How do we configure and import ArcSight CEF data in 4.6?

asked 31 Oct '14, 03:02

Aditya

Here are the steps to import ArcSight data in 4.6:

  1. Create a new data source with the device type as Arcsight (CEF). Please make sure that Arcsight (CEF) device type is present in the dropdown (registered).
  2. Give the filename and prefix as Arcsight. For Arcsight CEF data imports, the application goes against the Device Product field in the CEF feed.
  3. Navigate to Step-2 (Select Events to Import). Expand the More Settings tab and set the 'Use CEF Parser?' option to yes. Specify the CEF properties filename (i.e. ''; make sure the file is present under the '$SECURONIX_HOME/conf/' folder).
  4. Click on Save and Next. Create the necessary correlation rules.
  5. Before firing the import, make sure that there is a folder named 'data' under '$SECURONIX_HOME/agent/'. If this folder is not present, create this folder under the agent directory.

These are the steps to configure and import Arcsight data in Profiler 4.6.


answered 31 Oct '14, 03:10

Aditya
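The answer above says the import keys on the Device Product field of the CEF feed. As an added example (not part of the original answer and not Securonix code), this Python script parses CEF headers, including the `\|` and `\\` header escapes, and tallies the Device Product values in a feed so they can be checked before the data source is configured. The function names and the sample lines are constructed for illustration.

```python
from collections import Counter
# CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
FIELDS = ("version", "device_vendor", "device_product", "device_version",
          "event_class_id", "name", "severity")

def parse_cef(line):
    """Return the seven header fields plus the raw extension, or None if not valid CEF."""
    start = line.find("CEF:")            # a syslog prefix may precede the record
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            i += 1                       # header escapes \| and \\: keep the literal
            cur.append(body[i])
        elif ch == "|":                  # unescaped pipe ends the current field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == len(FIELDS) - 1:   # no extension: severity runs to end of line
        fields.append("".join(cur).strip())
    if len(fields) != len(FIELDS):       # truncated header
        return None
    return dict(zip(FIELDS, fields), extension=body[i:].strip())

def device_product_summary(lines):
    """Count Device Product values; collect 1-based numbers of unparseable lines."""
    counts, rejected = Counter(), []
    for n, line in enumerate(lines, 1):
        rec = parse_cef(line)
        if rec is None:
            rejected.append(n)
        else:
            counts[rec["device_product"]] += 1
    return counts, rejected

SAMPLE = [  # constructed lines, not taken from a real feed
    r"Oct 31 03:02:11 host1 CEF:0|ArcSight|ArcSight|7.0|agent:030|Agent started|3|src=10.0.0.5 msg=ok",
    r"CEF:0|ExampleCo|Web\|Proxy|1.2|100|Blocked request|7|src=10.0.0.9",
    r"CEF:0|ExampleCo|Firewall|2.0|200|Deny|5",
    r"plain syslog line without a CEF record",
    r"CEF:0|ExampleCo|Truncated|1.0",
]

if __name__ == "__main__":
    print(device_product_summary(SAMPLE))
```

Rejected line numbers point at records with no CEF marker or a truncated header; a product name containing an escaped pipe is returned with the literal `|` restored.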

In these, the second step is optional.


answered 03 Nov '14, 00:31

Praful ♦♦

Asked: 31 Oct '14, 03:02

Seen: 1,350 times

Last updated: 03 Nov '14, 00:31