Scalable Log Collection
Easy, scalable, audit-quality collection of all logs from all event-generating sources across the enterprise for real time and forensic analysis.
- Optimized log collection for 180+ sources plus support for custom and homegrown sources
- Secure and reliable audit-quality log collection
- Powerful log collection infrastructure for log management and SIEM
Organizations archive and analyze log data for a broad set of reasons ranging from security monitoring to IT operations and from regulatory compliance to fraud detection. A log collection infrastructure layer that simplifies and optimizes the aggregation of logs across a broad range of event sources and hundreds of locations is the foundation layer of log management and security information and event management (SIEM) platforms that support these uses.
The various devices, hosts and applications that generate logs span hundreds or even thousands of physical locations. A log collection infrastructure must therefore scale to meet the needs of large, distributed, heterogeneous networks while delivering secure and reliable audit-quality log collection, with traffic management controls and simplicity in deployment and ongoing administration.
ArcSight Connector technology addresses these core challenges around log collection through a powerful log aggregation and optimization interface layer that also represents the foundation for its broader log management and SIEM platform.
Breadth and Depth of Device Support
The ArcSight library of out-of-the-box SmartConnectors provides source-optimized collection for 180+ commercial products. These products span the entire stack of event-generating source types, from network and security devices up through databases and commonly used enterprise applications.
In addition, the ArcSight FlexConnector framework provides a wizard-driven interface to build collection logic and contextualize logs from legacy and homegrown sources, which are critical to use cases such as compliance, fraud and insider threat.
Audit Quality Log Collection
ArcSight Connectors offer an easily deployable and manageable localized collection option for remote offices which ensures end-to-end security and availability of log data. ArcSight Connectors offer local caching, which mitigates the impact of connectivity loss between remote offices and central log aggregation points; such a loss would otherwise drop critical event data that may be the missing link in an audit or investigation. ArcSight Connectors also support automated failover to a secondary ArcSight Logger or ArcSight ESM Manager in the event that the primary destination is unavailable.
Log Traffic Management
Remote offices such as retail stores often lack high-bandwidth WAN links to data centers. Additionally, any available bandwidth needs to be prioritized for business-critical transactional traffic. To address these challenges, ArcSight Connectors offer granular bandwidth controls, compression of logs in transit, and prioritization and batching of log data by time and severity.
Hardware or Software Deployment Options
ArcSight Connectors are available as a range of plug-and-play ArcSight Connector Appliances or as software-based deployments. ArcSight Connector Appliances can be easily deployed and remotely managed while providing a localized, agent-less collection option. For locations where no additional rack space is available but spare computing cycles exist on existing servers, ArcSight Connectors offer the flexibility of software-based deployment while still delivering strong centralized management capabilities.
Centralized Management of Log Collection Infrastructure
ArcSight Connectors minimize ongoing administrative overhead through support for universal or selective definition, alteration and roll-out of log collection parameters and configuration settings across all appliance- and software-based ArcSight Connectors, from a centralized web-based interface.
Distributed Processing
ArcSight Connectors are architected to offload from the ArcSight log management and SIEM platforms those central processing tasks that are just as efficiently executed at the point of collection. To this end, ArcSight Connectors can also perform a variety of functions, including:
- Collection of raw logs in conjunction with parsing of individual log events and mapping both their values and schema into a universal event taxonomy. This plays a significant role in enabling cross-device searches, reporting and correlation.
- Categorization or additional classification of events using a common, human-readable format, which saves the end user from having to be an expert in reading the output of myriad devices from multiple vendors. Categorization is then leveraged in ArcSight ESM and ArcSight Logger to create vendor- or source-independent metadata objects (filters, rules, reports and dashboards), which also avoids unnecessary content explosion.
- Optional filtering of data that is extraneous to analysis and is not required for retention by regulatory requirements or corporate policies, such as system health alerts.
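As an added illustration, not ArcSight's own code, the three collection-point functions just listed (parse and map to a common schema, categorize, filter extraneous health alerts) combined with the severity-based batching described under Log Traffic Management. The schema field names, category strings and sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines from two hypothetical sources (not real product output).
SAMPLE_LOGS = [
    "fw1 DENY src=10.0.0.5 dst=198.51.100.7 sev=high",
    "fw1 HEALTH cpu=42 sev=low",
    "auth: user=alice action=login result=failure sev=medium",
    "auth: user=bob action=login result=success sev=low",
]

# Hypothetical human-readable category taxonomy; not ArcSight's real categories.
CATEGORY = {
    ("fw", "DENY"): "/Firewall/Access/Deny",
    ("fw", "HEALTH"): "/Host/Health",
    ("auth", "failure"): "/Authentication/Login/Failure",
    ("auth", "success"): "/Authentication/Login/Success",
}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Map one raw line into the common schema; None if no parser matches."""
    fields = dict(KV.findall(line))
    if line.startswith("fw1 "):
        kind = line.split()[1]
        event = {"source": "fw", "src": fields.get("src"), "dst": fields.get("dst"),
                 "category": CATEGORY.get(("fw", kind))}
    elif line.startswith("auth: "):
        event = {"source": "auth", "user": fields.get("user"),
                 "category": CATEGORY.get(("auth", fields.get("result")))}
    else:
        return None
    event["severity"] = fields.get("sev", "unknown")
    event["raw"] = line  # raw log is retained alongside the parsed fields
    return event

def is_extraneous(event):
    """Drop events not needed for analysis or retention, e.g. host health alerts."""
    return event["category"] == "/Host/Health"

def process(lines):
    """Parse, categorize and filter at the collection point; batch by severity."""
    batches = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event and not is_extraneous(event):
            batches[event["severity"]].append(event)
    # Higher-severity batches are queued for forwarding first.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(batches.items(), key=lambda kv: order.get(kv[0], 9))
```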
ArcSight Platform Integration
As the end-device interfacing layer in the ArcSight platform, ArcSight Connectors provide a comprehensive, robust, scalable and easily manageable collection infrastructure that can be used across its log management and SIEM modules, ArcSight Logger and ArcSight ESM, respectively. This is a distinct advantage of the integrated ArcSight platform: it avoids deploying the multiple collection infrastructures that would be required if distinct vendor solutions were used for log management and SIEM. This benefit applies to both appliance- and software-based deployments of ArcSight Connectors.