Release Notes

ArcSight SmartConnector
Release 4.7.4.5335
July 10, 2009

ArcSight Confidential

Release Notes
ArcSight SmartConnector
Release 4.7.4.5335
July 10, 2009
Copyright 2009 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight
Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern
Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight,
Inc. All other brands, products and company names used herein may be trademarks of their respective owners.
Follow this link to see a complete statement of ArcSight's copyrights, trademarks and acknowledgements:
http://www.arcsight.com/company/copyright/ .
This document is ArcSight Confidential.

SmartConnector Release 4.7.4.5335 Release Notes

Page ii

ArcSight Confidential

Contents
SmartConnector Release 4.7.4.5335 ...............................................................................................1
Important Note for Versions of ArcSight Manager Prior to 3.5 SP3..................................................1
To Apply This Release..............................................................................................................1
New Connectors ...........................................................................................................................1
Connectors with New Device Versions Supported ..............................................................................1
SmartConnector Enhancements......................................................................................................2
Connector End-of-Life Notices ........................................................................................................2
Issues Closed ..............................................................................................................................3
Available Beta Support..................................................................................................................4
Beta SmartConnectors.............................................................................................................4
Scanner FlexConnectors...........................................................................................................5
Known Issues or Limitations ..........................................................................................................5
New and Updated SmartConnector Documentation............................................................................7

SmartConnector Release 4.7.4.5335 Release Notes

Page iii

SmartConnector Release 4.7.4.5335

These notes describe how to apply this latest release of ArcSight's SmartConnectors, as well as providing other
information about recent changes and open and closed issues.

Important Note for Versions of ArcSight Manager Prior to 3.5 SP3

Do not install this new SmartConnector release until you complete these steps.
As announced previously, for easy reference, SmartConnector versioning now reflects the timing of each release. If
you are running versions of ArcSight ESM Manager prior to version 3.5 SP3, make the following modifications
to ensure that zones and categorizations match up and install properly. Modify these properties in the
config/server.properties file in your ArcSight ESM Manager version 3.5 pre-SP3 installation:
zone-mapping.aup.agent.version.max=9.9.9.9999.7
console-category.aup.agent.version.max=9.9.9.9999.7
Restart the ArcSight Manager for this change to take effect.
If you will be upgrading your ArcSight ESM Manager in the near future, by waiting until that time to install this
SmartConnector release, you can avoid an additional ArcSight ESM Manager restart.

To Apply This Release

Download the appropriate executable for your platform as well as the zipped file of SmartConnector Configuration
Guides for the release. For a successful SmartConnector installation, follow the installation procedures documented
in the individual SmartConnector Configuration Guides.
To ensure the most current configuration guides are available with each SmartConnector release, they are offered in
a separate downloadable file from the ArcSight Customer Support site rather than as part of the SmartConnector
installation process. Create a folder for the documentation (such as c:\ArcSight\Docs) and unzip the file there. Then
double-click index.html to access the individual configuration guides.
To keep support information current, each SmartConnector Configuration Guide contains a link to a separate
document entitled "SmartConnector Product and Platform Support." You also can access this document from the
index.html or SmartConnectorReadMe.htm file downloaded with the documentation.

