Micro Focus Security ArcSight Load Balancer


Micro Focus Security ArcSight Load Balancer
Software Version: 8.2.0
Configuration Guide
Document Release Date: May 2021
Software Release Date: May 2021

Configuration Guide

Legal Notices

Micro Focus
The Lawn
22-30 Old Bath Road
Newbury, Berkshire RG14 1QN
UK
https://www.microfocus.com

Copyright Notice

Copyright 2021 Micro Focus or one of its affiliates

Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information contained herein is subject to change without notice.

The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.

No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's internal use, without the express written permission of Micro Focus.

Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse engineer and modify certain open source components of the software in accordance with the license terms for those particular components. See below for the applicable terms.

U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, "commercial computer software" is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement ("DFARS") and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.

Trademark Notices

Adobe is a trademark of Adobe Systems Incorporated.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:
• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go /documentation

Micro Focus Load Balancer 8.2.0 Page 2 of 110

Support

Contact Information

Phone: A list of phone numbers is available on the Technical Support Page: ntact-information
Support Web ht
Product

Contents

Overview
  Why Use Load Balancer?
  Load Balancer Features
How Load Balancer Works
  Syslog-based Load Balancing
    Support for Single-line Events
    For TLS
      Using CA Signed Certificates
      Configuring TLS Certificates
        Configuring the Syslog NG Server
        Generating a Certificate Signing Request
        Getting the CSR Signed by the CA
        Importing the Digitally Signed Certificates into Load Balancer
    For TCP
    For UDP
  File-based Load Balancing
  Routing Policies
  Load Balancer Modes
Installation and Configuration
  System Requirements
    General Setup
    Hardware Requirements
    Software or Platform Requirements
    SmartConnector Requirements
  Downloading Load Balancer
    Verifying Your Files
  Preparing for Deployment
    Configuring the Ethernet Connection
  Installing the Load Balancer
    Installing Load Balancer in Console Mode
    Installing the Load Balancer in GUI Mode
    Uninstalling Load Balancer
  Configuring Load Balancer
    Configuring Load Balancer in Standalone Mode
    Configuring Load Balancer in HA Mode
    Configuration
Configuration Examples
  Configuring MemberHosts in Standalone Mode
  Configuring MemberHosts as Peer
  Configuring MemberHosts as Primary-Secondary
  Syslog Load Balancing Routing Rule Example
  File Load Balancing Routing Rule Example
  Sample Configuration File
Starting Load Balancer
  Installing Load Balancer as a Service
  Starting or Stopping the Load Balancer Service
  Load Balancer Service Commands
  Load Balancer Service-related Logs
  Interpreting Logs
Load Balancer REST API
  Configuration
  Load Balancer API Reference
    Retrieving a List of Routing Rules
    Retrieving Details of a Routing Rule
    Creating a Routing Rule
    Deleting a Routing Rule
    Enabling a Routing Rule
    Disabling a Routing Rule
    Retrieving a List of Sources
    Retrieving Details of a Source
    Creating a Source
    Deleting a Source
    Retrieving a List of Destinations
    Retrieving Details of a Destination
    Creating a Destination
    Deleting a Destination
    Retrieving a List of Destination Pools
    Retrieving Details of a Destination Pool
    Creating a Destination Pool
    Deleting a Destination Pool
    Adding a Destination to a Destination Pool
    Deleting a Destination From a Destination Pool
  REST API Common Errors
Load Balancer Troubleshooting
  Load Calculators Not Initialized or Destination Monitoring Not Working
  Destination Configured with SCP Protocol but File Delivery Fails
  Sources Relocated Away from [x] of [y] Destinations in Routing Rule
  Warning Message in Passive or Secondary Node Logs
  Calculating Loads for Routing
Configuration File Templates with Callout Information
  Standalone Mode Configuration File Template
  HA Mode Configuration File Template
Send Documentation Feedback

Overview

ArcSight SmartConnector Load Balancer provides a "connector-smart" load balancing mechanism by monitoring the status and load of SmartConnectors. Currently it supports two types of event sources and SmartConnectors. One distributes the syslog input stream to syslog connectors using the TLS, TCP, or UDP protocol, and the other downloads files from a remote server and distributes them to the file-based connectors. Note that the TLS protocol is supported for the SmartConnector for Syslog NG Daemon only.

Load Balancer ensures efficiency by distributing the load to a pool of SmartConnectors. Load Balancer supports a high availability configuration with active and standby nodes. It distributes the events received to one or more SmartConnectors predefined in the SmartConnector pool.

Load Balancer is aware of the following information for the SmartConnectors defined as the SmartConnector pool:
• Availability (up or down): Load Balancer monitors SmartConnectors for availability. Events are not forwarded to a SmartConnector if it is not running (down). Instead, events are forwarded to the next available SmartConnector in the pool per the defined load-balancing algorithm rules.
• SmartConnector load: CPU usage, memory usage, and queue drop rate for events.

Why Use Load Balancer?

A varying volume of events from the event source often makes it difficult to size the connector, and continuous event collection is interrupted if any connector goes down. Load Balancer addresses these problems by distributing the events across SmartConnectors and by redistributing the events to the available connectors if any connectors are down.

Load Balancer provides support to devices generating varying volumes of events, where:
• Overloaded connectors result in event loss and delayed collection
• Under-utilized connectors result in wasted resources
• Manual and tedious sizing and maintenance is necessary
• One connector becomes a single point of failure

Load Balancer is a solution for:
• Connector-smart load balancing
• Load balancing for the TCP protocol without keeping the sessions sticky
• Load balancing for files
• An aggregation-preferred routing policy, which sends events from a single device to the same connector up to a certain threshold.

Load Balancer together with the SmartConnector pool provides availability, reliability, and scalability as follows:
• Load Balancer supports High Availability (HA). If the active Load Balancer node is down, a passive Load Balancer node becomes the active node and continues to collect the events.
• If a SmartConnector is down, Load Balancer forwards the events to the next available connector in the SmartConnector pool per the load balancing rules.

Load Balancer Features

Load Balancer supports the following:
• High availability (HA) mode, which can be configured with two hosts.
• Syslog type of input stream or batch files on an FTP server.
• Syslog-based and file-based SmartConnectors as destinations.
• TLS, TCP, and UDP protocol for syslog-type input or connectors.
  Note: TLS is supported on the SmartConnector for Syslog NG Daemon only.
• Three routing policies: round robin, weighted round robin, and aggregation preferred.
• Event batching (TCP only) for better aggregation at the destination connector and better network throughput.
• Email notification for up or down status on member hosts and destination connectors.
• Load and health monitoring of connector destinations.
• Load Balancer runs either as a service or as a standalone application.
• TLS encryption is supported between devices and Load Balancer, between Load Balancer and SmartConnectors, or both.
• Load Balancer accepts connections from both TCP and UDP on the same port.

How Load Balancer Works

Load Balancer supports syslog-based load balancing, file-based load balancing, and several types of routing rules.

Syslog-based Load Balancing

Support for Single-line Events

The load balancer parses the input stream into lines, not into events. It supports single-line event streams but not multi-line events: because the split is on line boundaries, each line of a multi-line event reaches the connector as a separate event.

For TLS

For TLS, you must use a SmartConnector for Syslog NG with TLS enabled. TLS is supported over TCP syslog connections. In the destination definition of the lbConfig.xml file, change the protocol from tcp to tls. This is configurable per destination (listener).

Using TLS, incoming events are processed automatically as long as the Load Balancer certificate (self-signed by default) is imported into every device sending events to Load Balancer. If you want to use HA, set up CA-signed certificates; otherwise you have to import the certificates of both Load Balancer hosts into all of the devices.

Using CA Signed Certificates

Load Balancer uses several digital, public-key certificates as part of establishing secure TLS communications. During the initial configuration of Load Balancer, these certificates are self-signed. In some circumstances, it might be necessary to obtain certificates digitally signed by a certificate authority (CA).

You can replace the self-signed certificate with a certificate signed by a well-known CA, such as VeriSign, Thawte, or Entrust. You can also replace the self-signed certificate with a certificate digitally signed by a less common CA, such as a CA within your company or organization.

Note: There are many well-known CAs, and which CAs are commonly used varies by country.

Configuring TLS Certificates

This section provides instructions about configuring TLS certificates to get them digitally signed by a CA.

Before configuring the TLS certificates, add the following global parameters to the lbConfig.xml file to select the certificate and keystore:

    <globalParameters>
      <properties>
        <property key="ssl.cert.file" value="LBTLS.cer"/>
        <property key="ssl.keystore.file" value="LB"/>
      </properties>
    </globalParameters>

Configuring the TLS certificates involves the following steps:
• "Generating a Certificate Signing Request" below
• "Getting the CSR Signed by the CA" on the next page
• "Importing the Digitally Signed Certificates into Load Balancer" on the next page

Configuring the Syslog NG Server

If the input source is a Syslog NG server and you want to configure TLS with the CA-signed certificate enabled, you must add the TLS function to the Syslog NG setup. For more information, refer to the Add TLS Function to the Syslog NG Setup section in the SmartConnector for Syslog NG Daemon Configuration Guide.

Generating a Certificate Signing Request

To obtain a digitally signed certificate, you must first generate a certificate signing request (CSR) that is presented to the CA.

To generate one or more CSRs, perform the following steps on the Load Balancer server:
1. Log in to the Load Balancer server as the root user.
2. Create the JKS keystore and key pair using the following command (keytool is in the JRE bin directory of the Load Balancer installation):

       # ./keytool -keystore /loadbalancer/lbcert.jks -storepass changeit -genkeypair -alias mykeyX -keysize 2048 -keyalg RSA

   changeit is the conventional Java keystore default; use your own, non-default password consistently in every keytool command in this section.

   The above command creates the lbcert.jks file. Enter the certificate subject information and then press Enter to use the same password used for the keystore password.
3. Generate the CSR by using the following command:

       # ./keytool -keystore /loadbalancer/lbcert.jks -storepass changeit -certreq -alias mykeyX -file dbalancer/lbreq.csr

Getting the CSR Signed by the CA

To get the CSR signed by the CA:
1. Submit the CSRs to the CA for signature.
2. Obtain the signed certificate files from the CA.

The details of how this is done depend on the CA. For more information, consult your CA.

Importing the Digitally Signed Certificates into Load Balancer

This section provides instructions about importing the digitally signed certificates into Load Balancer. Copy the files that contain the digital certificates signed by the CA to the Load Balancer server. If the files are signed by an enterprise or organizational CA rather than a well-known CA, you must also copy the CA's self-signed root certificate to the Load Balancer server.

You must import the intermediate, root, and signed certificates. You can specify the desired alias names for the intermediate and root certificates; give them distinct aliases with -alias, because keytool otherwise uses the alias mykey, and a second import without -alias then fails on the alias collision. The signed certificate, however, must be imported with the same alias that was used while creating the key pair (mykeyX in the commands in this section).

To import the certificate files to the Load Balancer server:
1. Log in to the Load Balancer server as the root user.
2. Back up the loadbalancer.cer file present at the following /loadbalancer
3. Import the trusted CA certificate:

       # ./keytool -importcert -file dbalancer/certnew.cer -storepass changeit -keystore /loadbalancer/lbcert.jks

   The CA certificate can be downloaded from the in-house CA server.
4. Import the signed certificate:

       # ./keytool -keystore /loadbalancer/lbcert.jks -storepass changeit -importcert -alias mykeyX -file dbalancer/certsign.cer

5. Convert the keystore to P12 format:

       # ./keytool -importkeystore -srckeystore er/loadbalancer/lbcert.jks -srcstorepass changeit -deststorepass changeit -srcstoretype JKS -deststoretype PKCS12 -destkeystore user/loadbalancer/LB.p12

6. Copy the converted P12 certificate to the ./current/user/agent folder, where the destination connector is located.
   Note: The default name of the P12 certificate is remote_management.p12.
7. Import the certificate files to the Syslog Daemon connector using the following command:

       # ./keytool -importcert -file /tmp/certnew.cer -storepass changeit -alias mykey -keystore /lib/security/cacerts

   Note: The Syslog Daemon connector can now send TLS events to Load Balancer.
8. Restart Load Balancer.

The most common issues while using CA-signed certificates:
• No trace of a connection (even though the internal logs show connection attempts): network or firewall issues, an incorrectly configured destination, or Load Balancer is unable to listen on the IP address.
• When using new certificates, an incorrectly configured clock can cause problems. Ensure that the time and time zone on all the systems match.
• Ensure that the Common Name field is set to the correct FQDN or IP address. If you use an FQDN, ensure that your DNS server works correctly.
• If the P12 certificates at Load Balancer and the SmartConnector do not match, the following exception occurs at the SmartConnector:
  java.io.IOException: An existing connection was forcibly closed by the remote host

For TCP

When the source is a syslog-based network process configured to use the TCP protocol, the input stream is parsed into event lines and bundled into a batch. The batch is then distributed to one of the destinations in the destination pool.

For UDP

If a routing rule is configured to use the UDP protocol, event batching does not happen. Instead, each incoming event is distributed individually to one of the destinations configured in the routing policy.

File-based Load Balancing

Load Balancer downloads files from an FTP server and distributes them to one of the locations associated with the file connectors. It supports batch files. File-based connectors that read and process files are good candidates for this feature.

Routing Policies

Routing policies are a set of rules that define the data distribution from a source to a set of destinations. Eligible sources are syslog servers or FTP servers. A destination pool consists of one or more syslog or file connector destinations, all of the same type. Connector types cannot be mixed within a single destination pool. Routing policies define event or file distribution rules from a source to a destination pool.

The following routing policies are supported in Load Balancer:
• Round Robin: Distributes events, batches, or files to each available destination in the destination pool in round robin fashion, beginning again at the start in a circular manner. File-based load balancing supports only the Round Robin policy.
• Weighted Round Robin: Distributes events in a round-robin fashion, but sends more events or batches to lightly loaded destinations.
• Aggregation Preferred: Events from the same source are sent to the same destination until a threshold is reached. Then routing switches to another destination. This routing policy is better suited if aggregation is enabled on the connector destinations, because events from one source keep reaching the same destination until the load threshold is met.
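The three policies as a runnable model, added here as an example and not taken from the guide or from the Load Balancer product. Destinations carry an up/down flag (a down destination is skipped, as the availability monitoring above describes) and a load figure; the weighting rule for weighted round robin, the per-source event threshold for aggregation preferred, and the sample events are assumptions of this example.

```python
"""Model of the three Load Balancer routing policies (added example, not
Micro Focus code). Destinations carry an 'up' flag and a load figure; a down
destination is skipped, as the guide describes for availability monitoring."""
from dataclasses import dataclass, field


@dataclass
class Destination:
    name: str
    up: bool = True
    load: float = 0.0                 # assumed scale: 0 = idle, 1 = saturated
    received: list = field(default_factory=list)


class RoundRobin:
    def __init__(self, pool):
        self.pool = pool
        self.cursor = 0

    def pick(self, event):
        # Walk the pool circularly, skipping destinations that are down.
        for _ in range(len(self.pool)):
            dest = self.pool[self.cursor % len(self.pool)]
            self.cursor += 1
            if dest.up:
                return dest
        raise RuntimeError("no destination available in the pool")


class WeightedRoundRobin(RoundRobin):
    """Round robin in which a lightly loaded destination gets more consecutive
    turns. Assumed rule: turns per cycle = (1 - load) * TURNS, minimum 1."""
    TURNS = 4

    def __init__(self, pool):
        super().__init__(pool)
        self.used = {d.name: 0 for d in pool}

    def quota(self, dest):
        return max(1, round((1 - dest.load) * self.TURNS))

    def pick(self, event):
        for _ in range(2 * len(self.pool)):
            dest = self.pool[self.cursor % len(self.pool)]
            if not dest.up:
                self.cursor += 1
                continue
            if self.used[dest.name] < self.quota(dest):
                self.used[dest.name] += 1
                return dest
            self.used[dest.name] = 0   # quota spent: reset and move on
            self.cursor += 1
        raise RuntimeError("no destination available in the pool")


class AggregationPreferred(RoundRobin):
    """Events from one source stick to one destination until `threshold`
    events have been sent there (assumed threshold unit), then move on."""

    def __init__(self, pool, threshold):
        super().__init__(pool)
        self.threshold = threshold
        self.assigned = {}             # source -> (destination name, count)

    def pick(self, event):
        name, count = self.assigned.get(event["src"], (None, 0))
        dest = next((d for d in self.pool if d.name == name), None)
        if dest is None or not dest.up or count >= self.threshold:
            dest, count = super().pick(event), 0
        self.assigned[event["src"]] = (dest.name, count + 1)
        return dest


def make_events(per_source, sources):
    """Constructed sample input: single-line syslog events tagged with the
    source IP they arrived from."""
    return [{"src": s, "msg": f"<13>host{s[-1]} app: event {i}"}
            for s in sources for i in range(per_source)]


def route(policy, events):
    """Run every event through the policy; return destination -> messages."""
    for ev in events:
        policy.pick(ev).received.append(ev["msg"])
    return {d.name: list(d.received) for d in policy.pool}


def demo():
    events = make_events(5, ["10.0.0.1", "10.0.0.2"])
    out = {}
    # c2 is down, so round robin alternates between c1 and c3 only.
    pool = [Destination("c1"), Destination("c2", up=False), Destination("c3")]
    out["round_robin"] = route(RoundRobin(pool), events)
    # c2 is three-quarters loaded, so it gets one event per four sent to c1.
    pool = [Destination("c1", load=0.0), Destination("c2", load=0.75)]
    out["weighted"] = route(WeightedRoundRobin(pool), events)
    # Each source stays on one destination for three events, then moves on.
    pool = [Destination("c1"), Destination("c2")]
    out["aggregation"] = route(AggregationPreferred(pool, threshold=3), events)
    return out


if __name__ == "__main__":
    for policy, dests in demo().items():
        print(policy, {name: len(msgs) for name, msgs in dests.items()})
```

The aggregation-preferred run is the one to study when tuning connector aggregation: the first three events of each source land on one connector, and only the fourth moves, which is what keeps aggregation effective at the destination while still spreading load.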

Load Balancer Modes

Load Balancer can be configured to run in three modes. To use the high availability feature, Load Balancer should be installed on two separate hosts sharing a virtual IP address. See the details at "Configuring Load Balancer in HA Mode" on page 25.
• Standalone mode: Load Balancer runs as a single host without supporting the high availability feature. One host with a single static IP address is required to run Load Balancer in this mode.
• HA mode as peer: Load Balancer runs with two hosts. The host that starts first becomes active and the other host runs as passive until the first host goes down. The second host then becomes active and stays active, even if the first host comes back up again.
• HA mode as primary-secondary: Load Balancer runs with two hosts. One host can be designated as the preferred active host. In this mode, the host marked as primary runs as the active node whenever it becomes available.

Note: The High Availability feature, which is available using primary-secondary or peer mode, currently works only within the same subnet.

Load Balancer can be deployed between any syslog source (including SmartConnectors configured with CEF syslog or raw syslog destinations) or file source and SmartConnectors. The following diagram shows a Load Balancer deployment example running in HA mode. Both hosts share the common virtual IP address to handle the connection fail-over when the active Load Balancer host goes down. As shown in the diagram, Load Balancer can be used for three different types of input sources and destination pool types.
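The difference between the two HA modes is easy to misread, so here is the election rule as a small model. This is an added example, not code from the guide or the product: it tracks only which host answers on the virtual IP after each start or failure, with host names and the event sequence chosen for the example, and models nothing of how the real nodes detect each other.

```python
"""Model of which host holds the virtual IP in the two HA modes (added
example, not Micro Focus code). Only the election rule is modelled: peer
mode has no fail-back, primary-secondary mode prefers the primary."""


class Cluster:
    def __init__(self, mode, primary=None):
        if mode not in ("peer", "primary-secondary"):
            raise ValueError("mode must be 'peer' or 'primary-secondary'")
        if mode == "primary-secondary" and primary is None:
            raise ValueError("primary-secondary mode needs a designated primary")
        self.mode = mode
        self.primary = primary
        self.alive = {}        # host -> bool; insertion order = start order
        self.active = None     # host currently answering on the VIP
        self.history = []      # (event, active host after the event)

    def host_up(self, host):
        self.alive[host] = True
        self._elect(f"up {host}")

    def host_down(self, host):
        self.alive[host] = False
        self._elect(f"down {host}")

    def _elect(self, event):
        live = [h for h, ok in self.alive.items() if ok]
        if self.mode == "primary-secondary" and self.primary in live:
            self.active = self.primary    # primary takes the VIP whenever available
        elif self.active in live:
            pass                          # current active keeps the VIP: no fail-back
        elif live:
            self.active = live[0]         # first-started live host takes over
        else:
            self.active = None            # nobody answers on the VIP
        self.history.append((event, self.active))

    def vip_holder(self):
        return self.active


def demo():
    """The same host events in both modes; only the last step differs."""
    out = {}
    for mode, primary in (("peer", None), ("primary-secondary", "lb-1")):
        c = Cluster(mode, primary)
        c.host_up("lb-1")      # lb-1 starts first and becomes active
        c.host_up("lb-2")      # lb-2 starts and stays passive
        c.host_down("lb-1")    # active host fails: lb-2 takes the VIP
        c.host_up("lb-1")      # lb-1 returns: peer keeps lb-2, primary-secondary fails back
        out[mode] = c.history
    # Primary-secondary with the secondary started first: the primary takes
    # over as soon as it is available.
    c = Cluster("primary-secondary", primary="lb-1")
    c.host_up("lb-2")
    c.host_up("lb-1")
    out["late-primary"] = c.history
    return out


if __name__ == "__main__":
    for mode, history in demo().items():
        print(mode, [active for _, active in history])
```

The operational consequence: in peer mode a repaired host simply waits as the new passive node, while in primary-secondary mode bringing the primary back causes a second fail-over, which matters if the source devices hold long-lived TCP sessions to the VIP.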

When configuring the routing rule, source and destination types must match. If the source is TCP syslog, the connectors in the destination pool must be TCP syslog connectors. Likewise, if the source is a file type, the connectors on the destination must be file-based connectors that expect to handle files.

When the routing rule is configured with the TCP protocol, events received from the same source IP and port number are bundled into event batches. A batch is closed when any of the following conditions is met: buffer size, number of events, or batching interval. By default, the bundled event batch is persisted on the hard drive before it is sent to the destination connector, in the e/{source} directory of the currently active node; this persistence is optional. Note that persisted event batches are not shared across the member hosts, and any unprocessed event batches awaiting bundling during the shutdown are sent when Load Balancer starts up again, so after a fail-over, batches spooled on the node that went down are delivered only once Load Balancer starts on that node again.
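The TCP path, as a runnable model that is added here and is not code from the guide or from the product: bytes from one connection are split on newlines into single-line events, events from the same source IP and port are bundled, and the bundle is spooled to a per-source directory when the size, count, or interval trigger fires first. The thresholds, the spool directory layout and file name, and the three constructed inputs (one per trigger, plus a two-line message that shows the single-line limitation) are assumptions of the example.

```python
"""Model of the TCP path (added example, not Micro Focus code): bytes from
one connection are split into single-line events, events from the same
source IP:port are bundled, and the bundle is flushed to a per-source spool
directory when any one trigger fires. Thresholds, directory naming and file
format are assumptions of this example."""
import os
import tempfile


class Batcher:
    def __init__(self, max_bytes=64 * 1024, max_events=100, max_interval=5.0,
                 spool_dir=None):
        self.max_bytes = max_bytes
        self.max_events = max_events
        self.max_interval = max_interval
        self.spool_dir = spool_dir or tempfile.mkdtemp(prefix="lb-spool-")
        self.pending = {}       # (ip, port) -> state of the open batch
        self.flushed = []       # (source, events, trigger, spool path)

    def _state(self, source):
        return self.pending.setdefault(
            source, {"buf": b"", "events": [], "bytes": 0, "started": None})

    def feed(self, source, data, now):
        """Consume raw bytes from one TCP connection. An incomplete trailing
        line waits for its newline; the split is on lines, not on events."""
        st = self._state(source)
        st["buf"] += data
        while b"\n" in st["buf"]:
            line, st["buf"] = st["buf"].split(b"\n", 1)
            line = line.rstrip(b"\r")
            if not line:
                continue
            if st["started"] is None:
                st["started"] = now      # batching interval starts at the first event
            st["events"].append(line.decode("utf-8", "replace"))
            st["bytes"] += len(line) + 1
            self._check(source, now)

    def tick(self, now):
        """Periodic timer: fires the interval trigger for idle batches."""
        for source in list(self.pending):
            self._check(source, now)

    def _check(self, source, now):
        st = self.pending[source]
        if not st["events"]:
            return
        if st["bytes"] >= self.max_bytes:
            self._flush(source, "bytes")
        elif len(st["events"]) >= self.max_events:
            self._flush(source, "events")
        elif now - st["started"] >= self.max_interval:
            self._flush(source, "interval")

    def _flush(self, source, trigger):
        st = self.pending[source]
        events = st["events"]
        st["events"], st["bytes"], st["started"] = [], 0, None
        ip, port = source
        # Persist before sending, one directory per source (assumed layout).
        directory = os.path.join(self.spool_dir, f"{ip}_{port}")
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, f"batch-{len(self.flushed):06d}.log")
        with open(path, "w", encoding="utf-8") as f:
            f.write("\n".join(events) + "\n")
        self.flushed.append((source, events, trigger, path))


def demo():
    """Constructed input: three sources, one per trigger."""
    b = Batcher(max_bytes=200, max_events=3, max_interval=5.0)
    s1, s2, s3 = ("10.0.0.1", 51234), ("10.0.0.2", 51235), ("10.0.0.3", 51236)
    b.feed(s1, b"<13>Jan  1 00:00:01 host1 app: one\n"
               b"<13>Jan  1 00:00:02 host1 app: two\n", now=0.0)
    b.feed(s1, b"<13>Jan  1 00:00:03 host1 app: thr", now=1.0)   # partial line is held
    b.feed(s1, b"ee\n", now=1.5)                                 # third event: count trigger
    # A two-line message: the second line becomes an event of its own,
    # which is the single-line limitation the guide describes.
    b.feed(s2, b"<13>Jan  1 00:00:04 host2 app: stack trace\n  at Foo.bar()\n", now=2.0)
    b.feed(s3, b"<13>Jan  1 00:00:05 host3 app: " + b"x" * 200 + b"\n", now=3.0)  # size trigger
    b.tick(now=8.0)                                              # s2 idle > 5 s: interval trigger
    return {
        "triggers": [f[2] for f in b.flushed],
        "sizes": [len(f[1]) for f in b.flushed],
        "s2_events": b.flushed[2][1],
        "on_disk": all(os.path.exists(f[3]) for f in b.flushed),
        "still_pending": sum(len(st["events"]) for st in b.pending.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to carry over to a real deployment: the interval trigger needs a timer that runs even when a source goes quiet, or a small final batch waits forever, and the spool directory is local to the node, which is why the guide warns that persisted batches are not shared between member hosts.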

Installation and Configuration

This section describes system requirements and getting started with Load Balancer, including pre-deployment requirements, Ethernet configuration, Load Balancer installation, and Load Balancer configuration.

Load Balancer is an independent component, not packaged with SmartConnectors.

System Requirements

The following sections outline the minimum system requirements for ArcSight SmartConnector Load Balancer.

For details about hardware, software or platform, and SmartConnector requirements, refer to the Currently Supported SmartConnector Load Balancer Versions section in the ArcSight Security Open Data Platform (SODP) Support Matrix guide, available on the Micro Focus Software Community page.

General Setup

The following section describes the software and platform requirements for all releases of Micro Focus SmartConnector Load Balancer.

Servers should be dedicated to load balancing (not running other applications).

For high availability (HA), there should be two separate servers, one for the active or primary Load Balancer and another for the standby or secondary Load Balancer. They will share a virtual IP address, so they should be in the same network location.

In addition, use the standard hardware required to deploy more than one SmartConnector to create the pool of SmartConnectors. See the SmartConnector documentation for details.

Hardware Requirements
• CPU: 2 CPUs x 4 cores each (2 x Intel E5620, quad core, 2.4 GHz or better)
• RAM: 16 GB
• Disk: 60 GB
• Number of network interfaces: 1 dedicated Gigabit Ethernet interface

Note: To achieve better performance, use a server with higher system specifications.

Software or Platform Requirements
• Supported: Red Hat Enterprise Linux (RHEL) 6.8, 6.9, 7.5, 7.6, 7.7, 7.8, 7.9, 8.1, 8.2, and 8.3 (64-bit only)
• Certified: Red Hat Enterprise Linux (RHEL) 7.7, 7.9, 8.1, 8.2, and 8.3 (64-bit only)
• Supported: CentOS Linux 6.8, 6.9, 7.5, 7.6, 7.7, 7.8, 7.9, 8.1, 8.2, and 8.3 (64-bit only)
• Certified: CentOS Linux 7.6, 7.7, 7.9, 8.1, 8.2, and 8.3 (64-bit only)

SmartConnector Requirements
• SmartConnector release 7.12.x or later
• Syslog Daemon, Syslog NG Daemon, and file-based SmartConnectors

Downloading Load Balancer

Download the 64-bit executable and the Security ArcSight SmartConnector Load Balancer Configuration Guide from the Support website.

For a successful Load Balancer installation, follow the installation procedures documented in "Installing the Load Balancer" on page 19.

Verifying Your Files

Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. For information and instructions, refer to Micro Focus GPG or RPM Signature Verification.

Preparing for Deployment

To run in HA mode, ensure that the following prerequisites are met:
• Have two hosts with static IP addresses on which to install Load Balancer.
• Have a single, unused address for the VIP to run Load Balancer in HA mode.
• Create an Ethernet configuration file to support failover migration.

Configuring the Ethernet Connection

Begin with creating an Ethernet configuration file to support failover migration.

To configure the Ethernet connection:
1. Before installation, identify the machine or machines where Load Balancer will be installed. To enable HA, two machines and one virtual IP address are needed (all in the same subnet).
2. If Load Balancer is run by a non-root user, be sure to give sudo capability to the user. For example, if arcsight is the user that installs and runs Load Balancer, add the arcsight user and grant sudoer capability with NOPASSWD. See the following example:

   Note: Ignore this step if Load Balancer is installed as root.

       # adduser arcsight      // Creates the arcsight group and adds the user to the group.
       # sudo visudo           // Add the following line, and exit.
       arcsight ALL=(ALL) NOPASSWD:ALL

   Note that this rule gives the arcsight user unrestricted passwordless root. Where your policy requires it, limit the rule to the commands Load Balancer actually runs through sudo, such as the ifup command whose full path you record in step 4.

   Note: Steps 3 and 4 can be skipped if Load Balancer is deployed in standalone mode. Steps 3 and 4 can also vary depending on the OS version and flavor; use the instructions as a reference and get help from the network administrator to execute the steps below.

3. When using two machines for HA, create a network profile or Ethernet configuration file on each machine. In the supported distributions of Linux, this file is usually located in the /etc/sysconfig/network-scripts directory.
   a. Go to the directory and verify that the file has the primary network interface (usually 'eth0') configuration. The IPADDR value of this file should show the IP address assigned to this machine. A similar configuration file needs to be created for the virtual IP address.
   b. Log on as a privileged administrator and go to the directory where the Ethernet profiles are located.

          # cd /etc/sysconfig/network-scripts

   c. Copy the default eth0 configuration to eth0:1.

          # cp ifcfg-eth0 ifcfg-eth0:1

   d. Edit ifcfg-eth0:1 to modify DEVICE to eth0:1 and IPADDR to a virtual IP address, and save the file.

   Note: ONBOOT must be set to no in order to prevent the VIP address from being bound to the host automatically upon system reboot. Otherwise, the virtual IP address needs to be released manually when another host is running as the active node, or that host will lose the connections from the source devices.

       DEVICE=eth0:1
       IPADDR=<virtual-ip-address>    # for example, 10.0.0.0
       ONBOOT=no
       NM_CONTROLLED=no
       ARPCHECK=no
       BOOTPROTO=static

4. Verify the full path of the ifup command, usually /sbin/ifup. Make note of the full path of the ifup command and of the Ethernet profile.

Installing the Load Balancer

Before beginning your installation, obtain the Load Balancer binary (see "Downloading Load Balancer" on page 17) and configure the Ethernet connection (see "Configuring the Ethernet Connection" on page 17), if needed. If Load Balancer will be running in HA mode, install Load Balancer on each host.

The installer runs both in console mode and GUI mode. Follow the instructions in one of the following sections for the appropriate mode:
• "Installing Load Balancer in Console Mode" below
• "Installing the Load Balancer in GUI Mode" on page 22

Installing Load Balancer in Console Mode

To install the Load Balancer files in console mode:
1. Obtain the Load Balancer binary file and copy it to the desired location.
2. Run the installer.

   Note: Console mode is selected automatically if you do not use a graphical display or if the DISPLAY variable is not set. It can also be specifically invoked using the -i console switch as shown here.

       # sh ArcSightSCLoadBalancer-<build-number>.bin -i console
       Preparing to install.
       Extracting the JRE from the installer archive.

       Unpacking the JRE.
       Extracting the installation resources from the installer archive.
       Configuring the installer for this system's environment.
       Launching installer.

       Graphical installers are not supported by the VM. The console mode will be used instead.

       ArcSight SmartConnector Load Balancer (created with InstallAnywhere)
       -----------------------------
       Preparing CONSOLE Mode Installation.

       Introduction
       ------------
       The ArcSight installer guides you through the installation of the ArcSight SmartConnector Load Balancer.
       ArcSight recommends that you quit all other programs before continuing with this installation.
       Click the 'Next' button to proceed to the next window. If you want to change something on
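The alias profile from step 3 of "Configuring the Ethernet Connection" above, generated and checked rather than hand-edited. This is an added example, not code from the guide or the product: it writes to a temporary directory instead of /etc/sysconfig/network-scripts, the sample ifcfg-eth0 contents are constructed, and the checks restate the guide's own requirements (the VIP in the same subnet as the host, ONBOOT=no so the VIP is not claimed at boot, NM_CONTROLLED=no). The function and variable names are the example's own.

```python
"""Generate the ifcfg-eth0:1 profile for the VIP from the host's ifcfg-eth0
and check it against the HA rules in the guide. Added example, not Micro
Focus code; writes to a temporary directory, never to /etc."""
import ipaddress
import os
import tempfile

# Constructed sample of a primary interface profile (assumed values).
SAMPLE_ETH0 = """DEVICE=eth0
BOOTPROTO=static
IPADDR=10.1.2.10
NETMASK=255.255.255.0
ONBOOT=yes
"""


def parse_ifcfg(text):
    """KEY=VALUE lines; comments and blanks ignored, surrounding quotes dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def vip_profile(eth0_text, vip):
    """Return (file name, text) of the alias profile derived from ifcfg-eth0.
    Raises ValueError when the VIP cannot work for HA on this host."""
    conf = parse_ifcfg(eth0_text)
    mask = conf.get("NETMASK") or conf.get("PREFIX")
    if "IPADDR" not in conf or mask is None:
        raise ValueError("ifcfg-eth0 needs IPADDR and NETMASK or PREFIX")
    network = ipaddress.ip_network(f"{conf['IPADDR']}/{mask}", strict=False)
    addr = ipaddress.ip_address(vip)
    if addr not in network:
        raise ValueError(f"VIP {vip} is not in {network}; HA works only within the same subnet")
    if addr in (network.network_address, network.broadcast_address):
        raise ValueError(f"VIP {vip} is the network or broadcast address")
    if addr == ipaddress.ip_address(conf["IPADDR"]):
        raise ValueError("VIP must differ from the host's own address")
    alias = f"{conf.get('DEVICE', 'eth0')}:1"
    conf.update({
        "DEVICE": alias,
        "IPADDR": vip,
        "ONBOOT": "no",            # required: the VIP must not bind at boot
        "NM_CONTROLLED": "no",
        "ARPCHECK": "no",
        "BOOTPROTO": "static",
    })
    return f"ifcfg-{alias}", "\n".join(f"{k}={v}" for k, v in conf.items()) + "\n"


def vip_ok(eth0_text, vip):
    """True when vip_profile() accepts the VIP for this host."""
    try:
        vip_profile(eth0_text, vip)
        return True
    except ValueError:
        return False


def check_vip_profile(text):
    """Problems a reviewer would flag in an alias profile; empty means ok."""
    conf = parse_ifcfg(text)
    problems = []
    if conf.get("ONBOOT", "").lower() != "no":
        problems.append("ONBOOT must be no, or a rebooted host claims the VIP while the other is active")
    if conf.get("NM_CONTROLLED", "").lower() != "no":
        problems.append("NM_CONTROLLED should be no so NetworkManager leaves the alias alone")
    if ":" not in conf.get("DEVICE", ""):
        problems.append("DEVICE should be an alias such as eth0:1")
    return problems


def write_profile(directory, vip, eth0_text=SAMPLE_ETH0):
    """Write the alias profile into `directory` and return its path."""
    name, text = vip_profile(eth0_text, vip)
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    return path


if __name__ == "__main__":
    d = tempfile.mkdtemp(prefix="ifcfg-demo-")
    path = write_profile(d, "10.1.2.20")
    with open(path, encoding="utf-8") as f:
        generated = f.read()
    print(generated)
    print("problems in generated profile:", check_vip_profile(generated))
    print("problems if eth0 were copied unchanged:", check_vip_profile(SAMPLE_ETH0))
```

Run check_vip_profile() against the ifcfg-eth0:1 on both HA hosts before the first fail-over test; an unchanged copy of ifcfg-eth0 (ONBOOT=yes, no alias device) is exactly the misconfiguration the guide's note warns about.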
