Is it possible to forward logs from ArcSight Logger to McAfee Receiver?
If so, then how can I separate those logs which were initially collected at ArcSight Logger?
Did you try adding the ArcSight Logger as a data source with the syslog relay activated for syslog-ng? After that you should either add all relayed data sources manually or use the auto-learn data sources feature.
Tell me if this works for you. I did this but only for syslog-ng relayed messages, not for ArcSight.
I am getting all logs which are forwarded by ArcSight Logger but unable to get them for individual data sources. Everything is showing up under ArcSight Logger data source.
I tried adding child data sources and clients under Logger, but to no avail!
Don't add them as a client or child, because this means you will use the same parser for all data sources behind your ArcSight Logger.
Each data source behind your ArcSight Logger needs to be added either manually as a normal data source or with the auto-learn data sources feature.
But as I said in my previous post, this is not syslog-ng so it might not work.
ArcSight Logger is sending all logs in CEF format.
For example, I have a DC which is sending logs to Logger and I can see them in McAfee ESM. However, source IP is always Logger IP and when I am looking into raw packet, I can see the DC IP address.
Wondering if there is a way to separate them?
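The situation described in the post above (the packet's source address is the relay, while the producing device is only visible inside the CEF payload) can be made concrete with a small parser. This is an added example, not code from the original thread, from ArcSight or from McAfee: it wraps two constructed CEF events in syslog lines as a Logger at 192.168.10.158 would relay them, parses the CEF header and extension, and groups events by the original device taken from the `dvc`/`dvchost` extension keys rather than from the syslog hostname. The sample lines, the Windows and ASA field values and the `origin_device` preference order are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lines: two CEF events relayed by a Logger at 192.168.10.158.
# The syslog hostname is the relay; the real origin is only in the CEF 'dvc' key.
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 192.168.10.158 CEF:0|Microsoft|Microsoft Windows|6.3|4624|"
    "An account was successfully logged on|Low|dvc=192.168.10.100 dvchost=dc01 "
    "suser=alice src=192.168.10.42 msg=Logon Type\\=3 dst=192.168.10.100",
    "<134>Jan 12 10:15:02 192.168.10.158 CEF:0|Cisco|ASA|9.8|106023|Deny tcp|Medium|"
    "dvc=192.168.10.1 src=10.0.0.5 spt=51234 dst=192.168.10.100 dpt=445 proto=TCP",
]

# <PRI>, BSD timestamp, hostname of the sender, then the CEF message.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(CEF:.*)$"
)
HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
# An extension key is a word immediately followed by '=' at the start or after whitespace;
# escaped '\=' inside a value never matches because '\' is not a word character.
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


@dataclass
class CefEvent:
    relay: str                                   # syslog sender (the Logger here)
    header: Dict[str, str] = field(default_factory=dict)
    extension: Dict[str, str] = field(default_factory=dict)


def _unescape_header(value: str) -> str:
    # In the header only '|' and '\' are escaped.
    return re.sub(r"\\([|\\])", r"\1", value)


def _unescape_extension(value: str) -> str:
    # In the extension '=' and '\' are escaped and '\n' means a newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_cef_line(line: str) -> CefEvent:
    """Parse one syslog-wrapped CEF line into relay, header fields and extension pairs."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    _timestamp, relay, message = m.groups()
    # Split on unescaped '|' only; the 8th part is the whole extension.
    parts = re.split(r"(?<!\\)\|", message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    parts[0] = parts[0][len("CEF:"):]
    header = {k: _unescape_header(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    ext_text = parts[7]
    keys = list(KEY_RE.finditer(ext_text))
    extension: Dict[str, str] = {}
    for i, km in enumerate(keys):
        start = km.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[km.group(1)] = _unescape_extension(ext_text[start:end].strip())
    return CefEvent(relay=relay, header=header, extension=extension)


def origin_device(ev: CefEvent) -> str:
    """Producing device from the CEF payload; fall back to the relay if absent (assumed order)."""
    return ev.extension.get("dvc") or ev.extension.get("dvchost") or ev.relay


def group_by_origin(lines: List[str]) -> Dict[str, List[CefEvent]]:
    """What a receiver would need to do to attribute relayed events to their real source."""
    groups: Dict[str, List[CefEvent]] = {}
    for line in lines:
        ev = parse_cef_line(line)
        groups.setdefault(origin_device(ev), []).append(ev)
    return groups


if __name__ == "__main__":
    for origin, events in group_by_origin(SAMPLE_LINES).items():
        for ev in events:
            print(f"{origin:15} via relay {ev.relay}  "
                  f"{ev.header['device_product']} id={ev.header['signature_id']}")
```

Both constructed events share the relay address 192.168.10.158, which is all a receiver sees at the packet level; the grouping only becomes correct once the `dvc` value is read out of the CEF extension. A parser that keys data sources on the syslog sender alone will file everything under the Logger, which is the behaviour described in the thread.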
Please take a look at the following setting.
I can see that the log is from 192.168.10.100, but it is in CEF format and only recognized as coming from Logger (192.168.10.158).
No, it was not showing up correctly, not the expected format when Syslog-ng is used.
Try using Logger IP as parent data source (for Syslog-ng) and then individual IP addresses of log sources for client data sources. If the forwarded log format from ArcSight is correct then it should work.