
ArcSight Data Platform - Logger

Technical Presentation Training, Level 320


Technical Field Enablement

1
September 2018
Agenda
 What is Logger?
 Standalone Logger
 ArcSight Data Platform – ADP Logger
 Logger Components & Architecture
 Logger Value Proposition
 Competition
 Why Logger?
What is Logger?

3
What is Logger?

 ArcSight Logger is a Universal Log Management solution that can Collect Everything, Analyze Anything and can be Used Anywhere.
 ArcSight Logger unifies searching, reporting, alerting and analysis across ANY type of enterprise log data.
 ArcSight Logger supports multiple deployment options and can be installed as an Appliance or as Software on a physical or virtual machine.
 Supports Cyber Security, Compliance, IT Operations, GRC, and Log Analytics. Logger is not just a security tool!
 Key piece in a security portfolio for long-term, high-integrity event archiving and reporting
What is Logger?
[Architecture diagram: Sources (Cloud, Servers & Workloads, Network, Endpoint, IoT, Users, Apps, Data) feed the ArcSight Data Platform (Event Broker, Logger nodes, Management Console), which feeds ArcSight Analytics (ArcSight Enterprise Security Management SIEM, Hunt, Data Lake, User Behavior Analytics, Third Party Applications, DB, Security Tools).]
 In ADP, Logger consumes events from Event Broker
 In standalone mode, Logger consumes events from Connectors and direct Receivers
 Quick Searches and Reports on years of data
 Compliance, GRC, IT Ops, Security Use Cases
 12 TB addressable storage per node
 Scalable up to 100 peers
5
Standalone Logger and ADP Logger

6
Standalone Logger and ADP Logger

 Same code, same features, just licensed differently


 All Loggers are licensed on GB of events ingested per day

 Standalone Logger
 Used without ADP
 Can consume events from raw devices or Connectors

 ADP Logger
 Consumes events from raw devices, Event Broker or from Connectors
 Consumption license centrally managed by ArcMC
Logger Components & Architecture

8
Logger Components
 Receivers
 Receives events from SmartConnectors, FlexConnectors, Files, Network Connections
 ADP Logger can also receive events from Event Broker
 Forwarders
 Forwards events to ArcSight ESM, other Connectors, other Syslog or any TCP or UDP downstream device
 Storage Groups
 Allow for the separation of events by retention period or by event type
 Search
 Google-like search for events over time, with pipeline operators for transformations and quick charts
 Dashboards
 Visual summaries of activity over time, top entities
 Reports
 Repeatable, ad-hoc or scheduled, long-term analysis and summary of events suitable for Management as well as Analysts
 Lookups
 Dynamic comparisons with external sources of information, such as a list of malicious domains or blacklist IP
Addresses
 Alerts
 Both near real time and scheduled
9
Quick time to value through log analysis and dashboards
 Take advantage of ArcSight CEF Categories to quickly build powerful searches
 Finding all failed login attempts across ANY device in your organisation is as simple as
categoryBehavior = "/Authentication/Verify" AND categoryOutcome = "/Failure"
 Logger easily turns your searches into meaningful dashboards used across your enterprise
10
120+ Searches, Filters and Reports Included
 Dozens of search filters and reports allow you to immediately analyse and deliver quality dashboards and reports within minutes
 Can be extended with Compliance Packages such as PCI, SOX, ISO
 Easily build your own content and share within the enterprise
11
Storage Groups
 Up to 100 Storage Groups help segregate data with different access rights, retention
and priority
 Store highest priority events online for a longer period of time
 Prioritize storage so disk cost is reduced and optimised

12
Scheduled and Real Time Alerts
 Be alerted in near-real time as soon as a critical event occurs, such as "A USB storage key was inserted into a critical server"
 Scheduled alerts allow for alerting on single or multiple occurrences over time, such as "Too many failed login attempts to critical assets in the last hour"
 Alerts can be actioned in Logger or sent to other ArcSight components, SNMP destinations and other Syslog destinations

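The CEF-category search on the earlier slide and the scheduled alert "too many failed login attempts in the last hour" above are the same predicate applied once per event and then counted over a window. The following is an added example, not ArcSight code and not Logger's search engine: it parses CEF lines, applies the slide's two-field filter, and evaluates a per-host threshold over a one-hour window. The sample events are constructed; it is assumed that categoryBehavior and categoryOutcome appear as CEF extension keys (in a real deployment the SmartConnector's categorization populates these fields and Logger indexes them), and dhost and rt are the standard CEF keys for destination host and receipt time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# One extension pair: key=value, where the value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w[\w.]*)=((?:\\.|[^\\])*?)(?=\s+\w[\w.]*=|$)")


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    # Split on unescaped '|' only; CEF escapes a literal pipe in the header as '\|'.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header: %r" % line)
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts)}
    for key, value in _EXT_RE.findall(parts[7].strip()):
        event[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


# The slide's Logger search, expressed as field/value predicates joined by AND.
FAILED_LOGIN = {"categoryBehavior": "/Authentication/Verify",
                "categoryOutcome": "/Failure"}


def failed_logins(events):
    """Events matching every predicate in FAILED_LOGIN."""
    return [e for e in events if all(e.get(k) == v for k, v in FAILED_LOGIN.items())]


def threshold_alert(events, window, threshold, now):
    """Scheduled-alert style check: count failed logins per target host (dhost)
    whose receipt time rt (epoch ms) lies in [now - window, now]; return the
    hosts at or above threshold."""
    counts = defaultdict(int)
    start = now - window
    for e in failed_logins(events):
        ts = datetime.fromtimestamp(int(e["rt"]) / 1000, tz=timezone.utc)
        if start <= ts <= now:
            counts[e.get("dhost", "unknown")] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample events (not captured from any real system). NOW is the
# reference time of the scheduled check; _ms emits CEF 'rt' in epoch milliseconds.
NOW = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)


def _ms(dt):
    return str(int(dt.timestamp() * 1000))


SAMPLE_EVENTS = [
    # Windows: three failures against srv-db01 inside the last hour
    "CEF:0|Microsoft|Microsoft Windows|6.3|4625|An account failed to log on|Medium|"
    f"rt={_ms(NOW - timedelta(minutes=50))} dhost=srv-db01 suser=alice src=10.0.0.5 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
    "CEF:0|Microsoft|Microsoft Windows|6.3|4625|An account failed to log on|Medium|"
    f"rt={_ms(NOW - timedelta(minutes=30))} dhost=srv-db01 suser=bob src=10.0.0.6 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
    "CEF:0|Microsoft|Microsoft Windows|6.3|4625|An account failed to log on|Medium|"
    f"rt={_ms(NOW - timedelta(minutes=5))} dhost=srv-db01 suser=alice src=10.0.0.5 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
    # Windows: one failure against another host, below the threshold
    "CEF:0|Microsoft|Microsoft Windows|6.3|4625|An account failed to log on|Medium|"
    f"rt={_ms(NOW - timedelta(minutes=20))} dhost=srv-web01 suser=carol src=10.0.0.8 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
    # Windows: a successful logon, excluded by categoryOutcome
    "CEF:0|Microsoft|Microsoft Windows|6.3|4624|An account was successfully logged on|Low|"
    f"rt={_ms(NOW - timedelta(minutes=15))} dhost=srv-db01 suser=alice src=10.0.0.5 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Success",
    # Linux sshd: same category match across a different device type, but 3 hours old
    "CEF:0|Unix|Unix|5|sshd:auth-failed|Failed password \\| invalid user|Low|"
    f"rt={_ms(NOW - timedelta(hours=3))} dhost=srv-db01 suser=root src=203.0.113.9 "
    "msg=Failed password for invalid user root from 203.0.113.9 "
    "categoryBehavior=/Authentication/Verify categoryOutcome=/Failure",
]


def run_demo():
    """Return (number of failed logins, hosts with >= 3 failures in the last hour)."""
    events = [parse_cef(line) for line in SAMPLE_EVENTS]
    return len(failed_logins(events)), threshold_alert(events, timedelta(hours=1), 3, NOW)


if __name__ == "__main__":
    n, alerts = run_demo()
    print(f"{n} failed logins in sample; hosts over threshold: {alerts}")
```

The filter matches five of the six events regardless of vendor, which is the point of searching on categorization rather than on per-device signature IDs; only srv-db01 crosses the threshold because the old sshd failure falls outside the window.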
13
Quick Searches
 Searches can be free text, like Google
 Start with a simple search and let Logger help you define your next search or pivot
 Turn a search into a visualisation easily

14
ArcSight Data Platform Logger
Secure Data Integration
 Micro Focus Secure Data provides Format-Preserving Encryption (FPE)
 ArcSight SmartConnectors apply the FPE to one or more fields
 ArcSight Logger provides on-demand clear/FPE display, with access defined by Role
15
Logger Value Proposition

16
Logger Value Proposition
 Straightforward event consumption for both standalone and ADP
 Long-term storage
 Quick search: Google-like search across fields and any text. Bloom filters allow unmatched speed across billions of events.
 Repeatable Reporting
 Scalable Performance, up to 12 TB per instance, and up to 100 peers. Log Management that scales.
 Typically less expensive longer-term storage thanks to high levels of compression (around 7:1 to 10:1)
 Peer-based searching allows transparent scale-out without operational disruption
 NIST 800 compliant log archiving to NAS, DAS or any medium with no time limit.
 Archive and hash-digest all events so that the integrity of archived events can be verified
 Granular Role-Based Access: only the right people can see sensitive information
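Why a digest over archived events makes them high-integrity is worth seeing concretely. The following is an added illustration, not Logger's own archive format or digest scheme: each archived event line is chained onto the SHA-256 digest of the previous one, and each day's archive links to the digest of the day before, so one stored digest covers the content, count and order of the archive, and doctoring an earlier archive also breaks the link stored in the later one. The event lines and the manifest layout are constructed for the example.

```python
import hashlib

GENESIS = bytes(32)  # chain start for the first archive in a sequence


def chain_digest(events, prev=GENESIS):
    """SHA-256 hash chain over an ordered list of raw event lines.
    'prev' links this archive to the digest of the preceding archive."""
    digest = prev
    for line in events:
        digest = hashlib.sha256(digest + line.encode("utf-8")).digest()
    return digest.hex()


def seal(events, prev_hex=GENESIS.hex()):
    """Manifest stored next to the archive file (constructed format)."""
    return {"count": len(events), "prev": prev_hex,
            "sha256_chain": chain_digest(events, bytes.fromhex(prev_hex))}


def verify(events, manifest):
    """True only if the archive still holds the same events in the same order."""
    return (len(events) == manifest["count"]
            and chain_digest(events, bytes.fromhex(manifest["prev"])) == manifest["sha256_chain"])


# Constructed sample archives for two consecutive days (not real data).
DAY1 = ["CEF:0|Unix|Unix|5|sshd:login|Accepted password|Low|suser=alice src=10.0.0.5",
        "CEF:0|Unix|Unix|5|sshd:login|Failed password|Low|suser=root src=203.0.113.9",
        "CEF:0|Unix|Unix|5|sudo|Command run|Low|suser=alice cs1=/bin/bash"]
DAY2 = ["CEF:0|Unix|Unix|5|sshd:login|Accepted password|Low|suser=bob src=10.0.0.7"]


def tamper_checks():
    """Seal both archives, then report which kinds of tampering verification catches."""
    m1 = seal(DAY1)
    m2 = seal(DAY2, prev_hex=m1["sha256_chain"])  # day 2 links to day 1
    edited = DAY1[:1] + [DAY1[1].replace("Failed", "Accepted")] + DAY1[2:]
    deleted = DAY1[:1] + DAY1[2:]
    reordered = [DAY1[1], DAY1[0], DAY1[2]]
    return {
        "intact": verify(DAY1, m1) and verify(DAY2, m2),
        "edited": verify(edited, m1),
        "deleted": verify(deleted, m1),
        "reordered": verify(reordered, m1),
        # re-sealing a doctored day 1 no longer matches the link kept in day 2's manifest
        "relinked": seal(edited)["sha256_chain"] == m2["prev"],
    }


if __name__ == "__main__":
    for name, ok in tamper_checks().items():
        print(f"{name:10s} verifies: {ok}")
```

Only the untouched archives verify; an edit, a deletion, a reorder, or a re-sealed replacement of day 1 all fail. In practice the manifests (or at least the chain digests) must be kept somewhere the archive writer cannot rewrite, otherwise an attacker with write access to the archive simply re-seals it.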
17
Competition

18
Competition
 Splunk
 Multiple Splunk Data Models with varying normalization make Big Data analysis near-impossible
 More Expensive. Even more so as data volumes grow. Filtering & Aggregation are difficult and problematic.
 Poor Compliance solution – allows for deletion of events in data store
 LogRhythm
 Appliance-only offering
 Limited device support
 Custom log sources hard to support
 Elastic
 Takes a lot of time to configure and structure data (build your own filters)
 Fine grained JSON, XML and programming skills required to deliver near-Logger quality dashboards and
reports
 Is a plethora of applications, widgets and configuration files (Elasticsearch, Kibana, Logstash and many plugins such as grok)
19
Sizing and Capacity
 Software Logger
 5 GB / day minimum, steps of 5 GB/day up to 500 GB/day
 Appliance Logger
 L7600 5 GB / day minimum, steps of 5 GB/day up to 250 GB/day
 12 TB Addressable Storage per Logger instance
 Can mix and match peering to software and appliances
 Up to 100 peers – transparent searching across all peers
 High availability can be achieved by using
 Logger destination pools (from SmartConnector)
 HA appliances can be used to ingest a second copy of all events in case of primary failure

20
Why Logger?
[Architecture diagram, as on the "What is Logger?" slide: Sources (Cloud, Servers & Workloads, Network, Endpoint, IoT, Users, Apps, Data) feed the ArcSight Data Platform (Event Broker, Logger nodes, Management Console), which feeds ArcSight Analytics (ArcSight Enterprise Security Management SIEM, Hunt, Data Lake, User Behavior Analytics, Third Party Applications, DB, Security Tools).]
 ArcSight Logger is a Universal Log Management solution that can Collect Everything, Analyze Anything and can be Used Anywhere.
 ArcSight Logger unifies searching, reporting, alerting and analysis across ANY type of enterprise log data.
 ArcSight Logger supports multiple deployment options and can be installed as an Appliance, as Software or as a Virtual Machine.
 Supports Cyber Security, Compliance, IT Operations, GRC, and Log Analytics
 Plays a key role in high-integrity long-term event archiving and reporting within the ArcSight Data Platform
21
Thank you.
www.microfocus.com

For more information, visit the Sales or Partner Portal.
Make sure to fill out your survey after the course!

22