Here is the deployment scenario:
Device sending (CEF) logs --> Logger UDP 514 receiver --> Logger CEF forwarder --> ESM destination (ArcSight Express)
Status of each stage: device = working fine; UDP 514 receiver = working; CEF forwarder = not working; ESM destination = no logs sent.
So the logs (CEF logs coming directly from the device) are not getting forwarded from the Logger to ArcSight Express. The filter condition returns the log results in the Logger, but the same filter is not forwarding any logs.
All other devices' logs are getting forwarded without any problem, but the CEF logs received from devices are not.
This issue is similar to https://protect724.hp.com/message/42139#42139
Has anyone come across this scenario and resolved it?
You are right, without a connector how would logs be normalized? But when the end device itself sends logs in CEF format, there is no need for a connector if the destination can receive these logs directly and understand them.
If the end device is sending CEF logs, they can be received by a Logger CEF UDP or TCP receiver.
Can you please help me get the list of devices which support CEF logs?
Also please help me on the points below:
1) Currently we are getting 5k EPS from a single event source, and we have the same topology as above: the event source sends logs directly to a TCP receiver. But I have not yet added a forwarder to my Logger, so my question is whether receiving 5k EPS directly without a connector will be fine.
2) Will a connector support 5k EPS if we use a connector here?
3) If we add ESM as a forwarder destination on my Logger, will there be a delay in the logs received by ESM?
4) Will 5k EPS be supported by the forwarder?
Please help us.
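The post above relies on the destination being able to "understand" CEF without a connector in between. The following is an added example (not code from the original thread, and not ArcSight's own parser) showing what that understanding actually involves: splitting the seven pipe-delimited header fields while honouring escaped pipes, then splitting the extension into key=value pairs while honouring escaped equals signs and backslashes, and rejecting lines that are not CEF at all. The sample lines, hostnames, vendor names and extension values are constructed for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# CEF header layout:
#   CEF:Version|Device Vendor|Device Product|Device Version|
#       Device Event Class ID|Name|Severity|Extension
HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# An extension key is a run of non-space, non-"=" characters directly
# followed by "=", either at the start of the extension or after whitespace.
# Excluding "\" from the key class means an escaped "\=" inside a value is
# never mistaken for the start of a new key.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")
_ESCAPE_RE = re.compile(r"\\(.)", re.DOTALL)


def _unescape(value: str) -> str:
    # CEF escapes: "\\" -> "\", "\=" -> "=", "\|" -> "|", "\n"/"\r" -> newlines.
    def repl(m: "re.Match[str]") -> str:
        c = m.group(1)
        if c == "n":
            return "\n"
        if c == "r":
            return "\r"
        if c in "\\=|":
            return c
        return m.group(0)  # unknown escape: keep it literally
    return _ESCAPE_RE.sub(repl, value)


def _split_header(body: str) -> Tuple[List[str], str]:
    # Split the seven header fields on unescaped "|" and return the rest as
    # the raw extension text. Escapes are kept here and undone per field.
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])
            i += 2
            continue
        if c == "|":
            fields.append(_unescape("".join(buf)))
            buf = []
            if len(fields) == len(HEADER_FIELDS):
                return fields, body[i + 1:]
        else:
            buf.append(c)
        i += 1
    if len(fields) == len(HEADER_FIELDS) - 1:
        # Severity with no trailing "|" and no extension is still a valid header.
        fields.append(_unescape("".join(buf)))
        return fields, ""
    raise ValueError("CEF header has too few fields: %r" % body)


def _parse_extension(ext: str) -> Dict[str, str]:
    # Each value runs from the end of its "key=" to the start of the next key.
    # Values may contain spaces; a vendor that leaves "=" unescaped inside a
    # value produces an ambiguous line, which is the vendor's bug, not ours.
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[start:end].strip())
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF event; raise ValueError otherwise."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF event: %r" % line)
    fields, ext = _split_header(line[idx + 4:])
    event: Dict[str, Any] = dict(zip(HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:idx].strip()  # PRI, timestamp, host, if any
    event["version"] = int(event["version"])
    try:
        event["severity"] = int(event["severity"])
    except ValueError:
        pass  # CEF also allows Low/Medium/High/Very-High as severity
    event["extension"] = _parse_extension(ext)
    return event


def parse_batch(lines: List[str]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Parse many lines; return (parsed events, (rejected line, reason) pairs)."""
    ok: List[Dict[str, Any]] = []
    rejected: List[Tuple[str, str]] = []
    for line in lines:
        try:
            ok.append(parse_cef(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return ok, rejected


# Constructed sample input: two well-formed CEF lines (one with an escaped
# pipe in the header, one with escaped "=" and "\" in the extension), one
# non-CEF syslog line, and one CEF line with a truncated header.
SAMPLE_LINES = [
    "<13>Jan 18 11:07:53 fw01 CEF:0|Acme\\|Networks|NGFW|2.1|100|Connection blocked|7|"
    "src=10.1.1.5 dst=10.2.2.9 spt=51234 dpt=443 proto=TCP msg=Policy 12 hit",
    "<134>CEF:0|Acme|WebProxy|3.0|2001|Suspicious URL|5|"
    "request=http://example.test/a\\=b act=blocked cs1Label=Rule cs1=web\\\\policy",
    "<13>Jan 18 11:07:54 fw01 %ASA-6-302013: Built outbound TCP connection",
    "CEF:0|Acme|NGFW|2.1|101|Truncated header",
]

if __name__ == "__main__":
    events, bad = parse_batch(SAMPLE_LINES)
    for ev in events:
        print(ev["device_vendor"], ev["name"], ev["severity"], ev["extension"])
    for line, reason in bad:
        print("REJECTED:", reason)
```

When a receiver accepts a line but the forwarder's filter does not match it, running the raw line through a parser like this is a quick way to see whether the vendor's escaping is what the filter is tripping over: an unescaped "|" in a product name shifts every later header field, and an unescaped "=" inside a message splits one value into two keys.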
Hi Bala,
I am having the same issue. We have added a TCP receiver in our Logger and events are coming into the receiver directly from the event source device. Now when we add a forwarder we are not able to send to ESM. Please suggest how we can resolve this issue.