New Connectors
SmartConnector for

Device Version Supported

Solaris Basic Security Module Syslog

10

Connectors with New Device Versions Supported

SmartConnector for

Device Version Supported

Check Point FW-1/VPN-1 OPSEC NG

R70

Juniper NetScreen IDP Syslog

4.1 5.0

McAfee FoundScan DB

6.7

McAfee IntruShield Manager Syslog

5.1

Qualys Vulnerability Scanner

6.5.118-1

SmartConnector Release 4.7.4.5335 Release Notes

Page 1

ArcSight Confidential

Connectors with New Product Support

SmartConnector for

New Product Supported

McAfee ePolicy Orchestrator DB

Rogue System Detection v2.0 with ePO 4.0

Rogue System Detection v1.0 with ePO 3.6

SmartConnector Enhancements
In each SmartConnector release, updates and enhancements are made to the field mappings for individual
SmartConnectors. If you use any of the SmartConnectors listed in the "Issues Closed" section of these release
notes, be aware that installing the updated SmartConnector can impact your created content.
ArcSight advises you to verify your content before deploying the SmartConnector into your production
environment.
FIPS Compliance
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce
approves standards and guidelines that are developed by the National Institute of Standards and Technology
(NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal
Information Processing Standards (FIPS) for government-wide use.
ArcSight has added support for SmartConnector installation in FIPS-compliant mode. See the connectors under
New and Updated SmartConnector Documentation for a list of connectors with this new support.
McAfee ePolicy Orchestrator DB
Added support for HIPS, Rogue System Detection, and MA events. See the SmartConnector Configuration
Guide for specific products and versions now supported.
Microsoft DHCP File
Added support for processing of multiple log files.
Symantec Endpoint Protection DB
Added support for Network Access Control events.

Connector End-of-Life Notices

Symantec Endpoint Protection Syslog Support ending 12/31/2009
Currently, ArcSight supports Symantec Endpoint Protection through two integration pointsSyslog and
Microsoft SQL Server Database. While a syslog-based connector generally provides benefits such as ease of
use, it has been discovered over time that the Symantec Endpoint Protection syslog does not offer the level of
normalization necessary for effectively building and maintaining a connector.
Symantec Endpoint Protection integrates multiple endpoint security components into one integrated solution.
For every component (AntiVirus, Spyware, Network Threat Protection, and so on) there could be many different
event types , necessitating the development of sub-message patterns for each of the event types. The Microsoft
SQL database, on the other hand, allows one query to be built for each component, making a database
connector a much more viable and scalable integration solution.
Given its technical limitation, we have decided to phase out support for Symantec Endpoint Protection event
collections via syslog. Although we will continue to invest in and enhance the database connector, our current
plan is to discontinue support for the syslog-based Symantec Endpoint Protection connector by December 31,
2009. ArcSight strongly encourages customers who are currently using this syslog connector to migrate to the
Symantec Endpoint Protection DB connector in the next few months. In the meantime, any parsing issues with
the syslog connector will be handled on a case-by-case basis.

SmartConnector Release 4.7.4.5335 Release Notes

Page 2

ArcSight Confidential

Check Point Firewall-1 4.1 OPSEC

This connector has reached end of life and has been removed from SmartConnector builds.
Cisco PIX/ASA/FWSM Syslog
Support for version 5.x has been removed.

Issues Closed
SmartConnector for

Number

Description

All SmartConnectors

58006

Entries in the name resolver cache normally are refreshed after the
Time To Live (TTL), but if that refresh is substantially delayed, the
normal algorithm disregards the cached value after double the TTL.
There is a new property (name.resolver.cache.no.ttl) that can be set
in agent.properties. When this property is set to true, the name
resolver cache entries will continue to be used indefinitely.

All SmartConnectors

56959

Previously, aggregation could cause memory issues and a null pointer

exception. This problem has been fixed.

Blue Coat Proxy SG File

55963

When s-ip was populated with an IP address (s-ip can contain an IP or

a web URL) and the connector did the resolution, a device was created
for what was a target host. This resulted in a device being created for
every website or host accessed through the Blue Coat proxy, causing
issues with managers and databases. This problem has been fixed.

56915

Previous problems with URL and URI field resolution have been fixed.

Check Point FW-1/VPN-1

OPSEC NG

29167

Updated severity mappings for the Check Point AD connector. See the
SmartConnector for Check Point FW-1/VPN-1 OPSEC NG
Configuration Guide for detailed mapping information.

Cisco Secure ACS

56813

The ESM Manager previously threw an exception due to a long

additional data name sent from the connector. The connector has been
modified to fix this problem.

Fortinet FortiGate Syslog

57333

An exception was thrown when a comma appeared where only integers

were expected. The parser has been updated to fix this problem.

Rapid7 NeXpose XML File

45363

The connector no longer creates assets with blank Host Name fields.

IBM Lotus Domino DB

51709

The parser has been updated to fix problems that previously caused a
fatal exception at connector startup.

