Acclaimed Contributor.
864 views

Logger CEF Log Forwarder to Express Issue


Hi Friends,

Here is the deployment scenario:

Device sending (CEF) logs --> Logger UDP 514 receiver --> Logger CEF forwarder --> ESM destination (ArcSight Express)

- Device sending (CEF) logs: working fine
- Logger UDP 514 receiver: working
- Logger CEF forwarder: not working
- ESM destination (ArcSight Express): no logs sent

So the logs (the CEF logs received directly from the device) are not getting forwarded from the Logger to ArcSight Express. The filter condition returns the log results in the Logger, but the same filter is not forwarding any logs.

All other devices' logs are getting forwarded without any problem, but the CEF logs received directly from devices are not.

This issue is similar to https://protect724.hp.com/message/42139#42139

Has anyone come across this scenario and resolved it?


Accepted Solution
Acclaimed Contributor.

Had to add failover destination over to ESM directly

11 Replies
Acclaimed Contributor.

Hi Friends,

Has anyone found the solution for this? Or is this another one of the ArcSight Logger tool limitations?

Respected Contributor.
Hi, can you elaborate on this please? I have the same issue.
Absent Member.

Is this the best practice, sending logs directly to a receiver on the Logger? Without a connector, how will the logs be normalized?

Established Member.

You are right that without a connector the logs would not be normalized, but when the end device itself is sending logs in CEF format there is no need for a connector, provided the destination can receive these logs directly and understand them.

If the end device is sending CEF logs, they can be received by a Logger CEF UDP or TCP receiver.

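When a device emits CEF itself and skips the connector, as the reply above describes, nothing between the device and the Logger receiver is checking that the events are actually well-formed CEF. The following Python tool is an added example for this thread (it is not code from the original posts, from ArcSight or from Micro Focus): it builds a CEF event with the escaping the CEF header and extension require (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values), validates a line the way a strict receiver would, parses the extension back out, and can push a single test event as a UDP datagram to a receiver on port 514. The vendor, product, addresses and message text in the sample are constructed, and the host name in the comment at the end is a placeholder. Whether your receiver also expects a syslog header in front of the `CEF:0|...` line is something to confirm against the Logger documentation for your version; the sender here emits the bare CEF line.

```python
"""Build, check and optionally emit CEF events for testing a Logger CEF
receiver.  Added example for this thread, not code from the original
posts or from ArcSight; device names, IPs and message text are constructed."""
import re
import socket

# CEF header layout, seven pipe-separated fields followed by the extension:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")   # key= at start or after a space
_EXT_ESC = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}  # extension escape sequences


def escape_header(value):
    """Header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, dev_version, sig_id, name, severity, extension):
    """Assemble a CEF:0 line from header values and an extension dict."""
    header = "|".join(escape_header(v) for v in
                      (vendor, product, dev_version, sig_id, name, severity))
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_unescaped(text, sep, maxsplit):
    """Split on unescaped `sep`, leaving escape sequences in the parts intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep "\x" together
            cur.append(text[i:i + 2])
            i += 2
        elif text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape_header(value):
    return re.sub(r"\\([\\|])", r"\1", value)


def unescape_extension(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESC.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """key=value pairs; a value runs up to the space before the next key."""
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        if i + 1 < len(keys) and raw.endswith(" "):
            raw = raw[:-1]                           # drop the separator space
        result[m.group(1)] = unescape_extension(raw)
    return result


def parse_cef(line):
    """Return unescaped header fields plus the parsed extension, or None."""
    if not line.startswith("CEF:"):
        return None
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8:
        return None
    event = dict(zip(HEADER_NAMES, (unescape_header(p) for p in parts[:7])))
    event["version"] = event["version"][len("CEF:"):]
    event["extension"] = parse_extension(parts[7])
    return event


def validate_cef(line):
    """Problems a strict receiver would have with this line; [] means well-formed."""
    if not line.startswith("CEF:"):
        return ["line does not start with 'CEF:'"]
    parts = _split_unescaped(line, "|", 7)
    if len(parts) != 8:
        return [f"expected 8 pipe-separated fields, found {len(parts)}"]
    event, problems = parse_cef(line), []
    if not event["version"].isdigit():
        problems.append(f"non-numeric CEF version {event['version']!r}")
    sev = event["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in SEVERITY_WORDS):
        problems.append(f"severity {sev!r} is not 0-10 or Low/Medium/High/Very-High")
    for field in ("device_vendor", "device_product", "signature_id", "name"):
        if not event[field]:
            problems.append(f"empty header field {field}")
    if parts[7] and not event["extension"]:
        problems.append("extension present but contains no key=value pairs")
    return problems


def send_cef_udp(line, host, port=514):
    """Send one event as a raw UDP datagram to a Logger UDP receiver; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


# Constructed sample event: vendor, product, addresses and message are made up.
SAMPLE_EVENT = build_cef(
    "ExampleVendor", "ExampleFirewall", "2.1", "100", "Policy | deny", 7,
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dpt": 443,
     "msg": "rule=block-outbound path C:\\temp"},
)

if __name__ == "__main__":
    print(SAMPLE_EVENT)
    print(validate_cef(SAMPLE_EVENT) or "well-formed")
    print(parse_cef(SAMPLE_EVENT)["extension"])
    # Against a real receiver (placeholder host): send_cef_udp(SAMPLE_EVENT, "logger.example.internal")
```

Run it once against your own device's output before touching the forwarder: a line that fails `validate_cef` (an unescaped pipe in the event name, an unescaped `=` inside a message, a severity outside 0-10) is a device-side problem no forwarder filter will fix. Sending one event per UDP datagram also keeps the test honest, since a receiver will not reassemble a CEF line split across datagrams.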
Absent Member.

Can you please help me get the list of devices which support CEF logs?

Also, please help me on the points below:

1) Currently we are getting 5k EPS for a single event source, and we have the same topology as above: the event source sends logs directly to a TCP receiver. I have not yet added a forwarder to my Logger. So my question is, is receiving 5k EPS directly without a connector a good approach?

2) Will a connector support 5k EPS if we use a connector here?

3) If we add ESM as a forwarder on my Logger, will there be a delay in the logs received by ESM?

4) Will 5k EPS be supported by the forwarder?

Please help us.

Established Member.

Create a separate thread for this, please.

Absent Member.

Hi Anwar, I have created a new query on the forum. Meanwhile, please help me get the list of devices which support the CEF format.

Established Member.

Bookmark this.

Central location for all integration needs.

Absent Member.

Hi Bala,

I am having the same issue. We have added a TCP receiver to our Logger and events are coming into the receiver directly from the event source device. Now, when we add a forwarder, we are not able to send to ESM. Please suggest how we can resolve this issue.

Absent Member.

Hi Bala,

Please explain briefly how this was resolved. I am facing the same problem and I am still not able to fix it.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.