The ArcSight ESM system is a centralized system for logging, analyzing, and managing events from different sources. The OES server can forward events to ArcSight ESM with the help of ArcSight smart connector.
The Storage Services Auditing Client Logger (VLOG) output can be integrated with ArcSight using any of the following ArcSight smart connector type:
Perform the following task to integrate VLOG with ArcSight using Syslog Pipe smart connector type:
Create a named pipe by executing the “mkfifo” command. For example, mkfifo /var/tmp/syspipe
Configure smart connector with type “Syslog Pipe” and named pipe absolute path, /var/tmp/syspipe
Run the vlog utility with the option, /opt/novell/vigil/bin/vlog -d -f cef -o /var/tmp/syspipe
Perform the following task to integrate VLOG with ArcSight using ArcSight CEF folder follower scanner smart connector type:
Configure the smart connector to listen on vlog output directory. For example, /root/vlogs
Run vlog utility with the option, /opt/novell/vigil/bin/vlog -d -f cef -R 100MB -o /root/vlogs/vlog_cef_output.cef -t
NOTE:For the ArcSight smart connector folder follower scanner to process the *.cef files, we have to create a trigger file with the name *.cef_ready. The “-t” option is introduced to do this automatically when provided along with format type CEF. For other formats, an option will create the trigger file without any name. If needed, we can provide any custom extension as the argument to the “-t “option.
Log files once processed will be renamed as, vlog_cef_output<timestamp>.cef_processed