Transformation Hub Destinations

A Transformation Hub (TH) Destination establishes a trusted connection between Logger and a Transformation Hub so that you can forward events.

Logger can forward these types of events to a Transformation Hub:

Guidelines for TH Destination:

To create a TH Destination:

  1. From the Configuration > Data > TH Destination page, click the Add button.

  2. Enter the following parameters:

    Parameter

    Description

    Name

    A name for this destination.

    Initial Host Port

    The initial host port Kafka nodes will start using.

    Kafka Broker Host:Port

    The Transformation Hub worker nodes to which the forwarder will direct events. For secure connections, use port 9093. Otherwise, use 9092.

    Note: Make sure the name or IP address you specify in this field is the same one used when configuring the worker nodes of the Transformation Hub.

    Connector Name

    The SmartConnector name. The name of the agent that OBC creates to point to the destination.

    Connector Location

    The physical location of the SmartConnector machine.

    To not specify a location, enter None.

    Logger Location

    The Logger’s physical location.

    Content Format

    Content format that will be transferred to the TH Destination.

    • Avro: ArcSight 2020.3 or later.
    • CEF (for IPv4): Logger 6.3.0 or earlier.
    • CEF (for IPv4 and IPv6): Logger 6.4.0 or later.
    • ESM Binary: ESM-only event format for all versions of ESM.

    Content Type

    Type of content that will be transferred to the TH Destination.

    Select one of the following content types:

    • Logger/Investigate/Hadoop/3rd parties
    • Logger 6.4 or higher/IPv6/Investigate
    • ESM

    Kafka Topic

    The Kafka topic that will establish the connection.

    • Avro: Select th-arcsight-avro

    • CEF (for IPv4): Select th-cef

    • CEF (for IPv4 and IPv6): Select th-cef

    • ESM Binary: Select th-binary_esm

    ESM Version for ESM topic

    The desired ESM version to be used.

    Select one of the following ESM versions:

    • 6.11.x
    • 7.2.x

    Schema Registry Host:Port

    Specify the host:port of the Schema Registry node from which to fetch the schema over HTTPS.

    Tip: This is required when Avro content format is selected.

    Receive Acknowledgment

    The acknowledgment mode from partitions.

    Select one of the following modes:

    • Leader
    • None
    • All

    Compression type

    The compression type specifies the compression algorithm used when TH copies events.

    Select gzip algorithm (set by default)

    OR

    Select zstd algorithm for better performance.

    Tip: The zstd algorithm requires Kafka client library version 2.1.0, Logger 7.0, ESM 7.2, and IDI 1.1, or above.

    Kafka Broker on SSL/TLS

    Enables SSL/TLS.

    Select False to disable this option

    OR

    Select True to enable this option.

    Tip: If SSL/TLS authentication is enabled, the SSL/TLS Key Store file and password options need to be filled out.

    SSL/TLS Trust Store file path

    SSL/TLS Trust Store file to upload.

    SSL/TLS Trust Store password

    Password for the SSL/TLS Trust Store.

    Use SSL/TLS Client Authentication

    Enables CA authentication.

    Select False for no security options.

    OR

    Select True for SSL/TLS options.

    Tip: If CA authentication is enabled, the SSL/TLS Key Store file and password options need to be filled out.

    SSL/TLS Key Store file path

    An SSL/TLS Key Store file for CA authentication.

    SSL/TLS Key Store password

    A password for the SSL/TLS Key Store.

    SSL/TLS Key password

    A password for the SSL/TLS Key.

  3. Click Save.
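
A pre-flight check of the values from the parameter table, written here as an added example (it is not part of Logger or the ArcSight documentation): it cross-checks the broker port against the SSL/TLS setting, the topic against the content format, and the store fields against the authentication options. The dictionary keys, the comma-separated broker list, and the rule that TLS needs the Trust Store fields are assumptions of this example.

```python
# Added example; the dict keys are hypothetical names, not Logger identifiers.
# Content Format -> Kafka Topic pairs, as listed in the parameter table.
TOPIC_FOR_FORMAT = {
    "Avro": "th-arcsight-avro",
    "CEF (for IPv4)": "th-cef",
    "CEF (for IPv4 and IPv6)": "th-cef",
    "ESM Binary": "th-binary_esm",
}


def check_th_destination(cfg):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    tls = cfg.get("tls", False)
    want_port = 9093 if tls else 9092  # 9093 for secure connections, else 9092

    # Assumption: several worker nodes are given as a comma-separated list.
    for broker in cfg.get("brokers", "").split(","):
        host, _, port = broker.strip().rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"broker '{broker.strip()}' is not host:port")
        elif int(port) != want_port:
            findings.append(f"broker {host} uses port {port}, expected "
                            f"{want_port} with TLS {'on' if tls else 'off'}")

    fmt = cfg.get("content_format")
    if fmt not in TOPIC_FOR_FORMAT:
        findings.append(f"unknown content format '{fmt}'")
    elif cfg.get("topic") != TOPIC_FOR_FORMAT[fmt]:
        findings.append(f"{fmt} must use topic {TOPIC_FOR_FORMAT[fmt]}")
    if fmt == "Avro" and not cfg.get("schema_registry"):
        findings.append("Avro requires Schema Registry Host:Port")

    # Assumption of this example: a TLS connection needs the trust store fields.
    if tls and not (cfg.get("truststore_path") and cfg.get("truststore_password")):
        findings.append("TLS is on but the Trust Store file or password is missing")
    if cfg.get("client_auth"):
        if not tls:
            findings.append("client authentication is on but TLS is off")
        if not (cfg.get("keystore_path") and cfg.get("keystore_password")):
            findings.append("client authentication needs Key Store file and password")
    return findings


# Constructed sample: TLS on, but plaintext port, wrong topic, no registry/stores.
SAMPLE = {"brokers": "th-worker1.example.com:9092", "tls": True,
          "content_format": "Avro", "topic": "th-cef"}
print(check_th_destination(SAMPLE))
```
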

To delete a TH Destination:

From the Configuration > Data > TH Destination page:

  1. Locate the TH Destination that you want to delete and click the Delete icon on that row.
  2. Confirm the deletion by clicking OK, or click Cancel to retain the Destination.
  3. Repeat this process for each destination you need to delete.

Secure or Update the Logger SSL Configuration for TH Destinations

If you are using an RE External Communication Certificate signed by your Trusted Certificate Authority, instructions to secure or update the SSL configuration for TH destinations are provided in the Administrator's Guide to ArcSight Platform 22.1.

For specific information, see "Configuring Logger as a Transformation Hub Producer" in the Administrator's Guide to ArcSight Platform 22.1.