This Cool Solution explains how Sentinel can be configured to forward events from Sentinel or the Access Manager Analytics Server to third-party Syslog servers such as Splunk and ArcSight.

By default, Splunk runs Syslog on UDP 514 and TCP 1514. These ports may be different in your Splunk environment.

By default, on ArcSight ESM or Logger, Syslog runs on UDP port 514 or 8514; the TCP port is 515 or 8515, depending on the configuration.

It is advisable to get these details from the respective admins and to make sure network connectivity has been established between the Sentinel, Splunk, and ArcSight servers.

Let’s take a use case where Sentinel needs to be configured to forward all events of SEV 4 & 5 to Splunk, which is running on 172.17.5.200 on UDP port 514, and all events of SEV 0 – 5 to ArcSight, which is running on 172.17.5.100 on TCP port 515.

Step 1:

Configure Integrators for SPLUNK and ArcSight

Open Sentinel Control Center -> Configuration -> Configuration Menu -> Integrator Manager.

Click the green “+” icon at the bottom and configure it as follows –

Select Integrator: Syslog

Name: SPLUNK

Service Category: SIEM – Security Event Management

Click Next.

Host: 172.17.5.200 (IP Address of Splunk server)

Port: 514

Protocol: UDP

Send complete event data: Enable

Click Next.

Click Next in the Integrator Properties window.

Click on “Test Configuration”.

Click OK, then Finish.

A new Integrator named SPLUNK will be available in Integration Manager.

Follow the same steps to create an Integrator named ArcSight, with these values:

Host: 172.17.5.100 (IP Address of ArcSight / Logger server)

Port: 515

Protocol: TCP

Send complete event data: Enable

Close the Integrator Manager.

Step 2:

Now both Integrators are ready. It’s time to create the Actions.

Open Sentinel Control Center -> Configuration menu -> Action Manager.

Click Add.

Action Name: Log to SPLUNK

Action: Event Forwarder

Integrator: SPLUNK (select from dropdown)

Click Save.

Now create an Action for ArcSight as well.

Action Name: Log to ArcSight

Action: Event Forwarder

Integrator: ArcSight (select from dropdown)

Click Save.

Both Actions are added.

Close Action Manager and Sentinel Control Center.

Step 3:

Let’s create Routing Rules.

Open Sentinel Web Console -> Routing -> Event Routing Rules -> Create.

Name: Forward Events to SPLUNK

Criteria: (sev:[4 TO 5])

Route to the following services: All

Perform the following action: “Log to SPLUNK”.

Click Save.

Now create a Rule for ArcSight as well.

Name: Forward Events to ArcSight

Criteria: (sev:[0 TO 5])

Route to the following services: All

Perform the following action: “Log to ArcSight”.

Click Save.

Make sure both rules are enabled.

Sentinel will now keep forwarding matching events to SPLUNK and ArcSight. Note that the two criteria overlap: an event of SEV 4 or 5 matches both rules and is sent to both destinations.
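Before pointing the Integrators at the real Splunk and ArcSight hosts, it helps to have a throwaway listener on the same ports so that “Test Configuration” and the routing rules can be verified end to end. The following script is an added example, not code from the original post or from NetIQ; it stands in for Splunk (UDP) and ArcSight (TCP) by recording whatever arrives, decodes the standard syslog PRI header if one is present (what Sentinel actually puts on the wire is not assumed beyond that), and evaluates the two inclusive `sev:[lo TO hi]` criteria from Step 3 the way the routing rules do. The `sev` field name and rule values come from this post; the sample message and event dictionaries are constructed for the example.

```python
# Added example (not from the original post or from NetIQ/Sentinel):
# a stand-in syslog receiver for checking that the Integrator reaches a
# listener on the Splunk/ArcSight ports, plus an evaluator for the
# inclusive "sev:[lo TO hi]" criteria used by the two routing rules.
import re
import socketserver
import threading

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample line in classic syslog form (facility 1, severity 6).
SAMPLE = "<14>Oct  3 16:22:00 sentinel Sentinel test event"


def parse_pri(message):
    """Split a '<PRI>body' syslog line into (facility, severity, body).

    Returns None when the PRI header is missing or out of range (0..191).
    """
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_criteria(expr):
    """Parse a Sentinel-style inclusive range such as '(sev:[4 TO 5])' into (field, lo, hi)."""
    m = re.fullmatch(r"\(?\s*(\w+):\[(\d+)\s+TO\s+(\d+)\]\s*\)?", expr.strip())
    if not m:
        raise ValueError(f"unsupported criteria: {expr!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def matches(event, criteria):
    """True when the event's field value lies inside the inclusive range."""
    field, lo, hi = parse_criteria(criteria)
    value = event.get(field)
    return value is not None and lo <= int(value) <= hi


# (rule name, criteria, action) exactly as configured in Step 3 of the post.
RULES = [
    ("Forward Events to SPLUNK", "(sev:[4 TO 5])", "Log to SPLUNK"),
    ("Forward Events to ArcSight", "(sev:[0 TO 5])", "Log to ArcSight"),
]


def route(event, rules=RULES):
    """Return the actions fired for an event; a SEV 4 or 5 event hits both rules."""
    return [action for _name, criteria, action in rules if matches(event, criteria)]


# ---- stand-in receiver: point the Integrator at this host/port to test ----
RECEIVED = []  # (proto, source ip, parsed PRI tuple or None), newest last


def _record(proto, client, data):
    text = data.decode("utf-8", "replace").rstrip("\r\n")
    parsed = parse_pri(text)
    RECEIVED.append((proto, client[0], parsed))
    sev = parsed[1] if parsed else "?"
    print(f"[{proto}] from {client[0]} syslog-severity={sev}: {text[:160]}")


class _UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):  # for UDP, self.request is (datagram bytes, socket)
        _record("UDP", self.client_address, self.request[0])


class _TCPHandler(socketserver.StreamRequestHandler):
    def handle(self):  # one syslog message per newline-terminated line
        for line in self.rfile:
            _record("TCP", self.client_address, line)


def serve(bind="0.0.0.0", udp_port=514, tcp_port=515):
    """Listen like Splunk (UDP) and ArcSight (TCP) would; blocks until Ctrl-C.

    Ports below 1024 need root; when testing unprivileged use e.g. 5514/5515
    and set the same ports on the Integrator.
    """
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    udp = socketserver.ThreadingUDPServer((bind, udp_port), _UDPHandler)
    tcp = socketserver.ThreadingTCPServer((bind, tcp_port), _TCPHandler)
    for srv in (udp, tcp):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    print(f"listening on udp/{udp_port} and tcp/{tcp_port}; Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        udp.shutdown()
        tcp.shutdown()


if __name__ == "__main__":
    serve()
```

Run it on a test host, set the SPLUNK Integrator’s Host to that machine temporarily, and click “Test Configuration”: a line printed under `[UDP]` confirms the path from Sentinel to port 514 is open, and the same with `[TCP]` for port 515 confirms the ArcSight path. The `route()` helper makes the overlap of the two criteria explicit, which is worth knowing before both SIEMs start counting the same SEV 4 and 5 events.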

Ref:

Managing Integrators – https://www.netiq.com/documentation/sentinel-82/admin/data/bhk6ext.html

Managing Actions – https://www.netiq.com/documentation/sentinel-82/admin/data/bhk6evz.html

Creating Event Routing Rules – https://www.netiq.com/documentation/sentinel-82/admin/data/bgt2otl.html

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: vjohari
Oct 3, 2018
4:22 pm