Sending Argus Data to ArcSight

John Kennedy wilson.amajohn at gmail.com
Mon Jan 14 11:50:04 EST 2013


The type of data I am sending to ArcSight is network flow data.  What I am
trying to do with that information in ArcSight is identify rogue servers
that could potentially be storing or transmitting regulated data not under
my purview. I am still researching ways to identify these types of systems.

The installation of the SmartConnector on the Argus host was not too
difficult. Upon installation, the SmartConnector asks for a path to ra and
a path to an ra.conf file.  I renamed the rarc file to ra.conf and made
the recommended changes to the timestamp in the conf file.  Once the
connector was started, I saw data immediately.


John

On Sun, Nov 25, 2012 at 3:20 PM, Dave Edelman <dedelman at iname.com> wrote:

> John,
>
> I have quite a bit of data that I collect and process using Argus and the
> clients and some of that ends up in CEF format for ingestion by ArcSight. I
> don’t have any SmartConnectors that deal directly with Argus data.
>
> It would be helpful to have a few more details about the type of data you
> would be sending to ArcSight and even more important than that, how you
> would be using the data. SIEM products frequently end up being
> repositories for huge amounts of data and minuscule amounts of information
> if they don’t have adult supervision.
>
> --Dave
>
> *From:* argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> *On Behalf Of* John Kennedy
> *Sent:* Wednesday, November 21, 2012 2:14 PM
> *To:* Argus
> *Subject:* [ARGUS] Sending Argus Data to ArcSight
>
> All,
>
> Does anyone have any experience setting up an ArcSight SmartConnector for
> Argus?  I am curious how it is working out in your environment as well as
> if there is any impact to ArcSight.
>
> Thanks
>
> John
>