topic Re: How to get data data from ArcSight Connectors in All Apps and Add-ons

How to get data data from ArcSight Connectors

Paolo_Prigione — Wed, 16 Nov 2011 11:01:39 GMT

The integrating Splunk with Arcsight document, states it is possible to feed Splunk with data coming straight from a Connector. Do you have any idea how this is possible?

The ArcSight website is not as full of infos as Splunk's...
And, yes, I know this might not be the right community, but it's the one I happen to trust.

Paolo

Re: How to get data data from ArcSight Connectors

gooza — Mon, 28 Sep 2020 10:06:52 GMT

I highly recommend using http://splunk-base.splunk.com/apps/22280/cef-common-event-format-extraction-utilities

it parse the arcsight cef format quit easily

as for time stamps extractions I recommend adding the following in the relevent stanza in porps.conf:

TIME_PREFIX = \s(end|rt)\=

TIME_FORMAT = %10S%3n

MAX_TIMESTAMP_LOOKHEAD = 350

Re: How to get data data from ArcSight Connectors

gooza — Wed, 16 Nov 2011 11:25:07 GMT

If you meant how to configure the arcsight agent to send the data out to splunk , let me know and I'll send you instructions on how to ...

run the command ..installdir\current\bin\arcsight agentsetup

choose yes to start the wizardmode
choose I want to add/remove/modify arcsight Manager destinations
choose add new destination
choose raw syslog
add the information of the splunk input you prepared choose the protocol.

hope this helps.

Re: How to get data data from ArcSight Connectors

Paolo_Prigione — Wed, 16 Nov 2011 11:38:13 GMT

Hi, thanks for the reply. Yes, I meant how to configure the Connectors.

Re: How to get data data from ArcSight Connectors

Paolo_Prigione — Wed, 16 Nov 2011 12:03:22 GMT

Hi gooza. So, it is possible to configure an Arcsight Connector to send data to a 3rd party receiver in CEF over Syslog format. Thank you very much

Re: How to get data data from ArcSight Connectors

gooza — Wed, 16 Nov 2011 12:08:25 GMT

Yes , I sent you the instructions how,

Re: How to get data data from ArcSight Connectors

Paolo_Prigione — Tue, 06 Dec 2011 11:19:44 GMT

Just wondering: is it possible to forward CEF data to splunk from Logger itself to Splunk? This would limit the effort on the connectors as, I'm told, you need quite a number of them even for small environments

Re: How to get data data from ArcSight Connectors

dotan_patrich77 — Thu, 29 Mar 2012 12:25:39 GMT

I'm a total noob, and trying to figured out how to configure the cef extraction utils app (http://splunk-base.splunk.com/apps/22280/cef-common-event-format-extraction-utilities) but cannot understand how to work it out

Can you help out in understanding what does it mean to do the following:
"Add REPORT-cefvenets = cefHeaders,cefKeys to relevant stanzas in order for this add-on to parse the events"
what file should i edit?

and secondly, can i apply the app on content that is loaded to splunk via the oneshot rest api?

Re: How to get data data from ArcSight Connectors

gooza — Thu, 29 Mar 2012 12:36:00 GMT

add to your props.conf file under the relevent stanza the row:

REPORT-cefevents = cefHeaders,cefKeys

you can read more on props.conf at

splunk Documentation

Re: How to get data data from ArcSight Connectors

Claw — Mon, 28 Sep 2020 12:19:57 GMT

Some updates to this thread
The CEF app needs to be updated with some small corrections. It will work with any Splunk version 4.1 or later.

Those corrections are listed below. props.conf and transforms.com will work nicely exactly as they are below. All of these are minor improvements and corrections on the advice above.

The default way to send data from an Arcsight Connector with be to a port. The default Arcsight Connector port is 8443

This is what is should look like.

props.conf

[cefevents]
MAX_TIMESTAMP_LOOKAHEAD = 350
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = \s(end|rt)=
pulldown_type = 1
REPORT-cefevents = cefHeaders cefKeys

transforms.conf

[cefHeaders]
REGEX = CEF:(?\d+)|(?[^|])|(?[^|])|(?[^|])|(?[^|])|(?[^|])|(?[^|])

[cefKeys]
REGEX = (?:_+)?(?<_KEY_1>[\w.:,[]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:,[]]+=|$||)))
REPEAT_MATCH = True
CLEAN_KEYS = 1

Re: How to get data data from ArcSight Connectors

Claw — Fri, 24 Aug 2012 22:04:25 GMT

Please ignore the REGEXES above, the editor screws them up.

We will get the proper examples posted in CEF (Common Event Format) Extraction Utilities App

Re: How to get data data from ArcSight Connectors

rakeshmukherjee — Mon, 15 Oct 2012 13:49:09 GMT

Hi, I would appreciate if you can send me the ArcSight connector to SPLUNK configuration instruction. Also what is a good architecture for an MSSP environment, Sending data from connector to SPLUNK or sending data from Logger to SPLUNK?

Re: How to get data data from ArcSight Connectors

gwong3 — Tue, 17 Feb 2015 15:14:01 GMT

Hello. If you still have the configuration on setting up Splunk to receive data from Connectors that'll be awesome! Can you send me a copy of your instructions? Thanks.

Re: How to get data data from ArcSight Connectors

dflodstrom — Tue, 24 Feb 2015 01:46:47 GMT

One option is to create a RAW syslog output destination on your ArcSight connector. On your Splunk server use rsyslog or similar to listen for the incoming syslog feed from the ArcSight connector. Use Splunk to monitor the file it writes. The file is still written to if you stop or restart Splunk.

Do you need more specific instruction?

Re: How to get data data from ArcSight Connectors

cladkins — Wed, 04 Mar 2015 15:50:44 GMT

I'd also like the instructions please.

Re: How to get data data from ArcSight Connectors

ManoharChinnaiy — Wed, 12 Aug 2015 09:53:04 GMT

Hi gooza, Please help me out how to configure arcsight agent to send data to splunk.

Re: How to get data data from ArcSight Connectors

woojacky — Thu, 12 Nov 2015 02:04:26 GMT

Hey gooza, could you send me the instructions for me to have a look? Appreciate!

Re: How to get data data from ArcSight Connectors

phil_wang — Thu, 24 Mar 2016 04:06:26 GMT

Hi Gooza,

Can you forward the document on how to configure the Arcsight agent to send data out to Splunk to me as well please?

Many thanks,

Re: How to get data data from ArcSight Connectors

woojacky — Thu, 24 Mar 2016 04:31:04 GMT

Hey Phil, I didn't get any information from Gooza as well. Nevertheless I worked it out internally with my network folks to eventually send data to Splunk from Arcsight. If you can wait till next Friday when I am back in office I will gladly share the information to you.

Re: How to get data data from ArcSight Connectors

dflodstrom — Thu, 24 Mar 2016 13:06:20 GMT

If you use a connector appliance to manage your ArcSight connectors you can just add a new destination and point it at your Splunk server.

Add Destination > Create a new destination > Raw Syslog. Enter IP/Host, Port, Protocol (UDP), and select 'false' for metadata.

Enable a UDP syslog listener on the port you specified for your destination and have Splunk read the file.