When you configure Arpalert to send log data to USM Appliance, you can use the Arpalert plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
|Device Type||Network Access Control|
|Data Source Name||Arpalert-syslog|
|Data Source ID||1792|
Note: The ArpAlert plugin does not capture arp-spoofing events, so you will need to use other tools such as arpwatch or arping to monitor for those types of events.
Before you configure the Arpalert integration, you must have the IP Address of the USM Appliance Sensor.
To configure Arpalert to send Syslog messages to USM Appliance
- Download the Arpalert archive from the official website, https://www.arpalert.org/arpalert.html and then compile the source code.
Note: You must compile the source code because packages are not provided.
A simple make install with root privileges will install the application on your computer.
./configure --prefix=/usr/local/arpalert && make &&
You can specify the install base directory with the --prefix parameter, included after the ./configure command. By default, the base directory is /usr/local/arpalert.
A default configuration file is located in the /usr/local/arpalert/etc/arpalert/arpalert.conf directory. The default parameter settings specified in this file can be used in most install environments.
Continuing with root privileges, launch the arpalert program using the following command:
The -d option launches the program in daemon mode. If you always want to run Arpalert in daemon mode, you can edit the Arpalert configuration file and replace daemon = false with daemon = true.
- Monitor the /var/log/messages file to see all the machines detected on your network. These machines are recorded in the /usr/local/arpalert/var/lib/arpalert/arpalert.leases file.
After all local network machines have been discovered, copy the /usr/local/arpalert/var/lib/arpalert/arpalert.leases file into the maclist.allow file:
cat /usr/local/arpalert/var/lib/arpalert/arpalert.leases > /usr/local/arpalert/etc/arpalert/maclist.allow
Note: Don't hesitate to add new mac addresses to this file.
- Restart the Arpalert daemon. Now, all new computers detected are probably intruders, so they are logged. You can run Arpalert with a script to alert you by email, for example, when a suspect computer is detected. Sample scripts are provided in the scripts directory.
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
For troubleshooting, see the vendor documentation.