McAfee ePolicy
Orchestrator DB
McAfee HIPS DB
McAfee HIPS Multiple DB

57190

When running connectors for both McAfee ePO DB and McAfee HIPS
DB that pull events from the same database, some event duplication
previously occurred. The McAfee HIPS DB connectors no longer
collect anti-virus events. The McAfee ePolicy Orchestrator DB
connector now collects HIPS events. See the SmartConnector
Configuration Guides for more information.

MessageGate Syslog

56767

Previously, the connector set the Device Receipt Time year to 1970 for
MessageGate events without a date | time. This problem has been
fixed.

Microsoft Windows Event

Log Unified

53335

SID translation for security events 538, 540, and 576 previously did not
occur. This problem has been fixed.

54480

Previously, SID translation failed when the SID contained double

hyphens. This problem has been fixed.

SmartConnector Release 4.7.4.5335 Release Notes

Page 3

ArcSight Confidential

SmartConnector for

Number

Description

Microsoft Windows Event

Log Unified

56002

The connector now continues to map correctly, even when the 'Reason'
field is missing from the raw event for security event 529.

56254

Workstation Name and Source Address fields are now mapped

correctly for security event 537 events.

57249

Mapping problems for security event 565 have been fixed.

57157

Implemented SID re-translation and multi-threaded SID translation.

NIKSUN NetDetector
Syslog

56811

The parser has been updated to accommodate previously unparsed

events.

Oracle Audit DB

58319

The connector was not verifying connection with all configured

databases during connector configuration. This problem has been
fixed.

58363

Previously, when the connector was configured to connect to multiple

databases, it connected only to the last configured database. This
problem has been fixed.

57004

The following mappings have been updated:

Symantec Endpoint
Protection DB

Allowed or Blocked is mapped to Device Action

HOST_NAME is mapped to Device Custom String 2
LOCATION_NAME is mapped to Device Custom String 5.

Symantec Endpoint
Protection Syslog

57393

A parser problem discovered with Security Risk Found (Heuristic Scan)

events has been fixed.

Tenable Nessus File

50148

The parser has been modified to parse multiple OS occurrences.

Available Beta Support

For the enhancements or fixes for SmartConnectors listed in this section, formal release after testing and
documenting will be available in a future SmartConnector release. It is up to your discretion whether to update your
installed connectors with this build. Contact ArcSight Customer Support for more information if you are interested in
any of these items.
Localization for Microsoft Windows Event Log Unified Connector
Beta support has been added for the localization of security events for the Simplified and Traditional Chinese,
French, and Japanese languages.
FlexConnector for Multiple Database Instances
Beta support is provided to correct a problem in which, for the multiple database connector, events from a
database table that uses negative BIGINT IDs were not collected, or events from a database table that uses
positive BIGINT IDs were collected repeatedly.
Red Hat Enterprise Linux 5.3 (RHEL 5) AS 64-bit JVM
Beta support for this platform is available.
nCircle Scanner XML3 File
Beta support for device version 6.8.

Beta SmartConnectors
SmartConnector for Lancope SMC Web Services
This SmartConnector obtains flows, probes, and host snapshots from Lancope StealthWatch Management
Console (SMC) and can, optionally, generate ArcSight events. Lancope SMC version 5.8 is supported.
SmartConnector Release 4.7.4.5335 Release Notes

Page 4

ArcSight Confidential

Scanner FlexConnectors
ArcSight FlexConnector Developer's Guide for complete information on Scanner FlexConnector beta support for
the following:

ArcSight FlexConnector for Scanner DB

ArcSight FlexConnector for Scanner Text Reports
ArcSight FlexConnector for Scanner XML Reports

Known Issues or Limitations

ArcSight FlexConnector CounterACT
When "ArcSight FlexConnector CounterACT" is selected for installation, a popup window asks whether you
want to use the configuration wizard to define the CounterACT commands. Answering "Yes" causes an error
that shuts down connector installation. Select "No" for successful installation of the FlexConnector. When "No"
is selected, the installation sequence asks for the CounterACT properties file name, which should have already
been authored manually. This problem will be fixed in a future SmartConnector release.
ArcSight Threat Response Manager CounterACT
If you install the CounterACT connector on a system running Java JRE 1.6, perform these steps on that system
after installation is complete:
In the following procedure, ARCSIGHT_HOME is the directory where the CounterACT connector software is
installed.
On Linux or Unix:
1.

