Everyone is back at work today, and I have to refine my problem statement now that I have an ArcSight person to help me. The messages are readable, however, they are not parsed at the ArcSight Logger.
We do use the ArcSight syslog-ng connector and it is set up to accept TLS connections.
The ePO messages appear un-parsed in the "Name" field.
When we enable RFC 5424, the message is parsed better; however, not quite the same fields and information as the ePO DB connector. It does not look like it was completely parsed as it would with epo_db.
Looking at a message in the logger that has been captured with RFC 5424 enabled, we see the parser selected by the logger is "arcsight:10:120".
The RHEL systems are not using RFC 5425, so we will add a second syslog-ng connector and a different port for the ePO; however, I am disappointed that we cannot search the data the same way. I am not convinced the messages are parsed correctly.