Hi Community,
I hope you all are doing well!
I just need to double check with you that the ESM can't consume from the th-cef topic of the THUB; however, it can receive logs in CEF format directly from connectors?
Any explanation?
Ali Maher
Hello Ali,
ESM never receives events in CEF format, only in binary. ArcSight Logger as a destination receives events in CEF format.
That's why on TH you can see that there is a th-cef topic for CEF consumers, th-binary_esm for ESM as a consumer, and so on...
ESM can also consume events in Avro format - you just need to configure ESM to consume events from one of the Avro topics (th-arcsight-avro).
By the way, there is an automatic process in TH that converts CEF to Avro format: th-c2av-processor-x, so whatever the th-cef topic receives, it will be converted and "stored" in the th-arcsight-avro topic.
Hope this helps
Mladen
Ok thanks for your detailed reply!
This automatic process (CEF to Avro conversion) doesn't need a CEF2AVRO route to be built on the ArcMC managing the TH?
Once the TH receives events in CEF format, will it convert them to Avro format by itself?
Ali Maher