ArcSight L750MB Logger Centos installation

Since ArcSight Protect 2010 in September 2010, the Logger model L750MB has been part of the ArcSight Logger product catalog. In our previous blog post we analysed the Logger L750MB features and limits. Here we summarise some of the features and limitations of the L750MB and provide an installation guide for CentOS 5.x.

Features :

Connector appliance features are disabled.
Alerting module features are enabled.
Reporting module features are enabled.
SAN storage feature is disabled.
Logger peering features are disabled.

Limits :

A maximum of 10 devices is supported.
Maximum daily collected data is 750 MB.
The EPS rate is limited to a maximum of 60.
Maximum data retention is 50 GB.

OS & Hardware requirements

You can install L750MB Logger on these following certified operating systems :

Red Hat Enterprise Linux (RHEL), version 5.4, 64-bit
Oracle Enterprise Linux (OEL) 5.4, 64-bit
CentOS, version 5.4, 64-bit

or on these others supported operating systems :

Red Hat Enterprise Linux (RHEL), version 4.x, 64-bit
CentOS, version 4.x, 64-bit

Virtual Machine installation of the above listed OS is supported. You will not be able to install the Logger on an existing machine that is running MySQL or PostgreSQL. We recommend a completely dedicated operating system for the installation. You will also need synchronized NTP across your whole infrastructure: a synchronized time is a key factor for log management. After the installation you will need one of the following supported browsers, with the Adobe Flash Player plug-in :

Internet Explorer: Versions 7 and 8
Firefox: Versions 3.0 and 3.5

For hardware we recommend :

CPU : 1 or 2 cores
Memory : 4 – 12 GB
Disk Space : 120 GB
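A pre-install check for the requirements listed above (an added example, not from the original post or from ArcSight): it verifies a 64-bit OS, the absence of a MySQL or PostgreSQL server package, an uncommented NTP server entry, 120 GB free for the assumed /home/arcsight install path, and that 5555/TCP (which a reply below notes the Logger binds) is not already in use. The package names, file paths and the rpm/netstat output formats are assumptions about a CentOS 5 host; the samples at the end are constructed.

```shell
#!/bin/sh
# Constructed pre-install check for this post's requirements: 64-bit OS,
# no MySQL/PostgreSQL server, NTP configured, 120 GB for /home/arcsight
# (assumed install path) and 5555/TCP free for the Logger TCPServerService.
# Every check takes its input as an argument, so it runs on live command
# output (preinstall_check) or on the constructed samples at the bottom.

arch_ok() { [ "$1" = "x86_64" ]; }                      # $1: uname -m

# $1: rpm -qa output. Only server packages count; mysql-libs is harmless.
conflicting_db_installed() {
    printf '%s\n' "$1" | grep -Eq '^(mysql-server|postgresql-server)-'
}

# $1: /etc/ntp.conf contents; needs at least one uncommented server line.
ntp_configured() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*server[[:space:]]+[^[:space:]]+'
}

# $1: available KB on the target filesystem (df -Pk, column 4).
disk_ok() { [ "${1:-0}" -ge $(( 120 * 1024 * 1024 )) ]; }

# $1: netstat -tan output; $2: port. False if something already listens.
port_free() { ! printf '%s\n' "$1" | grep -Eq "^tcp.*[.:]$2[[:space:]]+.*LISTEN"; }

# Runs every check against the live system; returns 1 if any check fails.
preinstall_check() {
    rc=0
    arch_ok "$(uname -m)" || { echo "FAIL: 64-bit OS required"; rc=1; }
    if conflicting_db_installed "$(rpm -qa 2>/dev/null)"; then
        echo "FAIL: MySQL/PostgreSQL server installed"; rc=1
    fi
    ntp_configured "$(cat /etc/ntp.conf 2>/dev/null)" || { echo "FAIL: NTP not configured"; rc=1; }
    avail_kb=$(df -Pk /home/arcsight 2>/dev/null | awk 'NR==2{print $4}')
    disk_ok "$avail_kb" || { echo "FAIL: less than 120 GB free for /home/arcsight"; rc=1; }
    port_free "$(netstat -tan 2>/dev/null)" 5555 || { echo "FAIL: 5555/TCP already in use"; rc=1; }
    return $rc
}

# Constructed samples (not from a real host) for an offline dry run.
NETSTAT_SAMPLE="Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22          0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:5555      0.0.0.0:*        LISTEN"
NTP_SAMPLE="driftfile /var/lib/ntp/drift
server 0.centos.pool.ntp.org"
port_free "$NETSTAT_SAMPLE" 5555 || echo "sample: 5555/TCP is in use"
ntp_configured "$NTP_SAMPLE" && echo "sample: NTP configured"
```

Run `preinstall_check` as root on the target host before launching the installer; each failing requirement is printed on its own line.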

Storage strategy & retention policy requirements

As ArcSight Logger L750MB has a limit of 50 GB maximum data retention, your storage strategy and retention policy will be simple to define: just follow the ArcSight recommended installation, and then we will change it through the ArcSight Logger Web interface.

With the recommended installation ArcSight Logger will initialize the Storage Volume to the maximum authorized, that is 50 GB, and the Storage Volume has to be on a local disk, on an NFS or on a SAN mount point. You will not be able to increase the size of the Storage Volume above 50 GB with the L750MB, and once the Storage Volume size is configured the only way to resize it is to reinstall everything.

Also, with the recommended installation ArcSight Logger will initialize the maximum of 6 Storage Groups. Two of these Storage Groups are inherent to the Logger and are named “Default Storage Group” and “Internal Event Storage Group”. If you choose not to create the maximum of 6 Storage Groups, you will not be able to create more Storage Groups later. Below is the default Storage Groups configuration :

[TABLE=14]

You will be able to resize all Storage Groups. Until you understand the concepts of “Devices”, “Device Groups” and “Storage Rules”, we recommend that you do not touch the “Internal Event Storage Group” definition and that you give the maximum size to the “Default Storage Group”. You will then have this configuration :

[TABLE=15]
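A worked capacity check for the limits quoted in this post (added here, not part of the original article): given the 750 MB/day and 60 EPS caps and the 50 GB Storage Volume, it computes how many days of retention the volume can hold at a planned daily ingest and the average event size you can afford at both caps, so a retention policy can be validated before the Storage Volume is initialized, since it cannot be resized without a reinstall.

```shell
#!/bin/sh
# Constructed capacity check for the L750MB limits quoted in this post.
DAILY_MB_CAP=750      # maximum daily collected data (MB)
EPS_CAP=60            # maximum events per second
VOLUME_GB=50          # maximum Storage Volume (GB), not resizable after setup

# Whole days of retention the Storage Volume can hold at $1 MB/day
# (integer division: a partial final day is not counted).
retention_days() {
    daily_mb="$1"
    echo $(( VOLUME_GB * 1024 / daily_mb ))
}

# Average bytes per event that fit within the daily cap when the Logger
# also runs at the EPS cap all day (60 EPS * 86400 s).
bytes_per_event_budget() {
    echo $(( DAILY_MB_CAP * 1024 * 1024 / (EPS_CAP * 86400) ))
}

# Checks a planned policy of $1 days at $2 MB/day against both limits.
# Prints one of: "over-daily-cap", "exceeds-volume", "fits".
retention_check() {
    days="$1"; daily_mb="$2"
    if [ "$daily_mb" -gt "$DAILY_MB_CAP" ]; then
        echo over-daily-cap
    elif [ $(( days * daily_mb )) -gt $(( VOLUME_GB * 1024 )) ]; then
        echo exceeds-volume
    else
        echo fits
    fi
}

# Example run (constructed policies, not measured values).
retention_days 750          # 68
bytes_per_event_budget      # 151
retention_check 90 750      # exceeds-volume
retention_check 30 500      # fits
retention_check 30 900      # over-daily-cap
```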

Installation

First of all you will need an updated CentOS 5.4 installation; just follow the CentOS installation procedures. You will need to configure IP addresses, DNS and NTP before starting the Logger installation procedure. As ArcSight Logger

Create an arcsight user and group :

[Image: ArcSight user add]

Give a password to the arcsight user :

[Image: ArcSight user password]

Upload the “ArcSight-logger-5.0.0.5355.2.bin” installation binary and your “arcsight_logger_license.lic” license file to the arcsight home directory.

Make the installation binary executable :

[Image: ArcSight Logger chmod]

To install the Logger in console mode execute the following command :

[Image: ArcSight Logger console mode installation]

On the first prompt press enter to display the license agreement and accept the terms of agreement.

[Image: ArcSight Logger licence agreement]

Provide the installation directory, “/home/arcsight”, and then press enter to continue the installation.

[Image: ArcSight Logger installation folder]
[Image: ArcSight Logger installation]

After the installation finishes, you will need to press “enter” to initialize the Logger. This initialization may take several minutes.

[Image: ArcSight Logger initialization]
[Image: ArcSight Logger successful initialization]

When initialization is done you will have to configure the Logger through a configuration wizard. To start this wizard in console mode, type the following command.

[Image: ArcSight Logger configuration]
[Image: ArcSight Logger configuration in console mode]

You will be asked for the license file location.

[Image: ArcSight Logger license file]

Choose the typical installation type if you are not familiar with ArcSight Logger indexing, storage groups and storage volume. Also remember that the L750MB will not let you go above a theoretical 50 GB of storage. As described above, we will change the Storage Groups settings later.

[Image: ArcSight Logger installation type]

When the configuration is finished we recommend that you do not start the Logger directly, but reboot the server instead.

[Image: ArcSight Logger installation startup]

After the reboot, log on to the server as the arcsight user and start the Logger with the following commands.

[Image: ArcSight Logger startup after reboot]

The “loggerd” command is located in the “/home/arcsight/current/arcsight/logger/bin” directory. If the startup is successful you will see this output.

[Image: ArcSight Logger loggerd status]

The “loggerd” command accepts the following arguments.

[Image: ArcSight Logger loggerd arguments]

Now you can log in to the ArcSight Logger Web interface over HTTPS on port 9000; you will see the following login page.

[Image: ArcSight Logger login page]

The default login is “admin” and the default password is “password”; please change it 🙂 To change your password, go to the “System Admin” menu, then the “Change Password” sub-menu.

[Image: ArcSight Logger Web user interface]

To change the Storage Groups settings, go to the “Configuration” menu, then the “Storage” sub-menu.

You now have an up-and-running Logger. In a future blog post we will install the L750MB SYSLOG SmartConnector on a dedicated Linux server and the “SNARE” software on Windows to collect our first events.

20 thoughts on “ArcSight L750MB Logger Centos installation”

  1. I have the problem below when I was installing ArcSight Logger.

    pre-install check failed: 32-bit compatibility libraries not found. these are required for logger to install and operate successfully

    I used the below.
    OS: CentOS-6.3-x86_64
    Package: ArcSight-logger-5.3.1.6838.0.bin

    Please explain what is wrong.

    1. I missed the libc.so6 library.

      yum -y install libc.so.6

      Thanks, Mike.

  2. I cannot use the “admin” user-ID with the “password” password to log on to the ArcSight unix login once I have installed the ArcSight free version via VirtualBox. Do you have any idea what the correct default user/password is? Or is there any step that I missed?

  3. On RHEL 5.5 I am unable to install the Linux version. There is a message after extracting the JRE: “line 2506: Cannot start binary file”.

    1. I’m using CentOS 6.3 x64 and can verify that the installer works.

      For the sake of archiving information: On CentOS 6.3 32-bit I received an error message, “./ArcSight-logger-5.3.0.6684.0.bin: line 2506: /tmp/install.dir.3411/Linux/resource/jre/bin/java: cannot execute binary file.” Line 2506 is, “exec “$actvm” $options $lax_nl_java_launcher_main_class “$propfname” “$envPropertiesFiles” $cmdLineArgs.”

      1. Hi Eric J, I have the same problem, did you find the fix? Sorry for my English.

        1. No I haven’t, but it should just be a matter of getting and installing the missing libraries. I haven’t found what libraries, exactly, are needed for everything to work.

  4. Hello, I am installing the Windows VHD, and am stuck at this message in the Windows console:
    Before Logger will fully operate, you must perform a one-time setup of the Storage Volume Settings.

    I’m unable to find reference to anything in the console or the command line.
    Also, are there any arcsight message boards for support? I can’t find anything on HP’s lousy web site.
    Thanks.

  5. I downloaded the VHD file with Logger from the HP site. After configuring the Logger Virtual Machine, I connected to the Logger web interface. After uploading the license file and saving it, I was directed to the System Admin web partition and saw the banner message: “Before Logger will fully operate, you must perform a one-time setup of the Storage Volume Settings”. But I don’t know where these settings are.

  6. Thanks for your posts on Logger – I’m just getting started with it. Have installed it in a CentOS VM – several hurdles as I didn’t expect it to be so picky on version and tried in CentOS 6 to begin with. Then I hadn’t allocated enough space (min 10 GB) and it seems to like a couple of GB of RAM.
    Oddly, it’s also touchy when I move the VM to another box. On one system, it just won’t start successfully. Usually around 3 processes (inc. receivers and processors) won’t start. I’m not finding the logs too helpful either. However, I have managed to get the connector and logger working on one system, just not the one I want it on.
    I’m trying to set up a test system on my personal network with Logger in a VM, the Windows SmartConnector to receive syslog events from SNARE on a Windows box, and syslog feeds from my router, a NAS box and so on.

    Rgrds
    Peter

  7. Dear Sir,

    I already installed it before; however, I forgot the admin password. How can I recover it?

  8. Hello, Eric.

    I keep getting this error at the step after specifying the 50 GB Storage Volume.
    Error (Couldn’t get client for 127.0.0.1:5555)

    I restarted the box to see if any service needs to be started first or not. That did not help.
    Have you seen this error before?

    1. Hello Teddy,

      The Logger port 5555/TCP is related to the TCPServerService and more precisely to “Server remote service listening port”. You can find all related logs in $ARCSIGHT_HOME/current/arcsight/logger/logs/logger_server.log.

      Here is a sample of the logs related to the 5555/TCP port :

      - starting TCPServerService for port 127.0.0.1:5555
      - Remote server request service started
      - Starting alert collector
      start to bind on 127.0.0.1:5555 for remote service
      - Waiting for connections at port: 127.0.0.1:5555

      Before starting the Logger, is port 5555/TCP already in use? You can verify this with netstat -tan. Port 5555/TCP is required by the Logger.

      Regards
