Payload

"Payload" refers to the information carried in the body of an event's network packet, as distinct from the packet's "header" data. (See Events.) While security event detection and analysis usually centers on header data, the packet payload may also be significant for historical analysis purposes.

Typically, devices discard payloads after a certain period of time. As described in Working with Event Payloads, you can retrieve, preserve, view, or discard payloads using the ArcSight Console. Since event payloads are relatively large, they are not stored by default. Instead, you can request payloads from devices, for selected events, through the ArcSight Console. If the payload is still held on the device, the SmartConnector retrieves it and sends it to the Console. (See SmartConnectors.)

Payloads are downloaded and stored only on demand. Whether an event has a payload to store is visible in event grids. Unless you specifically request the payload, only the event's "payload ID" (the information required to retrieve the payload from the event source) is stored. Payload retention periods are controlled by the configuration of each source device.

A payload that has already been downloaded and stored in the database can either be manually selected and deleted, or removed based upon the event-retention policy.

If the payload's format is not recognized by the database, its data will not be lost; instead it appears "unparsed" in the event. The event name attribute generally contains the complete data in this case.
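As an added illustration (not ArcSight code and not taken from its documentation), the following Python models the payload lifecycle described above: each stored event carries only a payload ID, the payload itself is fetched from the source device on demand and only while the device still retains it, a stored payload can be discarded manually or by the store's retention policy, and a payload whose format is not recognized is kept whole in the event's name attribute and flagged as unparsed. The source device, the `key=value` payload format, the retention values and all class and function names are assumptions made for the example.

```python
# Constructed model of on-demand event payload handling (assumption-based).
# Not ArcSight code: it only illustrates the lifecycle described in the entry.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceDevice:
    """Holds raw payloads for a limited time, as a source device does."""
    retention_seconds: int
    _held: Dict[str, Tuple[int, bytes]] = field(default_factory=dict)

    def capture(self, payload_id: str, captured_at: int, data: bytes) -> None:
        self._held[payload_id] = (captured_at, data)

    def fetch(self, payload_id: str, now: int) -> Optional[bytes]:
        """Return the payload if still retained; an expired payload is dropped."""
        entry = self._held.get(payload_id)
        if entry is None:
            return None
        captured_at, data = entry
        if now - captured_at > self.retention_seconds:
            del self._held[payload_id]
            return None
        return data


def parse_payload(data: bytes) -> Dict[str, str]:
    """Recognized format (an assumption): 'key=value' pairs separated by ';'.
    Anything else is kept whole in the 'name' field and flagged unparsed."""
    text = data.decode("utf-8", errors="replace")
    pairs = [p for p in text.split(";") if p]
    if pairs and all("=" in p for p in pairs):
        return dict(p.split("=", 1) for p in pairs)
    return {"name": text, "unparsed": "true"}


@dataclass
class StoredEvent:
    event_id: str
    device: SourceDevice
    payload_id: str                             # always stored with the event
    received_at: int
    payload: Optional[Dict[str, str]] = None    # filled only on demand


class EventStore:
    """Database side: stores payload IDs by default, payloads only on request."""

    def __init__(self, retention_seconds: int) -> None:
        self.retention_seconds = retention_seconds
        self._events: Dict[str, StoredEvent] = {}

    def ingest(self, event: StoredEvent) -> None:
        self._events[event.event_id] = event

    def has_payload(self, event_id: str) -> bool:
        return self._events[event_id].payload is not None

    def payload_of(self, event_id: str) -> Optional[Dict[str, str]]:
        return self._events[event_id].payload

    def retrieve_payload(self, event_id: str, now: int) -> bool:
        """Ask the source device for the payload; False if it is no longer held."""
        ev = self._events[event_id]
        raw = ev.device.fetch(ev.payload_id, now)
        if raw is None:
            return False
        ev.payload = parse_payload(raw)
        return True

    def discard_payload(self, event_id: str) -> None:
        """Manual deletion of a stored payload."""
        self._events[event_id].payload = None

    def apply_retention(self, now: int) -> List[str]:
        """Drop stored payloads older than the event-retention policy."""
        removed: List[str] = []
        for ev in self._events.values():
            if ev.payload is not None and now - ev.received_at > self.retention_seconds:
                ev.payload = None
                removed.append(ev.event_id)
        return removed


def build_sample() -> Tuple[SourceDevice, EventStore]:
    """Constructed sample data: one device, two captured payloads, three events."""
    dev = SourceDevice(retention_seconds=60)
    dev.capture("p1", captured_at=0, data=b"src=10.0.0.1;dst=10.0.0.2;proto=tcp")
    dev.capture("p2", captured_at=0, data=b"\x16\x03\x01 raw bytes, no known layout")
    store = EventStore(retention_seconds=3600)
    store.ingest(StoredEvent("e1", dev, "p1", received_at=5))
    store.ingest(StoredEvent("e2", dev, "p2", received_at=5))
    store.ingest(StoredEvent("e3", dev, "p-never-captured", received_at=5))
    return dev, store


if __name__ == "__main__":
    _, s = build_sample()
    print("e1 before request:", s.has_payload("e1"))
    print("e1 fetched:", s.retrieve_payload("e1", now=30), s.payload_of("e1"))
    print("e2 fetched:", s.retrieve_payload("e2", now=30), s.payload_of("e2"))
    print("e3 fetched:", s.retrieve_payload("e3", now=30))
    print("retention removed:", s.apply_retention(now=4000))
```

The two retention windows are deliberately separate: the device's window decides whether a payload can still be fetched at all, while the store's event-retention policy only governs payloads that were already downloaded.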