ArcSight connector counting in an OpenText audit
ArcSight connectors are an easy thing for an audit to overcount and a hard thing for a buyer to disprove without preparation. Connector counting in an OpenText audit inflates a finding when decommissioned connectors, duplicates, and non production instances are all tallied as if every one were a live licensed component.
SmartConnectors and collectors are the components that gather events from log sources and feed them into ArcSight. Depending on the agreement, they can carry their own license dimension or interact with the EPS and volume metrics. Either way, the count matters, and the count is rarely as clean as the audit report implies. Connectors accumulate over years, get cloned for testing, get replaced without being removed, and leave configuration artifacts behind. An inventory built from configuration files rather than from live operation will overstate the real number.
How OpenText arrives at a connector count
The compliance team builds the count from discovery output and configuration data, often a connector management inventory or the manager's registered component list. That source captures everything that has ever been registered, including connectors that no longer forward a single event. Because the audit remedy stacks list price, back maintenance, and audit cost onto every counted unit, a registry inflated by dead entries produces a finding inflated by the same multiple.
The four categories that inflate the count
- Decommissioned connectors. A connector that was retired but never deregistered still appears in the inventory. It forwards no events and consumes no entitlement in operation, yet it lands on the count unless challenged.
- Duplicates and clones. Connectors copied for testing or migration can register under new identifiers while representing the same logical source, doubling the tally.
- Non production instances. Connectors in lab, staging, and proof of concept environments are frequently swept into the production count even when the agreement scopes the metric to production use.
- High availability pairs. A connector configured for failover may present as two registered components when only one is processing events at any time.
A registry of 600 connectors can resolve to 380 live production connectors once retired entries, clones, failover partners, and lab instances are removed. The finding is built on 600. The defensible number is 380.
How we challenge a connector headcount
We reconstruct the connector estate independently rather than accept the registry at face value. The reconstruction distinguishes connectors that are actively forwarding events from those that merely exist in configuration, and it maps every registered component to a real log source in a real environment. Connectors that forward no events, that duplicate another source, or that run outside production scope come off the count. We then reconcile the corrected inventory against the entitlement and reprice the finding to the defensible figure.
This is the connector half of the banking matter recorded as case file E-03, where the combined EPS and connector finding of $6.0M settled at $1.8M. Splitting burst from sustained reduced the EPS side, and correcting the connector inventory reduced the count side. The two lines reinforced each other, and the overall reduction reached 70 percent.
Preparing before the count is taken
The strongest position is to know your own connector estate before the audit measures it. A clean, current inventory that ties every connector to a live source and an environment is the evidence that defeats an inflated count. During the seven day notice window, take over the channel, decline to hand over a raw registry export without context, and reconstruct the real estate on your terms. If you can show which connectors are live and which are artifacts, the count argument is largely won before it begins.
Why connector inventories drift over time
Connector counts inflate for a reason that has nothing to do with overuse and everything to do with how security operations actually run. Over the life of a SIEM deployment, sources are onboarded constantly, connectors are cloned to test new parsing rules, failover partners are stood up, and old sources are switched off at the source without anyone returning to deregister the connector that fed them. None of this is negligence. It is the normal residue of a platform that has been in service for years. The registry remembers everything, but operations only use a fraction of it at any moment. An audit that reads the registry as a live inventory is therefore reading history, not current consumption.
This is why the connector line is so reliably reducible. The gap between registered and live is not an edge case to be argued, it is the default state of any mature deployment. The work is simply to measure it, and the measurement belongs to the buyer because the buyer holds the operational data that shows which connectors forward events today.
What a defensible connector reconstruction contains
When we reconstruct a connector estate, the deliverable is an inventory that an auditor cannot wave away. For each registered component we establish three things: whether it is forwarding events in the measurement window, which real log source it represents, and which environment it sits in. A component that fails the first test is an artifact. A component that duplicates another logical source is a clone. A component outside production scope is out of metric where the agreement says so. Only the components that pass all three tests belong on the count.
- Live versus registered. Event flow data separates connectors that work from connectors that merely exist.
- Source mapping. Each live connector ties to a distinct source, exposing duplicates and clones.
- Environment scope. Production, staging, and lab are distinguished so non production instances can be removed where the metric allows.
- Failover resolution. High availability pairs are collapsed to the single component actually processing events.
With that inventory in hand, the count argument is no longer the buyer's word against the registry. It is a documented reconciliation that holds up line by line.
Have an ArcSight finding on the table?
A connector count built from a registry rather than from live operation is almost always too high. We reconstruct the effective license position before any vendor script runs, then challenge the finding line by line. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster go deeper on the mechanics referenced above, and each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight SmartConnector and collector counting
- how to challenge an ArcSight connector headcount
- decommissioned ArcSight connectors still on the audit
- ArcSight high availability nodes and licensing
- reconciling ArcSight entitlements before an audit
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.