SIEM Specific Instruction

How to configure SIEM applications to optimally receive logs.


ArcSight recommends that you name the certificate syslog-ng.

To name the certificate, convert the server key and certificate to PKCS#12 (p12) format:

openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit

Make sure the environment variable ARCSIGHT_HOME points to the connector install directory, then:

  1. Run the certificates manager on the Linux KDE console: $ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui

  2. From the File menu, open the keystore: $ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").

  3. From the menu, select Import Trusted Certificate.

  4. From the file dialog, select Ca.pem and save it.

  5. Save and close the certificate manager.

To enable mutual authentication, edit the file with vi $ARCSIGHT_HOME//current/user/agent/ and:

  1. Change this value to true: -> true

  2. Add these lines to the end:



  3. Run: /etc/init.d/arc_connector_name restart

Splunk

  1. Generate the server pem file:

    cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

  2. Update the inputs.conf file on the Splunk server:

    vi /opt/splunk/etc/apps/search/local/inputs.conf


    serverCert = /etc/ssl/my-certs/splunk.pem

    sslPassword = <Challenge Password>

    requireClientCert = true


    index = <Index>

  3. Update the server.conf file on the Splunk server:

    vi /opt/splunk/etc/system/local/server.conf


    sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

  4. Restart Splunk:

    /opt/splunk/bin/splunk restart
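An added consistency check for the Splunk steps above (example code written for this page, not from Check Point or Splunk): it parses a splunk.pem bundle to confirm it holds the server certificate, exactly one private key and the root CA, and reads inputs.conf and server.conf to flag a listener that does not require client certificates. The [tcp-ssl:6514] stanza name, the index name and the PEM contents are constructed assumptions.

```python
import re
import configparser
# Constructed samples (dummy data, not real key material): the splunk.pem bundle produced by
# "cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem" and matching .conf fragments.
SPLUNK_PEM = ("-----BEGIN CERTIFICATE-----\nc2VydmVy\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\na2V5\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\ncm9vdA==\n-----END CERTIFICATE-----\n")
INPUTS_CONF_WEAK = ("[tcp-ssl:6514]\nserverCert = /etc/ssl/my-certs/splunk.pem\n"
                    "sslPassword = changeit\nindex = checkpoint\n")
INPUTS_CONF_OK = INPUTS_CONF_WEAK + "requireClientCert = true\n"
SERVER_CONF = "[sslConfig]\nsslRootCAPath = /etc/ssl/my-certs/RootCA.pem\n"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of the PEM blocks in a bundle, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_pem_bundle(pem_text):
    """Findings for splunk.pem: server cert first, exactly one key, and the CA cert present."""
    types = pem_block_types(pem_text)
    keys = [t for t in types if t.endswith("PRIVATE KEY")]
    findings = []
    if not types or types[0] != "CERTIFICATE":
        findings.append("bundle must start with the server certificate")
    if len(keys) != 1:
        findings.append("expected exactly one private key block, found %d" % len(keys))
    if types.count("CERTIFICATE") < 2:
        findings.append("RootCA.pem missing from bundle, the server cannot present its chain")
    return findings

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk .conf keys are case-sensitive, so keep their case
    cp.read_string(text)
    return cp

def check_mutual_tls(inputs_text, server_text):
    """Findings where the listener would accept logs without verifying the sender."""
    inputs, server = load_conf(inputs_text), load_conf(server_text)
    ssl_inputs = [s for s in inputs.sections() if s.startswith("tcp-ssl:")]
    findings = ["no [tcp-ssl:<port>] stanza: the input is not TLS"] if not ssl_inputs else []
    for s in ssl_inputs:
        if not inputs.get(s, "serverCert", fallback=""):
            findings.append("%s: serverCert not set" % s)
        if inputs.get(s, "requireClientCert", fallback="false").lower() != "true":
            findings.append("%s: requireClientCert is not true, any TLS client is accepted" % s)
    if not server.get("sslConfig", "sslRootCAPath", fallback=""):
        findings.append("[sslConfig] sslRootCAPath missing: client certificates cannot be validated")
    return findings
```

Run check_pem_bundle and check_mutual_tls against the real files before restarting Splunk; an empty findings list means the listener matches the mutual-authentication settings described above.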

QRadar

  1. In the Authentication Mode field, select TLS And Client Authentication.

    When you use Client Authentication, you must provide the absolute path to the client certificate.

  2. Upload the Check Point certificate and private key to QRadar and provide the absolute path to those under the Provide Certificate option.