Logger Release Summary… · 01.05.2020 · Logger L7600 Appliances support RAID-level...
Brian Wolff, Chief PreSales Architect, ArcSight. Updated 01/19/2020
Logger Release Summary: What’s new since Logger 6.0
Logger Release Contents
• Logger Release 6.1
• Logger Release 6.2
• Logger Release 6.3
• Logger Release 6.4
• Logger Release 6.5
• Logger Release 6.6
• Logger Release 6.61
• Logger Release 6.7
• Logger Release 6.71
• Logger Release 7.0
• This presentation documents the continued investment in ArcSight Logger over time.
• To understand WHY you should upgrade to the latest capabilities, please click on the link one version higher than your current installed product version.
• All versions are represented so that you may review capabilities that you are not currently aware of.
Release Version – EOS Date
6.4 – Dec 31 2019
6.5 – Dec 31 2019
6.6 – April 30 2020
6.61 – June 30 2020
6.7 – Jan 31 2021
6.71 – May 30 2021
7.0 – December 31 2021
Appliance EOL: Gen 8 – March 31 2021
Logger Release 7.0.1
Logger Documentation and Videos
• Logger Documentation and helpful Videos can be located at: https://community.microfocus.com/t5/Logger-Documentation/ct-p/LoggerDoc
Logger Release 6.1
• Improved Summary page includes:
• An enhanced look and feel.
• Donut Charts on the summary page by default. You can change the chart type as desired. Available chart types for the summary page are donut, column and table.
• Improved Charts that update in real time as events come in.
• Improved Search page includes:
• The ability to select multiple fields in the search results to add them to the query.
• The ability to expand all Raw events with one click.
• The ability to clear the search filter with one click.
• Improved Search includes:
• Case-insensitive search for super-indexed fields.
• A new Insubnet Operator that enables you to search for IP addresses using subnetting.
• New Eval Operator functions that improve searchability.
• Lookup file updates, including the ability to schedule automatic lookup file updates.
Logger 6.1
• Improved Archiving includes:
• The ability to index archived data, which improves query performance for existing archives.
• An updated Event Archive page that displays Index status and Archive size.
• Improved Reporting includes:
• A new GB / Day report.
• Added support for ArcSight Interactive Discovery.
• The ability to display report run parameters on the report result.
• Report templates that have been updated to include query start and end time in header/footer.
• A new drop-down menu for reports.
• An improved layout of the menu options for Reports.
• Improved Dashboard page includes:
• A new look and feel for all dashboards.
• Dashboards that update in real time as events come in.
• A new Event Count dashboard that displays details of received and forwarded events in the past day.
• A new Monitor Dashboard that provides an easy way to monitor Logger status.
Logger 6.1
• Improved Configuration options include:
• An updated Data Volume Restrictions page that includes a color-coded bar graph that displays the last 30 days of usage.
• The option to email yourself the Data validation result.
• An updated license page that displays the units of ingestion in GB/day.
• A new option to copy configuration backups to a selected location such as a USB drive, local machine, or remotely mounted file system.
• Receivers are now enabled by default when you create them.
• Improved Administration includes:
• A new net-SNMP implementation that provides updated SNMP polling and notifications and supports SNMP v2c, SNMP v3, and MIB II.
• Updated Self-Signing SSL certificates that now use SHA-256.
Logger 6.1
• Improved Manageability through ArcMC includes:
• The ability to set up and deploy multiple Loggers quickly and uniformly with Initial Configurations.
• The ability to manage Logger peering centrally across multiple Loggers.
• The ability to manage Logger Forwarder configuration including Logger Connector Forwarder, Logger ESM Forwarder, Logger TCP Forwarder, and Logger UDP Forwarder.
• The ability to upgrade Loggers in bulk from v6.0 to 6.1
• The ability to manage users, privileges, and roles centrally
• The ability to monitor, report on, and create alerts for Logger usage and license entitlements. For more information on ArcMC features and installation, refer to the ArcSight Management Center Administrator's Guide.
• Other enhancements include:
• The maximum number of real time alerts you can enable at any time has been increased from 5 to 25.
• Cumulative output of the ESM forwarders has been increased to 7.5K EPS.
• Scalable distributed searches across up to 40 peers.
Logger Release 6.2
Logger 6.2
• Improved Performance
• The search speed of the Logger L7600 Appliance is significantly improved over the L7600:
• Super-indexed search is 49% faster
• Indexed search is 32% faster
• Keyword search is 27% faster
• Chart Operator search speed is now 1500% faster running on the ArcSight L7600:
• 5 million events—from 20 minutes to 10 seconds
• 355 million events—from nearly 5 hours to 19 minutes
• Improved scale
• Storage capacity increased from 8 TB to 12 TB per instance
• Super-indexed search maximum partition size increased to accommodate 12 TB
• Enhanced Encryption
• Logger L7600 Appliances support RAID-level encryption with no performance impact
• Encrypted Appliances support data migration
Logger 6.2
• Other Features
• All ESM fields now available in Logger field sets
• Content override option
• Migration support for Connector Appliance data to ArcMC for L3X00 appliances.
• Forced initial password change
• Digitally signed reports
• Updated CIPs Packages for PCI 4.0 and ITGov
• Improved Reports performance
• Support for Federal Information Processing Standard (FIPS)
For details about these features, see the ArcSight Logger 6.2 Administrator’s Guide, available from the ArcSight Product Documentation Community on Protect 724.
Logger Release 6.3
Logger 6.3
• Search Improvements
• Enhanced Logger peer search capabilities and support:
• Up to 100 peers
• Up to 100 concurrent peer searches
• Improved peer search performance
• Search fields are now color coded for easy identification and index status:
• Indexed fields: Green
• Super indexed fields: Dark Green
• Metadata fields: Light gray
• CEF fields: Light green
• Updated User Interface
• For ADP Loggers, a new ADP License Volume page
• Improved usability and updated look and feel
Logger 6.3 (continued)
• New and Enhanced Logger Receivers
• Now supporting CEF 1.0
• New Event Broker receiver enables support for ADP Event Broker
• For Logger Appliances, an automatic firewall configuration script makes updating the firewall fast and easy (See "Firewall Rules" on page 8 for more information)
• A New Approach to Logger Licenses
• Independent license support for ADP ArcSight Loggers and standalone ArcSight Loggers
• All new and upgraded Loggers include a Trial license
• Other New Features and Capabilities
• Capacity pooling support for ADP Loggers is now available to help redistribute and manage the total capacity of your environment
• Users can now use HTTP Strict Transport Security Protocol (HSTS) to ensure that their browsers always connect to Logger over HTTPS
• Digital signature support for Logger reports is now available on reports configured with this option
• For details about these features, see the ArcSight Logger 6.3 Administrator’s Guide, available from the ArcSight Product Documentation Community on Protect 724
Logger Release 6.4
• Search Improvements
• Search for IPv6 data
• Index the request URL field
• Run multiple searches in the same browser session
• View and access searches from the Active Search list on the Search main page
• Administrators can set the number of concurrent searches and the search expiry time value
Logger 6.4
• Reporting Improvements
• Open up to ten Report tabs, so you can move easily from screen to screen as you create, manage, and generate concurrent reports.
• Create Smart reports that can support multiple queries, offer new chart types, and create Smart dashboards.
• Create Smart dashboards that display the results of multiple queries on one dashboard, as well as rich text, slide show, and web page widgets.
• Create new report chart types, including Sunburst, Funnel, Pyramid, Tree maps, Counter, Gauge, and Packed circles.
Logger 6.4
• Other Updates
• Updated Event Broker receiver adds support for Event Broker 2.0, including TLS Client Authentication.
• Logger can now send and receive data in CEF v0.1, v1.0 and raw data formats. CEF 1.0 enables Logger to send and receive IPv6 data.
• Incorporated FIPS Bouncy Castle libraries provide improved security and enable support for TLS 1.2.
• Updated localization for supported languages (Japanese, Traditional Chinese and Simplified Chinese).
Logger 6.4
Concurrent Searches
Capability:
Multiple searches can be started and running concurrently in memory.
Search results can be accessed until they expire.
Number of searches and expiry time is configurable.
Benefit: Increase Analyst’s productivity by having multiple concurrently running searches and ability to fetch the results of recently completed searches.
Improved Reporting and Visualizations
Capability:
Multiple tabs within reports
Smart Grid – Excel like grids for event data.
Trends or forecasting
Several New chart types
Smart Dashboards
Right-click to save charts as Image
Benefit: Ease of use. Pictures are worth 1000 words
New Visualizations: Treemap, Packed Circle, Gauges with customizable threshold, Funnel, Pyramid, Sunburst, Single value with customizable threshold
Logger Release 6.5
Logger 6.5
• Annotation in reporting
• Documentation
• Logger cheat sheets are now available for quick reference
• Licensing
• ADP Logger has an option to disable ArcMC license management.
• Both the ADP Logger license and the capacity can be applied in Logger
Logger 6.5
ADP Logger Standalone Mode
Capability:
Convert ADP Logger to Standalone Logger
- ADP Logger
Requires ArcMC for License Management
License capacity pooling is possible
- Standalone Logger
Logger base license and capacity to be added in Logger
Benefit: Path to G9 ADP Logger appliances, operational ease for Logger-only customers and MSSPs, and air-gapped deployment of ADP Logger
• Reporting Enhancements
• Logger filters and saved searches can be used to create reports
• Charts rendered on reports can be saved as images (SVG, PNG & JPEG)
• Reports can be embedded in emails
Logger Release 6.5
Logger Search Query on Reports
Capability:
After the initial analysis on the logger search page, a report can be created from the search query.
Advanced visualizations can be created.
Pre-created Logger filters and saved searches can be used to create reports
Benefit: Analysts need not be fluent in SQL. Reports get all of Logger’s search features and performance. Reports can view all CEF fields, like Logger search.
• Storage Enhancements
• Archived events created in Logger 6.5 are automatically indexed
Logger Release 6.5
Event Archive with Indexes
Capability:
Starting with Logger 6.5, event archives will have the index information in them.
Eliminates the need to re-index archives.
Benefit: Valuable Time and Space saver.
# of Events – Re-Index Time Saved – Space Saved
11 Million – 7 minutes – 45 MB
22 Million – 14 minutes – 90 MB
44 Million – 49 minutes – 187 MB
Figure: Logger 6.4 Event Archives vs Logger 6.5 Event Archives
• Security Enhancements
• Upgrade from SHA-1 to SHA-2 algorithm strengthens communication between:
• Connectors and receivers
• Event Broker and Receivers
• Forwarders and ESM
Logger Release 6.6
Reporting Enhancements
• SecureData allows users to decrypt values in "Classic" and "Smart" tabular reports and reports with graphs.
• When Smart Reports are loaded, the browser displays the set of data of the current page, improving its performance.
Search Enhancements
• SecureData Decryption allows users to decrypt the grid values of regular searches and searches with graphs from the Search tab. For searches with a chart, the system displays a warning message about encrypted fields used in aggregate operations.
Logger Release 6.61
6.61 Enhancements
• Security Enhancements
• SMTP Auth Support including TLS.
• Updated localization for supported languages: Japanese, Traditional Chinese and Simplified Chinese.
• Users can add up to 48 custom storage groups if there is enough storage volume available. Adding more storage groups in Logger is determined by the partition size and the storage volume available.
Logger Release 6.7
6.7 Features
• GlobalEvent ID – based on generator IDs, GlobalEventID enables the user to set unique identifiers for incoming and existing internal events. This union between the unique identifiers is immutable and cannot be detached.
• Report Improvements:
• New Delivery options FTP and Secure FTP are available in Scheduled Reports > Shared Folder
• The new home page provides direct access to Smart Report Designer, View Dashboard, Job Execution Status, Report Execution Status, Recent Reports, iPackager, Deploy Report Bundle, Published Reports, and the list of Favorite report objects
• In Report Configuration, the Scheduler Job Dispatch Threads and Maximum Concurrent Reports options have been added.
• The user can configure the legend position in the Smart Report.
• In the SmartReportDesigner section, a query object menu and refresh option have been added.
• A Report Status tab has been added to the report vertical menu.
• Charts can be split into one per element on an x-axis field.
6.7 Features
• Unified Query for Search Group Filter
• The user is able to create new Search Group filters based on the AUSM search type of query. This is supported on searches and reports.
• Logger SMB v2 support with CIFS
• Samba servers V2 have CIFS remote file system support.
• CIFS mount from Logger to Windows 2008/2012 R2 server (hardened)
• Logger supports CIFS over Windows Server 2008/2012 R2 (hardened) by using special security flags.
• Retention Policy for Archives
• Similar to the LIVE Event Data retention policy, a new feature has been introduced to manage the retention of archives in days.
• Collecting Logger deployment environment information
• A new feature is added in the Retrieve Logs page. The user can now either include the customer environment deployment info/stats as part of the retrieve logs package or add it without retrieving all the logs.
6.7 Features
• Custom Fields Enhancement
• CEF fields with auto suggestion, in addition to “ad.” fields, can be added to the Logger event schema.
• Increased Storage Volume Size on a Software Logger
• Users can extend their storage volume size up to 16TB, contrasting with the previous 12TB limitation.
Summary of Enhancements
• Support for 100 Peers
• Search for IPv6 data
• Index the requestURL field
• Multiple tabs within reports
• Smart reports
• Smart dashboards
• Annotating a report
• New report chart types (Sunburst, Funnel, Pyramid, Tree maps, Counter, Gauge, and Packed circles)
• Multiple data sources in a single report
• Trend Lines on Reporting charts
• Event Broker receiver with TLS Client Authentication
• CEF v1.0 support to send and receive IPv6 data
• Incorporated FIPS Bouncy Castle libraries provide improved security and enable support for TLS 1.2
• Updated localization for Japanese, Traditional Chinese and Simplified Chinese
• SHA2
• TLS 1.2
• Light & Dark Theme
• Secure and Authenticated SMTP
• Right-click to save charts as SVG, PNG or JPEG
• Embed reports in an email in addition to attaching and linking
• Increase in storage groups – can add up to 48
• Global Event ID
• Software Loggers can store up to 16TBs
• Archive retention policy
• Report Improvements: New FTP and SFTP delivery options
• Unified Query for Search Group Filter
• Logger SMB v2 support for CIFS
• CIFS mount from Logger to Windows 2008/2012 R2 server
• Retention Policy for Archives
• Collect Logger Deployment environment information
• CEF fields with auto suggestion
• And more
Logger Release 6.71
6.71 Maintenance Release
This is a maintenance release that addressed and resolved issues found in the previous version.
Logger Release 7.0
7.0 Enhancements
• 24TB of event storage per Logger (software or L7700 appliances)
• EPS License Support (post-filtering and pre-aggregation pricing model)
• Search Improvements:
• A new UI for Logger search with features like color-coded query strings, event details, event comparisons, grid view, raw event view, column view, etc. This is available in addition to the Classic Search UI.
• Starting with data collected by Logger 7.0, you can now create searches based on the time the event occurred (End Time) in addition to the Logger receipt time.
• The number of concurrent searches can be modified up to a maximum of 25.
• The search hit limit can now be increased to display up to 10 million events per search.
Reporting Improvements
• Report Improvements
• Data Science – Ability to use Python’s Data Science/Predictive analytics capabilities with reporting.
• Reporting on ArcSight Investigate – Uses the ArcSight Investigate Vertica database as a data source in Logger reporting. This enables you to create reports on Investigate data.
• IP to GeoMapping – Ability to convert IP addresses to geo locations and create maps within reports.
• Scheduled empty reports can be suppressed if needed.
• Ability to save the reports as Private or Public.
• Peer search and reporting performance improvements
• Out of the Box Content
• New reports cover up-to-date threats, including cloud attacks, latest vulnerabilities, the OWASP Top 10 Framework, as well as additional security scenarios across the defense-in-depth layers.
Dashboards and Hardware
• 8 new dashboards display a holistic overview of organizational risks, as well as different security scenarios such as malware and attacks, MITRE ATT&CK events reported from ESM, and DGA events.
• Bonding/Trunking of NICs on L7600 Appliances
• The Logger appliance can now receive events from the 2 network interfaces simultaneously from a single IP.
• Gen 10
Other Notable Changes
• Data Corruption Fixes
• Logger’s Take me to feature can take you directly to the Report’s object
• Logger 7.0 Reports will not support Classic Dashboards. During the upgrade, Logger will migrate all to New Dashboards (Classic Dashboard migration tool)
• Rebranding ADP -> Security Open Data Platform
• Localization
• Several Library updates
Logger 7.0: 24 TB of Storage
Why? Need to collect more data, from more sources, and retain it for more time.
Adding more Loggers is one solution.
Adding more storage to a Logger is another solution.
24 TB of Storage
24 TB of Storage - Storage Group, Storage Volume
24 TB in Storage Volume.
12 TB for Default Storage Group and 5GB for Internal
Logger 7.0: New Search UI
Event Grid
Drag and Drop Columns
Resizable columns
Three types of Event results Grid: Grid View, Raw Event View, Column View
Event Details
Hide/show null field values
Expand/collapse field categories
Event Comparison
Query Syntax Highlight
Open Filter and Saved Search
Field set selector
Date Picker
UI Improvements – Search (Demo)
New Search UI - Query with Syntax Highlight
New Search UI - Grid View
New Search UI - Grid + Raw Event View
New Search UI - Raw Event View
New Search UI - Event Details
New Search UI - Compare Events: Select a few events (Ctrl-Click) then press
Logger 7.0: Search Based on Event Occurred Time
Logger Receipt Time vs Event Occurred Time
Logger Receipt Time: The time at which Logger received the event. Referred to on the Logger UI as “Logger Receipt Time”.
Event Occurred Time: The time at which the event actually occurred. Usually the device generates this time; if not, Connectors or Logger do.
Referred to on the Logger UI as End Time.
Available only for event data collected after upgrading to 7.0. Event occurred time will not make use of bloom filters for the 7.0 release; this will be added in an upcoming release.
Search Based on Event Occurred Time (End Time)
Search based on Event Occurred Time - Option to select Receipt Time or End Time – Search Time field
Logger 7.0: EPS Licensing
Events are counted post-filtering and pre-aggregation at connectors.
All events reaching Logger without connectors are counted.
Terms and Calculations:
STEP 1: Calculation of Events Per Day (EPD) – Events Per Day is the total number of events generated in a twenty-four hour clock period. The clock is calculated based on UTC time starting at 00:00:00 and ending at 23:59:59, regardless of any local times that may be in use.
STEP 2: Calculation of Sustained EPS (SEPS) – Sustained EPS is the “constant” Events Per Second that the system sustained within the twenty-four hour clock period. It normalizes peaks and valleys and gives a better indication of use. The formula used for this calculation is (EPD/((60*60)*24)).
STEP 3: Calculation of the 45 day moving median (MMEPS) – Utilizing the SEPS information recorded per day, a moving median EPS value will be identified. The Median value is calculated using a 45 day data set, shifting the calculation window one day every twenty-four hours after the first 45 days. The official clock for calculation purposes is defined by UTC 00:00:00 to 23:59:59 regardless of local time.
IN COMPLIANCE: The customer (Licensee) is determined to be in compliance with the license agreement so long as the MMEPS value indicators remain at or below the purchased licensed capacity.
OUT OF COMPLIANCE: The customer (Licensee) is determined to be in violation of the license agreement when there is presence of three or more consecutive MMEPS value indicators that the purchased license capacity has been exceeded.
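The three steps and the compliance rule above, carried through in code as an added example (not ArcSight's or Micro Focus's own licensing code). It assumes events arrive as ISO-8601 timestamps with UTC offsets, and the daily event counts and the 500 EPS licence capacity are constructed sample values.

```python
"""EPS licence model (EPD -> SEPS -> 45-day MMEPS -> compliance) as an added
worked example, not ArcSight's own code. Sample values are constructed."""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

SECONDS_PER_DAY = (60 * 60) * 24   # the slide's SEPS denominator
WINDOW_DAYS = 45                   # moving-median window from STEP 3
CONSECUTIVE_BREACHES = 3           # OUT OF COMPLIANCE rule


def events_per_day(timestamps):
    """STEP 1: count events per UTC calendar day (00:00:00-23:59:59 UTC).

    Each timestamp is converted to UTC first, so an event logged at 23:30
    local time in UTC-2 lands on the *next* UTC day, as the 'regardless of
    any local times' clause requires."""
    counts = Counter()
    for ts in timestamps:
        utc_day = datetime.fromisoformat(ts).astimezone(timezone.utc).date()
        counts[utc_day.isoformat()] += 1
    return dict(counts)


def sustained_eps(epd):
    """STEP 2: SEPS = EPD / ((60*60)*24)."""
    return epd / SECONDS_PER_DAY


def moving_median_eps(daily_epd):
    """STEP 3: one MMEPS value per day once 45 days of SEPS exist.

    result[i] is the median of the 45 SEPS values ending on input day i + 44;
    the window shifts one day at a time."""
    seps = [sustained_eps(e) for e in daily_epd]
    return [median(seps[i - WINDOW_DAYS + 1:i + 1])
            for i in range(WINDOW_DAYS - 1, len(seps))]


def compliance_status(mmeps, licensed_eps):
    """IN COMPLIANCE while every MMEPS value is at or below capacity;
    OUT OF COMPLIANCE at the first run of three consecutive MMEPS values
    above it. Returns (status, index that completed the run or None)."""
    streak = 0
    for i, value in enumerate(mmeps):
        streak = streak + 1 if value > licensed_eps else 0
        if streak >= CONSECUTIVE_BREACHES:
            return "OUT OF COMPLIANCE", i
    return "IN COMPLIANCE", None


# Constructed daily EPD series: 60 days at a sustained 400 EPS, then 40 days
# at 600 EPS, checked against a hypothetical 500 EPS licence.
EPD_400 = 400 * SECONDS_PER_DAY
EPD_600 = 600 * SECONDS_PER_DAY
SAMPLE_SERIES = [EPD_400] * 60 + [EPD_600] * 40


def sample_run(licensed_eps=500):
    """Run STEP 2, STEP 3 and the compliance rule over SAMPLE_SERIES."""
    return compliance_status(moving_median_eps(SAMPLE_SERIES), licensed_eps)


if __name__ == "__main__":
    # A single burst day does not move the median: still compliant.
    burst = [EPD_400] * 60
    burst[29] = 2000 * SECONDS_PER_DAY
    print(compliance_status(moving_median_eps(burst), 500))
    # A sustained rise does: the 45-day median flips to 600 once 23 of the
    # 45 days in the window run at the higher rate, and three such days in
    # a row trigger the breach.
    print(sample_run())
```

The burst case shows why the median, rather than a peak or mean, is the licence metric: a one-day spike of five times the baseline leaves every MMEPS value unchanged.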
EPS Licensing
Logger 7.0 can work with both GB/day and EPS licenses. The ability to use license capacity across Loggers is possible. Connector version 7.13.0 P1 and above can generate agent:050 with the information needed for EPS licensing.
EPS Licensing – When old versions of connector are sending events
License Usage UI with EPS License
7.0 with EPS license – Exported pdf file
Sample MMEPS calculation
Logger 7.0: Gen 10 Appliances
Logger Gen 10 (Tentative GA – Jan 4th 2020)
DL 360 Gen 10 L7700 Spec:
2 x Xeon-G 5118, 2 x 12 core = 24 cores
12 x 16 GB = 192 GB RAM
10 GB NIC: 2 port Ethernet, 2 port SFP
4 x 10TB SAS 7.2K LFF = 40TB HDD, 30 TB with RAID 5
24 TB of live Event Data
Logger 7.0: Reporting – Data Science
In Logger reporting, Python Data Science can be used to extract knowledge and gain insights from security data collected in Logger.
Python installed on the OS (Redhat/CentOS) is used.
Data Science libraries included in the Logger bits: scikit_learn, numpy, pandas, etc.
Turned off by default; see the Admin Guide note on how to turn on Data Science.
Python can be used for non-data-science aspects as well.
Reporting – Data Science workflow:
Create Query Object (MySQL / Logger search query) -> Data Science Step (Python script: learning and predicting) -> Format/Other steps -> Create Report (Grid, Chart)
Data Science / Predictive Analytics
Data Science Engine component – while creating a reporting Query Object
Python Script of the Data Science Engine component
Sample Data Science Use case (Anas Hadidi): Analyze firewall traffic based on port, and determine the probability of success for traffic to each port. Compare future events to see if they conform to the model (i.e. if traffic on port 1234 is 90% fail, I need to pay attention to every successful access attempt on that port).
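The per-port use case above, as an added example of the learning and predicting steps (not the Logger Data Science Engine's own script). It uses only the standard library instead of the scikit-learn/pandas stack the slide names; the firewall events, port numbers and the 0.25 threshold are constructed, not real.

```python
"""Per-port success model for firewall traffic, an added example that is not
Logger's own Data Science Engine script. All events below are constructed."""
from collections import defaultdict

# Constructed training sample: (destination port, outcome) pairs, shaped like
# the rows a Logger search query would hand to the Data Science step.
TRAINING_EVENTS = (
    [(22, "fail")] * 18 + [(22, "success")] * 2        # SSH: mostly refused
    + [(443, "success")] * 50 + [(443, "fail")] * 5    # HTTPS: mostly allowed
    + [(1234, "fail")] * 27 + [(1234, "success")] * 3  # the slide's 90%-fail port
)
UNSEEN_PORT_PRIOR = 0.5   # what Laplace smoothing assigns to a never-seen port


def port_success_model(events, alpha=1.0):
    """Learning step: P(success | port) with Laplace smoothing (alpha pseudo
    counts per outcome), so a port seen only a few times is not scored as an
    absolute 0 or 1."""
    successes = defaultdict(int)
    totals = defaultdict(int)
    for port, outcome in events:
        totals[port] += 1
        if outcome == "success":
            successes[port] += 1
    return {port: (successes[port] + alpha) / (totals[port] + 2 * alpha)
            for port in totals}


def success_probability(model, port):
    """Model lookup; ports absent from training fall back to the prior."""
    return model.get(port, UNSEEN_PORT_PRIOR)


def unexpected_successes(model, new_events, max_success_probability=0.25):
    """Predicting step: return the new events that are successful connections
    to a port whose learned success probability is at or below the threshold.
    These are the events the slide says deserve attention."""
    flagged = []
    for port, outcome in new_events:
        p = success_probability(model, port)
        if outcome == "success" and p <= max_success_probability:
            flagged.append((port, round(p, 3)))
    return flagged


# Constructed 'future' events to compare against the model.
NEW_EVENTS = [(1234, "success"), (443, "success"), (22, "fail"), (8080, "success")]


def sample_run():
    """Learn from TRAINING_EVENTS, then score NEW_EVENTS."""
    model = port_success_model(TRAINING_EVENTS)
    return unexpected_successes(model, NEW_EVENTS)


if __name__ == "__main__":
    print(port_success_model(TRAINING_EVENTS))
    print(sample_run())
```

Only the success on port 1234 is flagged: the HTTPS success is normal for that port, the SSH event is a failure, and the never-seen port 8080 scores at the 0.5 prior rather than being treated as suspicious on no evidence.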
Logger 7.0: Reporting – On Investigate data
Reporting on ArcSight Investigate workflow: Configure Vertica -> Create Query Object -> Create Reports -> Schedule, Publish, Export, Charts / Maps, Data Science
Logger 7.0: Reporting – IP to Geo
The MaxMind library is used for converting IP to geo location. The latest MaxMind is available with Logger 7.0.
Context updates used by ESM will be used by Logger as well:
Download the Context update file from the Entitlements portal
Logger Configuration -> Import Content
Reporting – IP to Geo
Report with IP to Geo – Recon Activity
Logger 7.0: Out of the Box Content Updates
Major rework of content after 4 years: 100+ New Reports
Device Monitoring – OS, Anti-Virus, Networking, IDS-IPS, DGA, etc.
Foundation – Intrusion, MITRE, Networking, Vulnerability, etc.
OWASP
Cloud – CSA-Treacherous-12
8 New Dashboards: Malware Overview, DGA, MITRE, Attack and Suspicious Activity, etc.
Logger Out of the Box Content
OWASP\A 7 - Cross-Site Scripting\XXS Vulnerabilities (Top Events)
OWASP\A 2 - Broken Authentication\Broken Authentication Events (Signatures)
MITRE Events
MITRE - Radar Overview
DGA – Clients by Outgoing Bytes to DGA Domains
DGA Domains by Client IP Overview
Good for spotting DNS Tunneling only from the graph
DGA – Radar Overview
DGA Dashboard
Logger 7.0: Performance Improvements
Peer Search – RPC calls
Reporting – Logger Search reports parameter fix
Performance Improvements – Search – 6.7x vs 7.0
Performance Improvements – Search – Gen 9 vs Gen 10
Logger 7.0: Rebranding ADP -> Security Open Data Platform (SODP)
• 1 unified license model
• 1 unified license metric for each core product
• Core Product focus
• Separate Software from Hardware
ArcSight SODP overview:
ArcSight Marketplace – Free and Paid Content | Compliance Packages
ArcSight Licensing – four core products, volume licensed:
ArcSight ESM – based on Events per Second
ArcSight Investigate – based on Events per Second
Interset UEBA – based on Entities
ArcSight Logger – based on Events per Second
ArcSight Secure Open Data Platform – included in each core product, also sold separately
Security Open Data Platform (SODP), Guest Data and Targets
• SODP includes:
• ArcMC – management of all solution components and licensing
• Transformation Hub (New name for Event Broker)
• Smart Connectors – includes Flex Connector, Quick Flex and Connector Load balancer
• SODP components are included in every core product
• e.g. “100 EPS Logger Standard Edition” entitles to use the SODP components for ingestion up to 100 EPS
• SODP can be purchased separately if no core product needed/wanted
• For example to forward normalized data only to 3rd party or leverage Transformation Hub’s Kafka for non-ArcSight guest data
• Caution: 1 flat fee for each 3rd Party Destination (Pay per Target) still needed
GB/Day to EPS conversion (1 GB = 1x10^9 Bytes, 1 Event = 600 Bytes):
GB/Day – EPS
5 – 100
12 – 250
25 – 500
50 – 1000
125 – 2500
250 – 5000
500 – 10000
1,250 – 25,000
2,500 – 50,000
• No need for ADP – ADP is discontinued
• Express is discontinued
• All Express are now ESM
• No artificial EPS limits – grow as needed
• No mandatory add-ons nor limits
Logger 7.0: Localization
Updated the localization strings in the Logger application
Fixed the localization bugs
Doc Localization to Japanese
Upcoming & End of Support
Upcoming – Jan/Feb: Data Migration tool, Archive Migration tool, AWS Image, Azure Image
Increased Upper Limit:
Search results can be increased up to 10 Million (separate parameters for UI and API)
Concurrent searches can be increased to 1000
Concurrent reports can be increased to 25
Logger End of Support
Appliance Gen 8 – March 31 2021
Software 6.4 and 6.5 – Dec 31 2019
6.6 – April 30 2020
6.61 – June 30 2020
6.7 – Jan 31 2021
6.71 – May 30 2021
7.0 – December 31 2021
Logger Release 7.0
The Security ArcSight Logger 7.0.1 release (L8316)
Indexing has been improved to process up to 30% more events per second.
Search Improvements:
The “local only” box can now be disabled in both the Classic and the Search page by updating the search.localOnlyChecked property accordingly.
Superindexing is now available for search based on event time, allowing searches to execute much faster.
Logger now supports up to 1,000 simultaneous HTTPS connections.
Technical Requirements / Supported Platforms
• Refer to the Logger Support Matrix, available on the Micro Focus Community site, for details on Logger 7.0.1 platform support.
Logger Release Summary
• But WAIT (embarrassed to say mine is PRE-6.0 and really, really old)
• What about 5.x to 6.0
Logger 6.0
• Improved User Interface (UI), including:
• New Take me to... search box for menu navigation.
• Improved menu structure.
• Updated digital gauges.
• New ability to add a customized logo.
• Improved scalability, including:
• Doubled local storage size. Each instance can support up to 8TB.
• Increased speed of data indexing.
• Improved performance, including:
• Faster UI response times.
• Reduction in the size of the metadata generated. This decreases both the time it takes to retrieve the metadata and the amount of storage space the metadata requires. This improves archive search speed.
• New and improved data analytics, including:
• New lookup operator enables you to augment data in Logger with data from an external file. This enables geo-tagging, asset tagging, user identification, and so on, through static correlation.
• New and improved version of the reporting engine.
Logger 6.0
• Faster searches in peered deployments, including:
• Scalable distributed searches across up to 20 peers. Search speeds increase linearly with the number of peers searched.
• Performance enhancement to distributed searches for non-pipeline searches. To realize these enhancements, all peers must be on Logger 6.0 or later, and the query must not include the regex, rex, parse, keys, transaction, extract, or lookup operators.
• Improved Data Access, including:
• New RESTful Login and Search APIs.
• API support for including peers in searches.
• New content, including:
• New dashboards and fieldsets for security use-cases.
• Added ability to import and export fieldsets.
Logger 6.0
• Other enhancements, including:
• New hash validation of stored data.
• Removal of the challenge response for SSH access to the Logger appliance.
• Managing Logger through ArcMC: Logger 6.0 supports management through ArcMC 2.0.
• However, a new ArcMC Agent is required to manage it.
• In order to manage Logger 6.0 through ArcMC, you must install the ArcMC Agent on Logger.
• If you are managing Logger through ArcMC already, you must install the newest version of the ArcMC Agent before performing any management operations on Logger from ArcMC.
What’s holding you back from upgrading?