In the ARCSIGHT_HOME/jre6/lib directory, create a sub-directory called endorsed with read, write, and
execute permissions.

2.

Copy the ARCSIGHT_HOME/lib/agent/saaj.jar file to the sub-directory called endorsed, which you
created in step 1.

On Windows:
1.

In the ARCSIGHT_HOME\jre6\lib directory, create a sub-directory called endorsed with read, write, and
execute permissions.

2.

Copy the ARCSIGHT_HOME\lib\agent\saaj.jar file to the sub-directory called endorsed, which you
created in step 1.

Aruba Mobility Controller Syslog

Due to Aruba product limitations, the Aruba Networks Mobility Controller syslog messages can only be
processed by the syslog daemon connector, not by the syslog pipe or syslog file connector. The
SmartConnector processes the security events only.
Cisco CiscoWorks
The ArcSight SmartConnector for CiscoWorks Syslog supports a limited set of syslog messages originating
from a specific CiscoWorks component. Full CiscoWorks syslog support will be certified in an upcoming
SmartConnector release.
Cisco NetFlow File
The connector currently listens to all traffic on the specified port rather than by individual IP address. This issue
is being addressed and will be fixed in a future SmartConnector release.
DB SmartConnectors on Windows Server 2003 R2 Enterprise x64 that use ODBC System DSN
We have found that the JDBC/ODBC bridge driver "sun.jdbc.odbc.JdbcOdbcDriver" does not work with the
ODBC System data sources created using Control Panel -> Administrative Tools -> Data Sources (ODBC)
on the Windows Server 2003 R2 64-bit platform. To use this driver, create ODBC System data sources using
the executable at c:\Windows\SysWOW64\odbcad32.exe. This opens up the same type of graphical user
interface as the Control Panel -> Administrative Tools -> Data Sources (ODBC), but it creates the Data
sources using the 32-bit drivers.

SmartConnector Release 4.7.4.5335 Release Notes

Page 5

ArcSight Confidential

IBM Lotus Domino DB

ArcSight has identified a potential problem with the IBM Domino ODBC driver that can cause data duplication
when using ArcSights SmartConnector for IBM Lotus Domino DB. We have been able to reproduce a customer
issue in which the Domino connector can inadvertently send duplicate data to the ArcSight ESM Manager or
ArcSight Logger. This SmartConnector uses IBMs Domino ODBC driver to retrieve data from the Domino
server; ArcSight has traced the issue to an incorrect result set returned by this ODBC driver. Based upon our
lab testing, the issue may be related to large log.nsf files (a file size of 1.6Gb in our lab, but size might depend
upon Dominos server hardware).
This cause for this data duplication issue has not yet been confirmed with IBM, but we are currently seeking
their assistance. In our lab, once the log was cleaned up, reducing its size in the process, the problem
disappeared and IBMs Domino ODBC driver started returning correct result sets. Until we receive further
information from IBM regarding this issue, customers are advised to periodically monitor the data sent by the
connector and, in particular, the size of the log.nsf file to make sure it does not grow too large.
The SmartConnector for IBM Lotus Domino SNMP has been developed for situations in which this known issue
occurs.
Lancope SMC Web Services Beta
ArcSight Lancope SMC Web Services connector logs the inaccurate message Failed to execute command in
agent.log and also sends an internal ArcSight event for this, even when the command is successfully executed
and receives the response from the connector. This is only a case of inaccurate logging of an inaccurate internal
event and has no impact on the connector's command response and event generating capabilities.
Microsoft ISA Multiple Server File
The SmartConnector for Microsoft ISA Multiple Server cannot be run as a service when it is run remotely.
Microsoft Windows Event Log Unified
The following known limitations exist for the current release of this connector:

In some cases, the description of specific Windows events may not be captured into individual ArcSight
event fields. When this happens, the missing information is captured in the Raw Event field and the agent
log displays a warning that it has received an unmatched number of keys and values for a particular
Windows event ID. This can be addressed by a parser fix. See the "Troubleshooting" section for an
example of how to resolve these key values.

