ArcSight n00b (Part 1)

by Bruce Brown | 1 Comment


ArcSight n00b

ArcSight for dummies.. is a an oxymoron because you cannot do ArcSight and be a dummy.  The system is overly complex with too many moving parts.

In a world of intuitive interfaces and user friendly complex systems Arcsight is “rocket surgery”.

The best I can do after 2 years with this log collecting, correlation beast is to tell what I have learned from my attempts at figuring it out.


What the HELL is ArcSight?

ArcSight is a security information & event manager (SIEM).  It collects security event logs from critical servers, internetworking devices, proxies, firewalls and other core network systems.  So systems like DNS servers, host based intrusion protection systems, intrusion detection systems and DHCP servers.  Usually, these logs are monitored by a security analyst.  You find SIEMs at medium to large organizations that have a lot to lose.  That is to say, they have assets of great value: data, services, information systems.  Since they must be online to conduct business, they may have a high exposure to the Internet and are under regular probing and or attack by numerous “threatsources” (attackers, malware, competitors).

ArcSight was bought be HP in 2010.  I am told by former ArcSight employees that this affected the quality of ArcSight.  But that is before my time.  The product seems great (aside from minor grievances <cough> Challenge Response Code <cough> and the employees very smart and very skilled.  HP seems to have kept much of the special sauce that makes ArcSight the top SIEM.

What Are the Components that Make up ArcSight?

Great question!  The main components of ArcSight (HP ArcSight..) are the following:

ArcSight ESM – ArcSight Event Security Manager is software for monitoring security events.  It allows real-time view of security events, can take security incidents that may be related to a larger attack and alert the analyst (correlation), it allows historical views of trends on a given network.

ArcSight Logger – Logger is a log management solution that is designed for high event throughput, long-term storage for rapid data analysis.  It allows the security analyst to type in and ip address (for example, and see how many times that system was attacked or accessed and with what type of packet.

Connectors – There are a few types of connectors but the main ones are the ConnectorAppliance and SmartConnetor.  A SmartConnector is software that collects event data from the network device and sends it to an ESM or Logger.   The ConnectorAppliance is a hardware solution that allows the management of many SmartConnectors.


So if you are new to ArcSight where do you start:

It really helps to have a background in information assurance/security analysis, networking, Linux and databases.  The learning curve seems to be having some comfort with all of this things.  Usually, IT professionals are very deep in one area and weak in most others.  If you are a true Jack of all trades, then you will like the challenge of ArcSight.  If you don’t have any experience with these things.  There are some other recommendations for ArcSight n00bs:

– ArcSight Certifications

– ArcSight Resources




SmartConnector Users Guide (2009), Connector Appliance Admin Guide v4.6 (2008), Logger QuickStart v5.2 (2011), ESM v5.2 101, Concepts for ArcSight ESM v5.2 (2012).


1 Comment on ArcSight n00b (Part 1)

  1. K
    January 13, 2015 at 9:14 pm (5 years ago)

    Nice Post, new in this field, and your post helped me jumpstart in SIEM


Leave a Reply

Your email address will not be published. Required fields are marked *

Comment *