Forum Sentry administrators may wish to integrate Sentry logging with the HP ArcSight Logger product. While ArcSight Logger supports collection of logging data in a variety of formats, the simplest way to send the Sentry logs to ArcSight is via the Syslog protocol.
All three of the Sentry logs (Audit, System, and Access) can be sent to any Syslog server, including HP ArcSight Logger. Sentry supports both the RFC 3164 and RFC 5424 Syslog formats over either UDP or TCP. With TCP, Sentry can secure the connection with SSL so that the log data is protected in transit.
Attached is the v9.1 Logging Guide which details the configuration of the Sentry Remote Syslog policies.
Figure 1: Sentry Remote Syslog Policy
Within ArcSight Logger, the default UDP Receiver has been confirmed to accept the UDP Syslog data from Forum Sentry.
Figure 2: ArcSight Logger interface showing real-time and historic log message from Forum Sentry.
One of the key components of monitoring Sentry appliances is alerting on specific log messages and logging events. This is best accomplished by using Remote Syslog policies to write the log data to a remote Syslog server such as HP ArcSight Logger.
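The script below is an added example, not Forum Systems or HP code, showing what a collector on the receiving end has to do with the two Syslog formats described above (RFC 3164 and RFC 5424) before it can alert on specific messages: decode the PRI field into facility and severity, pull out the host, application and message, and run simple alert rules over the result. The sample lines and the rules are constructed for illustration; they do not reproduce the real Sentry log layout or any ArcSight rule syntax, and transport (UDP, TCP, SSL) is not shown.

```python
"""Parse RFC 3164 / RFC 5424 syslog lines and flag the ones worth alerting on."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\](?:\[.*?\])*) ?(?P<msg>.*)$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (day is space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    version: str      # "5424" or "3164"
    facility: int     # PRI // 8
    severity: int     # PRI % 8 (0 = emergency ... 7 = debug)
    host: str
    app: str          # APP-NAME (5424) or TAG (3164)
    msg: str


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split the PRI value into (facility, severity) as both RFCs define it."""
    return pri >> 3, pri & 7


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Try the stricter RFC 5424 grammar first, then fall back to RFC 3164."""
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return SyslogEvent("5424", facility, severity, m["host"], m["app"], m["msg"])
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return SyslogEvent("3164", facility, severity, m["host"], m["tag"], m["msg"])
    return None


# Constructed alert rules: severity at error or worse, and authentication failures.
ALERT_RULES: List[Tuple[str, Callable[[SyslogEvent], bool]]] = [
    ("high-severity", lambda e: e.severity <= 3),
    ("auth-failure", lambda e: re.search(r"authentication failed", e.msg, re.I) is not None),
]


def evaluate(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule-name, summary) for every line that trips a rule.

    Lines that parse as neither format are reported as 'unparsed' rather than
    silently dropped: a collector that cannot read its input is itself a finding.
    """
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            alerts.append(("unparsed", line))
            continue
        for name, predicate in ALERT_RULES:
            if predicate(ev):
                alerts.append((name, f"{ev.host} {ev.app}: {ev.msg}"))
    return alerts


# Constructed sample input (hypothetical hostnames, app names and messages).
SAMPLE_LINES = [
    "<134>1 2024-05-01T12:00:00Z sentry01 sentry-access - - - GET /api/orders 200 12ms",
    '<131>1 2024-05-01T12:00:05Z sentry01 sentry-system 2201 POLICY [meta seq="42"] '
    "policy update failed: certificate expired",
    "<132>May  1 12:00:07 sentry01 sentry-audit[1234]: user admin authentication failed from 10.0.0.5",
    "<134>May  1 12:00:09 sentry01 sentry-access: GET /health 200 1ms",
    "garbage line without PRI",
]

if __name__ == "__main__":
    for rule, summary in evaluate(SAMPLE_LINES):
        print(f"[{rule}] {summary}")
```

PRI 134 decodes to facility 16 (local0) and severity 6 (informational), so the two access-log lines pass quietly, while PRI 131 (severity 3, error) and the audit line containing "authentication failed" each produce an alert. The same split is what a Logger receiver performs before any rule can be written against the message text.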
For more information and best practices for monitoring the Sentry deployment, please see: