This article provides step-by-step guidelines for setting up ArcSight Logger on an EC2 instance.

Getting Started

Before doing the actual installation setup, follow these initial steps.

  1. Follow this link; you will need it to download the *.bin installer of ArcSight Logger.
  2. Next, create a login with your relevant credentials so that you can download the Logger.
  3. Once logged in, download the ArcSight Logger installer.
  4. Copy the installer to your EC2 instance using scp, as shown in the image below:

Setting It Up

Now you should be ready to get to the meat of the matter. Please review the steps below:

1. Launch an Instance

I) Under Community AMIs, search for Red Hat

II) Select a Red Hat 7.x image

2. Select Instance Type

Select an m4.xlarge instance type

3. Request a Spot

4. Create three volumes

  1. Create a /dev/sdb volume of 55 GB
  2. Create a /dev/sdc volume of 8 GB

5. Add tags to your instance

6. Open Ports in your Security Group

  1. Open port 9000, as this is the default port when ArcSight Logger is installed as a non-root user.
  2. Open port 443 for HTTPS, as this is the default port when installing as the root user.
  3. Launch the instance and log in.

7. Configuring the Instance: Create a directory called arcsight

Navigate to your /opt directory and create a directory called arcsight.

8. Configuring the Instance (I)

Format the volumes with the commands below (inside the instance, the /dev/sdb and /dev/sdc volumes appear as /dev/xvdb and /dev/xvdc):

  1. sudo mkfs.ext4 /dev/xvdb
  2. sudo mkfs.ext4 /dev/xvdc

9. Configuring the Instance (II)

Mount the volumes and update /etc/fstab

  1. sudo mount /dev/xvdb /opt/arcsight
  2. sudo mount /dev/xvdc /tmp
  3. Open /etc/fstab

and add the lines below:

  1. /dev/xvdb    /opt/arcsight    ext4    defaults,nofail    0 2
  2. /dev/xvdc    /tmp             ext4    defaults,nofail    0 2

10. Configuring the Instance (III)

Editing logind.conf

  1. Navigate to the /etc/systemd directory and open logind.conf (you may need sudo).

Make sure the file has the entry below:

  1. RemoveIPC=no
  2. If there is no RemoveIPC entry, add one and set it to no.

After making the change, restart the systemd-logind service with the command below:

  1. sudo systemctl restart systemd-logind.service

11. Configuring the Instance (IV)

Create a user and a user group

  1. Log in to your EC2 instance
  2. Run the commands shown in the image to create a user called 'arcsight' and a user group called 'arcsight'

12. Configuring the Instance (V)

Grant permission

  1. Grant the arcsight user permission on the /opt/arcsight directory

13. Configuring the Instance (VI)

Unset Display

  1. Since we are installing ArcSight Logger in console mode, unset the DISPLAY environment variable:

14. Configuring the Instance (VII)

Increasing the user process limit and the maximum number of open files

  1. Navigate to the /etc/security/limits.d folder
  2. Open the 20-nproc.conf file as a sudoer in an editor
  3. Erase the existing entries in the file
  4. Add the entries shown in the image and save the file
  5. Reboot the instance

Then run the command ulimit -a

It should print output containing the values below:

  1. open files 65536
  2. max user processes 10240
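The host-configuration steps 9, 10 and 14 above can be scripted so that they are idempotent and can be dry-run against copies of the files before anything under /etc is touched. The script below is an added example, not part of the original article; it assumes the limits file name 20-nproc.conf, the user name arcsight, and limits of 10240 processes and 65536 open files, matching the ulimit -a output shown above.

```shell
#!/usr/bin/env bash
# Added example: idempotent helpers for the fstab, logind.conf and limits steps.
# Every function takes the target file as an argument, so it can be exercised
# on a copy (e.g. in a temp dir) before being pointed at the real /etc file.
set -euo pipefail

# Step 9: append an fstab line for DEVICE at MOUNTPOINT unless one is present.
# "nofail" keeps the instance bootable if the EBS volume is ever detached.
ensure_fstab_entry() {
  local fstab="$1" device="$2" mountpoint="$3"
  if grep -qE "^[^#]*[[:space:]]${mountpoint}[[:space:]]" "$fstab" 2>/dev/null; then
    return 0
  fi
  printf '%s\t%s\text4\tdefaults,nofail\t0 2\n' "$device" "$mountpoint" >> "$fstab"
}

# Step 10: force RemoveIPC=no in logind.conf, whether the key is commented out,
# set to another value, or missing entirely.
ensure_remove_ipc_no() {
  local conf="$1"
  if grep -qE '^[#[:space:]]*RemoveIPC=' "$conf" 2>/dev/null; then
    sed -i -E 's/^[#[:space:]]*RemoveIPC=.*/RemoveIPC=no/' "$conf"
  else
    printf 'RemoveIPC=no\n' >> "$conf"
  fi
}

# Step 14: replace the limits file with entries for USER. The values are an
# assumption chosen to match the expected "ulimit -a" output above.
write_limits() {
  local file="$1" user="$2"
  cat > "$file" <<EOF
${user}  soft  nproc   10240
${user}  hard  nproc   10240
${user}  soft  nofile  65536
${user}  hard  nofile  65536
EOF
}

# Read back one limit (type = soft|hard, item = nproc|nofile) for USER.
limit_value() {
  local file="$1" user="$2" type="$3" item="$4"
  awk -v u="$user" -v t="$type" -v i="$item" \
    '$1==u && $2==t && $3==i {print $4}' "$file"
}
```

Run the functions against copies first; when satisfied, point them at /etc/fstab, /etc/systemd/logind.conf and /etc/security/limits.d/20-nproc.conf with sudo, then reboot and confirm with ulimit -a as the article describes.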

15. Configuring the Instance (VIII)

Install zip and grant permission on /tmp

Run the commands below:

  1. sudo chmod 755 /tmp (optional if installing as a sudoer)
  2. sudo yum install zip unzip -y

16. Begin installation

  1. Start the setup in console mode and make sure you are a sudoer

17. Installation Directory

  1. Accept the license agreement by pressing ENTER
  2. Specify the installation directory as /opt/arcsight
  3. Remember that this is the directory on which you mounted the 55 GB /dev/xvdb volume

18. Installing...

19. Specify the non-root user and port

Specify the non-root user we created, "arcsight".

Select ArcSight Logger to run as a service:

20. Arcsight Logger Installation

It asks for a language; press Enter to select the default.

21. Begin the configuration

Press enter to start the configuration

22. Configuration Almost Complete!

Once the configuration is complete, a URL is given for starting ArcSight Logger.

NOTE: the URL contains the private IP of the EC2 instance you launched; use the instance's public IP instead.

Press Enter to complete the setup:

23. Check if logger is installed and running

Once completed:

  1. Navigate to the directory where ArcSight Logger is installed.
  2. Run the command shown in the figure.

Done!

Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Since 2014, Metron has delivered automation solutions for over 150 security applications along with several hundred custom automation solutions.

For more information - www.metronlabs.com