Since ArcSight Protect 2010 in September 2010, the L750MB Logger model has been part of the ArcSight Logger product catalog. In our previous blog post we analysed the L750MB's features and limits. Here we summarize those features and limitations and provide an installation guide for CentOS 5.x.
Features:
Connector Appliance features are disabled.
Alerting module features are enabled.
Reporting module features are enabled.
The SAN storage feature is disabled.
Logger peering features are disabled.
Limits:
A maximum of 10 devices is supported.
Maximum daily collected data is 750 MB.
The EPS rate is limited to a maximum of 60.
Maximum data retention is 50 GB.
OS & Hardware requirements
You can install the L750MB Logger on the following certified operating systems:
Red Hat Enterprise Linux (RHEL), version 5.4, 64-bit
Oracle Enterprise Linux (OEL) 5.4, 64-bit
CentOS, version 5.4, 64-bit
or on the following other supported operating systems:
Red Hat Enterprise Linux (RHEL), version 4.x, 64-bit
CentOS, version 4.x, 64-bit
Virtual machine installation of the operating systems listed above is supported. You cannot install the Logger on a machine that is already running MySQL or PostgreSQL; we recommend a dedicated operating system for the installation. You will also need NTP synchronised across your whole infrastructure: a consistent time source is a key factor in log management, since event timestamps are only comparable across sources when every sender and the Logger agree on the time. After the installation you will need one of the following supported browsers, with the Adobe Flash Player plug-in:
Internet Explorer: Versions 7 and 8
Firefox: Versions 3.0 and 3.5
Recommended hardware:
CPU: 1 or 2 cores
Memory: 4 – 12 GB
Disk space: 120 GB
Storage strategy & retention policy requirements
Because the L750MB caps data retention at 50 GB, the storage strategy and retention policy are simple to define: follow the ArcSight recommended installation, then adjust the Storage Groups from the ArcSight Logger web interface.
With the recommended installation, ArcSight Logger initializes the Storage Volume at the maximum authorized size, i.e. 50 GB. The Storage Volume must reside on a local disk or on an NFS or SAN mount point. With the L750MB you cannot grow the Storage Volume beyond 50 GB, and once its size is set the only way to resize it is to reinstall everything, so make sure the underlying file system has the space before you begin.
The recommended installation also creates the maximum of 6 Storage Groups. Two of them are built into the Logger and are named “Default Storage Group” and “Internal Event Storage Group”. If you choose not to create all 6 Storage Groups at installation time, you will not be able to add more later. The default Storage Groups configuration is shown below:
[TABLE=14]
All Storage Groups can be resized. Until you are comfortable with the concepts of “Devices”, “Device Groups” and “Storage Rules”, we recommend leaving the “Internal Event Storage Group” definition untouched and assigning the maximum size to the “Default Storage Group”. You will then have this configuration:
[TABLE=15]
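Before moving on to the installation itself, here is a pre-flight script that checks the requirements listed above. It is an added example written for this post, not a script shipped by ArcSight. It encodes the constraints on this page (a 64-bit installer on a 64-bit kernel, a certified or supported RHEL/OEL/CentOS release, no resident MySQL or PostgreSQL, NTP synchronised, 120 GB free under the installation directory) together with the failure modes readers report in the comments below (a 64-bit installer on a 32-bit system, missing 32-bit compatibility libraries, port 5555/TCP already taken), and it works out the longest retention the 750 MB/day and 50 GB caps allow. The installation directory /home/arcsight and ports 5555 and 9000 come from this page; the package name glibc.i686 and the use of rpm, ntpq and netstat to gather live data are assumptions about the target host. The check functions take their input as arguments so they can be run against captured output; set PREFLIGHT_LIVE=1 to run them against the host.

```shell
#!/bin/bash
# Pre-flight checks for an ArcSight Logger L750MB software install.
# Added example for this post; not ArcSight's own installer or tooling.
# It encodes the requirements and failure modes the page describes: a 64-bit
# installer on a 64-bit kernel, a certified/supported RHEL, OEL or CentOS
# release, no resident MySQL or PostgreSQL, a synchronised NTP system peer,
# 32-bit glibc present (assumed package name glibc.i686), enough free disk for
# the Storage Volume, and TCP 5555 (remote service) / 9000 (web UI) not bound.
# Check functions take their input as arguments so they can be run on captured
# text; run_live_checks gathers real data only when PREFLIGHT_LIVE=1.

# $1 = `uname -m`, $2 = installer bitness (64|32). The "cannot execute binary
# file" failure in the comments is a 64-bit installer on a 32-bit kernel.
installer_arch_matches() {
    case "$2:$1" in
        64:x86_64) return 0 ;;
        32:i?86)   return 0 ;;
        *)         return 1 ;;
    esac
}

# $1 = contents of /etc/redhat-release. Certified: 5.4; supported: 4.x
# (RHEL 4 prints "release 4 (...)", CentOS prints "release 4.8"). 6.x and
# other 5.x releases are rejected because the page does not list them.
os_supported() {
    case "$1" in
        *"release 5.4"*) return 0 ;;
        *"release 4"*)   return 0 ;;
        *)               return 1 ;;
    esac
}

# $1 = `ps -eo comm=` output. A resident MySQL or PostgreSQL blocks the install.
db_conflict() {
    printf '%s\n' "$1" | grep -Eq '^(mysqld|postgres|postmaster)$'
}

# $1 = `netstat -tan` output, $2 = TCP port. True if something LISTENs on it.
# Matches on the ":port" suffix of the local address so :555 never matches :5555.
port_in_use() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" &&
        substr($4, length($4) - length(p) + 1) == p { found = 1 }
        END { exit !found }'
}

# $1 = `ntpq -pn` output. ntpq marks the selected system peer with a leading '*'.
ntp_synced() {
    printf '%s\n' "$1" | grep -q '^\*'
}

# $1 = free KiB (4th column of `df -Pk`), $2 = required GiB.
disk_ok() {
    [ "${1:-0}" -ge $(( $2 * 1024 * 1024 )) ]
}

# Upper bound on retention: Storage Volume cap (GB) / daily ingest cap (MB).
# 50 GB at 750 MB/day -> 68 days (1 GB = 1024 MB, integer division).
max_retention_days() {
    echo $(( $1 * 1024 / $2 ))
}

not()     { ! "$@"; }
has_rpm() { rpm -q "$1" >/dev/null 2>&1; }

FAILS=0
check() {                    # check <label> <command...>
    local label="$1"; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; FAILS=$((FAILS + 1)); fi
}

run_live_checks() {
    local home="${ARCSIGHT_HOME:-/home/arcsight}"   # installation directory from the post
    check "64-bit installer on 64-bit kernel"  installer_arch_matches "$(uname -m)" 64
    check "supported RHEL/OEL/CentOS release"  os_supported "$(cat /etc/redhat-release 2>/dev/null)"
    check "32-bit compatibility glibc present" has_rpm glibc.i686
    check "no MySQL/PostgreSQL resident"       not db_conflict "$(ps -eo comm= 2>/dev/null)"
    check "NTP synchronised to a system peer"  ntp_synced "$(ntpq -pn 2>/dev/null)"
    check "120 GB free under $home"            disk_ok "$(df -Pk "$home" 2>/dev/null | awk 'NR==2{print $4}')" 120
    for port in 5555 9000; do
        check "TCP $port free"                 not port_in_use "$(netstat -tan 2>/dev/null)" "$port"
    done
    echo "Max retention at 750 MB/day into 50 GB: $(max_retention_days 50 750) days"
    [ "$FAILS" -eq 0 ]
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${PREFLIGHT_LIVE:-0}" = 1 ]; then run_live_checks; fi
```

Save it under a name of your choice (preflight.sh here is just a placeholder) and run `PREFLIGHT_LIVE=1 bash preflight.sh` as root before launching the installer; each FAIL line names the requirement to fix. The OS check is deliberately strict about 5.4 because that is the only 5.x release this page lists as certified.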
Installation
First of all you need an up-to-date CentOS 5.4 installation; just follow the CentOS installation procedure. Configure IP addressing, DNS and NTP before starting the Logger installation. As ArcSight Logger
Create an arcsight user and group:
Give the arcsight user a password:
Upload the “ArcSight-logger-5.0.0.5355.2.bin” installation binary and your “arcsight_logger_license.lic” license file to the arcsight home directory.
Make the installation binary executable:
To install the Logger in console mode, execute the following command:
At the first prompt, press enter to display the license agreement, then accept its terms.
Provide the installation directory, “/home/arcsight”, and press enter to continue the installation.
At the end of the installation, press “enter” to initialize the Logger. Initialization may take several minutes.
When initialization is done you must configure the Logger through the configuration wizard. To start the wizard in console mode, type the following command.
You will be asked for the location of the license file.
Choose the typical installation type if you are not familiar with ArcSight Logger indexing, Storage Groups and the Storage Volume. Remember that the L750MB will not let you exceed a theoretical 50 GB of storage. As described above, we will change the Storage Groups settings later.
When the configuration is finished, we recommend not starting the Logger right away but rebooting the server first.
After the reboot, log on to the server as the arcsight user and start the Logger with the following commands.
The “loggerd” command is located in the “/home/arcsight/current/arcsight/logger/bin” directory. If startup succeeds you will see the following output.
The “loggerd” command accepts the following arguments.
You can now log in to the ArcSight Logger web interface over HTTPS on port 9000; you will see the following login page.
The default login is “admin” and the default password is “password”. Change it before anyone else can reach the interface 🙂 To change your password, go to the “System Admin” menu, then the “Change Password” sub-menu.
To change the Storage Groups settings, go to the “Configuration” menu, then the “Storage” sub-menu.
You now have an up-and-running Logger. In a next blog post we will install the L750MB SYSLOG SmartConnector on a dedicated Linux server and the “SNARE” software on Windows to receive our first events.
Platform initializer failed while installing arcsight logger
I had the problem below when I was installing ArcSight Logger.
pre-install check failed: 32-bit compatibility libraries not found. these are required for logger to install and operate successfully
I used the following.
OS: CentOS-6.3-x86_64
Package: ArcSight-logger-5.3.1.6838.0.bin
Please explain what is wrong.
I was missing the libc.so.6 library.
yum -y install libc.so.6
Thanks Mike.
I cannot use the “admin” user ID with the “password” password to log on at the ArcSight Unix login once I have installed the ArcSight free version via VirtualBox. Do you have any idea what the correct default user/password is? Or is there a step that I missed?
The ANSWER to the missing libraries:
yum -y install libc.so.6
I am the best. Enjoy.
On RHEL 5.5 I am unable to install the Linux version. There is a message after extracting the JRE: “line 2506: Cannot start binary file”.
I found the cause: it was a 64-bit installer on an x86 system.
I’m using CentOS 6.3 x64 and can verify that the installer works.
For the sake of archiving information: on CentOS 6.3 32-bit I received the error message “./ArcSight-logger-5.3.0.6684.0.bin: line 2506: /tmp/install.dir.3411/Linux/resource/jre/bin/java: cannot execute binary file.” Line 2506 is: exec "$actvm" $options $lax_nl_java_launcher_main_class "$propfname" "$envPropertiesFiles" $cmdLineArgs
It seems that, though the installer works on CentOS 6.3, there are libraries missing. Would you happen to know what those missing libraries are?
http://i.imgur.com/eRijd.png
Thanks
Hi Eric J, I have the same problem. Did you find the fix? Sorry for my English.
No I haven’t, but it should just be a matter of getting and installing the missing libraries. I haven’t found what libraries, exactly, are needed for everything to work.
Hello, I am installing the Windows VHD and am stuck at this message in the Windows console:
Before Logger will fully operate, you must perform a one-time setup of the Storage Volume Settings.
I’m unable to find a reference to anything in the console or on the command line.
Also, are there any arcsight message boards for support? I can’t find anything on HP’s lousy web site.
Thanks.
I downloaded the VHD file with Logger from the HP site. After configuring the Logger virtual machine, I connected to the Logger web interface. After uploading the license file and saving it, I was directed to the System Admin section and saw the banner message: “Before Logger will fully operate, you must perform a one-time setup of the Storage Volume Settings”. But I don’t know where these settings are.
Excellent, this helps so much!
thanks
Thanks for your posts on Logger – I’m just getting started with it. I have installed it in a CentOS VM; there were several hurdles, as I didn’t expect it to be so picky about versions and tried CentOS 6 to begin with. Then I hadn’t allocated enough space (min 10 GB), and it seems to like a couple of GB of RAM.
Oddly, it’s also touchy when I move the VM to another box. On one system it just won’t start successfully; usually around 3 processes (including receivers and processors) won’t start. I’m not finding the logs too helpful either. However, I have managed to get the connector and Logger working on one system, just not the one I want it on.
I’m trying to set up a test system on my personal network with Logger in a VM, the Windows SmartConnector to receive syslog events from SNARE on a Windows box, and syslog feeds from my router, a NAS box and so on.
Rgrds
Peter
Dear Sir,
I already installed it before; however, I forgot the admin password. How can I recover it?
Hello, Eric.
I keep getting this error at the step after specifying the 50 GB Storage Volume.
Error (Couldn’t get client for 127.0.0.1:5555)
I restarted the box to see if any service needs to be started first or not. That did not help.
Have you seen this error before?
Hello Teddy,
The Logger port 5555/TCP is related to the TCPServerService and more precisely to the “Server remote service listening port”. You can find all related logs in $ARCSIGHT_HOME/current/arcsight/logger/logs/logger_server.log.
Here is a sample of the logs related to the 5555/TCP port:
- starting TCPServerService for port 127.0.0.1:5555
- Remote server request service started
- Starting alert collector
start to bind on 127.0.0.1:5555 for remote service
- Waiting for connections at port: 127.0.0.1:5555
Before you start the Logger, is port 5555/TCP already in use? You can verify this with netstat -tan. Port 5555/TCP is required by the Logger.
Regards
Hi Eric
I just received a new license and this tutorial helps me a lot, thank you!
You’re welcome Rafael 🙂