArcSight Console User's Guide.

Tuning the BIOS

If you are running software ESM, you can tune the BIOS to improve server performance.

To tune the BIOS:

  1. Disable HyperThreading.

    This setting exists on most server-class processors (for example, Intel processors) that support Hyper-Threading. AMD processors do not have an equivalent setting.

  2. Disable Intel VT-d.

    This setting is specific to Intel processors and is likely to be present on most recent server class processors. AMD processors have an equivalent setting called AMD-Vi.

  3. Set Power Regulator to Static High Performance.

    This setting tells the CPU(s) to always run at high speed, rather than slowing down to save power when the system senses that load has decreased. Most recent CPUs have an equivalent setting.

  4. Set Thermal Configuration to Increased Cooling.

    This setting increases the server fan speed to avoid issues with the increased heat that results from constantly running the CPU(s) at high speed.

  5. Enable the Minimum Processor Idle Power Package State setting.

    This setting tells the CPU not to use any of its C-states (various states of power saving in the CPU).

  6. Set Power Profile to Maximum Performance.

    This setting results in the following changes:

    • QPI power management (the link between physical CPU sockets) is disabled.
    • PCIe support is forced to Gen 2.
    • C-states are disabled.
    • Lower speed settings on the CPUs are disabled so that the CPUs constantly run at high speed.

Configuring Transformation Hub Access - Non-FIPS Mode

This section describes how to configure ESM to access Transformation Hub when FIPS mode is not enabled.

To configure ESM access to Transformation Hub in non-FIPS mode:

  1. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  2. As user arcsight, from the /opt/arcsight/manager/bin directory, run the following command to start the managersetup wizard:

    ./arcsight managersetup -i console

    Advance through the wizard until you reach the Transformation Hub screen.

  3. Provide the following information:
    1. Specify the host name and port information for the nodes in Transformation Hub. Include the host and port information for all worker nodes. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      For more information, see the Administrator's Guide for the ArcSight Platform.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2). ESM will read Avro-format events from any topic where the name contains "avro" in lower case. For example, th-arcsight-avro.
    3. Import the Transformation Hub root certificate to ESM's client truststore.

      Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

      On the Transformation Hub master node, run the following command to generate the ca.crt root certificate file in the /tmp folder:

      /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt

      Copy /tmp/ca.crt to a local folder on the ESM server. After you provide the path to the certificate, the wizard imports the Transformation Hub root certificate into ESM's client truststore.

    4. If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.
    5. If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.

    6. If you specified an Avro topic, specify the host name and port for connecting to the Schema Registry in the format <host name:port>.

      Note: The default port for connecting to the Schema Registry is 32081.

      Transformation Hub runs a Confluent Schema Registry that producers and consumers use to manage compatibility of Avro-format events.

      The wizard uses this information to connect to the Schema Registry, read the Avro schemas for the Avro topic that you specified, and verify that the topic contains Avro events that are compatible with ESM. If ESM cannot retrieve the Avro schemas for the Avro topic that you specified and compare it to the Event 1.0.0 schema that is packaged with ESM, or if incompatible schemas are detected, the wizard generates warning messages but allows you to continue. In some cases, you might already know that Transformation Hub will use a compatible schema when the Manager is running.

    7. If you choose to configure the Forwarding Connector to forward CEF events to Transformation Hub and then configure Transformation Hub to filter Avro events, use filters to ensure that ESM does not receive duplicate events. You might want to use filters to accomplish the following:

      • Filter out Connector events that you do not want ESM to process.
      • Filter out ESM's correlation events that were forwarded (CEF events that the Forwarding Connector sent to th-cef) so that ESM does not re-process its own events.

      If you do not configure filtering, ESM must consume from the th-arcsight-avro topic. If you configure filtering, ESM must consume from the mf-event-avro-esmfiltered topic. For information about configuring filters or local and global event enrichment in Transformation Hub, see the Administrator's Guide for the ArcSight Platform.

    The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.

  4. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  5. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start all
  6. To verify that the connection to Transformation Hub is working, look for the following line in server.log:

    Transformation Hub service is initialized
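The following script is an added example and is not part of ESM or Transformation Hub. It encodes the input rules stated in this section (and repeated on the same wizard screen in the FIPS-mode procedures below) as shell functions that you can run against your planned values before starting managersetup, so that a rejected value does not cost a Manager stop/start cycle. The host names, Kafka ports, topic lists and the server.log excerpt are constructed sample values; the function names and the assumption that reading both Avro topics at once would deliver each event twice are this example's, not ESM's.

```shell
#!/bin/sh
# Added example, not ESM code: pre-flight checks for the values the managersetup
# Transformation Hub screen asks for. Everything here runs offline.

# th_check_hosts LIST
# Return 0 when every comma-separated entry is <hostname>:<port> with a DNS host name
# (the wizard rejects IP addresses) and a port in 1-65535. Reachability and whether the
# port is the SASL_SSL listener are not tested here; the wizard does that.
th_check_hosts() {
    _list=$1
    [ -n "$_list" ] || return 1
    _old_ifs=$IFS; IFS=','; set -- $_list; IFS=$_old_ifs
    for _entry in "$@"; do
        _host=${_entry%:*}
        _port=${_entry##*:}
        # No ':' at all leaves host and port both equal to the whole entry.
        [ "$_host" != "$_entry" ] || return 1
        case $_port in ''|*[!0-9]*) return 1 ;; esac
        [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || return 1
        # IPv6 literals keep a ':' or '[' in the host part; reject them.
        case $_host in ''|*:*|*\[*) return 1 ;; esac
        # IPv4 literals are digits and dots only; a real host name contains something else.
        case $_host in *[!0-9.]*) ;; *) return 1 ;; esac
    done
    return 0
}

# th_topic_count LIST
# Print the number of non-empty topics in the comma-separated list.
th_topic_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c '[^[:space:]]' || true
}

# th_check_topics LIST
# Return 0 when the list names between 1 and 25 topics (the wizard's limit).
th_check_topics() {
    _n=$(th_topic_count "$1")
    [ "$_n" -ge 1 ] && [ "$_n" -le 25 ]
}

# th_avro_topics LIST
# Print, one per line, the topics ESM will decode as Avro: any topic whose name
# contains "avro" in lower case (so a topic named TH-AVRO would be read as CEF).
th_avro_topics() {
    printf '%s\n' "$1" | tr ',' '\n' | grep 'avro' || true
}

# th_check_avro_topic FILTERING LIST   (FILTERING is "yes" or "no")
# Return 0 when the Avro topic matches the filtering decision from this section:
# with Transformation Hub filtering configured ESM must read mf-event-avro-esmfiltered,
# without it ESM must read th-arcsight-avro. Assumption of this example: reading the
# unfiltered topic alongside the filtered one would deliver each event twice, so that
# combination is rejected.
th_check_avro_topic() {
    _topics=",$2,"
    case $1 in
        yes) case $_topics in *,th-arcsight-avro,*) return 1 ;; esac
             case $_topics in *,mf-event-avro-esmfiltered,*) return 0 ;; *) return 1 ;; esac ;;
        no)  case $_topics in *,th-arcsight-avro,*) return 0 ;; *) return 1 ;; esac ;;
        *)   return 2 ;;
    esac
}

# th_log_initialized SERVER_LOG
# Return 0 when server.log already contains the line this section says to look for.
th_log_initialized() {
    grep -q 'Transformation Hub service is initialized' "$1"
}

# Constructed sample values so the script runs stand-alone; substitute your own.
SAMPLE_HOSTS='th-worker1.example.com:9093,th-worker2.example.com:9093'
SAMPLE_TOPICS='th-arcsight-avro,th-cef'
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(constructed server.log excerpt)
Transformation Hub service is initialized
EOF

th_check_hosts "$SAMPLE_HOSTS" && echo "hosts: ok" || echo "hosts: rejected"
th_check_topics "$SAMPLE_TOPICS" && echo "topics: ok" || echo "topics: rejected"
echo "avro topics: $(th_avro_topics "$SAMPLE_TOPICS" | tr '\n' ' ')"
th_check_avro_topic no "$SAMPLE_TOPICS" && echo "avro topic choice: ok" || echo "avro topic choice: wrong"
th_log_initialized "$SAMPLE_LOG" && echo "server.log: initialized" || echo "server.log: not yet"
```

Run it as user arcsight on the Manager host with your own values in SAMPLE_HOSTS and SAMPLE_TOPICS, and point th_log_initialized at the real server.log after the Manager restarts. The checks only mirror the rules written on this page; the wizard's own connection validation is still what confirms that the cluster accepts the Manager.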

Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - Non-FIPS Mode

Before setting up client-side authentication with Transformation Hub, you must import the Transformation Hub root certificate into the ESM truststore.

Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

Note: You must specify the Transformation Hub host name and not the IP address when configuring Transformation Hub access.

To import the Transformation Hub root certificate into an ESM truststore:

Note: Before completing the steps below, verify whether the Transformation Hub root certificate has previously been imported into ESM. If it has, you do not need to re-import it.
  1. On the Transformation Hub master node, generate the root certificate file by running /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt, and copy /tmp/ca.crt to a location on the ESM server.

  2. Use the keytool command to import the root CA certificate into the ESM truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file /tmp/ca.crt -alias alias1

To enable client-side authentication between Transformation Hub and ESM:

  1. Obtain your company's root CA certificate, an intermediate certificate, and key pair and place them in /tmp with the following names:

    • /tmp/intermediate.cert.pem
    • /tmp/intermediate.key.pem
    • /tmp/ca.cert.pem
  2. Verify that Transformation Hub is functional and that client authentication is configured.
  3. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  4. If /opt/arcsight/manager/config/client.properties does not exist, create it using an editor of your choice.

  5. Change the store password for the keystore, keystore.client, which has an empty password by default. This empty password interferes with the certificate import:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -storepasswd -storepass ""
  6. Run the following command to update the empty password of the generated key services-cn in the keystore to be the same password as that of the keystore itself. When prompted, enter the same password that you entered for the store password:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -keypasswd -keypass "" -alias services-cn
  7. Run the following command to update the password in config/client.properties:

    /opt/arcsight/manager/bin/arcsight changepassword -f config/client.properties -p ssl.keystore.password
  8. Generate the keypair and certificate signing request (.csr) file. When generating the keypair, enter the fully qualified domain name of the ArcSight Manager host as the common name (CN) for the certificate.

    Run the following commands:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -genkeypair -dname "cn=<your host's fully qualified domain name>, ou=<your organization>, o=<your company>, c=<your country>" -keyalg rsa -keysize 2048 -alias ebkey -startdate -1d -validity 366
    /opt/arcsight/manager/bin/arcsight keytool -certreq -store clientkeys -alias ebkey -file ebkey.csr

    where ebkey.csr is the output file where the .csr is stored.

  9. Sign the .csr with the Transformation Hub intermediate CA certificate and key. On the Transformation Hub server, the intermediate certificate is located at /opt/arcsight/kubernetes/ssl/intermediate.cert.pem and the key is called ca.key.

    Run the following command on either the Transformation Hub server or a different server with a functional openssl (as long as you have the intermediate.cert.pem and intermediate.key.pem available):

    openssl x509 -req -CA ${INTERMEDIATE_CA_CRT} -CAkey ${INTERMEDIATE_CA_KEY} -in <full path to the esm csr> -out <full path and file name for storing the generated cert> -days 3650 -CAcreateserial -sha256

    For example:

    openssl x509 -req -CA /tmp/intermediate.cert.pem -CAkey /tmp/intermediate.key.pem -in /tmp/ebkey.csr -out /tmp/signedIntermediateEBkey.crt -days 3650 -CAcreateserial -sha256

    You must specify all file locations with the full path.

  10. Import the intermediate certificate and CA certificate from Transformation Hub into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias <alias for the certificate> -importcert -file <absolute path to certificate file>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias thintcert -importcert -file /tmp/intermediate.cert.pem

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias thcert -importcert -file /tmp/ca.cert.pem

  11. On the ESM server, run the following command to import the signed certificate (the -out parameter in the above openssl command):

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file <path to signed cert> -trustcacerts

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file /tmp/signedIntermediateEBkey.crt -trustcacerts

  12. To verify that the configuration is complete and that the connection to Transformation Hub is valid, run managersetup and ensure that there are no errors.
  13. Start the ArcSight Manager:

    /etc/init.d/arcsight_services start all
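Before you import the signed certificate in step 11, it is worth confirming that what came back from the Transformation Hub administrator chains to the CA through the intermediate, carries the Manager FQDN as its CN, and belongs to the key pair behind ebkey.csr; an import that succeeds only reveals a wrong chain later, when Transformation Hub rejects the Manager's connection. The following is an added example and not ESM or Transformation Hub code: it rehearses step 9 with openssl alone, using a constructed root and intermediate CA in place of ca.cert.pem, intermediate.cert.pem and intermediate.key.pem, and a plain openssl key pair and CSR in place of the keytool -genkeypair and -certreq steps, then runs the three checks. The same checks apply unchanged to the FIPS-mode procedure below, since only the keystore differs. The file names under $WORK, the FQDN and DN fields, and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not ESM or Transformation Hub code: rehearse the CSR-signing step with
# openssl only and verify the result before 'arcsight keytool -importcert -trustcacerts'.
set -u

WORK=$(mktemp -d)
ESM_FQDN=esm-manager.example.com   # constructed; the Manager host's FQDN goes in the CN

# Extensions that make a certificate usable as a CA (needed by the stand-ins below).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Stand-in root CA (constructed): self-signed and explicitly marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example TH Root CA' \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key.pem" -extfile "$WORK/ca.ext" \
    -days 3650 -sha256 -out "$WORK/ca.cert.pem" 2>/dev/null

# Stand-in intermediate CA (constructed), signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example TH Intermediate CA' \
    -keyout "$WORK/intermediate.key.pem" -out "$WORK/intermediate.csr" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 3650 -sha256 -out "$WORK/intermediate.cert.pem" 2>/dev/null

# ESM side: key pair and CSR with the Manager FQDN as CN. In the real procedure keytool
# does this and the private key never leaves keystore.client; the DN fields are constructed.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Corp/OU=Security Operations/CN=$ESM_FQDN" \
    -keyout "$WORK/ebkey.key.pem" -out "$WORK/ebkey.csr" 2>/dev/null

# Step 9 of the procedure, exactly as the section gives it, against the stand-in CA.
openssl x509 -req -CA "$WORK/intermediate.cert.pem" -CAkey "$WORK/intermediate.key.pem" \
    -in "$WORK/ebkey.csr" -out "$WORK/signedIntermediateEBkey.crt" \
    -days 3650 -CAcreateserial -sha256 2>/dev/null

# esm_cert_chains CA_PEM INTERMEDIATE_PEM SIGNED_CRT
# Return 0 when the signed certificate validates up to the CA through the intermediate,
# i.e. the two certificates step 10 puts in the client truststore complete the chain.
esm_cert_chains() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# esm_cert_cn SIGNED_CRT
# Print the CN of the signed certificate; it must be the Manager FQDN from step 8.
esm_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# esm_cert_matches_csr SIGNED_CRT CSR
# Return 0 when the certificate carries the public key from the CSR, which is what
# importing it under the existing alias (ebkey) requires. Comparing against the CSR
# works in the real procedure too, where the private key stays inside the keystore.
esm_cert_matches_csr() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

CRT="$WORK/signedIntermediateEBkey.crt"
esm_cert_chains "$WORK/ca.cert.pem" "$WORK/intermediate.cert.pem" "$CRT" \
    && echo "chain: ok" || echo "chain: BROKEN, do not import"
echo "CN: $(esm_cert_cn "$CRT")"
esm_cert_matches_csr "$CRT" "$WORK/ebkey.csr" && echo "key: matches CSR" || echo "key: MISMATCH"
```

For the real procedure, run the three functions against /tmp/ca.cert.pem, /tmp/intermediate.cert.pem, the signed .crt returned to you, and the ebkey.csr you generated in step 8. A chain failure usually means the administrator signed with a different intermediate than the one you were given, or that the root in ca.cert.pem is not the one that issued that intermediate; fix that before touching the keystore.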

Configuring Transformation Hub Access - FIPS Mode (Server Authentication Only)

This section describes how to configure ESM to access Transformation Hub when FIPS mode is enabled. FIPS 140-2 is the only supported FIPS mode.

To configure ESM access to Transformation Hub in FIPS Mode:

  1. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  2. On the Transformation Hub master node, generate the root certificate file by running /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt, and copy /tmp/ca.crt to a location on the ESM server.

  3. Use the keytool command to import the root CA certificate into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file /tmp/ca.crt -alias alias1

  4. As user arcsight, run the following command from the /opt/arcsight/manager/bin directory to start the managersetup wizard:

    ./arcsight managersetup -i console

    For more information about managersetup, see the ESM Administrator's Guide.

  5. Provide the following information:
    Note: You do not need to provide the path to the Transformation Hub root certificate, as it has already been imported.
    1. Specify the host name and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      For more information, see the Administrator's Guide for the ArcSight Platform.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2). ESM will read Avro-format events from any topic where the name contains "avro" in lower case. For example, th-arcsight-avro.
    3. If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.

    4. If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.

    5. If you specified an Avro topic, specify the host name and port for connecting to the Schema Registry in the format <host name:port>.

      Note: The default port for connecting to the Schema Registry is 32081.

      Transformation Hub runs a Confluent Schema Registry that producers and consumers use to manage compatibility of Avro-format events.

      The wizard uses this information to connect to the Schema Registry, read the Avro schemas for the Avro topics that you specified, and verify that the topics contain Avro events that are compatible with ESM. If ESM cannot retrieve the Avro schemas for the Avro topics that you specified and compare them to the schema that is packaged with ESM, or if incompatible schemas are detected, the wizard generates warning messages but allows you to continue. In some cases, you might already know that Transformation Hub will use a compatible schema when the Manager is running.

    6. If you choose to configure the Forwarding Connector to forward CEF events to Transformation Hub and then configure Transformation Hub to filter Avro events, use filters to ensure that ESM does not receive duplicate events. You might want to use filters to accomplish the following:

      • Filter out Connector events that you do not want ESM to process.

      • Filter out ESM's correlation events that were forwarded (CEF events that the Forwarding Connector sent to th-cef) so that ESM does not re-process its own events.

      If you do not configure filtering, ESM must consume from the th-arcsight-avro topic. If you configure filtering, ESM must consume from the mf-event-avro-esmfiltered topic. For information about configuring filters or local and global event enrichment in Transformation Hub, see the Administrator's Guide for the ArcSight Platform.

    The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.

  6. Advance through the wizard and complete the configuration.
  7. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start manager
  8. To verify that the connection to Transformation Hub is working, look for the following line in server.log:

    Transformation Hub service is initialized

Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - FIPS Mode

Before setting up client-side authentication with Transformation Hub, you must import the Transformation Hub root certificate into the ESM truststore and the Transformation Hub intermediate certificate into the ESM keystore. Before you begin this task, verify whether the certificates have previously been imported into ESM. If they have, you do not need to re-import them.

Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

Note: You must specify the Transformation Hub host name and not the IP address when configuring Transformation Hub access.

To enable client-side authentication between Transformation Hub and ESM:

  1. Copy ca.cert.pem and intermediate.cert.pem from Transformation Hub to a location on the ESM server.

  2. On the Transformation Hub master node, generate the root certificate file by running /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt, and copy /tmp/ca.crt to a location on the ESM server.

  3. Use the keytool command to import the root CA certificate into the ESM truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file /tmp/ca.crt -alias alias1

  4. Use the keytool command to import the intermediate certificate into the ESM keystore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -importcert -file /tmp/intermediate.cert.pem -alias alias2

  5. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  6. Generate a keypair:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -genkeypair -dname "cn=<fully-qualified domain name of the host>, ou=<organizational unit>, o=<organization name>, c=<country code>" -keyalg rsa -keysize 2048 -alias <alias name> -startdate -1d -validity 366
  7. Generate a certificate signing request file:

    /opt/arcsight/manager/bin/arcsight keytool -certreq -store clientkeys -alias <alias name> -file <filename>.csr
  8. Copy the .csr file to the Transformation Hub master node.
  9. On the Transformation Hub master node, generate the signed certificate:

    openssl x509 -req -CA /opt/intermediate_cert_files/intermediate.cert.pem -CAkey /opt/intermediate_cert_files/intermediate.key.pem -in /opt/<file name>.csr -out /opt/<file name>.crt -days 3650 -CAcreateserial -sha256
  10. Copy the signed certificate to the ESM server.
  11. On the ESM server, import the signed certificate:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias <alias name> -importcert -file <absolute path to the certificate file> -trustcacerts
  12. As user arcsight, run the following command from the /opt/arcsight/manager/bin directory to start the managersetup wizard:

    ./arcsight managersetup -i console

    For more information about managersetup, see the ESM Administrator's Guide.

  13. Provide the following information:

    Note: You do not need to provide the path to the Transformation Hub root certificate, as it has already been imported.
    1. Specify the host name and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      For more information, see the Administrator's Guide for the ArcSight Platform.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2). ESM will read Avro-format events from any topic where the name contains "avro" in lower case. For example, th-arcsight-avro.
    3. If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.

    4. If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.

    5. If you specified an Avro topic, specify the host name and port for connecting to the Schema Registry in the format <host name:port>.

      Note: The default port for connecting to the Schema Registry is 32081.

      Transformation Hub runs a Confluent Schema Registry that producers and consumers use to manage compatibility of Avro-format events.

      The wizard uses this information to connect to the Schema Registry, read the Avro schemas for the Avro topics that you specified, and verify that the topics contain Avro events that are compatible with ESM. If ESM cannot retrieve the Avro schemas for the Avro topics that you specified and compare them to the schema that is packaged with ESM, or if incompatible schemas are detected, the wizard generates warning messages but allows you to continue. In some cases, you might already know that Transformation Hub will use a compatible schema when the Manager is running.

    6. If you choose to configure the Forwarding Connector to forward CEF events to Transformation Hub and then configure Transformation Hub to filter Avro events, use filters to ensure that ESM does not receive duplicate events. You might want to use filters to accomplish the following:

      • Filter out the Connector events that you do not want ESM to process.

      • Filter out ESM's correlation events that were forwarded (CEF events that the Forwarding Connector sent to th-cef) so that ESM does not re-process its own events.

      If you do not configure filtering, ESM must consume from the th-arcsight-avro topic. If you configure filtering, ESM must consume from the mf-event-avro-esmfiltered topic. For information about configuring filters or local and global event enrichment in Transformation Hub, see the Administrator's Guide for the ArcSight Platform.

    The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.

  14. Advance through the wizard and complete the configuration.
  15. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start manager

Configuring Integration with ServiceNow®

This section describes how to integrate with ServiceNow® after completing the installation and how to customize the forms for exporting cases and events from ESM to ServiceNow®. ESM can integrate with the ServiceNow® IT Service Management (ITSM) and ServiceNow® Incident Management schemas.

ESM includes configuration files for customizing the export forms in /opt/arcsight/manager/config/externalCaseManagement by default. To customize the ITSM export form, use the SN_ITSM_incident.json configuration file. To customize the Incident Management export form, use the SN_SI_incident.json configuration file. Both configuration files include example customizations. The procedure for customizing the export forms is described later in this section.

Note: You can export multiple events at the same time. Use the export.external.ticketsystem.ui.events.max parameter in the console.properties file to specify the maximum number. The default is 10, but you can increase or decrease that setting to meet the needs of your environment. For more information, see the ArcSight Console User's Guide.

To configure ESM to integrate with ServiceNow®:

  1. As user arcsight, stop the ArcSight Manager services:

    /etc/init.d/arcsight_services stop manager

  2. As user arcsight, from the /opt/arcsight/manager/bin directory, start the managersetup wizard:

    ./arcsight managersetup -i console

    Advance through the wizard until you reach the ServiceNow® screen.

  3. Specify the ServiceNow® URL and, if necessary, the proxy URL that is used to connect to the internet.
  4. (Conditional) If you want to use a global ID to authenticate connections to ServiceNow®, click Yes, and then specify the user name and password.
  5. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  6. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start manager

To customize the export form:

  1. Create a backup copy of the .json file that you will update (/opt/arcsight/manager/config/externalCaseManagement/SN_ITSM_incident.json or SN_SI_incident.json).
  2. Open /opt/arcsight/manager/config/externalCaseManagement/SN_ITSM_incident.json or SN_SI_incident.json in a text editor.
  3. Ensure that the main field is set to true.

    Note: The main field determines the schema to use. Set the field to true for only one of the files.

    If you change the schema that is in use, modify the service_name field in /opt/arcsight/manager/config/externalCaseManagement/service.json to reflect the schema that is in use. For example:

    • If you are using the ITSM schema, specify "service_name":"ServiceNow \u00AE ITMS".
    • If you are using the Incident Management schema, specify "service_name":"ServiceNow \u00AE SI".
  4. Modify the appropriate fields.

    Use this field...    To modify...

    referenced_table
      The ServiceNow® table that contains the records that you want to reference (for example, sys_user or sys_group).
      The table must be a valid ServiceNow® table. You must define the table in a separate .json file. When you define the table, you must specify at least one field. For an example table definition, see /opt/arcsight/manager/config/externalCaseManagement/SN_sys_user.json or SN_sys_user_group.json.

    field_type
      The type of data that the field accepts.
      Valid values are StringField, BooleanField, DateTimeField, IntegerField, and NumberField.

    display_name
      The display name for the field on the export form.
      The name must be less than 20 characters. You can use this field for localization.

    show_in_ui
      The format for the field on the export form.
      Valid values are FULL_ROW, HALF_ROW, TEXT_AREA, and NONE. To hide a field, specify NONE.

    required
      Whether the field is required.
      Valid values are true and false.

    mappings for cases
      Map an ESM case field to a ServiceNow® ticket field.
      Specify esm_source as case and source_field_name as <name of ESM case field>. For example:

      "mappings": [ { "esm_source": "case", "source_field_name": "displayId" } ]
      "mappings": [ { "esm_source": "case", "source_field_name": "name" } ]
      "mappings": [ { "esm_source": "case", "source_field_name": "description" } ]
      "mappings": [ { "esm_source": "case", "source_field_name": "summary" } ]
      "mappings": [ { "esm_source": "case", "source_field_name": "createTime" } ]

    mappings for events
      Map an event field to a ServiceNow® ticket field.
      Specify esm_source as event and source_field_name as <name of event field>. Some examples of event field mappings:

      "mappings": [ { "esm_source": "event", "source_field_name": "managerReceiptTime" } ]
      "mappings": [ { "esm_source": "event", "source_field_name": "priority" } ]
      "mappings": [ { "esm_source": "event", "source_field_name": "severity" } ]

    options
      Format the field as a drop-down selection list with the specified values.
      There are two methods for formatting a field as a drop-down list. If the display name and the value are the same, use the short form. If the display name and the value are different, use the long form.

      Example 1 (short form):

      "options": [
        "New",
        "In progress",
        "On hold",
        "Resolved",
        "Closed",
        "Canceled"
      ]

      In the short form example above, the label for the first selection in the drop-down list is "New," and the actual value that is assigned is "New." Note that the last entry has no trailing comma; a trailing comma is not valid JSON.

      Example 2 (long form):

      "options": [
        { "display": "Low", "value": 3 },
        { "display": "Medium", "value": 2 },
        { "display": "High", "value": 1 }
      ]

      In the long form example above, the label for the first selection in the drop-down list is "Low," and the actual value that is assigned is "3."

    checks
      Equality checks between fields.
      Valid values are ShouldNotBeEqual and ShouldBeEqual. Each check names the two fields to compare in its columns array. For example:

      "checks": [
        {
          "type": "ShouldNotBeEqual",
          "columns": [ "<field 1>", "<field 2>" ]
        },
        {
          "type": "ShouldBeEqual",
          "columns": [ "<field 3>", "<field 4>" ]
        }
      ]

  5. Review the modifications and ensure that the format is valid.
  6. Save the file, and then stop and start the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
    /etc/init.d/arcsight_services start manager

    The customized export forms are available the next time you log in to the ArcSight Console.
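As an added example (not part of ESM or this guide), the following Python script applies the constraints listed in the customization table to a parsed export form before you restart the Manager, so that an invalid field_type, an over-long display_name, a malformed options list or a check that names an undefined field is caught in step 5 rather than after the restart. The top-level layout it assumes (a "main" flag, a "fields" object keyed by field name, and a "checks" list) is a hypothetical one chosen for illustration; the sample forms are constructed, and the real layout is the one in the example files under /opt/arcsight/manager/config/externalCaseManagement.

```python
import json

# Allowed values as documented in the customization table for SN_*_incident.json.
FIELD_TYPES = {"StringField", "BooleanField", "DateTimeField", "IntegerField", "NumberField"}
UI_FORMATS = {"FULL_ROW", "HALF_ROW", "TEXT_AREA", "NONE"}
CHECK_TYPES = {"ShouldNotBeEqual", "ShouldBeEqual"}

def validate_form(form: dict) -> list:
    """Return the problems found in one parsed export form (assumed layout, see lead-in)."""
    problems = []
    if not isinstance(form.get("main"), bool):
        problems.append("main must be true or false")
    fields = form.get("fields", {})
    for name, f in fields.items():
        if f.get("field_type") not in FIELD_TYPES:
            problems.append(f"{name}: invalid field_type {f.get('field_type')!r}")
        if len(f.get("display_name", "")) >= 20:
            problems.append(f"{name}: display_name must be less than 20 characters")
        if f.get("show_in_ui") not in UI_FORMATS:
            problems.append(f"{name}: invalid show_in_ui {f.get('show_in_ui')!r}")
        for m in f.get("mappings", []):
            if m.get("esm_source") not in ("case", "event") or not m.get("source_field_name"):
                problems.append(f"{name}: mapping needs esm_source case|event and source_field_name")
        opts = f.get("options", [])
        short_form = all(isinstance(o, str) for o in opts)                       # all plain strings
        long_form = all(isinstance(o, dict) and {"display", "value"} <= set(o) for o in opts)
        if opts and not (short_form or long_form):
            problems.append(f"{name}: options must be all strings or all display/value objects")
    for c in form.get("checks", []):
        cols = c.get("columns", [])
        if c.get("type") not in CHECK_TYPES:
            problems.append(f"check: invalid type {c.get('type')!r}")
        if len(cols) != 2 or any(col not in fields for col in cols):
            problems.append(f"check: columns must name two defined fields, got {cols}")
    return problems

def exactly_one_main(forms: dict) -> bool:
    """True when exactly one of the schema files has main set to true."""
    return sum(1 for f in forms.values() if f.get("main") is True) == 1

# Constructed samples: the ITSM form has one deliberate error (its check names the
# undefined field "impact"); the SI form is the inactive schema.
ITSM = json.loads("""{"main": true, "fields": {
  "short_description": {"field_type": "StringField", "display_name": "Summary", "show_in_ui": "FULL_ROW",
    "mappings": [{"esm_source": "case", "source_field_name": "name"}]},
  "urgency": {"field_type": "IntegerField", "display_name": "Urgency", "show_in_ui": "HALF_ROW",
    "options": [{"display": "Low", "value": 3}, {"display": "High", "value": 1}]}},
  "checks": [{"type": "ShouldNotBeEqual", "columns": ["urgency", "impact"]}]}""")
SI = json.loads('{"main": false, "fields": {}, "checks": []}')
```

Loading the real files with json.load in place of the constructed samples also surfaces syntax errors such as a trailing comma in an options list.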