Arcsight Logger working with ArcSight ESM for unlimited number of devices

  • Document ID:KM00433950
  • Creation Date:21-May-2013
  • Modified Date:21-May-2013
    • Micro Focus Products:
      arcsight enterprise security manager 5.2
      arcsight logger appliance 5.3

Summary

Arcsight Logger working with ArcSight ESM for unlimited number of devices

Question

We want to monitor an unlimited number of devices. We ArcSight Lgr 250GB/day unlimited devices and a ESM-7415 which is limited to 500 devices.

In the following architecture: Arcsight SmartConnectors--->Arcsight Logger---->Arcsight ESM

Is it possible to manage an unlimited number of devices in ESM through this configuration, as the events are feed to Arcsigt ESM through Arcsight Logger?

Answer

As there is no “unlimited number of devices” for ESM, customer cannot monitor “unlimited ” devices, even when the events are forwarded from logger.
On the other hand, ESM only count the number of devices it saw for the license calculation, if some devices only need for log collection not for correlation, you can set the filter on logger, don’t forward some message to ESM, in this case, ESM won’t see the message, and will not count the device for license, thus the number of devices saw from ESM side will be less than the total number of devices.
Anyway if you need use the device’s log for correlation purpose, you must forward its log to ESM, and ESM will count it for license.