
Vendor - MicroFocus Arcsight

Product - Arcsight Internal Agent

| Ref | Link |
| --- | --- |
| Splunk Add-on CEF | https://github.com/splunk/splunk-add-on-for-cefdownloads/ |

Sourcetypes

| sourcetype | notes |
| --- | --- |
| cef | Common sourcetype |

Source

| source | notes |
| --- | --- |
| ArcSight:ArcSight | Internal logs |

Index Configuration

| key | source | index | notes |
| --- | --- | --- | --- |
| ArcSight_ArcSight | ArcSight:ArcSight | main | none |

Filter type

MSG Parse: This filter parses message content

Options

| Variable | default | description |
| --- | --- | --- |
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of the variable above. It is included for backward compatibility and will be removed in a future version. Do not use it in new installations. |
  • NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events; use the following search to check for new events.

Verify that the timestamp and host values match what you expect.

index=<asconfigured> (sourcetype=cef source="ArcSight:ArcSight")

Product - Arcsight Microsoft Windows (CEF)

| Ref | Link |
| --- | --- |
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-for-splunk/downloads/ |
| Splunk Add-on CEF | https://bitbucket.org/SPLServices/ta-cef-microsoft-windows-for-splunk/downloads/ |
| Product Manual | https://docs.imperva.com/bundle/cloud-application-security/page/more/log-configuration.htm |

Sourcetypes

| sourcetype | notes |
| --- | --- |
| cef | Common sourcetype |

Source

| source | notes |
| --- | --- |
| CEFEventLog:System or Application Event | Windows Application and System Event Logs |
| CEFEventLog:Microsoft Windows | Windows Security Event Logs |

Index Configuration

| key | source | index | notes |
| --- | --- | --- | --- |
| Microsoft_System or Application Event | CEFEventLog:System or Application Event | oswin | none |
| Microsoft_Microsoft Windows | CEFEventLog:Microsoft Windows | oswinsec | none |

Filter type

MSG Parse: This filter parses message content

Options

| Variable | default | description |
| --- | --- | --- |
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally, set to yes to enable it for this specific source |
| SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the variables above. They are included for backward compatibility and will be removed in a future version. Do not use them in new installations. |
  • NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.
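The two option tables above share the same rules: the port variables take a comma-separated list of port numbers, the MICROFOCUS_ARCSIGHT names are deprecated, and one set of CEF variables serves every CEF source in the deployment. The preflight script below is an added example, not part of SC4S or this page; it assumes the SC4S settings live in a plain KEY=VALUE env file, and the function names (valid_port_list, check_cef_env, demo_check) and the sample env file are constructed for illustration. It reports deprecated names, malformed port lists and CEF variables assigned more than once (a common sign that someone tried to give each product its own port), and returns the problem count.

```shell
#!/bin/sh
# Added preflight check for SC4S CEF listener settings (example code, not part
# of SC4S). Reads KEY=VALUE lines from an env file and reports:
#   - deprecated SC4S_*MICROFOCUS_ARCSIGHT* names (scheduled for removal)
#   - SC4S_LISTEN_CEF_TCP_PORT / SC4S_LISTEN_CEF_UDP_PORT values that are not
#     a comma-separated list of valid port numbers
#   - any CEF variable assigned more than once (the page says one set of CEF
#     variables serves every CEF source, so a repeat is almost always a mistake)

# valid_port_list LIST -> 0 if every comma-separated element is an integer 1..65535
valid_port_list() {
    [ -n "$1" ] || return 1
    _ifs=$IFS; IFS=,
    set -- $1          # split on commas; an empty field (",,") becomes ''
    IFS=$_ifs
    for p in "$@"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# check_cef_env FILE -> prints findings to stderr, echoes the problem count
check_cef_env() {
    problems=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        key=${line%%=*}
        val=${line#*=}
        # only CEF-related variables (current or deprecated names) are inspected
        case $key in SC4S_*CEF*|SC4S_*MICROFOCUS_ARCSIGHT*) ;; *) continue ;; esac
        case " $seen " in
            *" $key "*) echo "DUPLICATE: $key is set more than once" >&2
                        problems=$((problems + 1)) ;;
        esac
        seen="$seen $key"
        case $key in
            SC4S_*MICROFOCUS_ARCSIGHT*)
                echo "DEPRECATED: $key (use the SC4S_*_CEF_* equivalent)" >&2
                problems=$((problems + 1)) ;;
            SC4S_LISTEN_CEF_TCP_PORT|SC4S_LISTEN_CEF_UDP_PORT)
                # empty string is the documented default, so only non-empty values are validated
                if [ -n "$val" ] && ! valid_port_list "$val"; then
                    echo "INVALID: $key='$val' is not a comma-separated port list" >&2
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$1"
    echo "$problems"
}

# demo_check -> runs the check over a constructed sample env file and echoes the count
demo_check() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample SC4S env file (not from any real deployment)
SC4S_LISTEN_CEF_TCP_PORT=5514,5515
SC4S_LISTEN_CEF_UDP_PORT=5514,cef
SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT=5516
SC4S_ARCHIVE_CEF=no
SC4S_LISTEN_CEF_TCP_PORT=5517
EOF
    n=$(check_cef_env "$tmp")
    rm -f "$tmp"
    echo "$n"
}

echo "problems found in sample env file: $(demo_check)"
```

Run it against your own env file with `check_cef_env /path/to/env_file`; a result of 0 means every CEF variable is a current name, set once, with a well-formed port list. The sample file deliberately trips all three checks (a bad UDP list, a deprecated name, and a repeated TCP variable), so the demo reports 3.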

Verification

An active site will generate frequent events; use the following search to check for new events.

Verify that the timestamp and host values match what you expect.

index=<asconfigured> (sourcetype=cef (source="CEFEventLog:Microsoft Windows" OR source="CEFEventLog:System or Application Event"))