SID translation is supported on a best-effort basis, but there may be a few instances when SIDs cannot be
successfully translated. This could happen due to network issues, the host could be busy and may not
respond, or the SID could be unresolvable, which results in the connector being unable to translate the SID.
The connector attempts to translate all the SIDs by default. If the first translation attempt fails, the connector
retries three times. If translation still fails, SID translation can be enabled in multi-threaded mode by setting
the parameter sidguidtranslationmultithreaded to true. See "Troubleshooting" or "Advanced Common
Configuration Parameters for SID Translation" for more configuration information.

GUID translation is not currently supported.

Solsoft Version Support

The Solsoft CounterAct SmartConnector may not work with Solsoft version 7.0.2 and later versions.
As of connector release 4.7.1.5233, a newer version of Apache AXIS library is being used for the web services
client. This could affect the operation of the SmartConnector for Solsoft CounterAct, which used an older
version of the Apache AXIS library. The workaround for this problem is to rename the library file named
all-axis-libs.jar under lib/agent/axis to another name (for example, all-axis-libs.jar.bak).
Symantec Endpoint Protection Syslog
For some Network Thread Detection events, there may be none, one, or multiple sets of IP information for the
same host. Currently, for such events, the host name and IP address is not mapped to the destination host
name and address fields; the entire network information is mapped to the message field. Sub-parsing and
mapping of these events to the appropriate fields will be available in a future SmartConnector release.

SmartConnector Release 4.7.4.5335 Release Notes

Page 6

ArcSight Confidential

New and Updated SmartConnector Documentation

The following SmartConnector documentation has been added or updated for this release.
Technical Notes for Installing FIPS-Compliant SmartConnectors
Technical notes describing the process for installing FIPS-compliant connectors are provided via hot links in
the applicable SmartConnector configuration guides.
Aladdin eSafe Gateway File
Updated mapping information and global update to installation procedure for FIPS support.
Blue Coat Proxy SG File
Added new Device Address mapping to x-bluecoat-proxy-primary-address for all supported log types;
added configuration information for including this field. Updated field mappings. Removed configuration
steps for getting AV events through this connector; this function is not available at this time. Global update
to installation procedure. Global update to installation procedure for FIPS support.
Check Point FW-1/VPN-1 OPSEC NG
Added support for Check Point FW-1/VPN-1 OPSEC NG R70. Global update to installation procedure for
FIPS support. Updated severity mappings for Advanced Security Log.
Cisco PIX/ASA/FWSM Syslog
Removed support for version 5.x. Global update to installation procedure for FIPS support.
Juniper NetScreen IDP Syslog
Added support for NetScreen versions 4.1 - 5.0. Global update to installation procedure for FIPS support.
McAfee ePolicy Orchestrator DB
Added support for Rogue System Detection and MA events. Integrated HIPS event coverage into ePO DB
connector. Global update to installation procedure for FIPS support. Reference added for JDBC driver
Connector Appliance upload information.
McAfee FoundScan DB
Added support for FoundScan version 6.7. Reference added for JDBC driver Connector Appliance upload
information.
McAfee IntruShield Manager Syslog
Added support for McAfee Network Security Manager v5.1 events. Global update to installation procedure
for FIPS support.
Microsoft IIS File
Added Request URL File Name field mapping. Global update to installation procedure for FIPS support.
Microsoft DHCP File
Added support for multiple log files. Global update to installation procedure for FIPS support.
Microsoft Windows Event Log Unified
Updated Features and Enhancements and Known Limitations for SID translation updates. Added
"Advanced Common Configuration Parameters for SID Translation" and updated Troubleshooting. Added
beta support for the localization of security events for the Simplified and Traditional Chinese, French, and
Japanese languages.
NetContinuum Web Firewall Syslog
Updated mappings information and global update to installation procedure for FIPS support.
Qualys Vulnerability Scanner DB
Added support for version 6.5.118-1.
Rapid7 NeXpose File
Updated field mappings and global update to installation procedure for FIPS support.
RSA ClearTrust File
Updated mapping information and global update to installation procedure for FIPS support.
SmartConnector Release 4.7.4.5335 Release Notes

