I'm finding lots of info on sending Syslog data from SPLUNK to Arcsight but nothing else?
Where is the info on Windows Event Logs? Sourcefire? McAfee ePO, and thousands of other vendors that there is no info about?
Where can I find some info on this please?
I would really appreciate it.
I got some info from an ArcSight engineer that Splunk recently brought out its own App that will preserve log data in the same format that it receives it, and I am led to believe that it does a lot of the processing to make sure that the data coming out of SPLUNK is in the same format that comes in from the different vendors.
It should make it simpler to do and easier to manage, but at the moment I haven't had the chance to look at this and I can't comment directly.
Maybe someone else has done this or knows more about this?
Thanks in advance.
What you're talking about here is just forwarding the data from SPLUNK in SPLUNK's CEF format.
The real question I have here is how can we get the data in a format that ArcSight can accept.
The Splunk Real-Time Output App shows how it can be used to forward CEF events to the ArcSight Syslog connector.
I don't see how the Real-Time Output App can be used to forward SPLUNK CEF events to other connectors.
The CEF events coming out of SPLUNK ARE NOT, I repeat, ARE NOT in the same format as the ArcSight CEF events!
Syslog connector is probably the only ArcSight connector that can easily accept the SPLUNK CEF events because of the similarities with the Syslog protocol and event format.
This is a recipe for disaster when it comes to integrating other vendor products!!!
How in the heck are you supposed to preserve the integrity of the events when the format is not the same coming out as it is going in???!!!
This is really what I'm trying to get at in regard to my original question. I would really like to see your reply to this question.
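As an added example (not code from any poster, nor from Splunk or ArcSight), here is a small Python checker for the ArcSight CEF layout (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension) that can be run over whatever a forwarder emits before pointing it at a connector. The header and extension escaping rules follow the published CEF specification; the sample lines are constructed.

```python
import re

# ArcSight CEF: "CEF:<version>|" then six more '|'-separated header fields, then key=value pairs.
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
# One header field: any run of chars where '\|' and '\\' are escapes, terminated by an unescaped '|'.
_FIELD = r"((?:[^|\\]|\\.)*)\|"
_HEADER_RE = re.compile(r"CEF:(\d+)\|" + _FIELD * 6 + r"(.*)", re.S)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key=value pair

def parse_extension(ext):
    # A value runs up to the next key; '\=' '\\' '\n' '\r' are the only escapes in the extension.
    hits, out = list(_KEY_RE.finditer(ext)), {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e[1], e[1]), raw)
    return out

def parse_cef(line):
    """Parse one event into a dict; a syslog prefix before 'CEF:' is tolerated.
    Raises ValueError where the line departs from the CEF layout."""
    start = line.find("CEF:")
    m = _HEADER_RE.match(line, start) if start >= 0 else None
    if not m:
        raise ValueError("header must be CEF:<version> followed by six more '|'-separated fields")
    header = [re.sub(r"\\([|\\])", r"\1", f) for f in m.groups()[1:7]]  # unescape '\|' and '\\'
    rec = dict(zip(HEADER_FIELDS, header), version=int(m.group(1)))
    sev = rec["severity"]
    if not (sev.isdigit() and 0 <= int(sev) <= 10 or sev in SEVERITY_WORDS):
        raise ValueError(f"severity must be 0-10 or Low/Medium/High/Very-High, got {sev!r}")
    rec["extension"] = parse_extension(m.group(8))
    return rec

def is_arcsight_cef(line):
    """True if the line parses as CEF, False otherwise."""
    try:
        return bool(parse_cef(line))
    except ValueError:
        return False

# Constructed sample lines (not real events); addresses are from RFC 5737 documentation ranges.
GOOD = r"<134>Jan 10 12:00:00 host CEF:0|ExampleVendor|Example\|Product|1.0|100|Pipe \| in name|7|src=192.0.2.10 dst=198.51.100.20 msg=key\=value pair"
BAD = "2024-01-10 12:00:00 action=blocked src=192.0.2.10 dst=198.51.100.20"
```

Feeding the checker a file of forwarded events and counting the lines for which is_arcsight_cef() is False gives a quick measure of how much a given output path actually conforms before the connector sees it.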
I'm talking about sending a copy of the raw events to a third party system, without applying any format to them. Works for any raw data, provided the third party system understands the raw data.