Post on 26-Apr-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Integrating With Remedy - Micro Focus Community

ArcSight Technical Note

Integrating ArcSight with the Remedy Action Request System

Document Status

The information in this note applies to:

ArcSight Manager
ArcRemedyClient
Remedy ARS v5.0, v6.3 or higher

SUMMARY

The ArcSight ESM system integrates with the Remedy Action Request System using an application called ArcRemedyClient. Remedy can be used to provide supplemental or alternative ticketing, tracking and workflow support for ArcSight security event data. This is useful for customers who are already using Remedy as their centralized ticketing system.

ArcRemedyClient can send events to Remedy without using the ArcSight Case Management System, or it can be configured so that Remedy supplements ArcSight Case Management.

ArcRemedyClient runs in the background, as a service, transferring data from ArcSight to Remedy. ArcRemedyClient can also be configured to update the ArcSight database with Remedy status.

SUPPORTED VERSIONS AND PLATFORMS

ArcRemedyClient is currently supported on Windows, Solaris, and Linux platforms. ArcSight supports integration with Remedy Action Request System 5.0 or higher (including Remedy ARS v6.3).

ArcRemedyClient releases are independent of ArcSight Manager releases. Typically, the latest ArcRemedyClient will work with any ArcSight Manager release.

INSTALLATION

The ArcRemedyClient application is available from ArcSight Support. ArcRemedyClient is distributed in the form of a zip file named ArcRemedyClient.3.0.x.zip. The same zip file is provided for all supported platforms.

Install ArcRemedyClient on the same machine as the ArcSight Manager using these steps:

1 Extract the zip file to a directory on the Manager machine. For Solaris, log in with the ArcSight Manager account (usually ‘arcsight’) and extract the contents of the zip file to /export/home/arcremedy/arcremedyclient.

2 Make sure that Java Runtime Environment v1.4.2 is in your path. If it is not, install it (the JRE is available from http://java.sun.com), or set your path to find the ArcSight Manager’s JRE, in the jre/bin directory under the Manager’s installation directory. To check the version of the Java executable in your path, run java -version.

3 Establish the background service. On Windows, install ArcRemedyClient as a service by running the command bin\arcremedyclientsvc -i. On Solaris, make sure that execute permissions are turned on for all files in bin, bin/wrapper/solaris, and startup/solaris. Run startup/solaris/runAsRoot.sh -i as root to install the daemon. Edit the file /etc/init.d/arcremedyclient and set the Remedy install directory path and the OS user name that the daemon should run as.

4 Configure ArcRemedyClient by specifying the Remedy user name, password, Remedy ARS server name, and the path to the ArcSight Manager home directory. On Windows, add these parameters to bin\arcremedyclientsvc.bat. On Solaris, add these parameters to bin/arcremedyclientsvc.

REMEDY FORMS

Remedy displays ArcSight security event data in screen forms. A sample form called “ArcSight Ticket” is provided with the ArcRemedyClient (form/sample.def and form/sample.xml). Your Remedy forms indicate which ArcSight event fields ArcRemedyClient must transfer. Use the Event Inspector in the ArcSight Console to decide which event fields are of interest in Remedy.

Edit config/arcremedyclient.properties to specify the ArcSight security event fields you want to transfer to Remedy. Use “internal names” in the properties file rather than the “display names” shown in the Event Inspector. For example, use “attackerAddress” for the field that is listed in the Event Inspector as “Attacker Address.” To convert a display name to an internal name, remove all spaces and start the field name with a lowercase letter. Remedy fields also use internal names instead of display names.

The sample “ArcSight Ticket” form looks like this in Remedy:

Note that field labels do not have to match ArcSight field names exactly.
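The display-name to internal-name rule above is easy to get wrong when a field list is pasted from Event Inspector labels, and a mistake only shows up later as a transfer error in the log. The following is an added Python check, not part of the technical note or the ArcRemedyClient distribution: it applies the note's conversion rule and flags display names and duplicates before the service is started. The sample field names are constructed for illustration.

```python
import re

_INTERNAL_RE = re.compile(r"^[a-z][A-Za-z0-9]*$")

def display_to_internal(display_name: str) -> str:
    """Apply the note's rule: remove all spaces from the Event Inspector
    display name and start the result with a lowercase letter."""
    collapsed = "".join(display_name.split())  # drops every run of whitespace
    if not collapsed:
        raise ValueError("empty field name")
    return collapsed[0].lower() + collapsed[1:]

def looks_internal(name: str) -> bool:
    """True when a name already has internal-name shape (e.g. attackerAddress)."""
    return bool(_INTERNAL_RE.match(name))

def normalize_field_list(names):
    """Return (internal_names, warnings) for a list of field names destined for
    config/arcremedyclient.properties. Display names are converted and reported,
    duplicates are dropped and reported, so the list can be corrected before the
    service is started rather than discovered as a transfer error in the log."""
    internal, warnings, seen = [], [], set()
    for raw in names:
        name = raw.strip()
        if not name:
            continue
        fixed = name if looks_internal(name) else display_to_internal(name)
        if fixed != name:
            warnings.append("%r is a display name; use %r" % (name, fixed))
        if fixed in seen:
            warnings.append("%r is listed more than once" % fixed)
            continue
        seen.add(fixed)
        internal.append(fixed)
    return internal, warnings

if __name__ == "__main__":
    # constructed sample list, as it might be pasted from Event Inspector labels
    sample = ["Attacker Address", "targetAddress", "Device Vendor",
              "targetAddress", "Destination Host Name"]
    fields, problems = normalize_field_list(sample)
    print("fields:", fields)
    for p in problems:
        print("warning:", p)
```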


STARTING THE BACKGROUND SERVICE

On Windows, start the ArcSight Remedy Client service from the Services control manager. From the Start menu, open the Control Panel. Open Administrative Tools and run the Services control manager. Right-click ArcSight Remedy Client and choose Start from the menu.

On Solaris, log in as root and run /etc/init.d/arcremedyclient start. Check the file logs/arcremedyclient.log for any startup errors. The log file will be rotated after every 10 MB and ten log files will be kept, by default.

HOW IT WORKS

ArcSight security events and cases are transferred to the Remedy ARS by the ArcSight Remedy Client service, as shown in the following diagram.

ArcSight security events and cases can be transferred to Remedy manually or automatically. To send an event to Remedy manually, right-click one or more selected events in the ArcSight Console and choose Export to External System from the context menu. The export command is also available for Cases in the Navigator panel. The rule action Export to External System can be used in any rule to send an event to Remedy automatically.


The ArcSight Manager exports event and case data in ArcSight XML archive format in the Manager’s archive/exports directory. The Manager will import data from any ArcSight XML archive format files that it finds in the archive/imports directory. The Manager checks for import and export files every minute, by default.

ArcRemedyClient is a Java application which monitors the ArcSight Manager’s import and export directories and connects to the Remedy Action Request System over RPC protocol using the Remedy ARS API. ArcRemedyClient creates a new Remedy ticket for each exported event found in the Manager’s archive/exports directory and deletes the event file if successful. ArcRemedyClient does not update existing Remedy tickets. When Remedy creates the new ticket, ArcRemedyClient notifies the ArcSight Manager of the new ticket ID, which is then stored in the External ID field of the case.

Events that have been successfully sent to Remedy are marked with a red flag in the ArcSight Console event inspector. Cases that have been successfully sent to Remedy are marked with a red flag next to the case in the Navigator panel.
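The export/import handoff described above has an ordering that matters operationally: the ticket ID must reach archive/imports before the export file is removed, and a failed ticket creation must leave the export in place for the next poll. The following Python is an added illustration of one polling pass with that ordering, not the ArcRemedyClient's own code. The XML layout of the export files, the import record format and the ticket IDs are constructed for the example; the real ArcSight XML archive format and the Remedy ARS API call are not shown in the note.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def process_exports(exports_dir, imports_dir, create_ticket, log=print):
    """One polling pass: parse each export file, create a ticket, write the
    ticket ID back for the Manager (case External ID) and only then delete
    the export. A failure leaves the export in place for the next pass."""
    created = {}
    for name in sorted(os.listdir(exports_dir)):
        if not name.endswith(".xml"):
            continue
        path = os.path.join(exports_dir, name)
        try:
            root = ET.parse(path).getroot()
            fields = {child.tag: (child.text or "") for child in root}
            ticket_id = create_ticket(fields)  # Remedy ARS call; must return the ID
            import_path = os.path.join(imports_dir, name)
            with open(import_path + ".tmp", "w", encoding="utf-8") as fh:
                fh.write('<case id="%s"><externalId>%s</externalId></case>\n'
                         % (escape(root.get("id", "")), escape(ticket_id)))
            os.replace(import_path + ".tmp", import_path)  # atomic: no partial file seen
            os.remove(path)  # delete the export only after the import record exists
            created[name] = ticket_id
        except (ET.ParseError, OSError, RuntimeError) as exc:
            log("%s: left in place for retry: %s" % (name, exc))
    return created

def demo():
    """Constructed run: two good export files, one truncated, fake ticket IDs."""
    base = tempfile.mkdtemp()
    exports = os.path.join(base, "archive", "exports")
    imports = os.path.join(base, "archive", "imports")
    for d in (exports, imports):
        os.makedirs(d)
    samples = {  # constructed; not the real ArcSight XML archive layout
        "evt-1.xml": '<event id="1"><name>Port scan</name><attackerAddress>10.0.0.5</attackerAddress></event>',
        "evt-2.xml": '<event id="2"><name>Brute force</name><attackerAddress>10.0.0.9</attackerAddress></event>',
        "evt-3.xml": '<event id="3"><name>Truncated',
    }
    for fname, body in samples.items():
        with open(os.path.join(exports, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    next_id = iter(range(1001, 9999))
    def fake_create_ticket(fields):  # stand-in for the Remedy ARS API
        return "TKT%06d" % next(next_id)
    created = process_exports(exports, imports, fake_create_ticket, log=lambda m: None)
    return {"created": created, "remaining_exports": sorted(os.listdir(exports)),
            "import_records": sorted(os.listdir(imports))}
```

Running demo() shows the truncated file surviving the pass while the two good ones are replaced by import records carrying their ticket IDs.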

GETTING REMEDY STATUS

Once ArcRemedyClient has created a Remedy ticket for a security event, the Remedy system is used to perform workflow operations on that ticket. ArcRemedyClient can optionally be configured to import ticket status from Remedy for use in ArcSight, but it is not recommended and is usually not necessary.

To configure the ArcRemedyClient to poll Remedy for updates made to a specific Remedy form, follow these steps:

1 Specify the Remedy form and field name in config/arcremedyclient.properties.

2 Specify the name of the ArcSight case field where the updated Remedy value should be set. This may require modifying the case configuration file config/archive/handler/external.case.xml. For example, if you want to keep track of changes to a field called “stage,” it must be added to the archive configuration.

3 Restart the ArcRemedyClient service after any change to the configuration.

ArcRemedyClient uses the same /archive/imports mechanism to update status as it does to record ticket numbers as External IDs.


TROUBLESHOOTING

For troubleshooting, it may be more convenient to run ArcRemedyClient from the command line rather than as a service. To run from the command line, run bin\arcremedyclient.bat on Windows or bin/arcremedyclient on Solaris. In production, ArcRemedyClient should be run as a service.

When ArcRemedyClient is run as a service, it logs its activities in logs/arcremedyclient.log. Check this file occasionally to ensure that the service is running without errors.

Contact ArcSight Support for help if necessary. Be prepared to upload all files in the logs directory, the exported Remedy form, and the file config/arcremedyclient.properties.

Last Reviewed: 4/27/2006 Keywords: Manager, Remedy, ArcRemedyClient

This technical note contains confidential information proprietary to ArcSight, Inc. Any party accepting this document agrees to hold its contents confidential, except for the purposes for which it was intended.

Copyright © 2001-2006 ArcSight, Inc. All rights reserved.

ArcSight, the ArcSight logo, ArcSight ESM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, FlexConnector, SmartConnector and CounterAct are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks or registered trademarks of their respective owners.

Please visit http://www.arcsight.com/copyrightnotice to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements.
