Remote File Systems

Your system can mount Network File System (NFS 3.0 only) and CIFS (Windows) shares. As a result, it can read log files and event data from remote UNIX, Linux, and Windows hosts, and from any Network Attached Storage (NAS) solutions based on these operating systems. You need to establish a CIFS mount before you can add a file-based connector on a Windows system to ArcSight Management Center.

Managing a Remote File System

Make sure the following requirements are met before you mount a share.

File System Type

Requirements

CIFS (Windows)

  • A user account that has access to the shared drive exists on the Windows system.

  • The folder to which you are establishing the mount point is configured for sharing.

  • Note: NTLMv2 and NTLMv2i authentication are supported.

NFS

  • Grant your ArcSight system read and write permission on the NFS system.

  • The account used for mounting must use the numeric IDs 1500 for uid, or 750 for gid.

To add a Remote File System mount:

  1. Click Setup > System Admin from the top-level menu bar.

  2. Click Remote File Systems in the Storage section in the left panel.
    The Remote File Systems form is displayed.

  3. Click Add from the top left side of the page and enter values for the following fields in the resulting form.

    Parameter

    Description

    Select File System Type

    Whether you want to mount an NFS or a CIFS share.

    NFS Settings

    Name

    A meaningful name for the mount point. The name cannot contain spaces. This name is used locally on your system to refer to the mount point, and needs to be specified when configuring archive settings for data that will be stored on the share.

    Hostname / IP Address

    The name or IP address of the host to which you are creating the mount.

    Remote Path (for NFS)

    The folder on the remote host that will act as the root of the network file system mount. For example, /public/system_logs.

    Make sure that only this system can write to the location you specify in this field. If multiple systems (or other systems) mount this location and write to it, data on this location will be corrupted.

    Mount Options

    AutoFS options. For example, ro for read-only from the remote host, rw for read-write, or hard to keep retrying until the remote host responds.

    Note: Even if you configure rw permission at your mount point, rw permission is not granted to the remote host if the host is configured to allow read-only access.

    Note: NTLMv2 and NTLMv2i authentication are supported.

    Description

    A meaningful description of the mount point.

    CIFS Settings

    Name

    A meaningful name for the mount point. The name cannot contain spaces. This name is used locally on your system to refer to the mount point, and needs to be specified when configuring archive settings for data that will be stored on the share.

    Location

    Enter the share name in one of the following ways:

    • Share name in this format:

      <IP Address> or <Hostname>:<share_name>

      For example, 198.0.2.160:myshare

      This folder needs to be configured for sharing. (Typically, to configure a Windows folder for sharing, right-click the folder name > Properties > Sharing.)

      Caution: When mounting from a Windows Server 2008 cluster, you must use the hostname, not the IP address, for the mount to succeed.

    • UNC path

      For example, //198.0.2.160/myshare

    Mount Options

    AutoFS options. For example, ro for read-only from the remote host, rw for read-write, or hard to keep retrying until the remote host responds.

    Note: Even if you configure rw permission at your mount point, rw permission is not granted to the remote host if the host is configured to allow read-only access.

    Important: For log file connectors (for example, the Symantec AntiVirus connector), you need to enable the directio option so that ArcSight Management Center can process new events. Enter rw,directio in the File System Mount Options field.

    Description

    A meaningful description of the mount point.

    Credentials for CIFS

    Username

    The name of the user account with read-write privileges to the Windows share.

    Make sure the username is prefixed with the domain information. For example, tahoe\arcsight.

    Password

    The password for the username specified above.

  4. Click Add.

    All mount points are created under /opt/mnt. Note the name of the mount point you create. You need to specify this name when adding a connector that will use this share to ArcSight Management Center.
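
A pre-flight check for the CIFS values described above, as an added example that is not part of the product or its documentation. The function names, the accepted host character set, and the /opt/mnt/<name> path layout are assumptions made for illustration; the sample values are constructed.

```python
import re

# Host part: a hostname or dotted IPv4 address (assumed character set).
HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
COLON_FORM = re.compile(rf"^({HOST}):([^/\\:\s]+)$")   # 198.0.2.160:myshare
UNC_FORM = re.compile(rf"^//({HOST})/([^/\\:\s]+)$")   # //198.0.2.160/myshare
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MOUNT_ROOT = "/opt/mnt"  # the page states mount points are created here


def parse_cifs_location(location):
    """Return (host, share) for either documented Location form, else None."""
    for pattern in (COLON_FORM, UNC_FORM):
        match = pattern.match(location.strip())
        if match:
            return match.group(1), match.group(2)
    return None


def check_cifs_mount(name, location, options, username,
                     log_file_connector=False, server_2008_cluster=False):
    """Return a list of problems; an empty list means the values look valid."""
    problems = []
    if not name or any(ch.isspace() for ch in name):
        problems.append("name: must be non-empty and contain no spaces")
    parsed = parse_cifs_location(location)
    if parsed is None:
        problems.append("location: use <host>:<share_name> or //<host>/<share_name>")
    elif server_2008_cluster and IPV4.match(parsed[0]):
        problems.append("location: use the hostname, not the IP address, for a cluster")
    opts = {o.strip() for o in options.split(",") if o.strip()}
    if log_file_connector and "directio" not in opts:
        problems.append("options: log file connectors need directio, e.g. rw,directio")
    domain, sep, user = username.partition("\\")
    if not (sep and domain and user):
        problems.append("username: prefix with the domain, e.g. tahoe\\arcsight")
    return problems


def local_mount_path(name):
    """Assumed layout: the mount point name directly under /opt/mnt."""
    return f"{MOUNT_ROOT}/{name}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_cifs_mount("av logs", "198.0.2.160/myshare", "rw", "arcsight",
                           log_file_connector=True))
    print(local_mount_path("av_logs"))
```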

To edit a Remote File System mount: 

Note: You cannot edit a mount point if it is in use. The Edit link is displayed only if the mount point can be edited.

  1. Click Setup > System Admin from the top-level menu bar.

  2. Click Remote File Systems in the Storage section in the left panel.

  3. Select the mount point you want to edit, and click Edit from the top left side of the page.

  4. Change the field values.

  5. Click Save.

To delete a Remote File System mount: 

Note: You cannot delete a mount point that is in use. The Delete link is displayed only if the mount point can be deleted. Once stopped, expect up to a two-minute delay before the mount can be edited or deleted.

  1. Click Setup > System Admin from the top-level menu bar.

  2. Click Remote File Systems in the Storage section in the left panel.

  3. Select the mount point you want to delete, and click Delete from the top left side of the page.