
OpenText ArcSight is a SIEM and log management ecosystem. Tenzir integrates with ArcSight through open interfaces such as CEF, Syslog, Kafka, and the ArcSight Logger REST API.

[Diagram: Tenzir exchanges events with ArcSight over Syslog + CEF on TCP/UDP, over Kafka with Transformation Hub (the Kafka-based event hub), and over HTTPS with the Logger REST API of ArcSight Security Log Management.]

ArcSight products also have proprietary interfaces, including SmartMessage and the ESM binary event transport. Tenzir does not provide dedicated operators for those protocols, so connect ArcSight and Tenzir through CEF over Syslog, CEF over Kafka, or the Logger REST search service instead.

Use the interface that matches where ArcSight sits in your deployment:

Goal: Send events to Logger or a CEF Syslog SmartConnector
  ArcSight interface: CEF or Syslog receiver over TCP
  Tenzir operators and functions: print_cef, write_syslog, to_tcp

Goal: Send CEF datagrams to Logger
  ArcSight interface: CEF UDP receiver
  Tenzir operators and functions: print_cef, to_udp

Goal: Publish events to Transformation Hub
  ArcSight interface: Kafka topic th-cef
  Tenzir operators and functions: print_cef, to_kafka

Goal: Receive forwarded ArcSight events
  ArcSight interface: CEF or Syslog over TCP or UDP
  Tenzir operators and functions: accept_tcp, accept_udp, read_cef, read_syslog, parse_cef

Goal: Read from Transformation Hub
  ArcSight interface: Kafka topic th-cef
  Tenzir operators and functions: from_kafka, parse_cef

Goal: Query stored Logger events
  ArcSight interface: Logger REST search service
  Tenzir operators and functions: from_http

See the ArcSight documentation for Logger receivers, SmartConnector destinations, CEF, Transformation Hub Kafka topics, Logger forwarding, and Logger REST search.

ArcSight Logger can receive events through receivers such as CEF TCP, CEF UDP, and SmartMessage. If you want ArcSight to parse Tenzir events as CEF, format each event with print_cef first.

For a TCP receiver, wrap the CEF payload in Syslog and connect to the Logger or SmartConnector endpoint:

subscribe "detections"
// Render the event as a CEF line. The CEF severity (0-10) is derived from the
// event's own severity field here, before that field is reused for syslog below.
cef = this.print_cef(
  cef_version="0",
  device_vendor="Tenzir",
  device_product="Tenzir",
  device_version="6",
  signature_id=event_type? else "tenzir.event",
  name=event_name? else "Tenzir event",
  severity=string(severity? else 5),
)
// Header fields consumed by write_syslog; the CEF line becomes the syslog message body.
message = cef
facility = 4
severity = 6
hostname = "tenzir-node"
app_name = "tenzir"
to_tcp "arcsight-logger.example.com:515" {
  write_syslog
}

Replace arcsight-logger.example.com:515 with the host and port of your Logger receiver or SmartConnector destination. Use TLS options on to_tcp if the receiver expects TLS.

If you configured a CEF UDP receiver, send one CEF message per datagram:

subscribe "detections"
cef = this.print_cef(
  cef_version="0",
  device_vendor="Tenzir",
  device_product="Tenzir",
  device_version="6",
  signature_id=event_type? else "tenzir.event",
  name=event_name? else "Tenzir event",
  severity=string(severity? else 5),
)
// No syslog header: the raw CEF line is the whole datagram.
to_udp "arcsight-logger.example.com:514", message=cef

Prefer TCP when you need delivery feedback, connection-level TLS, or receiver backpressure. UDP gives you none of these: datagrams are dropped silently under load, and a long CEF message that exceeds the path MTU is fragmented or lost. Use UDP only when your ArcSight receiver is explicitly configured for CEF datagrams.

ArcSight Transformation Hub is Kafka-based. SmartConnectors use the th-cef topic for CEF events, so Tenzir can publish CEF messages with to_kafka:

// librdkafka settings; the CA file pins the Transformation Hub broker certificates.
let $options = {
  "bootstrap.servers": "kafka1.example.com:9093,kafka2.example.com:9093",
  "security.protocol": "ssl",
  "ssl.ca.location": "/etc/tenzir/arcsight-th-ca.pem",
}
subscribe "detections"
cef = this.print_cef(
  cef_version="0",
  device_vendor="Tenzir",
  device_product="Tenzir",
  device_version="6",
  signature_id=event_type? else "tenzir.event",
  name=event_name? else "Tenzir event",
  severity=string(severity? else 5),
)
// One CEF line per Kafka message, on the topic SmartConnectors use for CEF.
to_kafka "th-cef", message=cef, options=$options

Adapt the options record to match the Kafka settings of your Transformation Hub deployment. The Kafka operators pass these options to librdkafka.

Use Tenzir as a CEF or Syslog receiver when a SmartConnector, Logger forwarder, or another ArcSight component sends events to a network destination.

For raw CEF over TCP, listen with accept_tcp and parse the byte stream with read_cef:

accept_tcp "0.0.0.0:1514" {
  read_cef
}
publish "arcsight"

For Syslog-wrapped CEF over TCP, parse Syslog first, then parse the CEF payload from the Syslog message body:

accept_tcp "0.0.0.0:514" {
  read_syslog
}
// read_syslog exposes the payload as `message` for RFC 5424 and as `content` for RFC 3164.
cef_message = message? else content?
this = cef_message.parse_cef()
publish "arcsight"

For UDP forwarding, receive one datagram per event. The following example expects raw CEF datagrams:

accept_udp "0.0.0.0:1514"
this = data.parse_cef()
publish "arcsight"
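The Python script below is an added example, not part of the Tenzir documentation or the Tenzir code base. It implements the CEF escaping rules (ArcSight CEF implementation standard: backslash and pipe escaped in header fields; backslash, equals sign, CR and LF escaped in extension values) and RFC 5424 framing, which is what print_cef and write_syslog put on the wire in the sending pipelines above and what read_syslog and parse_cef undo in the receiving pipelines. The sample detection, the host name, the timestamp and the mapping of event fields to CEF keys (src, dst, cs1Label/cs1) are constructed for this example; the sample deliberately contains a pipe in the event name and an equals sign in an extension value so that the escaping is exercised.

```python
# Added example: CEF escaping plus RFC 5424 framing, the wire format behind
# print_cef / write_syslog (sending) and read_syslog / parse_cef (receiving).
import re

# CEF header fields escape '\' and '|'; extension values escape '\', '=', CR and LF.
_HDR_UNESCAPE = {"|": "|", "\\": "\\"}
_EXT_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
_HDR_NAMES = ("cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)

def _escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _escape_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def _unescape(text, table):
    # Backslash plus one char is one token, so "\\|" is an escaped backslash and a real pipe.
    return re.sub(r"\\(.)", lambda m: table.get(m[1], m[0]), text, flags=re.S)

def _unescaped_positions(text, char):
    """Offsets of `char` that are not part of an escape sequence."""
    return [m.start() for m in re.finditer(r"\\.|" + re.escape(char), text, re.S) if m[0] == char]

def format_cef(vendor, product, version, signature_id, name, severity, extension=None):
    """Render one CEF:0 line; `extension` maps CEF keys to values (insertion order kept)."""
    header = "|".join(_escape_header(v) for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in (extension or {}).items())
    return f"CEF:0|{header}|{ext}"

def _parse_extension(ext):
    """A key is the non-space run before an unescaped '='; its value runs to the next key."""
    eqs = _unescaped_positions(ext, "=")
    starts = [ext.rfind(" ", 0, eq) + 1 for eq in eqs]
    fields = {}
    for n, (ks, eq) in enumerate(zip(starts, eqs)):
        end = starts[n + 1] - 1 if n + 1 < len(eqs) else len(ext)
        fields[ext[ks:eq]] = _unescape(ext[eq + 1:end], _EXT_UNESCAPE)
    return fields

def parse_cef(line):
    """Inverse of format_cef; the step a raw CEF datagram or Kafka message needs on its own."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    # Split only on the first seven unescaped pipes; pipes inside the extension stay put.
    bounds = [3] + _unescaped_positions(line, "|")[:7] + [len(line)]
    parts = [line[a + 1:b] for a, b in zip(bounds, bounds[1:])]
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 fields before the extension")
    event = {k: _unescape(v, _HDR_UNESCAPE) for k, v in zip(_HDR_NAMES, parts)}
    event["extension"] = _parse_extension(parts[7])
    return event

def wrap_syslog(message, facility=4, severity=6, hostname="tenzir-node",
                app_name="tenzir", timestamp="2024-05-01T12:00:00Z"):
    """Frame as write_syslog does: PRI = facility * 8 + severity, '-' for absent fields."""
    return f"<{facility * 8 + severity}>1 {timestamp} {hostname} {app_name} - - - {message}"

def parse_syslog(line):
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "hostname": m["host"],
            "app_name": m["app"], "message": m["msg"] or ""}

# Constructed sample detection; the name and rule deliberately contain '|' and '='.
DETECTION = {
    "event_type": "tenzir.suricata.alert",
    "event_name": "ET MALWARE C2 beacon | possible Cobalt Strike",
    "severity": 8,
    "src_ip": "10.20.30.40",
    "dst_ip": "203.0.113.7",
    "rule": 'alert http any any -> any any (msg:"C2"; content:"a=b"; sid:1;)',
}

def send_side(event):
    """Mirror the TQL defaults: event_type, event_name and severity with fallbacks."""
    cef = format_cef("Tenzir", "Tenzir", "6", event.get("event_type", "tenzir.event"),
                     event.get("event_name", "Tenzir event"), str(event.get("severity", 5)),
                     {"src": event["src_ip"], "dst": event["dst_ip"],
                      "cs1Label": "rule", "cs1": event["rule"]})
    return wrap_syslog(cef)

def roundtrip(event=DETECTION):
    """What a read_syslog + parse_cef receiver recovers from the line send_side emits."""
    return parse_cef(parse_syslog(send_side(event))["message"])

if __name__ == "__main__":
    print(send_side(DETECTION))
    print(roundtrip())
```

Running the script prints the syslog line a Logger TCP receiver sees (PRI 38 for facility 4, severity 6) followed by the parsed event. parse_cef alone corresponds to the raw-datagram and Kafka paths, where no syslog header has to be stripped first. The syslog parser accepts RFC 5424 only; a forwarder that emits RFC 3164 needs a different header pattern, which is why the TQL receiver falls back from `message` to `content`.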

Consume CEF messages from the th-cef topic with from_kafka and parse each Kafka message with parse_cef:

let $options = {
  "bootstrap.servers": "kafka1.example.com:9093,kafka2.example.com:9093",
  "security.protocol": "ssl",
  "ssl.ca.location": "/etc/tenzir/arcsight-th-ca.pem",
}
from_kafka "th-cef", options=$options
this = message.parse_cef()
publish "arcsight"

ArcSight can also use an Avro topic for normalized events. Tenzir does not have a first-class ArcSight Avro parser, so use th-cef when you want to process Transformation Hub events with built-in Tenzir operators.

ArcSight Logger exposes a REST search service for stored events. The API is session-oriented: log in, create a search session, fetch results, close the search session, and log out. Use this path for scheduled backfill or targeted queries, not for live forwarding.

After you have a Logger user session and search session, use from_http to fetch events:

let $logger = "https://logger.example.com:9000"
let $user_session = secret("ARCSIGHT_LOGGER_SESSION")
let $search_session = secret("ARCSIGHT_LOGGER_SEARCH_SESSION")
let $headers = {
  "Content-Type": "application/json; charset=UTF-8",
}
let $body = {
  user_session_id: $user_session,
  search_session_id: $search_session,
  fields: [
    "deviceEventClassId",
    "deviceVendor",
    "deviceReceiptTime",
    "sourceAddress",
    "destinationAddress",
  ],
}
from_http f"{$logger}/server/search/events", headers=$headers, body=$body {
  read_json
}

The response includes the Logger result metadata and event rows for the selected fields. Shape the returned fields in TQL after you select the fields in the Logger search query.
