Getting Data In

Where can I find information on sending data other than syslog from Splunk to ArcSight?

Explorer

I'm finding lots of info on sending Syslog data from SPLUNK to Arcsight but nothing else?

Where is the info on Windows Event Logs? Sourcefire? McAfee ePO, and the thousands of other vendors that there is no info about?

Where can I find some info on this please?

I would really appreciate it.


Explorer

I got some info from an ArcSight engineer that Splunk recently brought out its own App that will preserve log data in the same format that it receives it, and I am led to believe that it does a lot of the processing to make sure that the data coming out of SPLUNK is in the same format that comes in from the different vendors.

It should make it simpler to do and easier to manage, but at the moment I haven't had the chance to look at this and I can't comment directly.

Maybe someone else has done this or knows more about this?

Thanks in advance.


SplunkTrust

No need for any app, the URL I posted earlier already describes how to send the raw data to a 3rd party system as it comes into Splunk.

Explorer

What you're talking about here is just forwarding the data from SPLUNK in SPLUNK's CEF format.

The real question I have here is how can we get the data in a format that ArcSight can accept.

The Splunk Real-Time Output App shows how it can be used to forward CEF events to the ArcSight Syslog connector.

I don't see how the Real-Time Output App can be used to forward SPLUNK CEF events to other connectors.

The CEF events coming out of SPLUNK ARE NOT, I repeat, ARE NOT in the same format as the ArcSight CEF events!

Syslog connector is probably the only ArcSight connector that can easily accept the SPLUNK CEF events because of the similarities with the Syslog protocol and event format.

This is a recipe for disaster when it comes to integrating other vendor products!!!

How in the heck are you supposed to preserve the integrity of the events when the format is not the same coming out as it is going in???!!!

This is really what I'm trying to get at in regards to my original question. I would really like to see your reply to this question.

Please Explain...


SplunkTrust

I'm talking about sending a copy of the raw events to a third party system, without applying any format to them. Works for any raw data, provided the third party system understands the raw data.
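The raw-forwarding approach described in this answer (and referred to in the earlier "no need for any app" reply) can be expressed as plain Splunk configuration. The block below is an added example, not the thread's own configuration or the content of the URL the answer refers to: it routes a copy of Windows Security event log data, unformatted, from a Splunk heavy forwarder to a syslog receiver. The hostname, port, output group name and transform name are assumptions.

```ini
# --- outputs.conf (heavy forwarder) -------------------------------------
# Added example; "arcsight_raw" and the server address are assumed values.
# The syslog output sends each event's raw text (_raw) as one syslog
# message, with no CEF or other Splunk formatting applied.
[syslog]
defaultGroup = arcsight_raw

[syslog:arcsight_raw]
server = arcsight-connector.example.internal:514
type = tcp

# --- props.conf ---------------------------------------------------------
# Only send the sourcetype(s) you select; everything else is left alone.
[WinEventLog:Security]
TRANSFORMS-route_to_arcsight = route_to_arcsight

# --- transforms.conf ----------------------------------------------------
# Match every event of that sourcetype and set the syslog routing key
# to the output group defined in outputs.conf.
[route_to_arcsight]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = arcsight_raw
```

Two caveats a practitioner should check before relying on this: the syslog output is a heavy-forwarder feature, so a universal forwarder on the Windows host must first ship the events to a heavy forwarder, and a multi-line Windows event arrives at the receiver as the raw text Splunk collected, not in the native Windows Event Log format, so the receiving connector still has to be able to parse that text. After editing, `splunk btool outputs list --debug` shows the effective output stanzas and which file each setting came from, which is the quickest way to confirm the routing is what you intended.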


Explorer

Is it even possible to integrate non-Syslog data from SPLUNK to ArcSight?

Can you even send real-time events from Windows Event Logs to ArcSight?

I would really like to know...
