FireAMP integration to ArcSight.

Hi Community,


We currently have an ArcSight Deployment project. We already have syslog daemon connector on our ArcMC with the default setup. Then the FireAMP admin configured the syslog on their server to send to our ArcMC.

We are receiving unparsed logs from FireAMP with deviceVendor as Unix.

We have exported the rawEvents from the logger (for flexconn development) but it looks like the logs are not that useful and are just informational.

  • Has anyone experienced integrating FireAMP with ArcSight?
  • Do you have a sample of the flex script we can use?
  • Do we need to configure anything else on the FireAMP server to get more logs?


Thanks for the help.


I would also like to add that Cisco introduced a new script for eStreamer integration, as eStreamer is the "supported" way for these types of devices to connect to ArcSight (like Sourcefire, FireCenter, AMP etc.).

It is recommended to use this new script instead of the old perl script in the documentation below.

You would need to make an inquiry to your Cisco Support to get a copy of their new eNcore script; you would be looking for the "eNcore-cli script".

This makes the integration 10 times easier, as you just put this script on your CEF syslog connector; the script contacts eStreamer, gets you the logs, and pipes them into your CEF syslog connector as fully parsed CEF.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius