ArcSight Parser Writing: A Strategic Approach to Custom Log Parsing

SIEM Deployment & Configuration

ArcSight has long been a trusted SIEM platform for organizations that require advanced log management and correlation capabilities. While its SmartConnectors provide extensive support for a wide variety of data sources, real-world environments frequently include applications, systems, or devices that generate logs in proprietary or unsupported formats. To ensure these logs are not ignored, teams use custom-built ArcSight parser packages that extend SmartConnector functionality, enabling seamless parsing and normalization of otherwise unreadable data.

What is an ArcSight Parser?

An ArcSight parser is a deployable unit that contains parsing rules, field mappings, and normalization logic designed for SmartConnectors. It allows raw logs to be transformed into ArcSight’s Common Event Format (CEF), ensuring consistency and usability across dashboards, correlation rules, and reports. Instead of storing unstructured text, parsers make logs actionable by converting key attributes like user IDs, IP addresses, timestamps, and activities into ArcSight-recognized event fields.

Why Parsers Are Used in ArcSight

The need for parsers arises whenever an organization encounters log sources that ArcSight does not natively support. Without them, logs remain unparsed, which prevents correlation and creates blind spots. By writing parsers, teams can normalize events into a standard schema, making them compatible with ArcSight’s detection logic. For example, custom parsers may be written to support in-house applications, bespoke monitoring tools, or specialized systems unique to a particular industry. Once normalized, these logs provide the necessary context to identify anomalies, detect unusual behaviors, and generate meaningful reports.

Deployment Considerations

Parsers are deployed at the SmartConnector layer, which acts as the first point of ingestion in the ArcSight architecture. This ensures that parsing and normalization occur as close as possible to the raw data source, reducing processing overhead on the main SIEM platform. Depending on an organization’s environment, parsers may need to be deployed across multiple SmartConnectors to cover distributed log collection points. In large, global infrastructures, this ensures consistent parsing regardless of geography or business unit.

Worked Example: ArcSight Parser Writing From Raw Log to Parsed Event

Consider a simple raw log generated by a custom application:


2025-09-20 10:45:32 | User=jsmith | SrcIP=10.10.5.23 | Action=PrivilegeEscalation | Status=Failed

Without a parser, ArcSight would treat this as unstructured data. A custom parser, however, can extract fields using regex and map them into ArcSight’s schema. For instance:

  • User → destinationUserName
  • SrcIP → sourceAddress
  • Action → deviceAction
  • Status → outcome

After the parser is applied, the event is normalized into CEF:

CEF:0|CustomApp|PrivilegeModule|1.0|1001|Privilege Escalation Attempt|5|src=10.10.5.23 duser=jsmith act=PrivilegeEscalation outcome=Failed rt=2025-09-20 10:45:32

Now the log is structured, queryable, and available for correlation rules. Analysts can create a rule that raises an alert if multiple failed privilege escalation attempts are detected within a short timeframe.
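The following Python script is an added illustration of the two steps just described (regex extraction with field mapping into a CEF record, followed by the threshold rule on failed privilege escalation attempts); it is not code from the page or from ArcSight, and a real SmartConnector parser would be written as FlexConnector configuration rather than Python. The regular expression, the CEF header values (vendor, product, version, signature ID, name, severity), the sample log lines, and the rule's threshold and window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of the custom application's log line, matching the page's sample.
RAW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"User=(?P<user>[^|]+?) \| SrcIP=(?P<src>[^|]+?) \| "
    r"Action=(?P<action>[^|]+?) \| Status=(?P<status>\S+)$"
)

# Application field -> CEF extension key (the mappings listed on the page).
FIELD_MAP = {"src": "src", "user": "duser", "action": "act", "status": "outcome"}

# CEF header: vendor, product, version, signature ID, name, severity (assumed values).
HEADER = ("CustomApp", "PrivilegeModule", "1.0", "1001", "Privilege Escalation Attempt", "5")

# Constructed sample input; the last line deliberately does not match the format.
SAMPLE_LOGS = [
    "2025-09-20 10:45:32 | User=jsmith | SrcIP=10.10.5.23 | Action=PrivilegeEscalation | Status=Failed",
    "2025-09-20 10:46:01 | User=jsmith | SrcIP=10.10.5.23 | Action=PrivilegeEscalation | Status=Failed",
    "2025-09-20 10:46:40 | User=adoe | SrcIP=10.10.5.77 | Action=Login | Status=Success",
    "2025-09-20 10:47:15 | User=jsmith | SrcIP=10.10.5.23 | Action=PrivilegeEscalation | Status=Failed",
    "2025-09-20 11:30:00 | User=adoe | SrcIP=10.10.5.77 | Action=PrivilegeEscalation | Status=Failed",
    "this line does not match the expected format",
]


def cef_header_escape(value):
    # CEF header fields must escape backslash and the pipe delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    # CEF extension values must escape backslash and '=', and encode newlines.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def parse_line(line):
    """Extract the fields of one raw line into a dict keyed by CEF extension name.
    Returns None when the line does not match, so unparsed input is never silently dropped."""
    match = RAW_RE.match(line.strip())
    if not match:
        return None
    fields = match.groupdict()
    event = {FIELD_MAP[name]: fields[name].strip() for name in FIELD_MAP}
    event["rt"] = fields["ts"]  # kept in the page's format; see the note below
    return event


def to_cef(event):
    """Render a parsed event as a single CEF:0 record."""
    header = "|".join(cef_header_escape(v) for v in ("CEF:0",) + HEADER)
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in event.items())
    return f"{header}|{extension}"


def failed_escalations(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule: alert when `threshold` failed PrivilegeEscalation events
    from the same user fall within `window`. Returns (user, trigger time) pairs."""
    recent = defaultdict(deque)
    alerts = []
    for event in events:
        if event["act"] != "PrivilegeEscalation" or event["outcome"] != "Failed":
            continue
        t = datetime.strptime(event["rt"], "%Y-%m-%d %H:%M:%S")
        q = recent[event["duser"]]
        q.append(t)
        while q and t - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((event["duser"], event["rt"]))
            q.clear()                    # one alert per burst, not one per extra attempt
    return alerts


def run(lines=SAMPLE_LOGS):
    """Parse all lines, emit CEF, run the rule, and count lines the parser rejected."""
    parsed = [e for e in (parse_line(line) for line in lines) if e is not None]
    return {
        "cef": [to_cef(e) for e in parsed],
        "alerts": failed_escalations(parsed),
        "unparsed": len(lines) - len(parsed),
    }


if __name__ == "__main__":
    result = run()
    for record in result["cef"]:
        print(record)
    print("alerts:", result["alerts"], "unparsed:", result["unparsed"])
```

The `unparsed` count is the kind of figure post-deployment validation should watch: a rising number after an application upgrade usually means the log format changed and the regex no longer matches. One caveat on the timestamp: the page's CEF output carries `rt` in the application's `YYYY-MM-DD HH:MM:SS` form, whereas ArcSight's `rt` field expects milliseconds since the epoch or one of the CEF date formats, so a production parser would convert the value at this step.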

Best Practices

Parser development should always be carried out in a test environment with representative sample logs. Field mappings should conform to ArcSight’s CEF standards to ensure long-term compatibility with dashboards and correlation rules. Version control systems such as Git should be used to track updates as log formats evolve. Documentation of mappings and parsing logic is essential for SOC and engineering teams, and post-deployment validation should confirm that events are being parsed accurately.

Conclusion

ArcSight parsers provide the flexibility needed to integrate proprietary and unsupported log sources into the SIEM. By transforming raw data into normalized events, parsers enable organizations to maintain visibility across all systems, strengthen their use cases, and ensure consistent reporting. As the worked example shows, even a simple log line can be converted into a structured event that feeds directly into ArcSight’s powerful detection and monitoring framework. For any team working with diverse log sources, mastering parser development and deployment is a critical skill that ensures no data is left behind.