Hello!
I'm helping a customer now to migrate from RSA enVision to RSA SA. He wants to do minimum work during this process and to save all previous configuration. On RSA enVision we are getting logs from ArcSight Connector through syslog in CEF format and all works well. But for RSA SA this is "Unidentified content". How can we manage it?
ArcSight Smart Connector can't send logs in the proper (for RSA SA) format.
Also we are trying to send these logs to a Virtual Remote Collector, if it matters.
What version of NetWitness are you using?
Is the Common Event Format (CEF) parser enabled and installed on the log decoders?
Can you provide a sample format of the logs that are being sent from the ArcSight connector?