HP ArcSight is an enterprise Security Information and Event Management (SIEM) solution used to correlate structured event data in order to detect security activity and prove compliance. Unomaly can both receive data from ArcSight for analysis and send alerts back to ArcSight for use in correlation rules, dashboards, and so on.

Forwarding log data from an ArcSight deployment to Unomaly can be done in three different ways. The choice will depend on the type and size of the ArcSight deployment.


Forwarding from SmartConnectors

One option is to forward logs directly from the SmartConnector. The SmartConnector supports raw syslog, and this is the recommended way to send data to Unomaly. This method does not affect Unomaly configuration or performance. It is easily configured from the SmartConnector user interface, where you direct the data to the IP address of the Unomaly instance.

Forwarding via a central SmartConnector

For deployments with multiple SmartConnectors, it is not practical to configure each SmartConnector to point to Unomaly. Instead, you can use a central SmartConnector to receive the data from the other SmartConnectors and then forward it to Unomaly. This follows the same configuration steps as the previous option, using raw syslog as the forwarding transport.

Forwarding from ESM or Logger

The ArcSight Embedded Systems Manager (ESM) or ArcSight Logger can only forward data as ArcSight Common Event Format (CEF) Syslog. Because of this, ArcSight will significantly increase the size of the data compared to raw syslog. This has a performance impact and requires a configuration change in Unomaly to the max_event_objects setting. It is recommended to set it to 500 if you use CEF Syslog as input, to prevent very long CEF messages from being truncated by Unomaly.
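
To see why CEF Syslog is so much larger than raw syslog, the following added example (not Unomaly or ArcSight code) parses a CEF message into its header and extension fields and compares its size with the raw line it was derived from. Both sample messages are constructed, and the whitespace-token count is only a rough size proxy; how Unomaly counts objects against max_event_objects is not described on this page.

```python
import re

# Constructed samples: one raw syslog line and the same event as CEF syslog
# (CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension).
RAW = ("<38>Oct 11 22:14:15 web01 sshd[4721]: Failed password for root "
       "from 203.0.113.7 port 52144 ssh2")
CEF = ("<38>Oct 11 22:14:15 arcsight01 CEF:0|Unix|sshd|1.0|auth:fail|"
       r"Failed password \| ssh2|5|"
       "src=203.0.113.7 spt=52144 duser=root dhost=web01 dproc=sshd dpid=4721 "
       "cat=/Authentication/Verify outcome=/Failure cs1Label=note "
       r"cs1=retry\=3 "
       "msg=Failed password for root from 203.0.113.7 port 52144 ssh2")
HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")

def parse_cef(line):
    """Split a CEF syslog line into header fields and extension pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Header fields end at unescaped pipes; the eighth part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts)}
    text = parts[7] if len(parts) == 8 else ""
    # A key is a word at a whitespace boundary followed by '='; its value
    # runs to the next key, so values may contain spaces and escaped '='.
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        ext[m.group(1)] = text[m.end():end].strip().replace("\\=", "=")
    return header, ext

def size_report(raw, cef):
    """Compare the byte and whitespace-token size of the two forms."""
    return {"raw_bytes": len(raw.encode()), "cef_bytes": len(cef.encode()),
            "raw_tokens": len(raw.split()), "cef_tokens": len(cef.split())}

if __name__ == "__main__":
    header, ext = parse_cef(CEF)
    print(header["name"], len(ext), "extension fields")
    print(size_report(RAW, CEF))
```

Running the same comparison on a sample of your own ESM or Logger output shows how much extra volume to plan for before switching the input to CEF Syslog.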