The attached file 'HP Helion OpenStack and ArcSight - Final.zip' contains the resources listed below. Please watch the short 6 min. video of this integration (no audio) before proceeding.
- Logstash configuration file
- ArcSight FlexConnector for HOS
- ArcSight ESM Content Package for HOS
The instructions are in both the attached video (no audio) and the technical whitepaper: http://www8.hp.com/h20195/V2/GetDocument.aspx?docname=4AA5-8025ENW&cc=us&lc=en
This is version 1.0 of the FlexConnector (the regex needs to be cleaned up a bit). Updates for this parser will be posted here until HP ArcSight officially supports OpenStack. Feel free to re-purpose the attached Logstash config file to forward events in real-time from Logstash to ArcSight, Syslog-NG, Splunk, rsyslog, and similar destinations. Enjoy!
IMPORTANT: This integration should work for any flavor of OpenStack (not just Helion) as long as OpenStack is configured to send JSON over Syslog. Please view this link for the list of companies running OpenStack; your customer may be one of them: https://www.openstack.org/foundation/companies/
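To make the "JSON over Syslog" requirement concrete, here is an added example (not the attached FlexConnector or Logstash config, and not HP's code) that does the same job in Python: it takes syslog lines whose payload is an OpenStack oslo.log JSON record, pulls out the fields a SIEM cares about, and emits ArcSight CEF with the escaping CEF requires. The JSON key names (message, levelname, name, asctime, hostname, request_id, user_identity) and the sample lines are assumptions constructed for the example; the FlexConnector in the zip is the supported way to do this in ArcSight.

```python
"""Convert OpenStack JSON-over-syslog lines into ArcSight CEF events.

Added example, not code from the post or from HP. The syslog framing is
RFC 3164 (PRI, timestamp, host, program[pid]:) and the JSON keys follow
oslo.log's JSON formatter as assumed here; adjust both to your deployment.
"""
import json
import re

# Constructed sample input (not real captured traffic): two JSON records and
# one plain-text line that must be skipped rather than crash the pipeline.
SAMPLE_LINES = [
    '<13>Mar  3 10:15:42 controller01 nova-api[2345]: {"message": "POST /v2.1/servers HTTP/1.1 status: 202", '
    '"levelname": "INFO", "name": "nova.osapi_compute.wsgi.server", "asctime": "2015-03-03 10:15:42", '
    '"hostname": "controller01", "request_id": "req-1234", "user_identity": "demo-user demo-project - - -"}',
    '<11>Mar  3 10:15:43 controller01 keystone[2399]: {"message": "Authorization failed for user=demo", '
    '"levelname": "WARNING", "name": "keystone.middleware.auth", "asctime": "2015-03-03 10:15:43", '
    '"hostname": "controller01", "request_id": "req-5678", "user_identity": "- - - - -"}',
    '<13>Mar  3 10:15:44 controller01 nova-api[2345]: plain text line, not JSON',
]

# RFC 3164 header followed by a JSON object as the whole message body.
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\s:\[]+)(?:\[\d+\])?: '
    r'(?P<json>\{.*\})$'
)

# Python log levels mapped onto the CEF 0-10 severity scale (assumed mapping).
LEVEL_TO_SEVERITY = {"DEBUG": 1, "INFO": 3, "WARNING": 5, "ERROR": 7, "CRITICAL": 10}


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash and '=' escaped, newlines encoded."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def parse_syslog_json(line):
    """Return {host, tag, payload} for a JSON-bodied syslog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("json"))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    return {"host": m.group("host"), "tag": m.group("tag"), "payload": payload}


def to_cef(record, product_version="1.0"):
    """Build one CEF line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    p = record["payload"]
    level = str(p.get("levelname", "INFO")).upper()
    severity = LEVEL_TO_SEVERITY.get(level, 3)
    logger = str(p.get("name", record["tag"]))       # logger name doubles as signature id
    message = str(p.get("message", ""))
    header = "|".join(escape_header(f) for f in (
        "CEF:0", "OpenStack", record["tag"], product_version, logger, message, str(severity)))
    # oslo.log user_identity is assumed to be "user project domain ...", "-" when absent.
    identity = str(p.get("user_identity", "")).split(" ")
    user = identity[0] if identity and identity[0] != "-" else ""
    extension = {
        "dvchost": p.get("hostname", record["host"]),
        "cat": logger,
        "externalId": p.get("request_id", ""),
        "suser": user,
        "msg": message,
    }
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in extension.items() if v)
    return header + "|" + ext


def convert_lines(lines):
    """Parse every line, skip the ones that are not JSON records, return CEF strings."""
    events = []
    for line in lines:
        record = parse_syslog_json(line)
        if record is not None:
            events.append(to_cef(record))
    return events


if __name__ == "__main__":
    for cef in convert_lines(SAMPLE_LINES):
        print(cef)
```

The escaping functions are the part worth copying: a message containing `|` or `=` that is forwarded unescaped will shift fields in the ArcSight parser, which is the kind of regex clean-up the FlexConnector note above refers to.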
Helpful OpenStack audit logging resources: