Release Notes ArcSight SmartConnector 7.0.4.7088 June 30, 2014
Copyright 2014 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements: http://www.hpenterprisesecurity.com/copyright.

This document is confidential.

Contents

SmartConnector Release 7.0.4.7088
    To Apply This Release
    New Connectors
    New Device, Component, or OS Version Support
    SmartConnector Enhancements
    Fixed Issues
    Connector End-of-Life Notices
        SmartConnectors Support Ending
        SmartConnectors No Longer Supported
        SmartConnector Device Versions No Longer Supported
    New and Updated SmartConnector Documentation

SmartConnector Release 7.0.4.7088

These notes describe how to apply this latest release of ArcSight's SmartConnectors, as well as providing other information about recent changes and open and closed issues.

To Apply This Release

Download the appropriate executable for your platform from the Support Web site (http://support.openview.hp.com), as well as the separate downloadable zip file of SmartConnector Configuration Guides (which should be unzipped in a folder you create for the documentation).

Both 32-bit and 64-bit executables are available for download. The 64-bit installation executables contain a subset of available SmartConnectors. See your platform's 64-bit SmartConnector installer for the list of available connectors, or see the document "SmartConnectors Available for 64-Bit Platforms" listed on the SmartConnector Documentation page on Protect 724 (https://protect724.hp.com/community/arcsight/productdocs/connectors) or in the SmartConnector Configuration Guide zip file available for download from the Support Web Site.

For a successful SmartConnector installation, follow the installation procedures documented in the individual SmartConnector Configuration Guides. The most current configuration guides are available with each SmartConnector release in a separate downloadable file from the Support Web site (http://support.openview.hp.com) rather than as part of the SmartConnector installation process. Create a folder for the documentation (such as c:\arcsight\docs) and unzip the file there. Then double-click index.html to access the individual configuration guides.

New Connectors

SmartConnector for - Device Version Supported
Cisco Wireless LAN Controller SNMP - Cisco Airespace (MIB 4.0)
HP Printers Syslog - Multiple HP printers (See configuration guide for details.)
RSA Identity Management Service SNMP - 8.0

New Device, Component, or OS Version Support

SmartConnector for - New Device, Component, or OS Version
ArcSight FlexConnector - SNMP 3.0
Aruba Mobility Controller Syslog - 7210, 7270
IBM WebSphere File - 8.5
Kaspersky DB - Security Center 10.0
Microsoft SQL Server Multiple Instance Audit DB - SQL Server 2014
Proofpoint Enterprise Protection and Enterprise Privacy Syslog - 7.2
Sourcefire Defense Center eStreamer - 5.3
VMware ESX/ESXi Syslog - 5.5
VMware Web Services - 5.5

SmartConnector Enhancements

In each SmartConnector release, updates and enhancements are made to the field mappings for individual SmartConnectors. If you use any of the SmartConnectors listed in the "Fixed Issues" section of these release notes, be aware that installing the updated SmartConnector can impact your created content. HP advises you to verify the content you created before deploying the SmartConnector into your production environment.

All ArcSight FlexConnectors - Enhanced map files to set a field based on an expression similar to one found in a parser, using other fields in the event as possible inputs. [CON-14158]
All Syslog File SmartConnectors - Syslog File connectors supported on Windows platform. [CON-12199]
IBM SiteProtector DB - SiteProtector to use AlertName for Device Event Class ID 500K. [CON-14018] NOTE: DECID has changed from XFID to AlertName.
McAfee Web Gateway File - Added support for AccessDenied and FoundViruses log types. [CON-14094]
Microsoft Forefront Threat Management Gateway File - A new internal property, isalogfiletimezoneid, was added to specify the log file rotation time zone. Users only need to specify the value for this property when the log file rotation time zone is different from the connector host time zone. The possible values are valid time zone IDs, for example, GMT, PST, EST, etc. [CON-14107]
Microsoft Windows Event Log Unified - Mapped Failure Information:Status to an ArcSight field. [CON-13871]
Snort Multiple File - Added support for payload retrieval. [CON-13505]

Fixed Issues

SmartConnector for - Number - Description
All SmartConnectors - CON-14170 - Previously, if the Enable Batching (per event) parameter was configured to a value of 600, it would cause a large number of lost events when the destination was ESM, unless the http.transport.queuesize property in the agent.properties file was adjusted to a higher value. Now that condition is detected to avoid event loss.
For best performance, the Enable Batching (per event) value should not be set to values higher than 300 for ESM destinations unless the http.transport.queuesize property has been set to a significantly higher value. Increasing the connector's memory may also be necessary for larger batch sizes.
Check Point OPSEC NG - CON-13471 - Error corrected in parser for event.devicecustomdate2.
Citrix NetScaler Syslog - CON-14064 - Connector was not parsing some v9.2 events completely. This issue has been fixed.

