Endpoint Protection

  • 1.  SEP & Arcsight

    Posted Dec 01, 2009 10:00 AM

    Good day,

    To get right to it, my organization uses Arcsight as our network correlator and I am having issues getting Arcsight to work with SEP. While this problem might need to be thrown to the Arcsight forums, I figured we might give it a shot here.

    Our setup:

    64Bit Windows Server 08 SEPM Server 11.0.5002.333 (asdfsep1)
    64Bit Windows Server 08 SEPM Server 11.0.5002.333 (asdfsep2)
    32Bit 2005 Microsoft SQL Server (standard) 09.00.4053 - database for our clients (asdf115)

    According to Arcsight documentation they (Arcsight) are pulling the plug (Dec 09) on Syslog support for SEP so our only option is to pull data directly from the SQL database.

    Using the SEP DB connector provided by Arcsight we have attempted to install it (on the connector server) with the information it's requesting, which is the database path, name, username and password. The following error is what we see when we attempt to finalize installing the connector:

    Unable to detect database version.
    Tried version [11]. ERROR: [No suitable driver found for jdbc:microsoft:sqlserver://ASDF115:1433;ASDFSEP11]

    The above shows the correct SQL server name, port, and database name using jdbc as our driver authenticating through the SEP DB connector.

    We have 3 people that have attempted to figure this out; we have all tried installing this software and have all done it the same way, with the same result. Anyone have any ideas?

    (Did I say Arcsight enough?)

    -Eddie-



  • 2.  RE: SEP & Arcsight
    Best Answer

    Posted Dec 01, 2009 12:16 PM
    Well Arcsight got back with us (took a week) and much to our surprise...

    We had a space that needed to be removed from the driver URL syntax (at least that's what the main Arcsight Admin is telling me)

    Fixed!


  • 3.  RE: SEP & Arcsight

    Posted Dec 02, 2009 02:20 AM
    Thanks


  • 4.  RE: SEP & Arcsight

    Posted Dec 02, 2009 02:20 AM
    Is there a collector or agent that needs to be installed for Arcsight to get the logs from SEP?