Receivers

Logger can receive text events, either sent through the network or read from a file. From the Receivers page, you can set up and configure the receivers that will capture event data, and populate each event with information about its origin. Some receivers capture streaming events transmitted over the network by devices, applications, services, and so on. Other types of receivers monitor individual files for events or monitor files selected from a directory tree, based on a pattern you specify. Since receivers can only receive events of a single source type, you should set up separate receivers for each type of log file.

To start receiving events, direct your event sources to the default receivers. For more information about the default receivers, refer to the Logger Installation guide.

Receiver types include UDP, TCP, SmartMessage, and three types of file based receivers, File Transfer, File Receiver, and Folder Follower Receiver.

Before the receiver can receive data, the port it is listening on must be opened through the firewall. For more information, see Firewall Rules.

You can configure the following types of receivers:

UDP Receiver: UDP receivers listen for User Datagram Protocol messages on the port you specify. Logger comes pre-configured with a UDP Receiver on port 514 or 8514, enabled by default. For Software Loggers, this port may vary based on the port numbers available at installation time.

CEF UDP Receiver: UDP receivers that receive events in Common Event Format.

TCP Receiver: TCP receivers listen for Transmission Control Protocol messages on the port you specify. Logger comes pre-configured with a TCP receiver on port 515 or 8515, enabled by default. For Software Loggers, this port may vary based on the port numbers available at installation time.

CEF TCP Receiver: TCP receivers that receive events in Common Event Format.

Transformation Hub Receiver: Transformation Hub receivers are consumers for the Transformation Hub's publish-subscribe messaging system. They subscribe to event topics and receive events in Common Event Format (CEF) from Transformation Hub.

File Receiver: Depending on the type of Logger, file receivers read log files from a local file system, Network File System (NFS), or Common Internet File System (CIFS). File receivers read single or multi-line log files. They provide a snapshot of a log file at a single point in time.

Folder Follower Receiver: Folder follower receivers actively read the log files in a specified directory as they are updated. If the source directory contains different types of log files, you can create a receiver for each type of file that you want to monitor. Logger comes pre-configured with folder follower receivers for Logger’s Apache Access Error Log, the system Messages Log, and Audit Log (when auditing is enabled). You must enable these receivers in order to use them.

File Transfer: File Transfer receivers read remote log files using SCP, SFTP, or FTP protocol. These receivers can read single- or multi-line log files. You can schedule the receiver to read a file or batch of files periodically.

Note: Be aware of the following when setting up file transfer receivers.

The SCP, SFTP, and FTP file transfer receivers depend on the FTP (File Transfer Protocol) SCP (Secure Copy Protocol) and SFTP (SSH file transfer protocol) clients installed on your system. Ensure that the appropriate client is installed on the system before you create the receiver.
The SCP and SFTP protocols on Logger Appliances are not FIPS compliant.

SmartMessage Receiver: SmartMessage receivers listen for encrypted messages from ArcSight SmartConnectors. Logger comes pre-configured with a SmartMessage receiver with the name “SmartMessage Receiver.” To use this receiver to receive events from a SmartConnector, set the Receiver Name to be “SmartMessage Receiver” when configuring the SmartConnector’s destination. For more information on SmartConnectors, see Using SmartConnectors to Collect Events.