Regular Contributor.

Logs Not receiving in the ESM

Hi All,

I am in a situation: I have a syslog server that is acting as a forwarder, and I am not able to see logs in the ESM.

---------

Let me brief:

Syslog server (10.5.8.9 -- random): it has 4 more connectors installed. The syslog server is acting as a forwarder towards the ESM.

Protocol: UDP 514.

Logs are being forwarded to the syslog server on 514; from the syslog server they are being forwarded via a different protocol number.

Challenge

----------------------

I can see the logs reaching the syslog server when I do a tcpdump on it, but I am not able to identify the reason why they are not being forwarded to the ESM (how to troubleshoot at the connector level).

Acclaimed Contributor.

Re: Logs Not receiving in the ESM

Suraj,

You cannot send events directly to ArcSight ESM without an ArcSight Smart Connector.

To send something to ArcSight ESM, you first need to configure an ArcSight Smart Connector, in your case a Syslog Connector type (which will listen on 514 UDP or TCP port). Your Syslog server must forward its events to the Syslog Connector.

The picture will be:

Syslog Server ===> Smart Connector (Syslog Type) ===> ESM

For more information on how the ArcSight products Smart Connector and ESM work, see the following link: https://community.microfocus.com/t5/ArcSight-Product-Documentation/ct-p/productdocs

Best Regards,

Daniel

Regular Contributor.

Re: Logs Not receiving in the ESM

I found the solution
------------------------------
-- The server was configured with syslog-ng, then the forwarding was done.

-- 4 connectors were installed, and all of them have been configured to receive logs via syslog-ng.
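
A syslog-ng relay of the kind described in this thread, added here as an example and not taken from any poster's configuration: it receives on UDP 514, hands each device group to one of four local connectors, and records anything that matches no route so that silently dropped logs become visible. The connector ports 5141-5144, the source subnets and the unrouted-log path are assumptions.

```conf
@version: 3.38   # assumption: set this to the installed syslog-ng version

# Devices send to the syslog server on UDP 514 (as stated in the thread).
source s_devices { network(transport("udp") port(514)); };

# One destination per connector installed on the same host.
# Ports are constructed; each Syslog connector must listen on its own port.
destination d_conn1 { network("127.0.0.1" transport("udp") port(5141)); };
destination d_conn2 { network("127.0.0.1" transport("udp") port(5142)); };
destination d_conn3 { network("127.0.0.1" transport("udp") port(5143)); };
destination d_conn4 { network("127.0.0.1" transport("udp") port(5144)); };

# Constructed sender ranges, one per connector.
filter f_grp1 { netmask("192.0.2.0/26"); };
filter f_grp2 { netmask("192.0.2.64/26"); };
filter f_grp3 { netmask("192.0.2.128/26"); };
filter f_grp4 { netmask("192.0.2.192/26"); };

log { source(s_devices); filter(f_grp1); destination(d_conn1); };
log { source(s_devices); filter(f_grp2); destination(d_conn2); };
log { source(s_devices); filter(f_grp3); destination(d_conn3); };
log { source(s_devices); filter(f_grp4); destination(d_conn4); };

# Anything that matched none of the routes above lands here instead of
# disappearing: logs that show up in tcpdump on port 514 but never reach
# a connector will appear in this file.
destination d_unrouted { file("/var/log/syslog-ng/unrouted.log"); };
log { source(s_devices); destination(d_unrouted); flags(fallback); };
```

Running `syslog-ng --syntax-only` against the file checks it for errors before the service is restarted.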