How to Setup ArcSight on EC2 [2023 Walkthrough]

The following article will provide the step-by-step guidelines for setting up Arcsight logger on EC2.

How to Setup ArcSight on EC2 [2023 Walkthrough]
ArcSight Integration

The following article will provide step-by-step guidelines for setting up ArcSight Logger on EC2.

Getting Started

Before doing the actual installation setup, follow these initial steps:

  1. Follow this link - you'll need it for downloading the *.bin file of the ArcSight Logger.
  2. Next, you will need to create a login to download the Logger using your relevant credentials.
  3. Once logged in, one can download the ArcSight Logger.
  4. Copy the installer to your EC2 instance by using “scp” as shown below in the image:

Setting It Up

Now you should be ready to get to the meat of the matter. Please review the steps below:

1. Launch an Instance

I) Go to community AMI and check Red Hat

II) Select a Red Hat 7.x Image

2. Select Instance Type

Select a m4.xlarge Image

3. Request a Spot

4. Create three volumes

  1. Create a /dev/sdb volume of 55 GB
  2. Create a /dev/sdc volume of 8 GB

5. Add tags to your instance

6. Open Ports in your Security Group

  1. Open port 9000 - as this is the default port when installing ArcSight as a non-root user.
  2. Open port 443 for https - as this is the default port used when installing as a root user.
  3. Launch the instance and login.

7. Configuring the Instance : Create a directory called ArchSight

Navigate to your /opt directory and create a directory called arcsight.

8. Configuring the Instance (I)

Change the format of the volume with commands below:

  1. sudo mkfs.ext4 /dev/xvdb
  2. sudo mkfs.ext4 /dev/xvdc

9. Configuring the Instance (II)

Mount and change the etc/fstab

  1. sudo mount /dev/xvdb /opt/arcsight
  2. sudo mount /dev/xvdc /tmp
  3. Navigate to /etc/fstab

And add the below lines:

  1. /dev/xvdb /opt/arcsight ext4 defaults,nofail 0 2
  2. /dev/xvdc /tmp ext4 defaults,nofail 0 2

10. Configuring the Instance (III)

Editing logind.conf

  1. Navigate to /etc/systemd directory and open the logind.conf (Might need to be a sudo user).

Make sure the file has the following entry:

  1. RemoveIPC=No

If the entry for “RemoveIPC“ is not there, add it and equate it to “no”.

After making the changes, restart systemd-logind service with the below command:

  1. systemctl restart systemd-logind.service

11. Configuring the Instance (IV)

Create a user and a user group

  1. Login into your EC2 instance
  2. Run the commands shown in the image to create a user called ‘arcsight' and a usergroup called 'arcsight’

12. Configuring the Instance (V)

Grant permission

  1. Grant permission for the ArcSight user for /opt/arcsight directory

13. Configuring the Instance (VI)

Unset Display

  1. Since we are installing ArcSight in the console mode:

14. Configuring the Instance (VII)

Increasing user process limit and max. no. of process files

  1. Navigate to the /etc/security/limits.d folder
  2. Open the 20.nproc.conf file as sudoer in an editor
  3. Erase the existing records in the file
  4. Add the records as shown in the image and save the file
  5. Reboot the instance

And run the command ulimit -a

It should print the output as below:

  1. open files 65536
  2. max user processes 10240

15. Configuring the Instance (VIII)

Install zip and give permision to the “/tmp”

Run the commands below:

  1. chmod 755 /tmp (optional if doing installation as sudoer)
  2. yum install zip unzip -y

16. Begin installation

  1. Start the setup in the console mode and make sure you are a sudoer

17. Installation Directory

  1. Accept the license agreement by pressing ENTER
  2. Specify the installation directory as /opt/arcsight
  3. Remember, this is the same directory on which you have mounted the /dev/xvdb volume of 55 GB

18. Installing...

19. Specify the non root user, port

We need to specify the non root user that we have created "arcsight".

Select ArcSight Logger to run as a service:

20. ArcSight Logger Installation

It asks for a langauge -> press enter to select Default.

21. Begin the configuration

Press enter to start the configuration.

22. Configuration Almost Complete!

Once the configuration is complete, a URL is given to start ArcSight:

NOTE : The url has a private IP of the ec2 machine launched, instead of that, use the public IP.

Press Enter to complete the setup:

23. Check if logger is installed and running

Once completed:

  1. Navigate to the directory where ArcSight is installed.
  2. Run the command as shown in the figure.

Done!

Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Since 2014, Metron has delivered automation solutions for over 200 security applications along with several hundred custom automation solutions.

For more information - www.metronlabs.com

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organization, please send a note to connect@metronlabs.com.