Absent Member.

Does anyone have an idea if Arcsight connectors can receive and parse logs of Symantec Endpoint product via syslog? Are the events via syslog useful compared with the ones we get via db?

We have an ongoing PoC, and my competition, LogRhythm and Q1 Labs, use syslog to collect logs from this device? We are talking to the sysadmins and we want to give them info on why it's better to collect via DB vs. via syslog.

Your answers are highly appreciated.

Thanks.

Fleet Admiral

Getting events from the DB is safer. On syslog you may lose part of the messages.

Absent Member.

There is a specific connector for Symantec DB.  It categorizes events; I don't think the syslog connector will do as good a job categorizing the events received via syslog.  Categorization is a must for good correlation.

I am with Joel and Evgeny on this one. The designed connector will have the correct assigned fields that correlate between the two products. That means less configuration than if you were to use syslog. It also means writing rules etc. will be easier from your perspective.

Just remember, though: with the Symantec SC using the DB, you will have to install JDBC drivers and set up ODBC connections on the connector box. It also usually involves having a local login on the DB for reading the events.

Every now and then you run into a permissions issue with DB connectors, depending on how your DBAs are.