Page 7

ArcSight Confidential

Solaris Basic Security Module Syslog

New configuration guide for new connector. Includes global update to installation procedure for FIPS
support.
Sun ONE Web Access Server
Updated mapping information and global update to installation procedure for FIPS support.
Symantec Endpoint Protection DB
Support added for Network Access Control events. Global update to installation procedure for FIPS
support. Reference added for JDBC driver Connector Appliance upload information.
The following configuration guides have been updated for FIPS support and to have a new reference to the ArcSight
Connector Appliance Administrator's Guide for JDBC driver upload instructions.
SmartConnectors using Microsoft SQL Server 2005 JDBC drivers with encryption enabled cannot be
installed in FIPS-compliant mode.
ActivCard AAA Server DB
Application Security AppDetective DB
eEye REM Security Management Console
eEye Retina Network Security Scanner (DSN-Based)
Harris STAT Scanner DB
IBM/ISS ICEcap Manager DB
IBM/ISS Internet Scanner DB
IBM/ISS RealSecure DB
IBM/ISS Site Protector DB
Intrusion SecureNet Provider DB
Lumension PatchLink Scanner DB
McAfee Desktop Firewall DB
McAfee ePO Asset Scanner DB
McAfee Host Intrusion Prevention DB
McAfee Host Intrusion Prevention Multiple DB
Microsoft Audit Collection System DB
Microsoft Operations Manager DB
Microsoft SQL Server Audit DB (Legacy)
Microsoft SQL Server Multiple Instance Audit DB
NetIQ Security Manager DB
Quest InTrust for Windows DB
Symantec Critical System Protection DB
Symantec ManHunt DB
Trend Micro Asset Scanner DB
Trend Micro Control Manager NG DB
The following configuration guides have been updated to add a link to installation information for FIPS compliant
connectors.
AirDefense Enterprise Syslog
Apache HTTP Server Access Log
Apache HTTP Server Error Log
Apache HTTP Server Syslog

SmartConnector Release 4.7.4.5335 Release Notes

Page 8

ArcSight Confidential

Arbor Networks Peakflow Syslog

ArcSight Common Event Format Syslog
ArcSight Common Event Format File
ArcSight Logger Streaming Connector
Aruba Mobility Controller Syslog
BEA WebLogic Server File
Blue Coat Proxy SG Syslog
Bro IDS File
CA eTrust SiteMinder File
CA Top Secret for z/OS File
Check Point Firewall-1 SAM
Check Pont Firewall-1 SNMP
Check Point FW-1/VPN-1 OPSEC NG (Legacy)
Cisco Catalyst OS Syslog
Cisco CiscoWorks Syslog
Cisco IDS RDEP
Cisco IPS SDEE
Cisco IronPort Email Security File
Cisco IronPort Email Security Syslog
Cisco IronPort Web Security File
Cisco Mobility Services Engine Syslog
Cisco PIX SNMP
Cisco Router Syslog
Cisco Secure ACS File
Cisco Secure ACS Syslog
Cisco Secure IDS Post Office
Cisco Security Agent File
eEye Retina Network Security Scanner DB
eEye Retina Network Security Scanner (RTD5) DB
Enterasys Dragon Export Tool File
Enterasys Dragon Server SNMP
F-Secure Anti-Virus File
Fortinet Fortigate Syslog
HoneyD Syslog
HP OpenVMS File
HP ProCurve Ethernet Switch SNMP
HP-UX Audit File
IBM AIX Audit File
IBM AS/400 Audit Journal File
IBM DB2 UDB Audit File
IBM Lotus Domino DB
IBM Lotus Domino SNMP
IBM Lotus Domino Web Server File
IBM NVAS for z/OS File

