Transformation Hub

For information about configuring a SmartConnector as a Transformation Hub producer, refer to the Administrator's Guide to ArcSight Platform, available on the ArcSight Documentation site.

Parameters

What to specify or select

Kafka Broker Host(s):Port(s)

This is a mandatory field.

You must specify at least one server. If there are multiple servers, specify a comma-separated list of hostnames and ports used to establish communication with the Transformation Hub cluster. It is not necessary to list all servers in the cluster; however, if none of the servers listed can be contacted, the Connector cannot send events to Transformation Hub.
For example: kafka1.example.com:9093,kafka2.example.com:9093.

Kafka Broker on SSL/TLS

Determines whether events are sent with TLS encryption. Select one of the following options:

  • false - (default)
  • true - Select true to access the Kafka broker on SSL/TLS.

If you select true, you must provide the SSL/TLS Truststore Password and the location of the SSL/TLS Truststore File Path.

When Kafka Broker on SSL/TLS is set to true, a secure connection will be established with the Kafka broker(s) specified in the Kafka Broker Host(s):Port(s) field.

Note: If you want to set the Kafka Broker on SSL/TLS parameter to true, refer to the ArcSight Platform admin guide for instructions on performing the certificate trust exchange between the SmartConnector and Transformation Hub for the secure connection to work properly.

TH User Name

Specify the user name and password of the TH server to connect to the server over SSH or SCP. The Connector connects to the TH server to fetch the server certificate and import it into the truststore of the Connector; it also copies the Certificate Signing Request (CSR) to the server and gets the CSR signed.

TH Password

Receive Acknowledgment

This is a mandatory field.

Select a value to determine if and how the Connector waits for acknowledgment from Transformation Hub that it has received the event.
Select one of the following options:

  • None: Default. The Connector does not wait for acknowledgment. This can result in lost events if the receiving Kafka server fails. However, selecting this option provides a significantly higher throughput.
  • Leader: The Connector waits for acknowledgment from the primary Transformation Hub server for the event’s partition. This option protects against data loss in most circumstances while providing reasonable performance. However, selecting this option can affect the throughput.
  • All: The Connector waits for an acknowledgment from all Transformation Hub servers that contain a backup for the event’s partition. This protects against lost events in nearly all circumstances, but significantly reduces throughput.

Content Format

Kafka Topic

Select any of the following topics for the corresponding content format:

Content Format Kafka Topic
Avro

th-arcsight-avro

Supports ArcSight 2020.3 or later. Supports Avro events to be sent to Transformation Hub.
Note: ArcSight 2020.3 refers to the third release of ArcSight in the year 2020.

CEF (for IPv4)

th-cef

Supports IPv4. Use with Logger 6.3.0 or later versions.

Selecting CEF (for IPv4) lets you configure the content format for Logger/Investigate/Hadoop/3rd parties.

CEF (for IPv4 and IPv6)

th-cef

Supports IPv4 and IPv6. Use with Logger 6.4.0 or higher versions. In addition to IPv6 support, this option adds support for long values for Bytes In/Out fields.

Selecting CEF (for IPv4 and IPv6) lets you configure the content format for Logger 6.4 or higher/IPv6/Investigate.

ESM Binary

th-binary_esm

Supports all versions of ESM.

For more information, refer to the Support Matrix for ArcSight ESM guide, available on the ArcSight Enterprise Security Manager (ESM) Documentation page.

Selecting ESM Binary lets you configure the content format for ESM.

Note: The default Content Format is CEF (for IPv4 and IPv6) and Kafka Topic is th-cef. However, you can change the content format as required.

Compression Type

Compression reduces disk space and network bandwidth requirements.

Select the compression algorithm used (gzip, zstd, none) when Transformation Hub copies events, such as when routing events between Topics.

  • gzip - The default value.
    Note: The zstd algorithm performs better than gzip, but requires Kafka client library version 2.1.0 or later.
  • zstd - Supported only in Transformation Hub 3.3 and SmartConnector 8.0.0. If your Transformation Hub version is 3.2, use gzip as the compression type. This compression type works only for Logger 7.0, ESM 7.2, IDI 1.1, or their later versions.

ESM Version for ESM Topic

Select the ESM version number of the desired ESM topic. If you do not select any value, the latest version of ESM is considered.

This field is mandatory when the Content Format is selected as ESM Binary.

Schema Registry Host:Port

Specify the host:port of the Schema Registry node from which the schema is fetched using HTTPS.

Use the FQDN or the IP address for the Virtual IP of the master node of the Transformation Hub to achieve high availability. In this case, if the primary node fails, the Virtual IP will automatically migrate to a failover master node and the connector will still be able to access the schema registry without having to reconfigure the connector. If Transformation Hub is configured with only a single master node, use the FQDN or IP address of that master node.

Use 32081 as the port unless it is customized in your environment.

Note: For an AWS environment, use the cluster DNS hostname:32081.

This field is mandatory when the Content Format is selected as Avro.

SSL/TLS Truststore File Path

Specify the location of the SSL/TLS truststore file. This is required to access the HTTPS Schema Registry for Avro or for TLS-based secure communication with the Kafka brokers.
It is optional for text-based communication with Kafka brokers.

This field is mandatory when the Content Format is selected as Avro or when Kafka Broker on SSL/TLS is set to true.

SSL/TLS Truststore Password

Specify the password for the SSL/TLS truststore file.

This field is mandatory when the SSL/TLS Truststore File Path is specified.

Use SSL/TLS Client Authentication

Determines whether a client certificate is used for TLS to identify the Connector. Select one of the following options:

  • false - (default)
  • true - Select true if client authentication is enabled for Kafka broker, Schema Registry, or both.

If you select true, ensure that the Kafka Broker on SSL/TLS is enabled. You must also provide values for the SSL/TLS Keystore File Path, SSL/TLS Keystore Password, and SSL/TLS Key Password parameters.

Note: If you want to set the Use SSL/TLS Client Authentication parameter to true, refer to the Administrator's Guide to ArcSight Platform for instructions on performing the certificate trust exchange between the SmartConnector and Transformation Hub for the secure connection to work properly.

SSL/TLS Keystore File Path

Specify the location of the SSL/TLS keystore file for client authentication.

Organizational Unit (OU)

Specify the name of your organizational unit.

Organization (O)

Specify the name of your organization.

Location (L)

Specify the name of your city or locality.

State (ST)

Specify the name of your state or province.

Country (C)

Specify the two-letter country code for this unit.
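The conditional requirements stated across the parameter descriptions above (truststore, Schema Registry, ESM version, client authentication) can be checked before the values are entered. The following Python pre-flight check is an added example, not ArcSight code; the dictionary keys and sample paths are hypothetical names chosen for the example, and the broker pattern covers hostnames and IPv4 addresses only.

```python
import re

# Hypothetical keys for this example; not the Connector's own property names.
FORMATS = {"Avro", "CEF (for IPv4)", "CEF (for IPv4 and IPv6)", "ESM Binary"}
BROKER_RE = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")  # hostname or IPv4, then port

def check_destination(cfg):
    """Return findings for one destination; warnings are prefixed 'warning:'."""
    out = []
    def need(key, why):
        if not cfg.get(key):
            out.append(f"{key} is required {why}")
    brokers = [b.strip() for b in cfg.get("brokers", "").split(",") if b.strip()]
    if not brokers:
        out.append("brokers: specify at least one host:port")
    for b in brokers:
        m = BROKER_RE.match(b)
        if not m or not 0 < int(m.group(1)) < 65536:
            out.append(f"brokers: {b!r} is not host:port")
    fmt, tls = cfg.get("content_format"), bool(cfg.get("broker_tls"))
    if fmt not in FORMATS:
        out.append(f"content_format: unknown value {fmt!r}")
    if fmt == "Avro":
        need("schema_registry", "when Content Format is Avro")
    if fmt == "ESM Binary":
        need("esm_version", "when Content Format is ESM Binary")
    if fmt == "Avro" or tls:
        need("truststore_path", "for Avro or when Kafka Broker on SSL/TLS is true")
    if cfg.get("truststore_path"):
        need("truststore_password", "when a truststore path is specified")
    if cfg.get("client_auth"):
        if not tls:
            out.append("client_auth: Kafka Broker on SSL/TLS must be true")
        for key in ("keystore_path", "keystore_password", "key_password"):
            need(key, "when Use SSL/TLS Client Authentication is true")
    if not tls:
        out.append("warning: broker_tls is false, events are sent without TLS")
    if cfg.get("acks", "None") == "None":  # None is the documented default
        out.append("warning: acks is None, events can be lost if a Kafka server fails")
    return out

# Constructed sample: Avro with client authentication but TLS left at its default.
SAMPLE = {"brokers": "kafka1.example.com:9093,kafka2.example.com", "content_format": "Avro",
          "schema_registry": "th.example.com:32081", "truststore_path": "/opt/certs/th.truststore",
          "client_auth": True, "keystore_path": "/opt/certs/th.keystore", "acks": "Leader"}

if __name__ == "__main__":
    for finding in check_destination(SAMPLE):
        print(finding)
```

Findings prefixed with "warning:" mark settings the page allows but describes as weaker (no TLS encryption, no acknowledgment); the others are violations of a stated mandatory-field rule.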