huksley
commented
7 years ago Hi Ralf. CEF format is really experimental as I don`t have access to ArcSight to validate format is correct.
If you will assist in testing, I can try to improve it.
Closed ralfbergs closed 7 years ago
huksley
commented
7 years ago Hi Ralf. CEF format is really experimental as I don`t have access to ArcSight to validate format is correct.
If you will assist in testing, I can try to improve it.
ralfbergs
commented
7 years ago Hi Ruslan. We do have ArcSight, but I'm currently not in a position to test. I just chose CEF because I'm pretty clueless about these formats, and thought the "most advanced" format is the best to choose.
In the future we need to send to one ArcSight connector, then I can revisit CEF.
huksley
commented
7 years ago Then I suggest you to use structured format. It should work fine with both arcsight and syslog and provide extended (fields) metadata about events.
If you will have ability to test CEF with ArcSite then I will be happy to fix CEF format.
ralfbergs
commented
7 years ago "Structured" is indeed what I'm using now, it's working fine. Thank you.
I created an output with protocol
tcpand message formatcef. No output was sent to the destination. When I changed to formatstructured, data was sent.This is about release 2.1.1 of the plugin.