ArcSight Forwarder Connector. Let's go wherever we want
- Tutorial
In this article, I will share my experience of forwarding events out of ArcSight ESM. I will cover the functionality in detail, give step-by-step instructions for setting up the ArcSight Forwarder Connector, and describe a few useful tricks.

To begin with, let's figure out why events are sent out of ArcSight ESM at all (after all, they live quite well in its database):
- Your company has several ESM servers and you need to send events to a central ArcSight ESM for global correlation
- You have a third-party system (such as ELK) to which you need to send events from ArcSight
- Sending events over syslog in CEF format
- Uploading events to a CSV file for further work
We can implement all of these with the ArcSight Forwarder Connector, but the initial configuration starts on the ArcSight ESM itself:
First, create an account that will be used to upload events from ESM.
In the navigation panel, go to the “Users” section and, in the “Custom User Groups” directory, create our own “Forwarder Events” group.

Click on the newly created “Forwarder Events” group and create a user, for example “fwd”.

For the new user, set the account type and password:
User Type = Forwarding Connector

Now we need to create a filter for the events we want to forward from ArcSight ESM. To do this, select the “Filters” section in the navigation panel and create a filter with the necessary conditions.
For example, I plan to forward all correlation events from ESM, so my filter looks like this:

After the filter is created, it must be applied to the “Forwarder Events” group, which contains the user fwd.
Go to the navigation panel in the “Users” section and select “Edit Access Control” for the “Forwarder Events” group.

Next, in the “ACL Editor”, go to the “Events” tab and click “Add” to add the previously created filter.

That's all; the ArcSight ESM settings are complete.
After creating the account and the filter on ArcSight ESM, we can install and configure the ArcSight Forwarder Connector.
First of all, make the installer executable:
chmod +x ArcSight-7.5.0.7986.0-SuperConnector-Linux64.bin
Now run the installer itself:
./ArcSight-7.5.0.7986.0-SuperConnector-Linux64.bin
Read the information, press “Enter” and specify the installation directory:
/opt/arcsight/forwarder
Then decline creating links by selecting “4” and confirm the installation.

In the end we receive a message about the successful installation and instructions on how to start the connector configuration wizard.

Now do the preliminary configuration.
Launch runagentsetup.sh:
/opt/arcsight/forwarder/current/bin/runagentsetup.sh
Select the item “Add a Connector” and the type “ArcSight Forwarding Connector (Enhanced)”.

Next, the connector asks whether to hide parameter entry (the login / password) as you type it.

Now we set the parameters of the ESM server from which we will collect events and specify the credentials of the previously created “fwd” account.

Now we need to import the ArcSight ESM certificate into our connector

Once the integration with ESM succeeds, the connector offers several options for transmitting events.

Next, I describe the settings for each of the options.
Setting the destination types:

Now we specify the name under which the connector will appear on the destination ESM server.

Import the certificate for the connector

This completes the setup. Only the connector's start mode remains to be chosen: we can install the connector as a service with automatic start, or run it as an application that has to be started manually with:
/opt/arcsight/forwarder/current/bin/arcsight agents
I usually choose to create a service with automatic start.

On the destination server, check that the connector has registered and that events are arriving on it.


On ArcSight Logger, give the Receiver a name and select the type of events it receives.

Now go to the configuration on the connector: set the parameters for connecting to Logger and specify the Receiver we created, FWD_ESM.

Import the certificate for the connector

Check that events arrive on ArcSight Logger.


Check that events arrive at the destination, for example in ELK.



Tricks for working with ArcSight Forwarder Connector
The first trick is forwarding correlation events together with their base events. To do this, we need to pass the connector ID and the user ID as a parameter and register them in the ESM configuration file.
You can find out the connector ID with the following command:
cat /opt/arcsight/forwarder/current/user/agent/agent.properties | grep entityid
and the ID of the fwd user in its ESM profile.

Next, we need to add an extra parameter to the server.properties file on the ArcSight ESM server.
Stop the server:
/etc/init.d/arcsight_services stop all
Enter the parameter:
vi /opt/arcsight/manager/config/server.properties
eventstream.cfc=(connector ID).(forwarder user ID)
Start the ESM server:
/etc/init.d/arcsight_services start all
Now correlation events will be forwarded together with their base events.
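The same edit done from a script, as an added example that is not part of the original article: it reads the connector ID (entityid) from agent.properties, takes the fwd user's ID as an argument, and writes eventstream.cfc into server.properties exactly once, keeping a .bak copy, so re-running it never leaves two conflicting lines. The live paths from the article are used only in apply_to_live_esm(), which the demo does not call; the two files the demo creates are constructed samples with placeholder IDs.

```shell
#!/bin/sh
# Added example (not from the original article): set eventstream.cfc in
# server.properties from the connector's entityid and the forwarding user's ID.
# apply_to_live_esm() uses the real ESM paths from the article; the demo at the
# bottom works on constructed temporary files with placeholder IDs.

# Print the connector ID (entityid) recorded in agent.properties.
connector_id() {
  grep '^entityid=' "$1" | head -n 1 | cut -d= -f2- | tr -d '\r'
}

# Replace or append eventstream.cfc=<connector ID>.<user ID> in server.properties.
# A .bak copy is kept; any previous eventstream.cfc line is dropped first so the
# property appears exactly once after the edit.
set_eventstream_cfc() {
  props="$1"; conn="$2"; user="$3"
  if [ -z "$conn" ] || [ -z "$user" ]; then
    echo "set_eventstream_cfc: connector ID and user ID are required" >&2
    return 1
  fi
  cp "$props" "$props.bak"
  grep -v '^eventstream\.cfc=' "$props.bak" > "$props" || true
  printf 'eventstream.cfc=%s.%s\n' "$conn" "$user" >> "$props"
}

# Print the configured value, for verification after the edit.
get_eventstream_cfc() {
  grep '^eventstream\.cfc=' "$1" | head -n 1 | cut -d= -f2-
}

# The full procedure from the article against the real paths: stop ESM, edit,
# start ESM. Takes the fwd user's ID (read from the user's profile in ESM).
apply_to_live_esm() {
  agent_props=/opt/arcsight/forwarder/current/user/agent/agent.properties
  server_props=/opt/arcsight/manager/config/server.properties
  /etc/init.d/arcsight_services stop all
  set_eventstream_cfc "$server_props" "$(connector_id "$agent_props")" "$1"
  /etc/init.d/arcsight_services start all
}

# --- constructed demo on temporary copies (placeholder IDs, not real ones) ---
demo=$(mktemp -d)
cat > "$demo/agent.properties" <<'EOF'
agents[0].type=forwarder_enhanced
entityid=EXAMPLE_CONNECTOR_ID==
EOF
cat > "$demo/server.properties" <<'EOF'
# constructed server.properties fragment with a stale value to be replaced
eventstream.cfc=OLD_CONNECTOR.OLD_USER
EOF
set_eventstream_cfc "$demo/server.properties" \
  "$(connector_id "$demo/agent.properties")" "EXAMPLE_USER_ID=="
echo "eventstream.cfc is now: $(get_eventstream_cfc "$demo/server.properties")"
grep -c '^eventstream\.cfc=' "$demo/server.properties"   # 1: the line is not duplicated
```

Run it as root on the ESM host with the user ID as the argument to apply_to_live_esm; the .bak file left beside server.properties is what you restore if the manager refuses to start afterwards.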
The second trick is filtering the events sent to a particular destination. Run the connector setup again:
/opt/arcsight/forwarder/current/bin/runagentsetup.sh
Select “Add Modify Connector”, then “Add, modify, or remove destinations”.

Next, select the destination to which the filter will apply.

Select “Modify destination settings”.

This menu holds all of the destination's connector settings; in our case we need item 10, Filters.

Assign the filter: in my case, discard all events whose deviceVendor field is NOT EQUAL to the given value.

Thus we can send a mixed stream of events through the Forwarder Connector and distribute them among the destinations we need.
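A way to check what such a deviceVendor filter actually lets through, as an added example that is not from the original article: the same "keep only events whose Device Vendor equals X" condition is applied to CEF lines as a syslog destination would log them. The sample lines are constructed (hostnames, rule IDs and addresses are placeholders), and the functions read stdin so they can be pointed at a real syslog file instead.

```shell
#!/bin/sh
# Added example (not from the original article): apply a "deviceVendor equals X"
# condition to CEF lines, mirroring the destination filter set up in the connector,
# and count events per vendor. Sample events below are constructed.

# Print the Device Vendor header field of each CEF line on stdin.
# The header is CEF:Version|Device Vendor|Device Product|...; a literal pipe
# inside a header field is escaped as \|, which a naive split would break.
cef_device_vendor() {
  awk '{
    line = $0
    if (sub(/^[^|]*CEF:[0-9]+\|/, "", line) == 0) next   # not a CEF line: skip
    gsub(/\\\|/, "\001", line)          # protect escaped pipes
    split(line, f, "|")
    v = f[1]
    gsub("\001", "|", v)                # restore them in the extracted field
    print v
  }'
}

# Keep only CEF lines whose Device Vendor equals $1; everything else is
# discarded, exactly like the NOT EQUAL filter in the article.
filter_by_vendor() {
  want="$1"
  while IFS= read -r line; do
    got=$(printf '%s\n' "$line" | cef_device_vendor)
    [ "$got" = "$want" ] && printf '%s\n' "$line"
  done
  return 0
}

# Events per vendor, handy for confirming what the forwarder is sending.
count_by_vendor() {
  cef_device_vendor | sort | uniq -c | sort -rn
}

# Constructed sample of what a syslog receiver might log (placeholder values).
sample_events() {
  cat <<'EOF'
<134>Jan 10 12:00:01 esm CEF:0|ArcSight|ArcSight|7.5.0|rule:101|Brute force detected|8|src=10.0.0.5 dst=10.0.0.9
<134>Jan 10 12:00:02 esm CEF:0|ArcSight|ArcSight|7.5.0|rule:102|Port scan|5|src=10.0.0.7
<134>Jan 10 12:00:03 esm CEF:0|Cisco|ASA|9.1|106023|Deny tcp|3|src=192.0.2.1
<134>Jan 10 12:00:04 esm CEF:0|Acme\|Corp|Gateway|1.0|42|Login|2|suser=alice
<134>Jan 10 12:00:05 esm not a CEF line at all
EOF
}

echo "--- events that pass a deviceVendor = ArcSight filter ---"
sample_events | filter_by_vendor ArcSight
echo "--- events per vendor in the sample ---"
sample_events | count_by_vendor
```

The escaped-pipe line is there on purpose: a vendor name containing a pipe arrives as `Acme\|Corp`, and the comparison must be made against the unescaped value `Acme|Corp`, which is also how it is spelled in the connector's filter.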

The third trick is setting the JVM encoding and locale of the connector (here UTF-8 and Russian). Open the wrapper configuration:
vi /opt/arcsight/forwarder/current/user/agent/agent.wrapper.conf
Enter the following lines (be careful to keep the sequential numbering of wrapper.java.additional):
wrapper.java.additional.10=-Dfile.encoding=UTF8
wrapper.java.additional.11=-Duser.language=ru
wrapper.java.additional.12=-Duser.region=RU
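A small helper for exactly the numbering pitfall mentioned above, as an added example that is not from the original article: it appends each JVM option under the next free wrapper.java.additional.N index, skips options already present, and reports duplicate or missing indices so a collision is visible before the connector is restarted. The agent.wrapper.conf fragment in the demo is constructed; on a real connector, point the functions at the file path from the article.

```shell
#!/bin/sh
# Added example (not from the original article): maintain the sequential
# wrapper.java.additional.N numbering in agent.wrapper.conf. The demo file at
# the bottom is a constructed fragment, not a real connector's configuration.

# Highest N used by wrapper.java.additional.N= in the file, empty if none.
# Lines like wrapper.java.additional.N.stripquotes=TRUE are not counted.
max_wrapper_index() {
  grep -o '^wrapper\.java\.additional\.[0-9][0-9]*=' "$1" \
    | sed 's/[^0-9]//g' | sort -n | tail -n 1
}

next_wrapper_index() {
  m=$(max_wrapper_index "$1")
  echo $(( ${m:-0} + 1 ))
}

# True if the exact option value is already configured under some index.
has_wrapper_option() {
  awk -v o="$2" '
    index($0, "wrapper.java.additional.") == 1 &&
    substr($0, index($0, "=") + 1) == o { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Append one JVM option under the next free index; no-op if already present.
add_wrapper_option() {
  conf="$1"; opt="$2"
  if has_wrapper_option "$conf" "$opt"; then return 0; fi
  printf 'wrapper.java.additional.%s=%s\n' "$(next_wrapper_index "$conf")" "$opt" >> "$conf"
}

# Indices that appear more than once (empty output means none).
duplicate_wrapper_indices() {
  grep -o '^wrapper\.java\.additional\.[0-9][0-9]*=' "$1" \
    | sed 's/[^0-9]//g' | sort -n | uniq -d
}

# Indices missing between 1 and the highest one (empty output means none).
wrapper_index_gaps() {
  grep -o '^wrapper\.java\.additional\.[0-9][0-9]*=' "$1" \
    | sed 's/[^0-9]//g' | sort -n | uniq \
    | awk '{ while (++n < $1) print n; n = $1 }'
}

# --- constructed demo: a short fragment with indices 1..3 already in use ---
demo=$(mktemp -d)
cat > "$demo/agent.wrapper.conf" <<'EOF'
# constructed fragment of agent.wrapper.conf
wrapper.java.additional.1=-Xms256m
wrapper.java.additional.2=-Xmx1024m
wrapper.java.additional.2.stripquotes=TRUE
wrapper.java.additional.3=-Djava.awt.headless=true
EOF
# The three options from the article land on 4, 5, 6 here; on a file whose
# highest index is 9 they would become 10, 11, 12 as in the article.
for opt in -Dfile.encoding=UTF8 -Duser.language=ru -Duser.region=RU; do
  add_wrapper_option "$demo/agent.wrapper.conf" "$opt"
done
grep '^wrapper\.java\.additional\.' "$demo/agent.wrapper.conf"
echo "duplicate indices: $(duplicate_wrapper_indices "$demo/agent.wrapper.conf")"
echo "missing indices: $(wrapper_index_gaps "$demo/agent.wrapper.conf")"
```

Run duplicate_wrapper_indices and wrapper_index_gaps against the real agent.wrapper.conf before restarting the service; both should print nothing.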
As a result, we can see that ArcSight has many integration possibilities, both with its own systems and with external sources. But in fairness it must be said that the flow of events keeps growing, the same events must be sent to several destinations, different systems must constantly interact... and here the capabilities of an ordinary connector end.
Therefore, Micro Focus engineers developed a new architecture called ArcSight Data Platform. Its distinctive feature is the ArcSight Event Broker product, which routes a huge stream of events to various systems (ESM, Logger, UEBA, Investigate, Hadoop, etc.) and is capable of processing more than 500,000 EPS!!!