User's Guide
1 About SmartConnectors

 have been developed. These sub-connectors have individual configuration guides that provide setup information and mappings for the particular application. These sub-connectors include:

CA eTrust AntiVirus Windows Event Log

Microsoft Active Directory Service Windows Event Log

Microsoft WINS Windows Event Log

Oracle Audit Windows Event Log

RSA ACE Server Windows Event Log

Symantec Mail Security Windows Event Log

Syslog Connectors

Syslog messages are free-form log messages prefixed with a syslog header consisting of a numerical code (facility + severity), timestamp, and host name. They can be installed as a syslog daemon, pipe, or file connector. Unlike other file connectors, a syslog connector can receive and process events from multiple devices. There is a unique regular expression that identifies the device.

Syslog Daemon connectors listen for syslog messages on a configurable port, using port 514 as a default. The default protocol is UDP, but other protocols such as Raw TCP are also supported. It is the only syslog option supported for Windows platforms.

Syslog Pipe connectors require syslog configuration to send messages with a certain syslog facility and severity.

The Solaris platform tends to underperform when using Syslog Pipe connectors. The operating system requires that the connector (reader) open the connection to the pipe file before the syslog daemon (writer) writes messages to it. When running the connector as a non-root user on Solaris, a Syslog Pipe connector is not recommended: a non-root user does not have permission to send a HUP signal to the syslog daemon.

Syslog File connectors require syslog configuration to send messages with a certain syslog facility and severity. For high throughput connectors, Syslog File connectors perform better than Syslog Pipe connectors because of operating system buffer limitations on pipe transmissions.

Raw Syslog connectors do no parsing; they take the syslog string and put it in the rawEvent field as-is. The Raw Syslog destination type takes the rawEvent field and sends it as-is using whichever protocol is chosen (UDP, Raw TCP, or TLS). The Raw Syslog connector is always used with the Raw Syslog destination. The event flow is streamlined to eliminate components that do not add value (for example, with the Raw Syslog transport the category fields in the event are ignored, so the categorization components are skipped).
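The syslog header fields described above (PRI as facility + severity, timestamp, host name), the per-device regular expression, the facility/severity selector that Syslog Pipe and File connectors depend on, and the rawEvent passthrough of the Raw Syslog connector, as an added example that is not code from the ArcSight guide or from the SmartConnector itself. The device regex table and the two sample log lines are hypothetical and constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD syslog PRI field: PRI = facility * 8 + severity, so <38> is auth(4)/info(6).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"
              ] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Header: <PRI>, a "Mmm dd hh:mm:ss" timestamp, host name, then the free-form message.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$")
# Hypothetical device signatures (constructed for this example): the first regex that
# matches the message body decides which device parser the event is handed to.
DEVICE_PATTERNS = [("openssh", re.compile(r"^sshd\[\d+\]:")),
                   ("cisco-ios", re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:"))]
# Constructed sample lines, not captured from any real system.
SAMPLE_LINES = [
    "<38>Oct 11 22:14:15 bastion sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 4242 ssh2",
    "<189>Oct 11 22:14:16 core-sw1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
]

@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str
    device: Optional[str]  # None when no device regex matched
    rawEvent: str          # the untouched line, as a Raw Syslog connector keeps it

def parse_syslog(line: str) -> SyslogEvent:
    """Split a BSD syslog line into header fields and identify the device by regex."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    msg = m.group("msg")
    device = next((name for name, rx in DEVICE_PATTERNS if rx.search(msg)), None)
    return SyslogEvent(FACILITIES[facility], SEVERITIES[severity], m.group("ts"),
                       m.group("host"), msg, device, line)

def accepted(ev: SyslogEvent, facility: str, max_severity: str) -> bool:
    """Emulate the facility.severity selector a Syslog Pipe/File connector relies on."""
    return ev.facility == facility and SEVERITIES.index(ev.severity) <= SEVERITIES.index(max_severity)
```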

Syslog NG Daemon connectors support Syslog NG version 3.0 for BSD syslog format. Beta support is provided for collection of IETF standard events. This SmartConnector is capable of receiving events over a secure (encrypted) TLS channel from another SmartConnector (whose destination is configured as CEF Syslog over TLS), and can also receive events from devices.

CEF Encrypted Syslog (UDP) connectors allow connector-to-connector communication through an encrypted channel by decrypting events that were previously encrypted by the CEF Encrypted Syslog (UDP) destination. The CEF SmartConnectors let ESM connect to, aggregate, filter, correlate, and analyze events from applications and devices that deliver their logs in the CEF standard using the syslog transport protocol.

14 ArcSight SmartConnectors User’s Guide Confidential