SmartConnector Release 4.7.4.5335 Release Notes

Page 9

ArcSight Confidential

IBM NVAS Session for z/OS File

IBM RACF for z/OS File
IBM SDSF System Log for z/OS File
IBM System Log for z/OS File
IBM Tivoli Access Manager File
IBM Tivoli Access Manager XML File
IBM WebSphere File
IDMEF XML File
Ingrian DataSecure Syslog
Intersect Alliance SNARE for Windows Syslog
Intrusion Computer Misuse Detection System File
Intrusion SecureNet Provider SNMP
iPolicy Intrusion Prevention Firewall Syslog
ISC BIND Syslog
ISC DHCP Syslog
Juniper M Series Routers Syslog
Juniper NetScreen OS Syslog
Juniper NetScreen Security Manager Syslog
Juniper NetScreen SSL VPN Syslog
Juniper Steel-Belted Radius File
Lancope StealthWatch Syslog
Lucent Brick Managed Services File
Lumeta IPsonar File
Mazu Profiler DB
Mazu Profiler V3 DB
McAfee Antivirus VirusScan File
McAfee Entercept API
McAfee Entercept DB
McAfee IntruShield DB
McAfee Secure Internet Gateway Syslog
MessageGate Syslog
Microsoft Auditing Collection System
Microsoft Exchange Message Tracking Log File
Microsoft IAS File
Microsoft IIS Multiple Server File
Microsoft IIS Multiple Site File
Microsoft IIS Syslog
Microsoft ISA Multiple Server File
Microsoft ISA Server File
Microsoft ISA Server 2004 File
Mirage CounterPoint Syslog
Nagios Syslog
nCircle Scanner SNMP
nCircle Scanner XML2 File

SmartConnector Release 4.7.4.5335 Release Notes

Page 10

ArcSight Confidential

Network Appliance NetCache File

Newbury WiFi WatchDog Syslog
NFR Central Management and Sentivist Servers File
NFR Central Management Server File
NFR Host Intrusion Detection DB
NIKSUN NetDetector Syslog
NitroSecurity IPS Syslog
Nmap XML File
Nortel Contivity Switch Syslog
Novell Nsure Audit DB
Oblix NetPoint File
Oracle Audit DB
Oracle Audit Syslog
Oracle SYSDBA Audit Syslog
OVAL XML File
PureSight Content Filter DB
QoSient ARGUS
Radware DefensePro Syslog
RSA ACE Server Syslog
SaberNet NTSyslog Syslog
SANA Primary Response SNMP
SAINT Vulnerability Scanner
SAP Audit File
SAP Real-Time Audit File
SAP Real-Time Multiple Folder Audit File
Secure Computing Gauntlet Syslog
Secure Computing IronMail Syslog
Secure Computing SafeWord Premier Access File
Secure Computing Sidewinder Syslog
Securify SecurVantage SNMP
Sendmail Syslog
Snort DB
Snort File
Snort IDS (Barnyard) File
Snort Multiple File
Solaris Basic Security Module File
SonicWALL Firewall Syslog
Sourcefire Defense Center eStreamer
Sourcefire/Snort Sensor Syslog
Squid Proxy Server File
Stonesoft StoneGate Firewall Syslog
Sun ONE Directory Multiple Server File
Sun ONE Directory Server File
Sybari Antigen for Microsoft Exchange DB

SmartConnector Release 4.7.4.5335 Release Notes

Page 11

ArcSight Confidential

Sybase Adaptive Server Enterprise DB

Symantec AntiVirus Corporate Edition File and Multiple File
Symantec Endpoint Protection Syslog
Symantec Enterprise Firewall File
Symantec Enterprise Firewall SNMP
Symantec Enterprise Security Manager DB
Symantec ESM Reporting DB
Symantec Gateway Security/Enterprise Firewall File
Symantec Gateway Security/Enterprise Firewall NG File
Symantec Intruder Alert File
Symantec Intruder Alert SNMP
Symantec Mail Security Syslog
Symantec ManHunt Syslog
Symantec NetRecon NRD File
Symantec Network Security Syslog
Symantec SESA DB
Tenable Nessus NSR File
Tenable Nessus XML File
Tenable Nessus XML for Windows
TippingPoint UnityOne Syslog
TopLayer Attack Mitigator Syslog
Tripwire Enterprise Syslog
Tripwire Manager File
Type80 SMA_RT Syslog
Unix Login/Logout
VarySys PacketAlarm Syslog
Visionael Security Audit DB
Vontu CEF Syslog
Vormetric CoreGuard Syslog
Websense Web Security Suite SNMP
Webwasher CSM File

SmartConnector Release 4.7.4.5335 Release Notes

Page 12