Connector End-of-Life Notices

SmartConnectors Support Ending

Ending 12/31/2014
Red Hat Enterprise Linux (RHEL) 6.1 64-bit platform
Red Hat Enterprise Linux (RHEL) 6.2 64-bit platform
Red Hat Enterprise Linux (RHEL) 5.7 32-bit and 64-bit platforms

Ending 09/30/2014
All SmartConnectors
Event collection from Microsoft Windows XP platforms
Event collection from Microsoft Windows 2000 platforms
Platform support for Microsoft Windows XP platforms

SmartConnectors No Longer Supported

Ended 06/30/2014
CA SiteMinder File (Legacy)
Lancope StealthWatch Syslog (Legacy) - Use the SmartConnector for Lancope StealthWatch Management Console Web Services.
Microsoft Exchange Message Tracking Log File (Legacy) - Use the SmartConnector for Microsoft Exchange Message Tracking Log Multiple Server File.
Microsoft SQL Server Audit DB (Legacy) - Use the SmartConnector for Microsoft SQL Server Audit Multiple Instance DB.
Oracle SYSDBA Audit File (Legacy) - Use the SmartConnector for Oracle SYSDBA Audit Multiple Folder.
SAP Real-Time Security Audit File (Legacy) - Use the SmartConnector for SAP Real-Time Security Audit Multiple Folder File.
Secure Computing Webwasher CSM File (Legacy) - Use the SmartConnector for McAfee Web Gateway File.

Ending 09/30/2014
Note: The following connectors will reach end-of-life because they are no longer supported by the vendors.
Alcatel Syslog
Cisco Aironet Syslog
Cisco Security Agent File
CyberGuard Firewall Syslog
Intrusion Computer Misuse Detection System
Intrusion SecureNet Provider DB
Intrusion SecureNet Provider SNMP
iPolicy Intrusion Prevention Firewall Syslog
Lucent Brick Managed Services File
McAfee Entercept
McAfee Entercept DB
Nagios Syslog
Network Appliance NetCache File
Newbury WiFi Watchdog Syslog
Oblix NetPoint File
RSA ClearTrust File
SANA Primary Response SNMP
Securify SecurVantage SNMP
Symantec Enterprise Firewall File
Symantec Enterprise Firewall SNMP
Symantec Gateway Security/Enterprise Firewall File
Symantec Gateway Security/Enterprise Firewall NG File
Symantec Intruder Alert File
Symantec Intruder Alert SNMP
Symantec ManHunt DB
Symantec ManHunt Syslog
Symantec NetRecon NRD File
Symantec Network Security Syslog
Symantec SESA DB
Trend Micro Asset Scanner DB
Tripwire File Reader for NT/2000
Visionael ESP DB (Visionael Security Audit DB)

SmartConnector Device Versions No Longer Supported

Ended 11/15/2013
Sourcefire Defense Center eStreamer (older versions) - Support has ended for Sourcefire versions 3.0, 4.0, 4.0.2, 4.1, 4.5, 4.5.1, 4.6, 4.6.1, 4.7, 4.8, 4.8.1, and 4.8.2.

New and Updated SmartConnector Documentation

The following SmartConnector documentation has been added or updated for this release.

Arbor Networks Peakflow Syslog - Updated supported versions.
ArcSight FlexConnector Developer's Guide - Added GA support for SNMP v3, Appendix E: XML FlexConnector Development Example, and properties to the Folder Follower FlexConnector Properties section. See guide for details.
Aruba Mobility Controller Syslog - Added support for Aruba Mobility Controllers 7210 and 7270 (OS version 6.3).
Barracuda Web Appliance Firewall Syslog - Updated vendor and connector name (formerly NetContinuum Web Firewall Syslog).
Blue Coat Proxy SG Multiple Server File - Corrected the process for changing the 'processingthread' and 'monitorinterval' parameters for a folder.
Brocade BigIron Syslog - Updated vendor name from Foundry.
Cisco Wireless LAN Controller SNMP - Added GA support for Cisco Airespace (MIB 4.0).
HP Printers Syslog - First edition of this configuration guide.
IBM SiteProtector DB - Updated mappings for Device Event Class ID and Device Action: added Source NT Domain mapping.
IBM WebSphere File - Added support for WebSphere 8.5.
Kaspersky DB - Added support for Kaspersky Security Center 10.0.
McAfee ePolicy Orchestrator DB - Updated parameter screens.
McAfee Web Gateway File - Added support for 'AccessDenied' and 'FoundVirus' log types for v7.4.
Microsoft SQL Server Multiple Instance Audit DB - Added support for SQL Server 2014.
Proofpoint Enterprise Protection and Enterprise Privacy Syslog - Added support for Messaging Security Gateway 7.2.
RSA Identity Management Service SNMP - Added GA support for RSA Identity Management Service 8.0 and SNMP 3.0.
SmartConnector Product and Platform Support - Added RHEL 5.7 64-bit platform to End of Life notices.
SmartConnectors with 64-Bit Support - Document listing SmartConnectors with 64-bit support.
Snort Multiple File - Payload support is now available for this connector.
Sourcefire Defense Center eStreamer - Added support for version 5.3.
Symantec Endpoint Protection DB - Added minimal privileges procedure.
VMware ESX/ESXi Syslog - Added device support for ESX/ESXi Server v5.5.
VMware Web Services - Added support for ESX/ESXi Server v5.5.