By event I mean every event with an event ID. From the description above, it looks like the data model is translated into events?
In any case, though, it looks like you create a "search description" within the Splunk App for CEF, and using that search description Splunk Enterprise writes the data in CEF to the syslog receiver you specify.
What about other receivers such as Sourcefire, Tripwire, Symantec, McAfee, etc.?
The Splunk App for CEF looks like it may work for syslog data, but I don't know about other log types.
Also, I have info from others out in the field regarding the Splunk-to-ArcSight integration:
"Two things it doesn't seem to address are the timing issues and health monitoring. Its aim is to fix the formatting issues so you can use a standard ArcSight connector in a standard configuration, but it doesn't seem to address any of the other issues with relaying events through Splunk. Two of the biggest problems with relaying your events through Splunk are the timing issues it creates with late events and the lack of device/health monitoring that you would normally have if you were getting it straight from an ArcSight connector. I can elaborate further if needed, but it is my understanding that the Splunk CEF app only addresses formatting; it doesn't address delivery, event time or health monitoring issues, which plague that configuration."
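As an added illustration of the two points discussed in this post (CEF formatting of relayed events, and the late-event problem), here is a small Python example that is not part of the Splunk App for CEF or of the original post. It builds a CEF line with the escaping the CEF header and extension require, stamps the original receipt time into the standard `rt` extension key, and flags an event as late when the relay delay exceeds a threshold. The Splunk-style field names (`_time`, `src`, `signature_id`, and so on), the vendor/product strings, the sample event and the 300-second threshold are all assumptions made for this example.

```python
"""Format a relayed event as CEF and flag late delivery.

Added example; constructed for illustration, not code from the Splunk App for
CEF. Field names, vendor/product strings and the sample event are assumptions.
"""
from datetime import datetime, timedelta, timezone

CEF_VERSION = 0


def _escape_header(value) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value) -> str:
    # CEF extension values: backslash and '=' must be escaped; line breaks are
    # written as the literal two-character sequences \n and \r.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\r")


def to_cef(vendor, product, version, event_class_id, name, severity, extension: dict) -> str:
    """Return one CEF line: CEF:Version|Vendor|Product|Version|ClassID|Name|Severity|ext."""
    header = "|".join(
        _escape_header(v) for v in (vendor, product, version, event_class_id, name, severity)
    )
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def lateness_seconds(event_time: datetime, relay_time: datetime) -> float:
    """Seconds between when the device logged the event and when the relay sends it."""
    return (relay_time - event_time).total_seconds()


def is_late(event_time: datetime, relay_time: datetime, threshold_seconds: int = 300) -> bool:
    return lateness_seconds(event_time, relay_time) > threshold_seconds


def event_to_cef(event: dict, relay_time: datetime, late_threshold: int = 300):
    """Convert a Splunk-style event dict (assumed field names) to CEF.

    Returns (cef_line, late_flag). 'rt' (deviceReceiptTime, epoch milliseconds)
    carries the original event time so the receiver can see the delay itself.
    """
    event_time = event["_time"]
    ext = {
        "rt": int(event_time.timestamp() * 1000),
        "src": event["src"],
        "dst": event["dst"],
        "suser": event["user"],
        "act": event["action"],
        "msg": event["msg"],
    }
    line = to_cef(
        "Splunk", "Relay", "1.0",
        event["signature_id"], event["signature"], event["severity"], ext,
    )
    return line, is_late(event_time, relay_time, late_threshold)


# Constructed sample event: a failed login logged at 12:00 UTC but relayed ten
# minutes later, which is the "late event" case discussed above.
SAMPLE_EVENT = {
    "_time": datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
    "src": "10.0.0.5",
    "dst": "10.0.0.10",
    "user": "CORP\\alice",
    "action": "login",
    "msg": "password=bad\nretry",
    "signature_id": "4625",
    "signature": "Logon Failure",
    "severity": 5,
}
SAMPLE_RELAY_TIME = SAMPLE_EVENT["_time"] + timedelta(minutes=10)


def sample():
    return event_to_cef(SAMPLE_EVENT, SAMPLE_RELAY_TIME)


if __name__ == "__main__":
    line, late = sample()
    print(line)
    print("late:", late)
```

The `rt` key is what lets the receiving side distinguish "when it happened" from "when it arrived"; without it, a relay that batches or lags silently rewrites event time as arrival time, which is exactly the timing complaint quoted above.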