13.4 Example

The SIEM solution for Filr has been tested with ArcSight ESM and ArcSight Logger. This section describes how ArcSight ESM is integrated with Filr.

13.4.1 ArcSight ESM Integration with Filr

ESM is a software solution that combines traditional security event monitoring with network intelligence, context correlation, anomaly detection, historical analysis tools, and automated remediation. It consolidates and normalizes data from devices across your enterprise network into a centralized view.

  • The connector can be configured from anywhere on the Filr server, but it must be configured separately on each Filr appliance node, because cluster-level configuration is not currently supported. During configuration you are prompted for the paths where the related links and scripts are saved. For information on configuring the ArcSight Kafka Flex Connector, see the Kafka Flex Connector Documentation.

  • In the destination details, ensure that the content is set to CEF format and that the CEF version is 1.0.

  • The configuration parameters for the destination details are available in the Kafka server and zookeeper properties files in /opt/novell/filr/kafka/config.
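Because the connector forwards what it reads from the Kafka topic as CEF, a quick way to confirm that the events are well-formed before ESM sees them is to run a few lines through a CEF parser. The following is an added example written for this page; it is not part of Filr or of the ArcSight connector, and the sample events, vendor and product names, signature IDs and extension keys in it are constructed placeholders. The `CEF:0` at the start of each line is the format version field defined by the CEF specification; the `1.0` on this page refers to the connector's destination setting, not to that header field. The parser splits the header on the seven unescaped pipes, rejects events with a missing header field or an out-of-range severity, and unescapes `\=`, `\\`, `\n` and `\r` in extension values.

```python
"""Minimal CEF parser for checking events on their way to ESM.
Added example, not Filr or ArcSight code. All sample events below are
constructed; vendor, product, signature IDs and extension keys are hypothetical."""
import re
from typing import Dict, List, Optional, Tuple

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A CEF line may carry a syslog prefix; the CEF part starts at "CEF:<n>|".
_CEF_START = re.compile(r"(?:^|\s)(CEF:\d+\|.*)$", re.S)
# Extension keys are alphanumeric tokens preceded by whitespace (or the start
# of the extension) and followed directly by '='. An escaped '\=' inside a
# value never matches because '\' is not a key character.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_SEVERITY_WORDS = {"low", "medium", "high", "very-high"}


def _split_header(body: str) -> Tuple[Optional[List[str]], str]:
    """Split the header on the 7 unescaped '|' separators.
    In the header '\\|' is a literal pipe and '\\\\' a literal backslash.
    Returns (None, "") when fewer than 7 separators are present."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, body[i + 1:]   # remainder is the extension
        else:
            cur.append(c)
        i += 1
    return None, ""


def _unescape_ext(value: str) -> str:
    """Extension values escape '=' as '\\=', '\\' as '\\\\', CR/LF as '\\r'/'\\n'."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its '=' up to the next unescaped 'key=' token."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for idx, k in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[k.group(1)] = _unescape_ext(ext[k.end():end].strip())
    return out


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one CEF line (optionally syslog-prefixed); None if malformed."""
    m = _CEF_START.search(line.rstrip("\r\n"))
    if not m:
        return None
    fields, ext = _split_header(m.group(1))
    if fields is None:
        return None
    sev = fields[6]
    if not (sev.isdigit() and 0 <= int(sev) <= 10) and sev.lower() not in _SEVERITY_WORDS:
        return None                      # CEF severity is 0..10 or Low/Medium/High/Very-High
    event: Dict[str, object] = {"cef_version": int(fields[0][4:])}
    event.update(zip(HEADER_FIELDS, fields[1:]))
    event["extension"] = _parse_extension(ext)
    event["syslog_prefix"] = line[:m.start(1)].strip()
    return event


def check_events(lines: List[str]) -> Tuple[List[Dict[str, object]], List[int]]:
    """Return (parsed events, 1-based indices of lines that were rejected)."""
    parsed, rejected = [], []
    for n, line in enumerate(lines, 1):
        ev = parse_cef(line)
        if ev is None:
            rejected.append(n)
        else:
            parsed.append(ev)
    return parsed, rejected


# Constructed sample events (hypothetical vendor, product, IDs and keys).
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|ExampleFileShare|4.3|FILE_DOWNLOAD|File downloaded|3|"
    "suser=alice fname=quarterly\\=report.pdf act=download src=10.0.0.5",
    "<134>Jan 10 12:00:00 filr-node1 CEF:0|ExampleVendor|ExampleFileShare|4.3|"
    "LOGIN_FAIL|Login failed \\| lockout pending|7|suser=bob src=198.51.100.7 msg=attempt 3 of 5",
    "CEF:0|ExampleVendor|ExampleFileShare|4.3|TRUNCATED|Header cut off",   # only 5 pipes
    "CEF:0|ExampleVendor|ExampleFileShare|4.3|BAD_SEV|Severity out of range|99|suser=eve",
]

if __name__ == "__main__":
    ok, bad = check_events(SAMPLE_EVENTS)
    for ev in ok:
        print(ev["signature_id"], ev["severity"], ev["extension"])
    print("rejected lines:", bad)
```

Feed it real lines taken from the topic (for example with the Kafka console consumer that ships in the Filr Kafka directory) and any line it rejects is one that ESM would also fail to map cleanly; the escaped `\|` in the second sample shows why splitting on a plain `|` is not enough.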

13.4.2 View the Event logs

When SIEM is enabled and the SIEM solution and connector are configured, the CEF events are visible on the ArcSight ESM Console. For information on enabling SIEM, see SIEM Integration in the Filr 4.3: Administrative UI Reference.

  1. Log in to the ESM web console.

  2. Select Event Search from the Events tab.

  3. Enter the connector name, for example CefEvents for Filr. The CEF events are displayed.