ArcSight connectors master index: Smart, CEF, Flex and more
This document describes which source devices can send events to ArcSight and how. It collects pointers to information on ArcSight-supported devices, partner-provided connectivity solutions and community-contributed technology, together with guidelines, best practices and tips & tricks for configuring and connecting source devices.
ArcSight supported devices
- List of supported devices
- - Review the documentation to determine the supported source device versions and additional prerequisites.
- Connectors supporting IPv6
3rd party connectors and parsers
This section contains information helpful in connecting to sources not supported by ArcSight:
- Flex: Contributed flex connectors and parsers
- Event collection systems that interface with ArcSight
- CEF: CEF-compatible products that are not certified and therefore not listed above.
- Configuration: Tips and tricks for configuring and using connectors and sources. These usually apply to ArcSight native SmartConnectors, in which case the information should be used together with the official documentation for those SmartConnectors.
- Event info: Information about events from the source.
- Apps: Device specific content packs.
CEF, Configuration, Event Info and Apps are used to clearly tag entries based on their type. Commercial solutions are tagged as "(Commercial)".
- (CEF) Guardium (now IBM InfoSphere Guardium)
- (CEF) F5:
- Cisco ACE
- WebSense / ForcePoint:
- Fixes for ArcSight SmartConnector:
- Activate Content: P-Websense Security
- (CEF) FortiAnalyzer
Intrusion Prevention Systems (IPS)
Web Application Firewalls
- (CEF) Citrix Netscaler WAF
- Incapsula (a cloud-based web application firewall)
Authentication, Identity and Access management
- RSA Identity Management Service 8.x syslog flex connector
- Vasco IdentiKey WUC sub-parser
- Symantec VIP Enterprise Gateway
Endpoint security
- (Configuration) Symantec Endpoint Protection deployment tips:
- Symantec Endpoint Protection Manager 12.1.4 with embedded Sybase DB SmartConnector
- (specifically the doc attached to this comment)
- (Configuration) SEP SmartConnector affecting performance of SEPM
- McAfee VirusScan Enterprise WinC sub-parser
- Dr.Web (for more info on this AV see here)
- (CEF) Comodo MyDLP
- (CEF) Symantec DLP (Vontu):
Data center security
- (CEF) Trend Micro Deep Security - instructions and field mappings are in the admin guide; search for "Syslog Integration (SIEM)".
- Nessus - a script that retrieves Nessus scans into files.
- SSL Framework - Connector and content for Qualys SSL Labs
- STIX and TAXII:
- Sample STIX - IP Watchlist - XML Flex Connector
- - a script to send STIX as CEF to ArcSight
- (CEF) AlienVault Open Threat Exchange
- : mostly about gathering the information, with a hint on how to get it into ArcSight
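The STIX-to-CEF script and the OTX entry above both come down to the same step: turning an indicator list into CEF lines that a SmartConnector syslog listener will accept. The block below is an added example written for this page, not the linked script or any HPE code. It assumes a hypothetical listener on 127.0.0.1:514, uses placeholder vendor/product strings, and runs on a constructed two-entry watchlist; the escaping rules it applies (pipe and backslash in the header, equals sign and backslash in the extension) are the ones from the CEF specification.

```python
"""Build CEF events from an IP watchlist and ship them to a syslog listener.

Added example for this page, not the linked STIX script. Host, port and the
vendor/product strings are placeholders; SAMPLE_WATCHLIST is constructed data.
"""
import ipaddress
import socket
from datetime import datetime, timezone

CEF_VERSION = 0
DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION = "ExampleOrg", "STIX-Watchlist", "1.0"  # placeholders
SEVERITY_BY_CONFIDENCE = {"Low": 3, "Medium": 6, "High": 9}

# Constructed sample indicators, standing in for what a STIX IP watchlist would yield.
SAMPLE_WATCHLIST = [
    {"id": "indicator-1", "ip": "203.0.113.7", "title": "Known scanner", "confidence": "High",
     "description": "Mass scanner|seen=2 days ago"},
    {"id": "indicator-2", "ip": "2001:db8::1", "title": "C2|proxy", "confidence": "Medium"},
]
FIXED_TIME = datetime(2017, 1, 1, tzinfo=timezone.utc)  # deterministic event time for the demo


def escape_header(value):
    """CEF header fields: only backslash and pipe are escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash and '=' are escaped; line breaks become \\r / \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def cef_line(event_class_id, name, severity, extension):
    """CEF:Version|Vendor|Product|Version|Class|Name|Severity|key=value ..."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(escape_header(str(f)) for f in
                      (DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION, event_class_id, name))
    ext = " ".join(f"{k}={escape_extension(str(v))}"
                   for k, v in extension.items() if v not in (None, ""))
    return f"CEF:{CEF_VERSION}|{header}|{severity}|{ext}"


def watchlist_to_cef(indicators, observed_at=None):
    """One CEF event per indicator; a malformed IP raises ValueError before anything reaches the SIEM."""
    observed_at = observed_at or datetime.now(timezone.utc)
    rt_ms = int(observed_at.timestamp() * 1000)  # 'rt' takes milliseconds since the epoch
    lines = []
    for ind in indicators:
        ip = ipaddress.ip_address(ind["ip"])
        ext = {"rt": rt_ms}
        if ip.version == 4:
            ext["src"] = str(ip)                       # src is an IPv4 field in the CEF spec
        else:
            ext["c6a1"], ext["c6a1Label"] = str(ip), "SourceIPv6"  # custom IPv6 field plus label
        ext.update({"cat": "watchlist", "cs1Label": "indicator_id", "cs1": ind["id"],
                    "msg": ind.get("description", "")})
        severity = SEVERITY_BY_CONFIDENCE.get(ind.get("confidence", "Low"), 3)
        lines.append(cef_line("stix-ip-watchlist", ind["title"], severity, ext))
    return lines


def send_syslog_udp(lines, host="127.0.0.1", port=514, pri=134):
    """Send each line as a BSD syslog datagram; PRI 134 = local0.info. Host/port are assumptions."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(f"<{pri}>{stamp} {socket.gethostname()} {line}".encode(), (host, port))


if __name__ == "__main__":
    for line in watchlist_to_cef(SAMPLE_WATCHLIST, FIXED_TIME):
        print(line)
    # send_syslog_udp(watchlist_to_cef(SAMPLE_WATCHLIST))  # uncomment to ship to a real listener
```

Note the asymmetry the sample data exercises: the pipe inside the `msg` value is left alone (it is only special in the header), while the `=` in that same value and the pipe in the event name are escaped. Validating the address with `ipaddress` before formatting keeps a bad feed entry from producing an event the connector will reject or mis-parse.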
Operating systems & system utilities
- Snare - an open source product for collecting events. Sometimes used by our customers to overcome limitations of ArcSight Windows event collection (see this thread). A commercial option is available.
- NXLog - an open source product for collecting events. Sometimes used by our customers to overcome limitations of ArcSight Windows event collection (see this thread). A commercial option is available.
- Microsoft Windows 2008 R2 Terminal Services
- Windows Server Update Services (WSUS) flex
- (Configuration) A better way to integrate AIX with full parsing
- (Commercial) CorreLog Agent for IBM z/OS Mainframe with dbDefender™ for DB2 is a CEF-certified solution for collecting mainframe events, including RACF, TSO logons, production job ABENDs, TCP/IP connections, FTP file transfers, CA Top Secret, ACF2 and DB2 accesses.
- Connector IBM RACF for z/OS - IBM JCL for preprocessing events for the connector
Cloud and virtualization
- (Syslog, Partial implementation)
- AWS - ArcSight has an out of the box AWS CloudTrail connector.
- The following are alternatives using JSON file download and a JSON flex connector. They can be useful as a starting point for AWS sources ArcSight does not support out of the box:
- LogStash, HP Helion and OpenStack
- (CEF) HyTrust Cloud Control (see admin guide) - a hypervisor security system.
- (Configuration) - guidelines augmenting the SmartConnector manual on how to configure Box.com to enable the connection
- Microsoft Azure Log Integrator and installation instructions - the integrator collects logs from various Azure sources and writes JSON files; Microsoft provides the flex connector that reads them.
Networking and web
- Citrix NetScaler - apart from the native ArcSight support:
- (Commercial) Obrela connector for pfSense
- (CEF) Aruba ClearPass
- (CEF) Apache in CEF
- Microsoft DNS Logging and Diagnostics:
- Juniper / Pulse Secure:
- Oracle 12c Unified Table
- (Configuration) MySQL ID-based Flex Connector (Windows) - step-by-step installation guide covering points missing from the official guide
- (Configuration) Override for ArcSight Microsoft SQL Server Multiple Instance Audit DB to solve the TextData field truncation
- (Flex) Oracle TimesTen in memory DB (information on this product here)
- Exchange Mailbox Events audit data
- (Commercial) AgileSI (SAP) - AgileSI is a complete security solution for SAP based on ArcSight, including comprehensive SAP event collection technology.
- (Commercial) Logbinder SP (Sharepoint)
- (Commercial) Logbinder EX (Exchange)
- (Commercial, CEF) FairWarning - connects ArcSight with many different HealthCare applications including AllScripts, Cerner, EPIC, GE HealthCare & Siemens:
- Full list of FairWarning supported applications available here
- - a Protect conference customer use case on using FairWarning with ArcSight
Additional information about CEF integrations and Smart Connectors
- ForeScout: ArcSight integration video
- CyberArk: ArcSight integration video
- IXIA Anue (action connector): white paper, video
- RSA NetWitness Sample Syslog Auditing File
- HP Inc. printers - the following augment the information in the SmartConnector guide:
Other (non event source) integrations
This section will evolve into a separate resource over time; for now the information is collected here.
- - a script for use as a rule action, providing an alternative to the ESM built-in notifications with additional flexibility.
What if a device or device version is not supported?
Support for minor versions not specifically listed in the manual
If a minor version is not explicitly called out in the manual it may still be supported. Specifically, apart from minor exceptions, the following generally holds:
- A version is supported if it falls between two tested and documented versions.
- A minor/minor version (i.e. x.y.z) is supported if the minor version (x.y) or a similar minor/minor version (x.y.w) was tested and documented.
- Otherwise, create a parser override or a flex connector. Anyone can create those; refer to the for details.
- Parser overrides may require obtaining the original obfuscated parser. HPE provides those parsers to customers who request them on a need basis; contact support to request one.
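The two version rules above can be applied mechanically before deciding whether to open a support case or build an override. The following is an added example, not an HPE tool: the documented version list is constructed sample data standing in for the versions a SmartConnector guide lists as tested, and the status names ("between", "sibling") are this example's own.

```python
"""Apply the minor-version support rules above to a version string.

Added example, not an HPE tool. DOCUMENTED_VERSIONS is constructed sample data
standing in for the versions a SmartConnector guide lists as tested.
"""
import re

# Constructed stand-in for the "tested and documented" versions in a connector guide.
DOCUMENTED_VERSIONS = ["11.0", "12.1", "12.1.2", "12.5"]


def parse_version(text):
    """'12.1.4' -> (12, 1, 4). Anything but dotted integers is rejected rather than guessed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(p) for p in version)


def support_status(candidate, documented=DOCUMENTED_VERSIONS):
    """Classify a version as 'documented', 'between', 'sibling' (all supported) or 'unsupported'.

    Returns (status, reason). Tuple comparison orders 12.1 < 12.1.4 < 12.2 as expected,
    so the "between two tested versions" rule is a plain ordering check.
    """
    v = parse_version(candidate)
    docs = sorted(parse_version(d) for d in documented)
    if v in docs:
        return "documented", f"{candidate} is explicitly listed"
    lower = [d for d in docs if d < v]
    upper = [d for d in docs if d > v]
    if lower and upper:  # rule 1: sits between two tested and documented versions
        return "between", f"{fmt(lower[-1])} < {candidate} < {fmt(upper[0])}"
    if len(v) >= 3:      # rule 2: x.y itself or some x.y.w was tested
        siblings = [d for d in docs if d[:2] == v[:2]]
        if siblings:
            return "sibling", f"shares minor version {fmt(v[:2])} with {fmt(siblings[0])}"
    return "unsupported", "outside every documented window; consider a parser override, flex connector or feature request"


def is_supported(candidate, documented=DOCUMENTED_VERSIONS):
    return support_status(candidate, documented)[0] != "unsupported"


if __name__ == "__main__":
    for ver in ("12.1", "12.1.4", "12.3", "12.5.3", "13.0", "10.2"):
        print(f"{ver:>8}: {support_status(ver)}")
```

A version newer than everything in the guide (13.0 against the sample list) is the case that matters in practice: it is not covered by either rule, which is exactly when the feature request described in the next section is the right move.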
Creating a smart connector feature request
If HPE does not support a device or device version that you use, HPE recommends filing a feature request to help prioritize the needed update. Support will ask you to collect many details and may also ask for a log file sample.
Python malware intelligence feed for ArcSight ESM
I got a missing page when navigating to the list of supported devices.
We can't find that page, but here's the good news - we've got other ways to find what you need.
Is there an updated version of this document, HPE ArcSight Connector supported products (4aa5-3404.pdf)? As I can see, the HPE ArcSight Connector supported platforms for installation still show CentOS up to 7.1 and Microsoft Windows Server® up to 2012 Standard.