ArcSight Integration

Integration with the ArcSight Enterprise Security Management (ESM) system and a Cloud Integration Point (CIP) enables Wi-Fi Cloud to send events to the designated ArcSight server. The ArcSight server is configured to accept messages that contain detailed event information in ArcSight Common Event Format (CEF). Wi-Fi Cloud requires the IP address or the host name and port on which the ArcSight server receives events. You can also send audit log messages from Wi-Fi Cloud to an ArcSight server.

For more information about CIP mode, see Wi-Fi Cloud Integration with Third-Party Controllers using CIP.

To add an ArcSight server:

  1. Open Discover.
  2. Select System > Third-party Servers > ArcSight Integration.

Screenshot of the ArcSight Integration configuration page in Discover

  1. Select the Enable ArcSight Servers check box.
  2. Click Add ArcSight Server.

Screen shot of the Add ArcSight Server page in Discover

  1. Configure these options:
  • ArcSight Server IP Address / Hostname — IP address or host name of the ArcSight server the Wi-Fi Cloud communicates with.
  • Port Number — Port number of the ArcSight server to which data is sent.
  • Cloud Integration Point (CIP) — If you use a Cloud Integration Point on your network, select a primary and secondary CIP-enabled WatchGuard AP that you want to use to communicate with Wi-Fi Cloud.
  • Enabled — Click this check box to enable CEF messages and audit logs generated by Wi-Fi Cloud to be sent to the ArcSight server.
  • Forward Events — Send CEF messages to the ArcSight server.
  • Forward Audit Logs — Send audit log messages to the ArcSight server.
  1. Click Done.

Current Status displays the status of the ArcSight integration service.

  • Running — The service is running.
  • Stopped — The service has stopped.

If the host name of the server cannot be resolved, the status displays an error: "Cannot resolve hostname for one or more destination servers”.