All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to get data data from ArcSight Connectors

Paolo_Prigione
Builder
‎11-16-2011 03:01 AM

The integrating Splunk with Arcsight document, states it is possible to feed Splunk with data coming straight from a Connector. Do you have any idea how this is possible?

The ArcSight website is not as full of infos as Splunk's...
And, yes, I know this might not be the right community, but it's the one I happen to trust.

Paolo

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gooza
Communicator
‎11-16-2011 03:25 AM

If you meant how to configure the arcsight agent to send the data out to splunk , let me know and I'll send you instructions on how to ...

run the command ..installdir\current\bin\arcsight agentsetup

choose yes to start the wizardmode
choose I want to add/remove/modify arcsight Manager destinations
choose add new destination
choose raw syslog
add the information of the splunk input you prepared choose the protocol.

hope this helps.

View solution in original post

Reply
Solved! Jump to solution

woojacky
New Member
‎11-11-2015 06:04 PM

Hey gooza, could you send me the instructions for me to have a look? Appreciate!

0 Karma
Reply
Solved! Jump to solution

ManoharChinnaiy
New Member
‎08-12-2015 02:53 AM

Hi gooza, Please help me out how to configure arcsight agent to send data to splunk.

0 Karma
Reply
Solved! Jump to solution

cladkins
Engager
‎03-04-2015 07:50 AM

I'd also like the instructions please.

0 Karma
Reply
Solved! Jump to solution

gwong3
Engager
‎02-17-2015 07:14 AM

Hello. If you still have the configuration on setting up Splunk to receive data from Connectors that'll be awesome! Can you send me a copy of your instructions? Thanks.

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎12-06-2011 03:19 AM

Just wondering: is it possible to forward CEF data to splunk from Logger itself to Splunk? This would limit the effort on the connectors as, I'm told, you need quite a number of them even for small environments

0 Karma
Reply
Solved! Jump to solution

gooza
Communicator
‎11-16-2011 04:08 AM

Yes , I sent you the instructions how,

0 Karma
Reply
Solved! Jump to solution

tnoelOTS
Explorer
‎07-15-2016 08:52 AM

Gooza,

Could you send me the instructions also please?

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎11-16-2011 04:03 AM

Hi gooza. So, it is possible to configure an Arcsight Connector to send data to a 3rd party receiver in CEF over Syslog format. Thank you very much

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎11-16-2011 03:38 AM

Hi, thanks for the reply. Yes, I meant how to configure the Connectors.

0 Karma
Reply
Solved! Jump to solution

gooza
Communicator
‎11-16-2011 03:18 AM

I highly recommend using http://splunk-base.splunk.com/apps/22280/cef-common-event-format-extraction-utilities

it parse the arcsight cef format quit easily

as for time stamps extractions I recommend adding the following in the relevent stanza in porps.conf:

TIME_PREFIX = \s(end|rt)\=

TIME_FORMAT = %10S%3n

MAX_TIMESTAMP_LOOKHEAD = 350

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...