We are trying to send demo data from ArcSight to the Security Analytics LogDecoder.
tcpdump shows that the LogDecoder device receives the messages from the network, but NwLogDecoder doesn't decode them.
NwLogDecoder produces the following warning in /var/log/messages:
Jan 16 11:49:00 LogDecoder nw: [SYSLOG] [warning] Unidentified content from xxx.xxx.xxx.xxx received on receiver: 'CEF:0|Test|Test|Test|Test|Test|Test|Test'
Could anyone help?