Forwarding Events from Sentinel or Access Manager Analytics Server to Splunk / ArcSight


This cool solution explains how to configure Sentinel or Access Manager Analytics Server to forward its events to third-party syslog receivers such as Splunk and ArcSight.

Splunk commonly listens for syslog on UDP 514 and TCP 1514, but these ports are set by the Splunk input configuration and may be different in your environment.

ArcSight ESM and Logger commonly receive syslog on UDP port 514 or 8514 and on TCP port 515 or 8515, depending on how the receiver was configured.

Confirm the actual ports with the respective Splunk and ArcSight administrators and make sure network connectivity (including any firewall rules) is in place between the Sentinel server and the Splunk and ArcSight servers before you start. Keep in mind that syslog over UDP is unacknowledged, so events can be lost silently, and that the syslog Integrator sends plain text in both UDP and TCP modes, so forwarded event data is readable on the network path.

Let's take the following use case: Sentinel needs to forward all events of severity 4 and 5 to Splunk, which is listening on UDP port 514, and all events of severity 0 to 5 to ArcSight, which is listening on TCP port 515.


Step 1:


Configure Integrators for SPLUNK and ArcSight

Open Sentinel Control Center -> Configuration -> Configuration Menu -> Integrator Manager.

Click the green add icon at the bottom and configure the new Integrator as follows:

Name: SPLUNK

Select Integrator: Syslog

Service Category: SIEM – Security Event Management

Click Next.

Host: (IP address of the Splunk server)

Port: 514

Protocol: UDP

Send complete event data: Enable

Click Next.

Click Next in the Integrator Properties window.

Click on “Test Configuration”.

Click OK, then Finish.

A new Integrator named SPLUNK is now listed in Integrator Manager.

Repeat the same steps to create an Integrator for ArcSight:

Name: ArcSight

Host: (IP address of the ArcSight ESM or Logger server)

Port: 515

Protocol: TCP

Send complete event data: Enable

Close the Integrator Manager.


Step 2:


Both Integrators are now ready. Next, create the Actions that use them.

In Sentinel Control Center, open Configuration -> Action Manager.

Click Add.

Action Name: Log to SPLUNK

Action: Event Forwarder

Integrator: SPLUNK (select from dropdown)

Click Save.

Now create the Action for ArcSight:

Action Name: Log to ArcSight

Action: Event Forwarder

Integrator: ArcSight (select from dropdown)

Click Save.

Both Actions are now added.

Close Action Manager and Sentinel Control Center.


Step 3:


Now create the Event Routing Rules.

Open Sentinel Web Console -> Routing -> Event Routing Rules -> Create.

Name: Forward Events to SPLUNK

Criteria: (sev:[4 TO 5]) (both bounds of the range are inclusive)

Route to the following services: All

Perform the following action: “Log to SPLUNK”.

Click Save.

Now create the rule for ArcSight:

Name: Forward Events to ArcSight

Criteria: (sev:[0 TO 5])

Route to the following services: All

Perform the following action: “Log to ArcSight”.

Click Save.

Make sure both rules are enabled.

The two criteria overlap: every severity 4 or 5 event matches both rules. Check how your Sentinel version orders and matches routing rules: if rules are applied on a first-match basis in top-down order, the narrower SPLUNK rule must sit above the broader ArcSight rule, otherwise severity 4 and 5 events will be routed to ArcSight only. Verify the result by searching each receiver for a recent high-severity event.

Sentinel now forwards severity 4 and 5 events to Splunk over UDP 514 and severity 0 to 5 events to ArcSight over TCP 515.
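As an added example (not code from this article or from Sentinel), the following Python script mirrors the two routing rules so you can see what a forwarded event looks like on the wire and test that a syslog receiver is reachable before touching Sentinel. The event field names, hostname, syslog facility and the severity-to-syslog mapping are assumptions, and the sample events are constructed. demo() runs against loopback receivers so it works offline; every matching rule is applied to each event, which is what the use case above needs (confirm that your Sentinel version does the same and not first-match only).

```python
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed sample events using common Sentinel field names (sev, evt, sip, sun).
SAMPLE_EVENTS = [
    {"sev": 5, "evt": "Authentication failed", "sip": "10.1.2.3", "sun": "admin"},
    {"sev": 4, "evt": "Policy violation", "sip": "10.1.2.4", "sun": "svc-backup"},
    {"sev": 3, "evt": "Session created", "sip": "10.1.2.7", "sun": "jdoe"},
    {"sev": 0, "evt": "Heartbeat", "sip": "10.1.2.9", "sun": ""},
]

# Assumed mapping of Sentinel severity (0 lowest .. 5 highest) to syslog severity
# (7 debug .. 0 emergency). RFC 3164 PRI = facility * 8 + severity.
SEV_TO_SYSLOG = {5: 2, 4: 3, 3: 4, 2: 5, 1: 6, 0: 7}

def matches(event, lo, hi):
    """Equivalent of the routing criterion (sev:[lo TO hi]); both bounds inclusive."""
    return lo <= int(event["sev"]) <= hi

def syslog_line(event, hostname="sentinel", facility=1):
    """Format one event as an RFC 3164 line carrying the whole event as JSON
    (the effect of 'Send complete event data'). hostname/facility are assumptions."""
    pri = facility * 8 + SEV_TO_SYSLOG[int(event["sev"])]
    now = datetime.now(timezone.utc)
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 timestamp, day space-padded
    return f"<{pri}>{stamp} {hostname} sentinel: {json.dumps(event, sort_keys=True)}"

def send_syslog(line, host, port, proto):
    """Send one line as a UDP datagram or over a short-lived TCP connection."""
    data = (line + "\n").encode()
    if proto == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    elif proto == "TCP":
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(data)
    else:
        raise ValueError(f"unsupported protocol {proto!r}")

def forward(events, rules):
    """Apply every matching rule to every event (an event may go to both SIEMs);
    return the number of lines sent per rule name."""
    sent = {rule["name"]: 0 for rule in rules}
    for event in events:
        for rule in rules:
            if matches(event, rule["lo"], rule["hi"]):
                send_syslog(syslog_line(event), rule["host"], rule["port"], rule["proto"])
                sent[rule["name"]] += 1
    return sent

class _Collector(socketserver.BaseRequestHandler):
    """Loopback stand-in for the Splunk/ArcSight syslog input; records received lines."""
    def handle(self):
        if isinstance(self.request, tuple):      # UDPServer hands over (datagram, socket)
            data = self.request[0]
        else:                                    # TCPServer hands over a stream; read to EOF
            chunks = []
            while chunk := self.request.recv(4096):
                chunks.append(chunk)
            data = b"".join(chunks)
        self.server.received.extend(data.decode().splitlines())

def start_receiver(proto):
    """Start a loopback syslog receiver on an ephemeral port (server_address[1])."""
    server_cls = socketserver.UDPServer if proto == "UDP" else socketserver.TCPServer
    server = server_cls(("127.0.0.1", 0), _Collector)
    server.received = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def wait_for(server, count, timeout=5.0):
    """Poll until the receiver has recorded `count` lines or the timeout passes."""
    deadline = time.monotonic() + timeout
    while len(server.received) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return len(server.received)

def demo():
    """Run the two rules against loopback receivers; return sent and received counts."""
    splunk, arcsight = start_receiver("UDP"), start_receiver("TCP")
    rules = [  # same criteria and protocols as the two Event Routing Rules above
        {"name": "Forward Events to SPLUNK", "lo": 4, "hi": 5, "proto": "UDP",
         "host": "127.0.0.1", "port": splunk.server_address[1]},
        {"name": "Forward Events to ArcSight", "lo": 0, "hi": 5, "proto": "TCP",
         "host": "127.0.0.1", "port": arcsight.server_address[1]},
    ]
    try:
        sent = forward(SAMPLE_EVENTS, rules)
        received = {"SPLUNK": wait_for(splunk, sent["Forward Events to SPLUNK"]),
                    "ArcSight": wait_for(arcsight, sent["Forward Events to ArcSight"])}
    finally:
        for server in (splunk, arcsight):
            server.shutdown()
            server.server_close()
    return {"sent": sent, "received": received}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To check a real destination, point a rule's host and port at the Splunk UDP 514 or ArcSight TCP 515 listener instead of the loopback receiver, run forward() on a single sample event, and search the SIEM for the "sentinel:" tag; a TCP connect failure surfaces immediately as an exception, while a blocked UDP port fails silently, which is exactly why the receiver-side search matters.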


Related documentation:

Managing Integrators

Managing Actions

Creating Event Routing Rules

