Did you try adding the ArcSight Logger as a data source with the syslog relay activated for syslog-ng? After that you should either add all relayed data sources manually or use the auto-learn data sources feature.
Tell me if this works for you. I did this, but only for syslog-ng relayed messages, not for ArcSight.
I am getting all logs which are forwarded by ArcSight Logger but unable to get them for individual data sources. Everything is showing up under ArcSight Logger data source.
I tried adding child data sources and clients under Logger, but to no avail!
Don't add them as a client or child, because this means you will use the same parser for all data sources behind your ArcSight Logger.
Each data source behind your ArcSight Logger needs to be added either manually as a normal data source or with the auto-learn data sources feature.
But as I said in my previous post, this is not syslog-ng, so it might not work.
ArcSight Logger is sending all logs in CEF format.
For example, I have a DC which is sending logs to Logger, and I can see them in McAfee ESM. However, the source IP is always the Logger IP, and when I look into the raw packet, I can see the DC IP address.
Wondering if there is a way to separate them?
Yes. Syslog relay feature.
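The thread above describes the core problem: when a relay forwards CEF, the SIEM sees the relay's IP as the sender, while the originating device is only recoverable from the syslog header or the CEF extension (dvc/dvchost). The following is an added example written for this page, not code from the thread, from McAfee or from ArcSight. It parses syslog-wrapped CEF lines as a relay would emit them and attributes each event to its original device instead of the transport source IP. All sample lines, hostnames and addresses (including the relay IP 10.0.0.100) are constructed.

```python
"""Attribute relayed CEF events to their originating device rather than to the
relay's transport IP. Added example; sample data below is constructed."""
import re
from collections import defaultdict

RELAY_IP = "10.0.0.100"  # constructed: the relay address the SIEM sees on the wire

# Constructed sample: four events that all arrive from RELAY_IP.
SAMPLE_LINES = [
    "<13>Mar  3 10:01:02 dc01 CEF:0|Microsoft|Microsoft Windows|2016|4624|An account was successfully logged on|3|dvc=10.0.0.5 dvchost=dc01.example.local src=10.0.0.20 suser=alice",
    "<13>Mar  3 10:01:03 fw01 CEF:0|Vendor|Firewall|1.0|100|Deny|5|dvc=10.0.0.1 src=198.51.100.7 dst=10.0.0.20 dpt=445 act=deny",
    "<13>Mar  3 10:01:04 dc01 CEF:0|Microsoft|Microsoft Windows|2016|4625|An account failed to log on|5|dvc=10.0.0.5 dvchost=dc01.example.local src=10.0.0.21 suser=bob msg=Bad password\\=retry",
    # No dvc/dvchost in the extension: fall back to the syslog hostname.
    "<13>Mar  3 10:01:05 app02 CEF:0|Example|App|2.1|42|Login|2|src=10.0.0.30 suser=carol",
]

# Optional PRI, BSD timestamp, hostname, then the CEF payload.
SYSLOG_RE = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+(CEF:.*)$")
# Extension key=value pairs; values may contain spaces and backslash escapes.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|$)")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\= \\| \\\\ become the literal char, \\n and \\r newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """Parse the CEF extension ('key=value key=value ...') into a dict."""
    return {k: _unescape(v) for k, v in EXT_RE.findall(ext)}


def split_cef(cef: str):
    """Split 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|ext'
    into its seven header fields (honouring '\\|' escapes) and the parsed extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped pipe or backslash in a header field
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, parse_extension(cef[i:])


def parse_line(line: str, transport_ip: str) -> dict:
    """Parse one relayed line; 'origin' is the device the event should be attributed to."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    syslog_host, cef = m.groups()
    header, ext = split_cef(cef)
    return {
        "transport_ip": transport_ip,   # the relay: what the SIEM sees as the sender
        "syslog_host": syslog_host,
        "vendor": header[1],
        "product": header[2],
        "signature_id": header[4],
        "name": header[5],
        "severity": int(header[6]),
        "ext": ext,
        # Prefer the device fields written by the original sender, then the syslog header.
        "origin": ext.get("dvchost") or ext.get("dvc") or syslog_host,
    }


def group_by_origin(lines, transport_ip=RELAY_IP):
    """Return (events per transport IP, events per originating device)."""
    by_transport, by_origin = defaultdict(int), defaultdict(int)
    for line in lines:
        ev = parse_line(line, transport_ip)
        by_transport[ev["transport_ip"]] += 1
        by_origin[ev["origin"]] += 1
    return dict(by_transport), dict(by_origin)


if __name__ == "__main__":
    by_transport, by_origin = group_by_origin(SAMPLE_LINES)
    print("keyed on transport IP:", by_transport)   # everything under the relay
    print("keyed on origin:     ", by_origin)       # split per original device
```

Keying on the transport IP reproduces the symptom in the thread (every event lands under the relay), while keying on dvchost/dvc or the syslog hostname gives the per-device split that adding each relayed source as its own data source is meant to achieve. The extension parser relies on the CEF convention that a new key begins only after whitespace, so values containing spaces or escaped `=` are kept intact.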