10 Configuring Integration with ArcSight SIEM

How Oracle AVDF Integrates with HP ArcSight SIEM

The HP ArcSight Security Information Event Management (SIEM) system is a centralized system for logging, analyzing, and managing messages from different sources. The Audit Vault Server forwards messages to ArcSight SIEM from both the Audit Vault Server and Database Firewall components of Oracle AVDF.

You do not need to install additional software if you want to integrate ArcSight SIEM with Oracle AVDF. You configure the integration by using the Audit Vault Server console.

Messages sent to the ArcSight SIEM Server are independent of any other messages that may be sent from Oracle AVDF. This means you can send standard syslog messages to a different destination.

Oracle AVDF categorizes the messages that can be sent to ArcSight SIEM. There are three categories:

  • System - syslog messages from subcomponents of the Audit Vault Server and Database Firewall components of Oracle AVDF

  • Info - specific change logging from the Database Firewall component of Oracle AVDF

  • Debug - a category that should only be used under the direction of Oracle Support

Enabling the HP ArcSight SIEM Integration

When you enable the ArcSight SIEM integration, the settings take effect immediately. You do not need to restart the Audit Vault Server.

To enable ArcSight SIEM integration:

  1. Log in to the Audit Vault Server console as a super administrator.

  2. Click the Settings tab.

  3. From the System menu, click Connectors, and scroll down to the HP ArcSight SIEM section.

    [Illustration arcsight_config.gif: the HP ArcSight SIEM section of the Connectors page]

  4. Specify the following:

    • Enable ArcSight event forwarding: Select this check box to enable ArcSight SIEM integration.

  • ArcSight destinations: Depending on the communications protocol you are using, enter the IP address or host name of the ArcSight server in the UDP field, or its IP address or host name and port in the TCP field. This setting causes the syslog output to be sent to this ArcSight server in Common Event Format (CEF).

  • Event categories: Select any combination of the message categories (System, Info, Debug), depending on which types of messages the ArcSight server needs.

    • Limit message length: You can choose to limit the message to a specified number of bytes.

    • Maximum message length (bytes): If you selected Limit message length, enter the maximum length that you want. The range allowed is 1024 to 1048576 characters.

  5. Click Save.
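After saving, the practical check is to confirm that CEF-formatted syslog actually arrives at the configured destination and that it stays within the message-length limit you chose. The script below is an added example (it is not Oracle's code and not part of this documentation): it parses CEF payloads the way a receiver must (header fields split on unescaped `|`, extension key=value pairs with `\=` unescaped), validates a length limit against the 1024 to 1048576 range stated above, and can bind a UDP port to act as a stand-in receiver. The sample syslog line is constructed for illustration and is not an actual Oracle AVDF message; the default port 5514 is an assumption chosen so the script runs without root.

```python
"""Receive and sanity-check CEF messages forwarded by a syslog source.

Added example, not Oracle AVDF code. Assumes a sender that emits
Common Event Format (CEF) payloads inside syslog over UDP, as the
ArcSight forwarding configured above does.
"""
import re
import socket
from typing import Dict, List, Tuple

# Order of the seven CEF header fields that follow the "CEF:" prefix.
CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]

# Limit range for "Maximum message length (bytes)" as documented above.
MIN_LIMIT, MAX_LIMIT = 1024, 1048576

# Constructed sample: syslog PRI + timestamp + host, then a CEF payload.
# The vendor/product/fields are illustrative, not real Oracle AVDF values.
SAMPLE_LINE = ("<14>Jan  1 12:00:00 avs01 CEF:0|Example|SampleDevice|1.0|100|"
               "Policy change|5|src=10.0.0.5 msg=rule updated\\=yes cat=Info")


def validate_limit(max_bytes: int) -> int:
    """Reject a limit outside the range the console accepts."""
    if not MIN_LIMIT <= max_bytes <= MAX_LIMIT:
        raise ValueError(f"limit must be within {MIN_LIMIT}..{MAX_LIMIT}")
    return max_bytes


def fits_limit(raw: bytes, max_bytes: int) -> bool:
    """True if the datagram is no longer than the configured maximum."""
    return len(raw) <= max_bytes


def _unescape(value: str) -> str:
    # CEF escapes '|', '=' and '\' with a backslash.
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> Dict[str, object]:
    """Split a syslog line carrying CEF into header and extension dicts."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    payload = line[start + len("CEF:"):]
    # Split on '|' that is not preceded by a backslash; at most 8 parts.
    parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    header = {name: _unescape(val) for name, val in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension_text = parts[7] if len(parts) == 8 else ""
    # key=value pairs; a value runs until the next " key=" or end of string.
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", extension_text)
    extension = {key: _unescape(val) for key, val in pairs}
    return {"syslog_prefix": line[:start].strip(),
            "header": header, "extension": extension}


def receive_cef(port: int = 5514, max_bytes: int = MAX_LIMIT,
                count: int = 1) -> List[Tuple[str, Dict[str, object]]]:
    """Bind UDP `port`, parse `count` datagrams; stand-in for the ArcSight receiver."""
    validate_limit(max_bytes)
    results: List[Tuple[str, Dict[str, object]]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(results) < count:
            data, (host, _) = sock.recvfrom(65535)
            if not fits_limit(data, max_bytes):
                print(f"{host}: datagram of {len(data)} bytes exceeds limit {max_bytes}")
                continue
            results.append((host, parse_cef(data.decode("utf-8", errors="replace"))))
    return results


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_LINE)
    print(parsed["header"]["name"], parsed["extension"])
    # To listen for real forwarded events instead, run e.g.:
    # for host, event in receive_cef(port=5514, max_bytes=8192, count=5): print(host, event)
```

Point the UDP field of "ArcSight destinations" at the host running this script (with the chosen port) on a test system, and the parsed `header` and `extension` dicts show exactly which category and fields each forwarded event carries; a message rejected by `fits_limit` is the case the "Limit message length" option is meant to prevent.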