All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get data data from ArcSight Connectors

Paolo_Prigione
Builder
‎11-16-2011 03:01 AM

The integrating Splunk with Arcsight document, states it is possible to feed Splunk with data coming straight from a Connector. Do you have any idea how this is possible?

The ArcSight website is not as full of infos as Splunk's...
And, yes, I know this might not be the right community, but it's the one I happen to trust.

Paolo

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gooza
Communicator
‎11-16-2011 03:25 AM

If you meant how to configure the arcsight agent to send the data out to splunk , let me know and I'll send you instructions on how to ...

run the command ..installdir\current\bin\arcsight agentsetup

choose yes to start the wizardmode
choose I want to add/remove/modify arcsight Manager destinations
choose add new destination
choose raw syslog
add the information of the splunk input you prepared choose the protocol.

hope this helps.

View solution in original post

Reply
Solved! Jump to solution

woojacky
New Member
‎11-11-2015 06:04 PM

Hey gooza, could you send me the instructions for me to have a look? Appreciate!

0 Karma
Reply
Solved! Jump to solution

ManoharChinnaiy
New Member
‎08-12-2015 02:53 AM

Hi gooza, Please help me out how to configure arcsight agent to send data to splunk.

0 Karma
Reply
Solved! Jump to solution

cladkins
Engager
‎03-04-2015 07:50 AM

I'd also like the instructions please.

0 Karma
Reply
Solved! Jump to solution

gwong3
Engager
‎02-17-2015 07:14 AM

Hello. If you still have the configuration on setting up Splunk to receive data from Connectors that'll be awesome! Can you send me a copy of your instructions? Thanks.

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎12-06-2011 03:19 AM

Just wondering: is it possible to forward CEF data to splunk from Logger itself to Splunk? This would limit the effort on the connectors as, I'm told, you need quite a number of them even for small environments

0 Karma
Reply
Solved! Jump to solution

gooza
Communicator
‎11-16-2011 04:08 AM

Yes , I sent you the instructions how,

0 Karma
Reply
Solved! Jump to solution

tnoelOTS
Explorer
‎07-15-2016 08:52 AM

Gooza,

Could you send me the instructions also please?

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎11-16-2011 04:03 AM

Hi gooza. So, it is possible to configure an Arcsight Connector to send data to a 3rd party receiver in CEF over Syslog format. Thank you very much

0 Karma
Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎11-16-2011 03:38 AM

Hi, thanks for the reply. Yes, I meant how to configure the Connectors.

0 Karma
Reply
Solved! Jump to solution

gooza
Communicator
‎11-16-2011 03:18 AM

I highly recommend using http://splunk-base.splunk.com/apps/22280/cef-common-event-format-extraction-utilities

it parse the arcsight cef format quit easily

as for time stamps extractions I recommend adding the following in the relevent stanza in porps.conf:

TIME_PREFIX = \s(end|rt)\=

TIME_FORMAT = %10S%3n

MAX_TIMESTAMP_LOOKHEAD = 350

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...