Connectors in Transformation Hub (CTH)

To reduce the computational overhead and workload on a syslog SmartConnector infrastructure, you can make use of Connectors in Transformation Hub (CTH) instead.

CTH Functionality

Operationally, Micro Focus SmartConnectors hold two main responsibilities:

Collection: A SmartConnector collects data from various sources.
Processing: A SmartConnector processes the collected data into enriched security event data and posts them to a destination.

With CTH, the two functions of SmartConnector are handled in a slightly different manner. CTH takes advantage of the massive scalability of the robust Transformation Hub streaming architecture by moving the computationally intensive processing step directly to Transformation Hub.

Collection: The collection step is performed by a dedicated Collector component, which gathers raw syslog data and publishes it to a dedicated syslog topic in Transformation Hub. As the name suggests, a Collector is a lightweight component responsible solely for collecting syslog data and passing it along to a dedicated CTH topic. A Collector is deployed on a VM or server using ArcMC.
Processing: The CTH component reads the data from the Collector destination, then parses, normalizes, enriches, and filters this data. It posts the data to a dedicated Transformation Hub topic for availability to any desired consumer. CTHs are deployed as Kubernetes pods within the CDF infrastructure.

CTH includes the majority of the functionality of ArcSight syslog connectors, except for data collection, which is handled by the lightweight Collector component instead. For more information about CTH configuration, consult the ArcSight Syslog Connector User Guide.

In Transformation Hub 3.3.0 and later, CTHs support FIPS mode.

Advantages of CTH

CTH has the following advantages over traditional SmartConnector architecture.

Hardware consolidation in the data collection layer where Collectors are deployed, due to the logical separation of collection and processing. A single data feed from a Collector can replace multiple SmartConnector feeds.
Improved stability, easy horizontal scalability, and improved load balancing as data flows increase with time or fluctuate during operations.
Ease of deployment, since CTHs are deployed with a single click in the ArcMC management console.
Raw syslog data is now available in the CTH topic and can be shared with any desired consumer.

Limitations of CTH

CTH presently supports the processing of syslog data only.
Upgrades to CTH are performed by upgrading Transformation Hub, rather than by upgrading CTH itself.

Deploying and Managing CTH

Installation and management of CTH is performed on a managed Transformation Hub though the ArcMC management console. Consult the ArcMC Administrator’s Guide for instructions on how to deploy and manage CTH.

Destination Topics

Collectors should only be configured with the th-syslog topic as a destination (and no other destinations).

Valid routing topic destinations for CTH include the following:

th-cef
th-binary_esm
th-cef-other

In addition, custom CTH source and destination topics might be configured on Transformation Hub. (Custom topics might only be created for CEF data.)

Collector/CTH Supported Security Modes

Collector destinations can support the following security modes:

Plain text (no security mode selected)
FIPS only
TLS only

Collector security mode can be set during Instant Deployment in the ArcMC console. See the ArcMC Administrator's Guide for more information.

CTH source and destinations can support the following security modes:

TLS + Client Authentication (default setting)
FIPS + Client Authentication (automatically set when enabling FIPS mode in Transformation Hub.
Plain text (no security mode selected)
TLS only
FIPS only

If desired, CTH's plain text, TLS-only, and FIPS-only modes can be set in ArcMC after deployment.