Smoothwall has to be integrated with ArcSight
We are having a serious problem with Smoothwall, which cannot transfer its logs to ArcSight because there is no integration feature right now. Syslog does not transfer the web filter log either. There must be a solution for this.
We're aware of the growing desire to be able to integrate with SIEM tools. There are no current plans to do it, but it will be considered for future additions to the roadmap.
Craig Fearnsides commented
The following can be used from your *nix server on a frequent basis (up to every two seconds); this is the exact command that Smoothwall uses to synchronise logs from a child:
rsync --recursive --append --inplace --size-only --rsh="ssh -p 222 -i path/to/private.key" --compress-level=3 --exclude='*gz$' --include='access\.log.*' --exclude='*' replication@<smoothwall.IP.or.hostname>:/var/log/woodshed/local/guardian3/data/
You can add additional public keys to /var/replication/hosts.
/var/log/woodshed/local/guardian3/data/ contains hard links to the current /var/log/dansguardian3/access.log file; they are created on rotation with the current epoch appended.
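An added example (not from the comment above or from Smoothwall) of turning that rsync into a SIEM feed: pull the access.log.* files with the flags given above, then forward only the lines appended since the previous run to a syslog collector in front of ArcSight. It assumes a local destination directory for the rsync (the command as posted lists the remote files without one), placeholder host names and key path, and util-linux `logger` with its -n/-P remote options.

```shell
#!/bin/sh
# Constructed example: sync Guardian access logs from a Smoothwall child,
# then ship the not-yet-seen lines to syslog. Nothing below runs rsync or
# logger at load time; call pull_logs && forward_all from cron.
set -eu

SMOOTHWALL_HOST="${SMOOTHWALL_HOST:-smoothwall.example.invalid}"   # placeholder
KEY="${KEY:-/path/to/private.key}"                                 # placeholder
DEST="${DEST:-/var/spool/smoothwall-logs}"                         # assumed local dir
STATE="${STATE:-$DEST/.offsets}"
SYSLOG_HOST="${SYSLOG_HOST:-collector.example.invalid}"            # placeholder
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# pull_logs: the rsync from the comment, with a local destination added.
pull_logs() {
  mkdir -p "$DEST"
  rsync --recursive --append --inplace --size-only \
    --rsh="ssh -p 222 -i $KEY" --compress-level=3 \
    --exclude='*gz$' --include='access\.log.*' --exclude='*' \
    "replication@$SMOOTHWALL_HOST:/var/log/woodshed/local/guardian3/data/" "$DEST/"
}

# new_lines FILE: print only the bytes appended since the last call and
# remember the new size. With --append/--inplace a synced file only grows,
# so a byte offset is a safe high-water mark; a shrunk file means it was
# replaced, and we start from the beginning again.
new_lines() {
  file="$1"
  mkdir -p "$STATE"
  mark="$STATE/$(basename "$file").offset"
  old=0
  [ -f "$mark" ] && old=$(cat "$mark")
  size=$(wc -c < "$file" | tr -d ' ')
  if [ "$size" -lt "$old" ]; then old=0; fi
  tail -c +"$((old + 1))" "$file"
  echo "$size" > "$mark"
}

# forward_all: ship every new line of every synced access.log.* to syslog,
# tagged so the SIEM can pick a parser for the Guardian web filter format.
forward_all() {
  for f in "$DEST"/access.log*; do
    [ -f "$f" ] || continue
    new_lines "$f" | while IFS= read -r line; do
      logger -n "$SYSLOG_HOST" -P "$SYSLOG_PORT" -t smoothwall-guardian -- "$line"
    done
  done
}
```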