Configuring Audit Forwarding

To configure audit forwarding, you must install a single syslog connector in an ArcSight Management Center container. (The connector may be the only connector in the container.) The procedure for configuring audit forwarding differs for Software ArcSight Management Center and ArcSight Management Center Appliance.

If ArcSight Management Center has been installed by a root user, the syslog connector must also be configured under the root user.

If the installation was by a non-root user, the syslog connector must be configured under the non-root user.

If loopback (127.0.0.1) is selected for the host IP address, the protocol on the syslog audit connector must be set to RAW TCP.

For Software ArcSight Management Center

To configure audit forwarding for Software ArcSight Management Center:

  1. Install the local Syslog Daemon connector to /opt/arcsight/connector.

  2. Configure audit forwarding for the container that has the Syslog Daemon connector. Refer to Configuring Audit Forwarding to a Specific Destination.

  3. Click System Admin from the menu bar. In the navigation tree, select the newly-installed syslog connector and enable audit forwarding.

For ArcSight Management Center Appliance

To configure audit forwarding for ArcSight Management Center Appliance:

  1. In the menu bar, click Node Management.

  2. In the navigation tree, select the default location. Then, in the management panel, select the local host.

  3. Select the container in which to install the syslog connector.

  4. Click Add Connector and select syslog as the connector to be installed.

  5. Configure audit forwarding for the container that has the Syslog Daemon connector. Refer to Configuring Audit Forwarding to a Specific Destination.

  6. Click System Admin from the menu bar. In the navigation tree, select the newly-installed syslog connector and enable audit forwarding.