Configuring the Deployed Capabilities
You are now ready to configure your deployed capabilities. The Pre-Deployment Configuration page displays so that you can configure the products and capabilities chosen at the start of the installation process. This section explains how to configure deployed capabilities on a supported platform for both on-premises and cloud deployments.
- Describing Parameters
- Reviewing Settings That Must Be Set During Deployment
- ArcSight Database
- Transformation Hub
- Fusion
- Intelligence
Describing Parameters
The following parameters are mentioned in one or more of the example install config files.
For the TH yaml, see the following:
Name | Description |
---|---|
routing-processor1-replicas | Specifies the number of Routing Stream Processor Instances to start for the Group 1 Stream Processor. Routing Stream Processors convert incoming CEF events based on predefined rules associated with a unique source Topic. Group numbers are dynamically assigned by Transformation Hub. Tune the number of instances based on throughput requirements. |
th-init-noOfTopicPartitions | For newly created Kafka Topics, specifies the number of partitions assigned to each Topic. Default is 6. A Partition is the unit of parallelism in Kafka, enabling write operations on both the Producer and Broker to be performed concurrently. This is a key tuning property. |
transform-processor-replicas | Specifies the number of CEF-to-Avro Stream Processor Instances to start. CEF-to-Avro Stream Processors convert incoming CEF events from th-cef topic to Avro format and route these events to th-arcsight-avro topic. |
th-init-kafkaRetentionBytesForVertica | Specifies the size, in gigabytes, of the retention log for th-arcsight-avro and mf-event-avro-enriched Topics (Avro primary Topics). Default is 60 GB. This is a key tuning property. This log is associated with Avro processing. It is uncompressed and might require up to 7 times more space than compressed data. When this log size is exceeded, event data will be dropped. |
th-init-kafkaRetentionBytes | Specifies the size, in gigabytes, of the retention log for each Kafka Topic. Default is 60 GB. This is a key tuning property. When the retention log exceeds the size limit, event data will be dropped. |
enrichment-processor1-replicas | Specifies the number of Enrichment Stream Processor Group Instances to start. Enrichment Stream Processors transform incoming events based on the set of enabled event enrichment features, and route these events to one or more destination Topics. Enrichment examples include adding Global Event IDs and event integrity checking. Tune the number of instances based on throughput requirements. |
th-enrichment-processor-group1-source-topic | Specifies the source Topic to be used by the Enrichment Stream Processor Group. |
th-enrichment-processor-integrity-enabled | Indicates whether to generate a verification event that accompanies a batch of events for checking the integrity of parsed fields in each event. Recon uses this verification event to check event integrity. Also, specify a value for ‘Verification event batch size’. |
th-enrichment-processor-integrity-batch-size | Specifies the number of events to be associated with a verification event. A lower value means fewer events are included in each batch for integrity checks; however, it also increases resource consumption because more verification events are generated. |
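To illustrate how these parameters fit together, the following is a minimal sketch of a Transformation Hub install config yaml fragment. The parameter names and defaults come from the table above; the nesting and the specific values shown (for example, the source topic and batch size) are illustrative assumptions and may differ per release.

```yaml
# Illustrative Transformation Hub install config fragment (nesting and
# values are assumptions; parameter names are from the table above).
th-init-noOfTopicPartitions: 6              # partitions per newly created Kafka Topic (default 6)
th-init-kafkaRetentionBytes: 60             # GB retained per Kafka Topic; events drop past this
th-init-kafkaRetentionBytesForVertica: 60   # GB for uncompressed Avro primary Topics (default 60)
routing-processor1-replicas: 2              # Routing Stream Processors; tune to throughput
transform-processor-replicas: 2             # CEF-to-Avro converters (th-cef -> th-arcsight-avro)
enrichment-processor1-replicas: 2           # Enrichment Stream Processors; tune to throughput
th-enrichment-processor-group1-source-topic: th-arcsight-avro   # illustrative source Topic
th-enrichment-processor-integrity-enabled: true                 # generate verification events for Recon
th-enrichment-processor-integrity-batch-size: 10000             # illustrative events per verification event
```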
For the Recon yaml, see the following:
Name | Description |
---|---|
interset-elasticsearch-data-instances | Specifies the number of Elasticsearch data processing instances. |
interset-elasticsearch-index-replicas-count | Specifies the number of replicas for each Elasticsearch index. A value of 0 means no replica copies; use that value only when you have no HA or production requirements. |
interset-logstash-event-buffering | Specifies the internal queuing model to use for event buffering. Specify memory for legacy in-memory based queuing; persisted for disk-based queuing. |
interset-logstash-instances | Specifies the number of Logstash instances. |
recon-enable | Indicates whether to explore events in Recon in addition to Intelligence. |
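As with the Transformation Hub parameters, the Recon parameters above could appear in a Recon install config yaml roughly as follows. This is a sketch: the parameter names are from the table, but the values and any surrounding structure are illustrative assumptions.

```yaml
# Illustrative Recon install config fragment (values are assumptions;
# parameter names are from the table above).
interset-elasticsearch-data-instances: 1         # Elasticsearch data processing instances
interset-elasticsearch-index-replicas-count: 0   # 0 = no replicas; non-HA/non-production only
interset-logstash-event-buffering: persisted     # "memory" (legacy) or "persisted" (disk-based)
interset-logstash-instances: 1                   # number of Logstash instances
recon-enable: true                               # explore events in Recon as well as Intelligence
```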
Reviewing Settings That Must Be Set During Deployment
This section describes configuration settings that must be set during deployment. Additional settings can be modified after deployment by browsing to the CDF Management Portal.
The following products require configuration settings to be set during deployment.
ArcSight Database
If you deployed the ArcSight database and you configure SmartConnectors to use the CEF format when sending events to Transformation Hub, ensure on the Transformation Hub tab that # of CEF-to-Avro Stream Processor instances to start is set to at least 1, or to the value specified in the ArcSight Platform Technical Requirements for your workload.
On the Fusion tab, ensure that you set these configuration settings for your environment:
- Enable Database
- Use SSL for Database Connections
  The SSL configuration requires components to be in a running state before proceeding with the secured database configuration. To apply secure communication to the database, proceed with Completing the Database Setup for AWS S3.
- Database Host
- Database Application Admin User Name
- Database Application Admin User Password
- Search User Name
- Search User Password
- Database Certificate(s)
- Database Host Name(s)
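For orientation, the settings above could be captured as key/value pairs along the following lines. Note that these yaml keys are invented for illustration only; the authoritative names are the field labels shown on the Fusion tab of the CDF Management Portal.

```yaml
# Hypothetical sketch of the Fusion database settings above; the keys
# are invented for illustration, values are placeholders.
database:
  enabled: true                        # Enable Database
  use-ssl: true                        # Use SSL for Database Connections
  host: db1.example.com                # Database Host
  app-admin-user: appadmin             # Database Application Admin User Name
  app-admin-password: "<secret>"       # Database Application Admin User Password
  search-user: searchuser              # Search User Name
  search-password: "<secret>"          # Search User Password
  certificates: /path/to/db-ca.pem     # Database Certificate(s)
  host-names: db1.example.com          # Database Host Name(s)
```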
Transformation Hub
If you deployed Transformation Hub, in the Transformation Hub tab, ensure the following are set to the number of Kafka worker nodes in your deployment or what is specified in ArcSight Platform Technical Requirements for your workload.
- # of Kafka broker nodes in the Kafka cluster (th-kafka-count)
- # of ZooKeeper nodes in the ZooKeeper cluster (th-zookeeper-count)
- # of replicas assigned to each Kafka Topic (th-init-topicReplicationFactor) (This setting must be set to 1 for a single worker deployment, and 2 for a 3-node environment.)
On the Transformation Hub tab, configure the following security settings based on how you planned to secure communications as described in the Securing Communication Among Micro Focus Components section.
- Allow plain text (non-TLS) connections to Kafka (th-kafka-allow-plaintext)
- Enable FIPS 140-2 Mode (th-init-fips)
- Connection to Kafka uses TLS Client Authentication (th-init-client-auth)
- # of message replicas for the __consumer_offsets Topic (th-init-kafkaOffsetsTopicReplicationFactor)
- Schema Registry nodes in the cluster (th-schema-registry-count)
- # of replicas assigned to each Kafka Topic (th-init-topicReplicationFactor)
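Taken together, the Transformation Hub tab settings above might look like the following fragment for a 3-worker-node deployment. The parameter names are from the lists above; the values and flat layout are illustrative assumptions to be adapted to your planned security posture.

```yaml
# Illustrative Transformation Hub settings for a 3-worker-node
# deployment (values are assumptions; names are from the lists above).
th-kafka-count: 3                               # Kafka broker nodes in the cluster
th-zookeeper-count: 3                           # ZooKeeper nodes in the cluster
th-schema-registry-count: 3                     # Schema Registry nodes in the cluster
th-init-topicReplicationFactor: 2               # 1 for single-worker, 2 for a 3-node environment
th-init-kafkaOffsetsTopicReplicationFactor: 3   # replicas for the __consumer_offsets Topic
th-kafka-allow-plaintext: false                 # disallow non-TLS connections to Kafka
th-init-fips: false                             # enable only for FIPS 140-2 deployments
th-init-client-auth: true                       # require TLS client authentication to Kafka
```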
If you are deploying ESM, configure your Enrichment Stream Processor Group source Topic according to the scope for which you want to leverage ESM's event enrichment capability. For more information, refer to Enrichment Stream Processors.
Fusion
If you deployed Fusion, on the Fusion tab:
- Modify the (sso-client-id) and (sso-client-secret) settings to values that are unique for your environment.
- If you are deploying Transformation Hub and configured (enrichment-processor1-replicas) with a value greater than zero (default is 2), the Enrichment Stream Processor will be enabled, and the Fusion ArcMC Generator ID Manager must be enabled with a sufficient range of IDs. This is because the Enrichment Stream Processor automatically requests generator IDs from the Fusion ArcMC in the same cluster as needed for its processing. To enable the Fusion ArcMC Generator ID Manager, set (arcmc-generator-id-enable) to true (the default) and set the values of (arcmc-generator-id-start) and (arcmc-generator-id-end) to provide a range of at least 100 between them. A range of 100 is sufficient for common scenarios with a comfortable buffer, but you can make the range larger if you have configured a large number of Enrichment Stream Processor instances or other components that use Generator IDs from this Fusion ArcMC instance.
- Maximum Search Results: Specifies the maximum number of results that a search can return. The maximum limit is 10 million events.
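The Fusion settings above could appear in an install config yaml roughly as follows. The parameter names are from the text; the values and layout are illustrative assumptions, and the Generator ID range shown is simply a start value plus 100.

```yaml
# Illustrative Fusion install config fragment (values are assumptions;
# parameter names are from the text above).
sso-client-id: my-env-sso-client      # unique value for your environment
sso-client-secret: "<unique-secret>"  # unique value for your environment
arcmc-generator-id-enable: true       # default is true
arcmc-generator-id-start: 92000000    # illustrative start of the ID range
arcmc-generator-id-end: 92000100      # at least 100 greater than the start value
```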
Intelligence
If you deployed Intelligence, on the Intelligence tab, ensure you set these configuration settings for your environment:
- Number of Database Nodes (interset-vertica-number-of-nodes)
- HDFS NameNode (interset-hdfs-namenode)
- Elasticsearch Index Replicas Count (interset-elasticsearch-index-replicas-count)
- H2 Password (interset-h2-password)
- Elasticsearch Password (interset-elasticsearch-password)
- Analytics KeyStore Password (interset-analytics-keystore-password)
- Investigator KeyStore Password (interset-api-keystore-password)
- SearchManager KeyStore Password (searchmanager-api-keystore-password)
- Logstash KeyStore Password (interset-logstash-keystore-password)
- H2 KeyStore Password (interset-h2-keystore-password)
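For reference, the Intelligence settings above could appear in an install config yaml along these lines. The parameter names are from the list; the host name, node count, and placeholder passwords are illustrative and must be replaced with values for your environment.

```yaml
# Illustrative Intelligence install config fragment (values are
# placeholders; parameter names are from the list above).
interset-vertica-number-of-nodes: 3                  # Number of Database Nodes
interset-hdfs-namenode: namenode.example.com         # HDFS NameNode
interset-elasticsearch-index-replicas-count: 1       # Elasticsearch Index Replicas Count
interset-h2-password: "<secret>"                     # H2 Password
interset-elasticsearch-password: "<secret>"          # Elasticsearch Password
interset-analytics-keystore-password: "<secret>"     # Analytics KeyStore Password
interset-api-keystore-password: "<secret>"           # Investigator KeyStore Password
searchmanager-api-keystore-password: "<secret>"      # SearchManager KeyStore Password
interset-logstash-keystore-password: "<secret>"      # Logstash KeyStore Password
interset-h2-keystore-password: "<secret>"            # H2 KeyStore Password
```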
If the topic name specified in the Avro Event Topic field is not the default topic, use Transformation Hub's Avro routing rules, configured with ArcMC 2.96 or later, to filter Avro events from the default topic. Create a routing rule with mf-event-avro-enriched as the source topic and the topic name you provided in the Avro Event Topic field as the destination topic. For more information, see Creating a Route.
For Analytics Configuration-Spark, set the values based on the data load. For information about the values for Spark, see System Hardware Sizing and Tuning Guidelines in the ArcSight Platform 22.1 Technical Requirements for your workload.
For the Data Identifiers to Identify Machine Users field, if you need to consider only human users for licensing, ensure that you provide appropriate values to identify and filter out the machine users from licensing. For more information, contact Micro Focus Customer Support.
If you are enabling Kerberos Authentication, then, before selecting kerberos in Enable Authentication with HDFS Cluster, ensure you configure the Kerberos Authentication. For more information, see Enabling and Configuring Kerberos Authentication.
The Kerberos details that you provide in Kerberos Domain Controller Server, Kerberos Domain Controller Admin Server, Kerberos Domain Controller Domain, and Default Kerberos Domain Controller Realm will be considered only if you select kerberos in Enable Authentication with HDFS Cluster. They are not valid if you select simple.
If you are enabling Kerberos Authentication, then you must also enable the Enable Secure Data Transfer with HDFS Cluster option.
If you disable Enable Secure Data Transfer with HDFS Cluster, the database and HDFS will use the same communication standard as Intelligence 6.2.
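To summarize the Kerberos-related settings above, the following sketch maps them to key/value pairs. The yaml keys here are invented for illustration only; the authoritative names are the portal field labels quoted in the text, and the host and realm values are placeholders.

```yaml
# Hypothetical sketch of the HDFS authentication settings above; the
# keys are invented for illustration, values are placeholders.
hdfs-authentication: kerberos           # Enable Authentication with HDFS Cluster: "kerberos" or "simple"
hdfs-secure-data-transfer: true         # Enable Secure Data Transfer with HDFS Cluster (required with Kerberos)
kerberos-kdc-server: kdc.example.com    # Kerberos Domain Controller Server
kerberos-admin-server: kdc.example.com  # Kerberos Domain Controller Admin Server
kerberos-domain: example.com            # Kerberos Domain Controller Domain
kerberos-realm: EXAMPLE.COM             # Default Kerberos Domain Controller Realm
```

These fields are considered only when kerberos is selected for Enable Authentication with HDFS Cluster, as noted above.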