This document contains all the information required to install and configure the Panda SIEMFeeder ArcSight Connector v1.00.00.
The purpose of this connector is to send the files that Panda Importer downloads from the Panda Security cloud to the ArcSight SIEM server. These files log all the actions taken by the programs installed on the computers belonging to the customer's IT infrastructure, and which are monitored by Panda Adaptive Defense 360 and Panda Adaptive Defense. The downloaded files will be stored in a folder on the computer and sent to the ArcSight SIEM server, which will interpret and automatically incorporate them into its database.
To successfully send the files downloaded by Panda Importer to the ArcSight SIEM server, the following requirements must be met:
- Install the Panda Importer program. Read this article to get the program and information on how to install and configure it.
- Install the ArcSight SmartConnector program on the same computer on which the Panda Importer program was installed, or on a computer capable of accessing the shared directories in which Panda Importer stores the information downloaded from the Panda Security cloud. Read this article for information on how to get the program and check this information on how to install and configure it.
- Download and unzip the connectorconfig-files.zip file. This file contains the following two files:
- Agent.properties, with the basic environment settings.
- SiemImporter.sdkrfilereader.properties, with the correspondence between the fields in the log files downloaded by Panda Importer and the fields defined in the ArcSight SIEM server.
To successfully install Panda SIEMFeeder ArcSight Connector v1.00.00, a series of parameters must be specified for it to run correctly. Additionally, it is necessary to import the certificate that will ensure the encryption of the data to be transmitted between the computer with the ArcSight SmartConnector program installed and the ArcSight SIEM server.
Note: Before you start the process, see section Installation requirements. The screenshots displayed in this article may not exactly match what you see in the version installed by your administrator.
To install the connector, follow the steps below:
- Install the ArcSight SmartConnector program. Refer to section Installation requirements for information on how to get the program and its installation guide.
- When the process is complete, select Add a Connector and click Next.
- For the connector to automatically send the files stored by Panda Importer in the chosen folder to the SIEM server, select ArcSight Flex Connector Regex Folder File from the Type drop-down menu. Then, click Next.
Configuring the connector parameters
- Complete the following fields:
- Log Unparsed Events: select True from the drop-down menu.
- Log Folder: enter the path where the files downloaded by Panda Importer are stored.
- Configuration File: enter SiemImporter.
- Copy the SiemImporter.sdkrfilereader.properties file that you previously downloaded to the /opt/arcsight/connectors/SiemImporter/current/user/agent/flexagent directory and click Next.
Configuring the destination parameters
Enter the name or IP address of the computer that contains the ArcSight manager, as well as the user name and password, and click Next.
Describing the connector
Enter the required data for describing the connector (Name, Location, Device Location, Comment).
Importing the certificate
For the connector to work properly, it is necessary to import the certificate that ensures the encryption of the communication between the computer with the SmartConnector program installed and the computer that contains the ArcSight manager. To do this:
- Select the option to import the certificate and click Next.
- Verify the connector data is correct and click Next.
Configuring the connector as a service or as an application
Finally, select whether to install the connector as an application or as a service/daemon.
Click Next and then Exit to finish the process.
Final installation adjustments
For the connector to work properly, it is necessary to update a number of entries in the agent.properties file stored in /opt/arcsight/connectors/SiemImporter/current/user/agent/. To do so, copy the specified content to the file provided by Panda Security, which you previously downloaded. The entries to edit are as follows:
- agents.destination.xxx (all rows starting with agents.destination)
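
The copy step described under Final installation adjustments can be scripted. The following is an added example, not code from Panda Security or ArcSight: it takes every row that starts with a given prefix from the installed agent.properties and writes a merged copy of the provided file that carries those rows. The function name `merge_prefixed_rows`, the file names and the key names in the demo are assumptions made up for illustration, and the prefix is matched literally as written on this page.

```shell
#!/bin/sh
# Added example (not Panda or ArcSight code).
# merge_prefixed_rows INSTALLED PROVIDED PREFIX OUT
#   OUT = PROVIDED, minus its rows starting with PREFIX,
#         plus the rows starting with PREFIX taken from INSTALLED.
merge_prefixed_rows() {
    installed=$1; provided=$2; prefix=$3; out=$4
    [ -r "$installed" ] && [ -r "$provided" ] || {
        echo "cannot read input files" >&2; return 2; }
    # Stop if the installed file has no such rows: merging anyway would
    # produce a file without any destination settings.
    n=$(awk -v p="$prefix" 'index($0, p) == 1 { c++ } END { print c + 0 }' "$installed")
    [ "$n" -gt 0 ] || {
        echo "no rows starting with $prefix in $installed" >&2; return 1; }
    # Build the result in a temporary file; move it into place only on success.
    tmp=$(mktemp "$out.XXXXXX") || return 2
    {
        awk -v p="$prefix" 'index($0, p) != 1' "$provided"
        awk -v p="$prefix" 'index($0, p) == 1' "$installed"
    } > "$tmp" && mv "$tmp" "$out"
}

# Demo on constructed files; the key names are placeholders, not real settings.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'agents.destination.xxx=value-from-wizard' 'local.only=1' \
        > "$d/installed.properties"
    printf '%s\n' 'panda.setting=1' 'agents.destination.xxx=template' \
        > "$d/provided.properties"
    merge_prefixed_rows "$d/installed.properties" "$d/provided.properties" \
        agents.destination "$d/merged.properties" && cat "$d/merged.properties"
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```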