Acclaimed Contributor.

ArcSight connectors master index: Smart, CEF, Flex and more

This document contains information on which source devices can send events to ArcSight and how. You will find here pointers to information on ArcSight supported devices, partner provided connectivity solutions and community contributed technology. In addition, the document includes guidelines, best practices and tips & tricks on configuring and connecting source devices.

ArcSight supported devices

3rd party connectors and parsers

This section contains information helpful in connecting to sources not supported by ArcSight:

  • Flex: Contributed flex connectors and parsers
  • Event collection systems that interface with ArcSight
  • CEF: CEF compatible products not certified and therefore not listed above.
  • Configuration: Tips and tricks for configuring and using connectors and sources. These usually apply to ArcSight native smart connectors, in which case this information should be used in conjunction with the official documentation for those smart connectors.
  • Event info: Information about events from the source.
  • Apps: Device specific content packs.

CEF, Configuration, Event Info and Apps are used to clearly tag entries based on their type. Commercial solutions are tagged as "(Commercial)".

Security systems

Gateway security

Intrusion Prevention Systems (IPS)

Web Application Firewalls

Authentication, Identity and Access management

End point security

Data center security

  • (CEF) Trend Micro Deep Security - instruction and mapping can be found in the admin guide. Search for "Syslog Integration (SIEM)".



Threat Intelligence

Operating systems & system utilities

Cloud and virtualization

  • (Syslog, Partial implementation)
  • AWS - ArcSight has an out of the box AWS CloudTrail connector.
  • LogStash, HP Helion and OpenStack
  • (CEF) HyTrust Cloud Control (see admin guide) - a hypervisor security system.
  • (Configuration) - guidelines augmenting the SmartConnector manual on how to configure Box.com to enable connection
  • Microsoft Azure log Integrator and Installation instructions - the integrator collects logs from various Azure sources and creates JSON files. Microsoft provides the flex connector to read those.

Networking and web



  • Office365
  • Exchange Mailbox Events audit data
  • (Commercial) AgileSI (SAP) - AgileSI is a complete security solution for SAP based on ArcSight which includes a comprehensive SAP event collection technology.
  • (Commercial) Logbinder SP (Sharepoint)
  • (Commercial) Logbinder EX (Exchange)
  • (Commercial, CEF) FairWarning - connects ArcSight with many different HealthCare applications including AllScripts, Cerner, EPIC, GE HealthCare & Siemens:
    • Full list of FairWarning supported applications available here
    • - A Protect conference customer use case of using FairWarning with ArcSight

Additional information about CEF integrations and Smart Connectors

Other (non event source) integrations

This section will evolve into a separate resource over time. For now, the information is collected here.

  • - a script for use as a rule action providing an alternative to ESM built-in notifications allowing additional flexibility.

If a device or the version of the device is not supported?

Support for minor versions not specifically listed in the manual

If a minor version is not explicitly called out in the manual, it may still be supported. Specifically, apart from minor exceptions, the following generally holds:

  • A version is supported if in between two tested and documented versions.
  • A minor/minor version (i.e. x.y.z) is supported if the minor version (x.y) or a similar minor/minor version (x.y.w) was tested and documented.


  • Create a parser override or a flex connector. Those can be created by anyone. Refer to the for details
  • Parser overrides may require getting the original obfuscated parser. HPE is providing those parsers to customers who request them on a need basis. Contact support to request one.

Creating a smart connector feature request

If HPE does not support a device or a device version that you use, they recommend that you file a feature request to help prioritize the needed update. Support will ask you to collect many details and even ask for a log file sample.

Python malware intelligence feed for ArcSight ESM

29 Replies
Trusted Contributor.


Thanks. It's enough for me.


Nice collections Ofer.

Super Contributor.


I got a missing page when navigating to the list of supported devices:


We can't find that page, but here's the good news - we've got other ways to find what you need.

Acclaimed Contributor.


Super Contributor.

Hi All

Is there an updated version of this document, HPE ArcSight Connector supported products (4aa5-3404.pdf)? I can see the HPE ArcSight Connector supported platform for installation is still showing CentOS up to 7.1 and Microsoft Windows Server® up to 2012 Standard.



Community Manager

The ArcSight connectors documentation can be found here: https://community.softwaregrp.com/t5/ArcSight-Connectors/tkb-p/connector-documentation

Hope you'll find the doc you are looking for!?
