Design of sending events/logs to SIEM/Arcsight

Posted on 2016-10-21
Last Modified: 2016-10-26
The attached screen is all that Tripwire has for syslog
 configuration/settings, so does this mean Tripwire simply
 sends all its TE messages to a syslog/SIEM (ArcSight in our case)?

 With other security products that I've used in the past that send
 events to ArcSight, they too don't have any option to specify
 what (types of) events/alarms to send: check out "Configure
 the manager to forward events to a syslog/SIEM" & "Configure
  each protection module to forward events to a Syslog/SIEM" in
  the links below: there's no description/option of what events
  or logs can be selected/filtered for forwarding to the SIEM:
    and another product

 In the highly flexible UNIX/Linux world, we can configure which logs (INFO, ERROR,
 FATAL) to send to a syslog server.

 Is there a design or security reason why the various products above (& I suppose
 many other products) don't provide the option of specifying/configuring which
 logs/events to forward? Is it that they don't want the monitored devices' administrators,
 or hackers who gain control of them, to 'hide' or filter off events/logs? i.e. all logs
 /events must be captured as a matter of security compliance?

 At the SIEM end (ArcSight in our case), is there any option to specify which devices
 or IPs are allowed to send logs to it, or does ArcSight simply take in everything that
 conforms to syslog/CEF as long as the firewall rule permits UDP 514 from
 the devices to ArcSight? So is it at the ArcSight end that we configure or define
 which logs/events should raise alarms/notifications to the security admins?

 Does Splunk also allow any IP/device in the network to send logs to it (as
 long as the firewall rule permits)? Does it have any option to specify what
 types of logs/events it accepts (say logs that contain a certain string/text)?

 When configuring Windows to forward its events/logs to a SIEM/syslog,
 what types of events/logs are sent? Everything in Event Viewer's
 security.evtx or system.evtx or application.evtx or ??

 Do we need to install a syslog/SIEM agent in Windows to enable it to
 forward to the SIEM/syslog, or does Windows have a built-in setting that allows us
 to specify the SIEM/syslog IP to send to, just like Tripwire, Deep Security
 & Websense?

I just logged in to our Windows AD/Domain Controller server:
 there is simply no ArcSight agent/connector service running
 nor installed (under c:\Program Files or c:\Program Files (x86))
 on it, though in ArcSight this AD/DC server does send logs/
 events to ArcSight.
 I issued 'netstat -an 1 | find ":514"' for 3 minutes but don't
 see any connection from this AD/DC to ArcSight. How
 does it forward events/logs to ArcSight?
Question by:sunhux
Accepted Solution

btan earned 500 total points
ID: 41853726
More often than not you'll want to use the syslog format as it is generally accepted. The RFC 3164 format that we use is composed of three parts: the first part is called the PRI, the second part is the HEADER, and the third part is the MSG. So most devices should be able to send syslog, and based on its protocol it can carry more details such as the "Facility" and "Severity" level, which are indicated in the PRI part.

ArcSight supports the CEF format, which is slightly different from the syslog format. It's always a good idea to check with the provider so that it can support your SIEM, as it expects those formatted log messages to arrive. There is an ArcSight connector to do the CEF formatting if the device source does not support it - see the supported list.

For Tripwire, you should explore the event sender. As a whole, Tripwire Enterprise is already an ArcSight CEF-certified solution, so you can combine its detailed change and configuration data with security event information in ArcSight ESM; these can
include leading indicators and key metadata in the security data it sends to ArcSight, for example severities, asset- and test-based risk scoring, and alert information.

For Deep Security, you should be able to configure this setting and more - see the use of DataExportTool @

The list of Facilities available:
0             kernel messages
1             user-level messages
2             mail system
3             system daemons
4             security/authorization messages
5             messages generated internally by syslogd
6             line printer subsystem
7             network news subsystem
8             UUCP subsystem
9             clock daemon
10            security/authorization messages
11            FTP daemon
12            NTP subsystem
13            log audit
14            log alert
15            clock daemon
16            local use 0  (local0)
17            local use 1  (local1)
18            local use 2  (local2)
19            local use 3  (local3)
20            local use 4  (local4)
21            local use 5  (local5)
22            local use 6  (local6)
23            local use 7  (local7)

The list of severity Levels:
0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages
(based on RFC 3164)

For Websense, you should be able to customize as well; taking the example of one of the Websense solutions, RiskVision can configure which logs to send by selecting one or more Threat levels. By default, malicious and suspicious incident logs are forwarded. You need to check with the provider for the specific servers.

For Windows event logs, you will need an agent like Snare or syslog-ng to send the syslog to the SIEM. The default evt or evtx is not of that syslog format, and the SIEM will not support the Windows raw log if it is not in syslog format.

For Splunk to receive the log from other devices, it can still work like a syslog server and is able to query:
"Splunk Enterprise can act as a syslog server or a syslog message sender. It should not be substituted for such a server in regular use. This is because Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event.)"
.. and can act as a SIEM covering aspects like compliance, application security, fraud detection, IT operations, application management, web intelligence and business analytics.
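A worked illustration of the PRI / HEADER / MSG split, the facility and severity codes listed in the answer, and the receiver-side filtering by source host and severity that the question asks about. This is an added example written for this thread, not code from the thread or from Tripwire, ArcSight, Splunk or any other product named above; the sample syslog lines, host names, allow-list and severity threshold are constructed for illustration, and the CEF line only imitates the general "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension" layout rather than any real product's output.

```python
"""Decode RFC 3164 syslog (PRI / HEADER / MSG) and any CEF payload in MSG,
then apply a receiver-side filter by source host and severity.
Added example for this thread; the sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Facility and severity codes from RFC 3164 section 4.1.1; PRI = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG" per RFC 3164 section 4.1
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str
    cef: Optional[dict] = None  # parsed CEF record when MSG carries one

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> Optional[tuple]:
    """Split PRI into (facility, severity); None if the facility is outside 0..23."""
    facility, severity = divmod(pri, 8)
    return (facility, severity) if facility in FACILITIES else None


def parse_cef(msg: str) -> Optional[dict]:
    """Parse a CEF record found in MSG. Header pipes may be escaped as backslash-pipe."""
    start = msg.find("CEF:")
    if start < 0:
        return None
    parts = re.split(r"(?<!\\)\|", msg[start + 4:], maxsplit=7)
    if len(parts) < 8:
        return None
    record = dict(zip(CEF_HEADER, (p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7])))
    # Extension is key=value pairs; a value runs until the next " key=" or end of line.
    record["ext"] = {m.group(1): m.group(2)
                     for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return record


def parse_rfc3164(line: str) -> Optional[SyslogMessage]:
    """Return a SyslogMessage, or None for lines that are not well-formed RFC 3164."""
    m = RFC3164_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    decoded = decode_pri(int(m.group("pri")))
    if decoded is None:
        return None
    msg = m.group("msg")
    return SyslogMessage(*decoded, m.group("ts"), m.group("host"), msg, parse_cef(msg))


def select_for_forwarding(lines, allowed_hosts, max_severity):
    """Receiver-side filter: keep only well-formed messages from allow-listed hosts whose
    severity is at most max_severity (lower number = more severe)."""
    kept = []
    for line in lines:
        msg = parse_rfc3164(line)
        if msg and msg.host in allowed_hosts and msg.severity <= max_severity:
            kept.append(msg)
    return kept


# Constructed sample input (hosts and addresses are made up, not real captures).
SAMPLE_LINES = [
    "<34>Oct 21 14:05:11 web01 sshd[2011]: Failed password for root from 198.51.100.23 port 4422 ssh2",
    "<134>Oct 21 14:05:12 te01 CEF:0|Tripwire|Tripwire Enterprise|8.4|100|File modified|7|"
    "src=10.0.0.5 fname=/etc/passwd act=modified",
    "<191>Oct 21 14:05:13 dev03 app[77]: debug trace the SIEM should not keep",
    "<86>Oct 21 14:05:14 rogue99 sshd[1]: Accepted password for admin",  # host not allow-listed
    "<999>Oct 21 14:05:15 web01 kernel: PRI out of range, dropped",
]

if __name__ == "__main__":
    for m in select_for_forwarding(SAMPLE_LINES, {"web01", "te01", "dev03"}, max_severity=6):
        print(f"{m.host} {m.facility_name}.{m.severity_name} cef={m.cef is not None}")
```

The point of the filter is the one raised in the question: a sender that offers no per-event selection still cannot hide anything from a collector that decides for itself which hosts it accepts and which severities it keeps, and a malformed PRI (facility above 23) is rejected rather than silently indexed. Note that with plain UDP 514 the HOSTNAME field is whatever the sender wrote, so an allow-list keyed on it is only as trustworthy as the network path; keying on the UDP source address, or using TLS syslog, is the stronger check.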
