Identifying ArcMC deployment scenario
ArcSight Management Center can be deployed wherever Connectors are needed.
You can choose any one of the following deployment scenarios:
ArcSight Logger
Logger receives events from devices and sends them to Connectors, but lacks the depth of Connector management found in ESM.
- A Logger-only deployment benefits from ArcSight Management Center in many ways. Management Center provides most, but not all, of ESM’s management functions (for example, it does not contain the filter designer). ArcSight Management Center also offers features that ESM does not, such as bulk operations (enabling control of many Connectors at one time).
- ArcSight Management Center can also configure Connectors with failover destinations, providing central failover control when redundant Loggers are deployed. All or some Connectors can be configured to send events to a second Logger or to an event file if communication with the primary destination fails.
For more information about Logger, see ArcSight Logger SmartMessage Pool (encrypted).
ArcSight ESM
Deploying ArcSight Management Center in an ESM environment centralizes connector upgrade, log management, and other configuration issues.
ESM and Logger
Management Center centralizes control when events are sent to ESM and Logger simultaneously. In one scenario, all events are sent to Logger while only high-value events are sent to ESM (for further analysis, for example). In another scenario, all events are sent to both, but Logger implements a longer retention policy.
Although each connector has specific destination parameters, Management Center allows “bulk” management of connectors, eliminating the need to manually access each remote connector host to add or change destinations.
For more information about Management Center, see the ArcSight Management Center Administrator’s Guide.