Configuration Guide

SmartConnector for Apache Tomcat File

February 14, 2014


Copyright © 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from
HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services
are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions
contained herein.

Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements:
http://www.hpenterprisesecurity.com/copyright.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.

This document is confidential.

Revision History

Date          Description
02/14/2014    Added the "Log Rotation - File Name Pattern" section.
11/15/2013    First edition of this Configuration Guide.

This guide provides information for installing the SmartConnector for Apache Tomcat File and
configuring the device for event collection. This SmartConnector is supported on the Linux platform.
Apache Tomcat version 7.0 is supported.

See the section "Device Event Mapping to ArcSight Data Fields" later in this document for the specific
events mapped to fields in the ArcSight database.

Product Overview
Tomcat is an application server from the Apache Software Foundation that executes Java servlets and
renders Web pages that include Java Server Page coding. The Apache Tomcat Server is developed
and maintained by an open community of developers under the auspices of the Apache Software
Foundation.

Configuration
For information on configuring Apache Tomcat to send events to the ArcSight SmartConnector, please
see: http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Documentation_references

Make sure that you are using Apache's default log formats.

Install the SmartConnector


Before you install any SmartConnectors, make sure that the ArcSight products with which the
connectors will communicate have already been installed correctly (such as ArcSight ESM or ArcSight
Logger). This configuration guide takes you through the installation process with ArcSight Manager
(encrypted) as the destination.

For complete product information, read the Administrator's Guide as well as the Installation and
Configuration guide for your ArcSight product before installing a new SmartConnector. If you are
adding a connector to the Connector Appliance, see the ArcSight Connector Appliance Administrator's
Guide for instructions, and start the installation procedure at step 3.

Before installing the SmartConnector, be sure the following are available:

- Local access to the machine where the SmartConnector is to be installed

- Administrator passwords

Unless specified otherwise at the beginning of this guide, this SmartConnector can be installed on all
ArcSight supported platforms; for the complete list, see the SmartConnector Product and Platform
Support document, available from the HP SSO and Protect 724 sites.

1 Download the SmartConnector executable for your operating system from the HP SSO site.


2 Start the SmartConnector Installer by running the executable.

Follow the installation wizard through the following folder selection tasks and installation of the core
connector software:

Introduction
Choose Install Folder
Choose Install Set
Choose Shortcut Folder
Pre-Installation Summary
Installing...

3 When the installation of SmartConnector core component software is finished, the following window
is displayed.

4 Select Add a Connector and click Next.

5 Select Apache Tomcat File and click Next.

6 Enter the required SmartConnector parameters to configure the SmartConnector, then click Next.


Parameter / Description

Folder
    The absolute path to the location of the log files, such as
    'c:\Program Files\Apache Software Foundation\Apache2.2\logs\' on a Windows platform or
    '/var/log/apache/' on a UNIX platform.

File Name Pattern
    The log file name ('filename.2013-*.log') has three parts:
    - Part 1: ('filename') is the file name
    - Part 2: ('2013-*') is the date
    - Part 3: ('.log' or '.txt') is the file type
    - For example: 'apache_tomcat_file.2013-11-15.log'; or 'catalina.2013-11-15.txt'; or
      'localhost_access_log.2013-10-10.txt'
    See the section "Log Rotation - File Name Pattern" for details on log file rotation.

Log Type
    Select the appropriate option from the drop-down list: 'apache_tomcat_file' or
    'apache_tomcat_access_file':
    - Select apache_tomcat_access_file if the file name includes localhost_access and has the
      following event format: "%h %l %u %t "%r" %s %b". An example of the
      apache_tomcat_access_file would be the file name created by the default setting. For
      example: localhost_access_log.2013-10-10.txt (Note the file type is .txt, not .log.)
      For example:
      10.10.3.108 - tomcat [11/Apr/2012:16:43:24 -0700] "GET /manager/status HTTP/1.1" 200 5636
    - Select apache_tomcat_file if the file name includes catalina, host-manager, localhost, or
      manager. In these files, each event spans two lines:
      + The first line maps to regex: \\w{3} \\d+, \\d+ \\d+:\\d+:\\d+ \\w+ \\S+.*
      + The second line maps to regex:
        (ALL|FINEST|FINER|FINE|CONFIG|INFO|WARNING|SEVERE):.*
      For example:
      Apr 11, 2012 4:43:15 PM org.apache.coyote.AbstractProtocol init
      INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
    NOTE: Click Add again to add additional log types. Folder paths can be changed too.


7 Make sure ArcSight Manager (encrypted) is selected and click Next. For information about the
other destinations listed, see the ArcSight SmartConnector User's Guide as well as the
Administrator's Guide for your ArcSight product.

8 Enter the Manager Host Name, Manager Port, and a valid ArcSight User Name and Password.
This is the same user name and password you created during the ArcSight Manager installation.
Click Next.

9 Enter a name for the SmartConnector and provide other information identifying the connector's use
in your environment. Click Next; the connector starts the registration process.

10 The certificate import window for the ArcSight Manager is displayed. Select Import the certificate
to the connector from destination and click Next. If you select Do not import the certificate to
connector from destination, the connector installation will end.


The certificate is imported and the Add connector Summary window is displayed.

11 Review the Add connector Summary and click Next. If the summary is incorrect, click Previous
to make changes.

12 The wizard now prompts you to choose whether you want to run the SmartConnector as a
stand-alone process or as a service. If you choose to run the connector as a stand-alone process,
skip step 13. If you choose to run the connector as a service, the wizard prompts you to define
service parameters. See "Run the SmartConnector" later in this guide for more information.


13 Enter the service parameters and click Next. The Install Service Summary window is displayed.

14 Click Next.

To complete the installation, choose Exit and click Next. To enable FIPS-compliant mode, choose
Continue, click Next, and continue with "Enable FIPS Mode."

Enable FIPS Mode


15 After choosing Continue and clicking Next after connector installation, choose Enable FIPS Mode
and click Next. A confirmation window is displayed when FIPS mode is enabled.

16 Click Next. To complete installation of FIPS support, click Exit. To enable FIPS Suite B mode,
click Continue.

17 On the window displayed, select Modify Connector.

18 Select Add, Modify, or remove destinations and click Next.

19 Select the destination for which you want to enable FIPS Suite B mode and click Next.

20 Select Modify destination parameters and click Next.

21 When the parameter window is displayed, select FIPS with Suite B 128 bits or FIPS with Suite B
192 bits for the FIPS Cipher Suites parameter. Click Next.

22 The window displayed shows the editing changes to be made. Confirm and click Next to continue.
(To adjust changes before confirming, click Previous.)

23 A summary of the configuration changes made is displayed. Click Next to continue.

24 Click Exit to exit the configuration wizard.

For some SmartConnectors, a system restart is required before the configuration settings you made
take effect. If a System Restart window is displayed, read the information and initiate the system
restart operation.

Save any work on your computer or desktop and shut down any other running applications (including the
ArcSight Console, if it is running), then shut down the system.

Complete any Additional Configuration required, then continue with "Run the SmartConnector."

For connector upgrade or uninstall instructions, see the SmartConnector User's Guide.

Run the SmartConnector


SmartConnectors can be installed and run in stand-alone mode, on Windows platforms as a Windows
service, or on UNIX platforms as a UNIX daemon, depending upon the platform supported. On
Windows platforms, SmartConnectors also can be run using shortcuts and optional Start menu entries.

If the connector is installed in stand-alone mode, it must be started manually and is not automatically
active when a host is restarted. If installed as a service or daemon, the connector runs automatically
when the host is restarted. For information about connectors running as services or daemons, see the
HP ArcSight SmartConnector User's Guide.

To run all SmartConnectors installed in stand-alone mode on a particular host, open a command
window, go to $ARCSIGHT_HOME\current\bin and run: arcsight connectors

To view the SmartConnector log, read the file $ARCSIGHT_HOME\current\logs\agent.log; to
stop all SmartConnectors, enter Ctrl+C in the command window.

Device Event Mapping to ArcSight Fields


The following section lists the mappings of ArcSight data fields to the device's specific event definitions.
See ArcSight 101 for more information about the ArcSight data fields.

Apache Tomcat File Mappings to ArcSight ESM Fields


ArcSight ESM Field            Device-Specific Field
Connector (Agent) Severity    High = SEVERE, Medium = WARNING, Low = INFO, CONFIG, FINE, FINER, FINEST, ALL
Destination Host Name         hostname
Device Action                 action
Device Custom Number 1        Process Time
Device Custom Number 2        Server Startup Time
Device Custom String 1        Packet Name
Device Custom String 2        Class Name
Device Custom String 3        Servlet Container
Device Custom String 4        Catalina Type
Device Custom String 5        Protocol Handler
Device Custom String 6        Servlet Engine
Device Event Class ID         message
Device Product                'Tomcat'
Device Receipt Time           Timestamp(DateTime,"MMM dd, yyyy HH:mm:ss a")
Device Severity               severity
Device Vendor                 'Apache'
File Path                     filePath
FileName                      fileName
Message                       MessageContent
Name                          message

Apache Access File Mappings to ArcSight ESM Fields

ArcSight ESM Field            Device-Specific Field
Application Protocol          http
Connector (Agent) Severity    High = 400..599, Medium = 300..399, Low = 0..299
Destination Process Name      'apache'
Device Custom IPv6 Address 2  Source IPv6 Address
Device Custom Number 1        _safeToLong(Token12)
Device Custom String 3        Length
Device Custom String 4        Referer
Device Custom String 5        Token13
Device Event Class ID         ReturnCode
Device Process Name           'apache'
Device Product                'Tomcat'
Device Receipt Time           Date
Device Severity               ReturnCode
Device Vendor                 'Apache'
Name                          message
Request Client Application    UserAgent
Request Method                Method
Request URL                   URL
Source Address                One of Address(SourceHost)
Source User ID                UserID
Transport Protocol            TCP
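
The following pre-flight check is an added example, not part of the HP guide or the connector's own code. It applies the two Log Type formats from the parameter table and the Connector (Agent) Severity mappings above to sample lines, so that lines not in Tomcat's default format are caught before the connector is pointed at a file. The function names and the ACCESS_RE expression are assumptions made for this sketch.

```python
import re

# Log Type regexes from the guide, doubled backslashes reduced to regex syntax.
HEADER_RE = re.compile(r"\w{3} \d+, \d+ \d+:\d+:\d+ \w+ \S+.*")
LEVEL_RE = re.compile(r"(ALL|FINEST|FINER|FINE|CONFIG|INFO|WARNING|SEVERE):.*")
# Default access pattern: %h %l %u %t "%r" %s %b (expression written for this example)
ACCESS_RE = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

def level_severity(level):  # Tomcat File table: SEVERE High, WARNING Medium, rest Low
    return {"SEVERE": "High", "WARNING": "Medium"}.get(level, "Low")

def status_severity(status):  # access table: 400..599 High, 300..399 Medium, else Low
    return "High" if 400 <= status <= 599 else "Medium" if 300 <= status <= 399 else "Low"

def parse_tomcat_file(lines):
    """Pair each header line with the level line after it; return (events, rejected)."""
    events, rejected, i = [], [], 0
    while i < len(lines):
        level = LEVEL_RE.fullmatch(lines[i + 1]) if i + 1 < len(lines) else None
        if level and HEADER_RE.fullmatch(lines[i]):
            events.append({"header": lines[i], "level": level.group(1),
                           "agent_severity": level_severity(level.group(1))})
            i += 2
        else:
            rejected.append(lines[i])  # orphan line, stack trace or custom format
            i += 1
    return events, rejected

def parse_access(line):
    """Return the fields of a default-format access line, or None if it does not fit."""
    m = ACCESS_RE.fullmatch(line)
    if not m:
        return None
    host, _, user, when, request, status, _ = m.groups()
    return {"host": host, "user": user, "time": when, "request": request,
            "status": int(status), "agent_severity": status_severity(int(status))}

# The first two catalina lines and the first access line are the guide's examples;
# all other sample lines are constructed.
SAMPLE_CATALINA = [
    "Apr 11, 2012 4:43:15 PM org.apache.coyote.AbstractProtocol init",
    'INFO: Initializing ProtocolHandler ["ajp-bio-8009"]',
    "Apr 11, 2012 4:43:20 PM org.apache.catalina.core.StandardContext start",
    "SEVERE: Error listenerStart",
    "2012-04-11 16:43:21,001 [main] WARN custom formatter line",
]
SAMPLE_ACCESS = [
    '10.10.3.108 - tomcat [11/Apr/2012:16:43:24 -0700] "GET /manager/status HTTP/1.1" 200 5636',
    '10.10.3.108 - - [11/Apr/2012:16:43:30 -0700] "GET /missing.jsp HTTP/1.1" 404 973',
    '10.10.3.108 - - [11/Apr/2012:16:43:31 -0700] "GET / HTTP/1.1" 200 11217 "-" "ExampleAgent/1.0"',
]
```

A non-empty rejected list, or a None from parse_access, means the file contains lines outside the default formats this guide tells you to use.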

Log Rotation - File Name Pattern


You can use the File Name Pattern parameter to follow rotated log files. In a typical scenario, the
device writes to xyz.timestamp.log on a daily basis. At a specified time, the device creates a new daily
log and begins to write to it. The connector detects the new log and terminates the reader thread to the
previous log after processing is complete. The connector then creates a new reader thread to the new
xyz.timestamp.log and begins processing that file. To enable this log rotation, set the File Name
Pattern parameter to a date format, as shown in the example below:

FileName.'yyyy-MM-dd'.FileSuffix

Where, for a data file name of foo.2013-09-23.log:

FileName = foo
'yyyy-MM-dd' = current date
FileSuffix = .log
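
The sketch below is an added example, not code from the guide or the connector. It splits file names according to the FileName.'yyyy-MM-dd'.FileSuffix pattern, picks the Log Type by the file-name rule in the parameter table, and goes one step beyond the text by listing days for which no daily log exists, since a missing day is a gap in what the connector can collect. The function names are assumptions, and the file list is constructed.

```python
import re
from datetime import date, timedelta

# FileName.'yyyy-MM-dd'.FileSuffix, for example foo.2013-09-23.log
NAME_RE = re.compile(r"(?P<name>.+)\.(?P<date>\d{4}-\d{2}-\d{2})\.(?P<suffix>log|txt)")

def split_name(filename):
    """Return (FileName, date, FileSuffix), or None if the name does not fit the pattern."""
    m = NAME_RE.fullmatch(filename)
    if not m:
        return None
    try:
        day = date.fromisoformat(m.group("date"))
    except ValueError:  # right shape, but not a real calendar date
        return None
    return m.group("name"), day, "." + m.group("suffix")

def log_type(name):
    """Log Type choice from the parameter table, keyed on the file name."""
    if "localhost_access" in name:
        return "apache_tomcat_access_file"
    if any(k in name for k in ("catalina", "host-manager", "localhost", "manager")):
        return "apache_tomcat_file"
    return None

def rotation_gaps(filenames):
    """Map each FileName to the dates missing between its first and last daily log."""
    seen = {}
    for filename in filenames:
        parts = split_name(filename)
        if parts:
            seen.setdefault(parts[0], set()).add(parts[1])
    gaps = {}
    for name, days in seen.items():
        first, last = min(days), max(days)
        expected = {first + timedelta(n) for n in range((last - first).days + 1)}
        gaps[name] = sorted(expected - days)
    return gaps

# Constructed directory listing: catalina has no file for 2013-11-16.
SAMPLE_FILES = [
    "catalina.2013-11-14.log",
    "catalina.2013-11-15.log",
    "catalina.2013-11-17.log",
    "localhost_access_log.2013-10-10.txt",
    "catalina.out",
]
```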
