Tuesday, September 11, 2007

"Headless" ArcSight Installs

This was brought up by a conference attendee yesterday, and I thought I'd throw my two cents out there for general consumption.

ArcSight has a very nice Java GUI interface for most of the things you need it to do. But if you work in an optimized and/or hardened UNIX environment, chances are pretty good your servers don't have an X-Windows display. This can make installing, upgrading, and managing ArcSight a bit of a hassle, but there are options.

All of the ArcSight installers support a text-only install mode. This is triggered by running the installer with the '-i console' flag. This gives you an old-school text interface (not curses, though having vt100/ANSI emulation is helpful for the password entry prompts) that walks you through the install wizard. You can also run $ARCSIGHT_HOME/bin/runxxxsetup.sh (where xxx is manager, agent, etc.) in text mode. It's a good idea to make sure that $DISPLAY is not set in your shell before you do; if the setup script doesn't detect $DISPLAY, it also runs in text mode.

However, there are a small number of tools that cannot be run in text mode for whatever reason. One example is 'arcsight database pc', which launches the PartitionArchiver configuration tool. In order to run this tool, you need an X11 display. So here's how I do it.

1. Boot a Linux workstation with an X11 display. This is the default GUI for nearly every Linux distro; something like Knoppix will work fine. It does not need to accept connections to port 6000 across the network (a traditional X11 $DISPLAY does, but you don't allow X11 across security domains, right?).

2. Connect to UNIX server with 'ssh -X' which manually configures X11 tunneling over ssh.

3. If you will be su-ing to another user that is not root, run 'chmod 666 $HOME/.Xauthority'. WARNING: Do not do this on any system with multiple users, untrusted services, etc. It should go without saying, but...

4. Run su to the user you need to become (root, arcsight_user, nobody, oracle, 4DGifts, whatever) and set 'XAUTHORITY=/your/ssh/user/home/dir/.Xauthority && export XAUTHORITY'

5. Run ArcSight GUI tools like 'arcsight database pc'
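Steps 3 and 4 done another way, as an added example script (not from the original post): the forwarded cookie is copied into the target user's own ~/.Xauthority with xauth's nextract/nmerge, so the ssh user's .Xauthority never has to be made world-writable. It assumes xauth(1) is installed on the server and takes the target user name as its single argument; the display check and the function names are mine.

```shell
#!/bin/sh
# Added example: hand an ssh-forwarded X11 cookie to another local user
# without 'chmod 666 ~/.Xauthority'. Assumes xauth(1) on the server.

# Print the display number: "localhost:10.0" -> 10, ":0" -> 0.
display_number() {
  n=${1##*:}                 # drop the host part up to the last ':'
  printf '%s\n' "${n%%.*}"   # drop the ".screen" suffix
}

# Succeed (0) only for a display that looks like an 'ssh -X' forwarding:
# host empty or localhost, number >= sshd's default X11DisplayOffset of 10.
# Anything like remotehost:0 would be plain X11 across the network.
is_ssh_forwarded_display() {
  host=${1%%:*}
  case "$host" in ""|localhost) ;; *) return 1 ;; esac
  num=$(display_number "$1")
  case "$num" in ""|*[!0-9]*) return 1 ;; esac
  [ "$num" -ge 10 ]
}

# Copy the cookie for $DISPLAY into the target user's ~/.Xauthority.
# 'su -' resets HOME, so 'xauth nmerge' writes the target's own file and
# the target only needs DISPLAY set afterwards, not XAUTHORITY.
handoff_xauth() {
  target=$1
  is_ssh_forwarded_display "$DISPLAY" || {
    echo "DISPLAY='$DISPLAY' is not an ssh-forwarded display; refusing" >&2
    return 1
  }
  xauth nextract - "$DISPLAY" | su - "$target" -c 'xauth nmerge -'
  echo "Now run: su - $target; export DISPLAY=$DISPLAY; arcsight database pc"
}

if [ $# -gt 0 ]; then handoff_xauth "$1"; fi
```

When the ssh session ends its display number is released, so repeat the handoff for each new session rather than relying on the old cookie.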

I have encountered (with Beryl on Fedora 7) some redraw issues. So be prepared that you might get a window with nothing in it. Also, be patient. The display is being redrawn over an old, inefficient protocol that is additionally being encrypted and tunneled. Performance is good on a LAN or fast WAN connection, but slower connections or connections with latency problems will have slower redraws.
