User`s guide
Technical white paper
28
log4j.appender.cef1=com.hp.esp.arcsight.cef.appender.Log4jAppender
log4j.appender.cef1.deviceVendor=HP
log4j.appender.cef1.deviceProduct=CSA
log4j.appender.cef1.deviceVersion=3.1
log4j.appender.cef1.transportType=SYSLOG
log4j.appender.cef1.hostName=192.x.x.x
log4j.appender.cef1.port=514
log4j.appender.cef1.layout=org.apache.log4j.PatternLayout
log4j.appender.cef1.layout.ConversionPattern=%d [%-18t -%x] %-5p %C.%M - %m%n
log4j.appender.cef1.useCefHeader=true
log4j.appender.cef1.eventName=MOEEvent
Similar event types are defined for the other applications that comprise CloudSystem Enterprise including:
Cloud Service Automation – CSAEvent
– Note – this event is not added as part of the CSA 3.1 installation. This was added by modifying the CSA server
log4j.properties file with the addition of the following line:
log4j.appender.cef1.eventName=CSAEvent
– C:\Program Files\Hewlett-Packard\CSA\jboss-as-7.1.1.Final\standalone\deployments\csa.war\WEB-
INF\classes\log4j.properties
• OOEvent – Operations Orchestration
• OORASEvent – Operations Orchestration RAS
• SiteScope Event – SiteScope
• UCMDBEvent – UCMDB
The ArcSight documentation, User’s Guide HP ArcSight SmartConnectors, explains how to configure an HP ArcSight Connector
on each of the Windows operating systems that comprise CloudSystem Enterprise. In the screen shot below we are
searching on failed logon. Just prior to this search we attempted to login to oo.fog.cloud.internal, this server hosts our Cloud
Service Automation and Operations Orchestration applications. As you can see in Figure 30 below, the failed logon attempts
are captured and reported in the HP ArcSight Logger.
Figure 30. Logger Failed Logon Event
Looking at the Logger Analyze screen in Figure 30, we can see that the search criteria was failed logon in the Last 5 minutes.
Out of 999 events that were logged during the five minute reporting period, four of these events were failed logons.