My events go from Load Balancer to ArcMC to ESM and Logger.
One thing you would notice with Syslog events when you check from the ESM or Logger is that the Device Address field is the ArcMC appliance and not the actual event source; this was noticed for a couple of devices.
To solve this issue, I had to edit the lbConfig.xml file on the load balancer to add the parameter "syslog.address.prepend.mode" and set it to "always" as the default was "disabled".
Now that fixed the issue, and the event device address is showing as it should be, but it created a new issue with other syslog sources: some events are no longer being parsed correctly, and that's due to the information added by the load balancer.
The solution would be to set "syslog.address.prepend.mode" to "scan", but this might cause performance issues as per the load balancer documentation.
My alternative would be to configure multiple routing policies with different parameter options ("always" and "disabled"), but this will force me to split my syslog event sources, where each will use a different syslog port to match a different routing policy.
I already shared this with the ArcSight support team and we both agreed on this. I wanted to share this with the community to discuss: would anyone suggest a better solution?
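To make the trade-off in the post concrete, the following is an added simulation (my own code, not part of the post and not ArcSight's load balancer or connector code). It models two constructed syslog sources: one that emits a full RFC 3164 header with a HOSTNAME field, and one that omits HOSTNAME, as many small appliances do. The "always" and "disabled" behaviours follow the post; the "scan" behaviour is an assumption (inspect each line and prepend the original sender address only when HOSTNAME is missing), which also illustrates why the documentation warns that it costs more per message. The IP addresses, sample lines and the `relay`, `parse`, `fields_ok` and `evaluate` names are all constructed for the example.

```python
import re

# Constructed sample input (not from the post). Source A emits a full RFC 3164
# header including HOSTNAME; source B omits HOSTNAME, which many small appliances do.
SRC_A = ("192.0.2.10", "<34>Oct 11 22:14:15 fw01 kernel: blocked inbound tcp from 198.51.100.7")
SRC_B = ("192.0.2.20", "<13>Oct 11 22:14:15 app: user login ok")

# <PRI>TIMESTAMP prefix, then HOSTNAME, then the rest (TAG: CONTENT).
PREFIX = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
TAG = re.compile(r"^[^\s:]+: ")


def parse(line):
    """Minimal RFC 3164 header split; returns None when the header is unrecognisable."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def header_has_hostname(line):
    """Heuristic used by the simulated 'scan' mode: if the token sitting in the
    HOSTNAME position ends with ':' it is really the TAG, so HOSTNAME was omitted."""
    p = parse(line)
    return p is not None and not p["host"].endswith(":")


def relay(origin_ip, line, mode):
    """Simulate the load balancer forwarding one line received from origin_ip.
    'always' and 'disabled' behave as the post describes; 'scan' is an ASSUMED
    implementation (inspect the header, prepend only when HOSTNAME is missing),
    which is also why it needs a header parse for every message."""
    if mode == "disabled":
        return line
    if mode == "always":
        insert = True
    elif mode == "scan":
        insert = not header_has_hostname(line)
    else:
        raise ValueError(f"unknown prepend mode: {mode}")
    if not insert:
        return line
    m = PREFIX.match(line)
    if m is None:
        # No recognisable header: put the address at the front so nothing is lost.
        return f"{origin_ip} {line}"
    return f"{m.group(0)}{origin_ip} {line[m.end():]}"


def fields_ok(parsed):
    """True when the split landed where a connector parser expects it:
    HOSTNAME is a real host (not a TAG) and MSG starts with 'TAG: '."""
    return (parsed is not None
            and not parsed["host"].endswith(":")
            and TAG.match(parsed["msg"]) is not None)


def evaluate(mode):
    """Return {source_ip: (host_field_seen_by_connector, fields_ok)} per constructed source."""
    out = {}
    for origin_ip, line in (SRC_A, SRC_B):
        parsed = parse(relay(origin_ip, line, mode))
        out[origin_ip] = (parsed["host"] if parsed else None, fields_ok(parsed))
    return out


if __name__ == "__main__":
    for mode in ("disabled", "always", "scan"):
        print(mode, evaluate(mode))
```

Running it shows the dilemma from the post in one table: with "disabled", source A parses correctly but source B's host field is wrong (its TAG lands in the HOSTNAME slot, so the connector falls back to the transport peer, which is the load balancer); with "always", source B is now right but source A's fields shift by one token and its TAG is lost; only the per-message inspection of the simulated "scan" mode gets both right, at the cost of a header parse on every line. Splitting sources across ports with different routing policies, as the post proposes, is the way to get the same outcome without that per-message cost.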