Install ArcSight Connector 7.13 on ePO 5.10

The ePO 5.10 now has two databases: ePO_HBSSEPO and ePO_HBSSEPO_Events

MicroFocus specifies that ArcSight connector 7.13 supports ePO 5.10

When creating an SQL 2016 account for the connector, is default database:
master     or    ePO_HBSSEPO      or   ePO_HBSSEPO_Events?

Role is set to public. If using master as default, both ePO_HBSSEPO and ePO_HBSSEPO_Events are checked in mapping along with public and db_reader.

How is explicit CONNECT and SELECT  specified for SQL 2016?

Then when installing the connector and specifying the server and database, which database is specified?  ePO_HBSSEPO or ePO_HBSSEPO_Events?

I will also look to post on an ArcSight forum, but I am hoping someone here already has experience with this.

Thank you

1 Solution

Accepted Solutions
LKS McAfee Employee
Message 2 of 8

Re: Install ArcSight Connector 7.13 on ePO 5.10

Hi ccastbr,

Here is the answer to your question.

When creating an SQL 2016 account for the connector, is default database:
master     or    ePO_HBSSEPO      or   ePO_HBSSEPO_Events?

Always master.  Because the master database contains all of the system level information for SQL Server and all of the login details.

How is explicit CONNECT and SELECT  specified for SQL 2016?

Sorry, I do not understand this question. Could you please clarify which one in the SQL database you are referring to?

Then when installing the connector and specifying the server and database, which database is specified?  ePO_HBSSEPO or ePO_HBSSEPO_Events?

EPO_HBSSEPO as both the databases are interlinked. 


7 Replies
Re: Install ArcSight Connector 7.13 on ePO 5.10

Thank you for the reply. I had set that up as you indicated, but I have errors when the installer attempts connection to the database.

"How is explicit CONNECT and SELECT  specified for SQL 2016?

Sorry i do not understand this question. Could you please clarify me which one in SQL database are you referring. "

I have the same issue! The ArcSight manual lists required SQL User Privileges:

"Confirm with the ePO database administrator that the SQL user authenticating to the database has been granted the following:
-Explicitly assigned permissions for CONNECT
-Explicitly assigned permissions for SELECT
-Public role
-db_datareader role"

I believe I have the last two - no idea how to set the first two.  I am not even sure if that is my issue.

I am using ArcSight-7.13.0.8178.0-Connector-Win64

 

Thank you!

cdinet McAfee Employee
Message 4 of 8

Re: Install ArcSight Connector 7.13 on ePO 5.10

For the first 2, please get with your DBA, or you can follow MS instructions:

https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/getting-sta...

Honestly, pulling data directly from the database can cause performance issues. You might want to look at using a syslog server to forward events to ArcSight. That syslog server would need to support TLS 1.2.


Re: Install ArcSight Connector 7.13 on ePO 5.10

We did get the syslog server to work; however, parsing is much less effective than we are used to. I would love to get syslog publishing to work, but it is unclear what we need to do regarding a parser for the ArcSight logger. We tried the syslog-ng connector with RFC 5424 header enabled, and we see the parser selected by the logger is "arcsight:10:120". Unlike the epo_db, the message is not parsed into the same fields using syslog. Is there a parser you are aware of that we need on our logger?

cdinet McAfee Employee
Message 6 of 8

Re: Install ArcSight Connector 7.13 on ePO 5.10

I am not aware of any. Perhaps someone with more knowledge on ArcSight can weigh in with comments.


Re: Install ArcSight Connector 7.13 on ePO 5.10

After a little trial and error I have the 7.13 up and working. Unlike the syslog publishing solution, the messages are parsed fully into the ArcSight logger. I would like to transition to syslog, but will be waiting on improvements in the parser.

I actually did not have to do anything specific for the CONNECT and GRANT.

Thanks for the help.

cdinet McAfee Employee
Message 8 of 8

Re: Install ArcSight Connector 7.13 on ePO 5.10

To answer your questions....

When creating an SQL 2016 account for the connector, is default database:
master or ePO_HBSSEPO or ePO_HBSSEPO_Events?

You connect only to the epo_hbssepo database, not the events db.

How is explicit CONNECT and SELECT specified for SQL 2016?

I don't know if that is any different than SQL 2014 or other versions - you might need to check with your DBA for that.

 

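An added example, not from the ArcSight manual or from any poster in this thread: one way a DBA could apply the four privileges quoted above from the connector guide (explicit CONNECT, explicit SELECT, public, db_datareader) in the ePO_HBSSEPO database and then verify what the account actually holds. The login name `arcsight_connector` and the password are placeholders, and the default database follows the accepted answer.

```sql
-- Added example. Run as a sysadmin/DBA in SSMS or sqlcmd (GO is their batch separator).
-- [arcsight_connector] and the password are placeholders, not values from the thread.
USE [master];
GO
CREATE LOGIN [arcsight_connector]
    WITH PASSWORD = N'<placeholder-password>',
         DEFAULT_DATABASE = [master],   -- per the accepted answer in this thread
         CHECK_POLICY = ON;
GO

USE [ePO_HBSSEPO];
GO
-- Map the login to a database user. Every database user is a member of public,
-- and CREATE USER itself grants CONNECT on the database.
CREATE USER [arcsight_connector] FOR LOGIN [arcsight_connector];
ALTER ROLE [db_datareader] ADD MEMBER [arcsight_connector];
-- The "explicitly assigned" permissions from the manual, at database scope.
GRANT CONNECT TO [arcsight_connector];
GRANT SELECT  TO [arcsight_connector];
GO

-- Explicit permission entries recorded for the user.
SELECT pr.name AS principal_name, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'arcsight_connector';

-- Database roles the user belongs to (public is implicit and not listed here).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'arcsight_connector';

-- Effective permissions as seen by the connector account itself.
-- A read-only collection account should hold CONNECT and SELECT but not INSERT.
EXECUTE AS USER = N'arcsight_connector';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONNECT') AS can_connect,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT')  AS can_select,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT')  AS can_insert;
REVERT;
GO
```

If the login is also mapped to ePO_HBSSEPO_Events, as in the original question, the same database-level batch and checks apply there.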
