Installing Syslog NG Daemon as a Forwarding Agent

To collect CloudWatch events, you must configure the Syslog NG Daemon SmartConnector as a forwarding agent.

  1. Launch one EC2 instance in a public subnet and one EC2 instance in a private subnet.
  2. Launch a terminal emulator, then log in to the public EC2 instance using its key.

  3. Upload the key of the private EC2 instance to the public EC2 instance.

  4. From the public EC2 instance, run the following command:

    chmod 600 testprivate.pem

  5. SSH to the private instance using the following command:

    ssh -i testprivate.pem ec2-user@private-ip-address

  6. Using an appropriate terminal emulator, upload the Syslog NG Daemon installer to public EC2 instance.

  7. Use the following command to copy the Syslog NG Daemon installer to the private EC2 instance:

    scp -i testprivate.pem ArcSight-<versionnumber>.0-Connector-Linux64.bin ec2-user@private-ip-address:/home/ec2-user/.

  8. Install and configure the Syslog NG Daemon SmartConnector in the private instance.

  9. Select 1.0 as the CEF File version.

  10. Configure the protocol as default TLS.

  11. Configure the port.

  12. Select CSV File or CEF File as the destination. If you use any ArcSight product such as Logger or ESM, select the destination appropriately.

    Note: To emit the Avro output, select Transformation Hub as the destination.

  13. Run the SmartConnector as a standalone process or as a service.

  14. Upload the <ARCSIGHT_HOME>/current/user/agent/remote_management.p12 certificate to the /certs folder in the S3 bucket.
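The following helper is an added example, not part of the ArcSight documentation or the product's own tooling. It covers steps 4 through 7 above: it refuses a key that is not mode 600 (ssh itself rejects keys that are group- or world-readable), confirms the installer exists, and then copies the installer to the private instance. It goes one step beyond the page by using OpenSSH's `-J` (ProxyJump) option so the private instance's key never has to be uploaded to the public instance. The key name `testprivate.pem`, the user `ec2-user`, and the addresses used in the comments are placeholders; set `DRY_RUN=1` to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation).
# Assumptions: OpenSSH 7.3 or later (for -J), key file and installer path
# supplied as arguments, bastion = public instance address, private_ip =
# private instance address. All host values are placeholders.

# Returns 0 when the key file exists and is mode 600 or 400, 1 otherwise.
# This mirrors the chmod 600 step: ssh refuses a key that others can read.
check_key_perms() {
    key=$1
    [ -f "$key" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Copy the installer to the private instance through the public instance.
# Usage: stage_installer KEY BASTION_ADDR PRIVATE_ADDR INSTALLER
# Returns 0 on success (or on a successful dry run), 1 on a failed check.
stage_installer() {
    key=$1 bastion=$2 private_ip=$3 installer=$4
    check_key_perms "$key" || { echo "key $key must be mode 600" >&2; return 1; }
    [ -f "$installer" ] || { echo "installer $installer not found" >&2; return 1; }
    # -J jumps through the bastion; the key stays on the workstation.
    run scp -i "$key" -J "ec2-user@$bastion" "$installer" \
        "ec2-user@$private_ip:/home/ec2-user/"
}

# Interactive shell on the private instance, again via the bastion.
# Usage: ssh_private KEY BASTION_ADDR PRIVATE_ADDR
ssh_private() {
    key=$1 bastion=$2 private_ip=$3
    check_key_perms "$key" || { echo "key $key must be mode 600" >&2; return 1; }
    run ssh -i "$key" -J "ec2-user@$bastion" "ec2-user@$private_ip"
}

# Example invocation with placeholder addresses (203.0.113.10 public,
# 10.0.1.5 private); uncomment to use:
# DRY_RUN=1 stage_installer testprivate.pem 203.0.113.10 10.0.1.5 \
#     ArcSight-VERSION.0-Connector-Linux64.bin
```

Running the copy with `DRY_RUN=1` first lets you confirm the exact `scp` line before anything touches the instances; once the installer is on the private instance, continue with step 8 there.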