I'm helping customer now to migrate from rsa enVision to RSA SA. He wants to do minimum work during this prosess and to save all previos configuration. On RSA enVision we are getting logs from ArcSight Connector through syslog in CEF format and all works good. But for RSA SA this is "Unidentified content". How can we managed it?
ArcSight Smart Connector can't send logs in proper (for RSA SA) format.
Also we are trying to send these logs to Virtual Remote Collector, if it matters.