How to set Email Injest Parser module for Arcsight

[johnuc]

Hello,
The sample parser modules on the SCOT /opt/scot/lib/Scot/Parser/ does not have for ArcSight.

Can i adapt the parser for the splunk.pm.
Do i need to make a change on the "parse_message” function"
thanks

[toddbruner]

I do not have access to ArcSight, so I'm afraid I can only provide rudimentary advise.

Splunk parser could definitely be used as a "template" to create your arcsight parser. There is also a "generic" and a "snort" parser included as well.

The concept is the same for all though. Read the email body, and create a data structure for an Alertgroup then return that.