Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
farid.merchant@ Respected Contributor.
Respected Contributor.

ArcSight SmartConnector Parser Build is now available

We are pleased to announce that ArcSight SmartConnector Parser Update build is now available for download from the HPE Marketplace web site and the HPE SSO Download Portal.

 Note about SmartConnector Releases

To support newer device versions and to fix parsing issues more rapidly, as of release v7.3.0, the connector framework and connector parser updates are now delivered as separate releases. The connector parser update builds will be released monthly on ArcSightMarketplace, whilst enhancements to the connector framework (including latest parser updates) are released on a three-monthly cycle and available as usual on the SSO Portal.

 You can download parser releases to your workstation to be applied on standalone connectors, or for ease of upgrade and integration, starting with ArcSight Management Center (ArcMC) version 2.5,  you can use ArcMC to retrieve parser releases directly from ArcSight Marketplace for locally/remotely managed connectors.

 NB: Users of ArcMC pre v2.5 and all versions of ConnApp will need to upgrade to ArcMC v2.5 or later to benefit from the streamlined  Parser Update deployment method described above.

 Each connector parser release is supported and certified with the most recent connector framework release, thus:

  • 7.5.1 and 7.5.2 Connector Parser builds will be supported and certified on the 7.5.0 Connector Framework
  • 7.6.1 Connector Parser builds will be supported and certified on the 7.6.0 Connector Framework

And so on.


Parser Enhancements has been made for the following connectors:

  • Cisco IOS Syslog
  • Citrix NetScaler Syslog
  • HPE Operations Manager I Web Services
  • HPE ProCurve Syslog
  • HPE UX Syslog
  • Linux Audit Syslog

 New Device, Component, or OS Version Support 

  • Barracuda Email Security Gateway Syslog (formerly Barracuda Networks Spam Firewall NG Syslog) 8.0
  • Cisco IronPort Email Security Appliance File 10.0
  • Cisco IronPort Email Security Appliance Syslog 10.0
  • McAfee ePolicy Orchestrator DB DLP 10.0 with ePO 5.3
  • Rapid7 NeXpose XML File  6.3

Check Point OPSEC NG

Check Point has updated their servers to be able to use SHA-256 certificates. A newer LEA client is needed to support these SHA-256 certificates. Because the SmartConnector for Check Point OPSEC NG does not use this new LEA client, the connector can no longer connect to collect events. The recommendation is to use the SmartConnector for Check Point Syslog to collect Check Point events. Note that the R77.30 Add-On on the Security Management Server or Multi-Domain Server is required for syslog event collection (see sk105412 at: http://supportcontent.checkpoint.com/solutions?id=sk105412).

 There are many more parsing issues fixed and enhancements delivered with this release. Please read the SmartConnector Release Notes for additional information.

The SmartConnector datasheet listing the SmartConnectors can be download here.

Verify that you have a SmartConnector license before installing these connectors. The SmartConnector license entitlement is included within ADP, or else bundled with ESM or Logger if you have not yet migrated to the ADP licensing model.

You can find documentation and release notes on Protect 724 here.

If you have any questions, please contact Customer Support at: https://softwaresupport.hp.com/.

Thank you,

HPE Security ArcSight SmartConnector Product Team


2 Replies
Honored Contributor.. Karlo_Luiten Honored Contributor..
Honored Contributor..

Re: ArcSight SmartConnector Parser Build is now available

Don't see it on SSO (yet)? 7.6.0 is the latest available...

[edit] got it from Marketplace

Knowledge Partner Knowledge Partner
Knowledge Partner

Re: ArcSight SmartConnector Parser Build is now available

Hello Protect724, Hello ArcSight,

seems the introduction of "IPv6 support" in SC version 7.4.0 added some issues to the SC.

some old methods that tend to have some undocumented features (i.e long to IPv4 without using any __<functiuon>) seems to be gone. ( https://community.saas.hpe.com/t5/ArcSight-Questions/Check-Point-OPSEC-NG-connector-parsing-errors/qaq-p/1519247#M58388 )  

So i can only advise everybody to check their agent.logs for any kind of parsing errors.

The Checkpoint SC for example does not create events (so they are not shipped to logger / esm) if the field "Destination Translated Address" is present.

Happy searching (sadly no easter eggs)!



The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.