ArcSight transformation hub and event broker licensing
The component that moves events between the parts of an ArcSight platform is easy to overlook until an audit puts a price on it. ArcSight transformation hub and event broker licensing turns on what the authorization counts, throughput, topics, nodes, or some combination, and a finding that picks the most expensive reading of an internal data pipe is the kind of number that does not survive a careful reading of the agreement.
ArcSight came into the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and the broader platform is governed by the Additional License Authorizations rather than the OpenText EULA. The transformation hub, which earlier generations of the product knew as the event broker, is the messaging layer that carries events from connectors into the platform and out to the components that consume them. Because it sits in the middle of the data flow, an audit can attach a metric to it that double counts traffic the buyer already licenses elsewhere, and that is where the finding inflates.
What the transformation hub does and why licensing it is contested
The transformation hub is a distributed messaging layer. Events arrive from connectors, land on topics, and are read by consumers such as the event storage tier, search, or downstream analytics. The same event can pass through the hub on its way to more than one consumer, which is the architectural point of a broker: it decouples producers from consumers so that one stream can serve many uses. The licensing question is whether that decoupling becomes a multiplier in the audit, with the hub measured as though every consumer of an event represented a separate licensed flow.
A defensible reading starts from what the buyer actually licensed. If the platform is sized on a sustained event rate, the hub is part of the machinery that delivers that rate, not an independent product to be metered a second time. The authorization is the place that settles this, because it defines the unit the hub is counted in, if it is counted separately at all.
An internal messaging layer carries the same event to multiple consumers by design. A finding that counts each consumer path as a separate licensed flow turns one stream into many, and the authorization rarely supports that reading.
Where an event broker finding overreaches
Several patterns push a transformation hub or event broker finding above the defensible figure, and each is a line to test against the agreement rather than a number to concede.
- Topic counting as a proxy for use. Treating the number of configured topics as a licensable unit, when topics are an internal organisation of the same licensed stream.
- Consumer multiplication. Counting an event once per consumer that reads it, so a single ingested stream is measured several times over.
- Node and broker instance counts. Counting cluster nodes that exist for resilience and scale rather than to license additional throughput.
- Throughput attributed to the hub and the platform both. Charging the same event rate against the connectors, the hub, and the storage tier as though each were independent.
The discipline that resolves these is the same one that governs ArcSight EPS burst versus sustained measurement: establish the single, sustained, licensed rate and refuse to let internal architecture turn it into several. A platform that decouples producers and consumers is efficient, not noncompliant.
Reconstruct the pipeline against the authorization
The four Rs apply directly. Respond inside the seven day notice window and hold a single controlled channel, so the platform architecture is described once rather than reconstructed by the vendor from partial diagrams. Reconstruct the effective position by reading the authorization for whether the transformation hub is licensed separately and in what unit, then mapping the event flow to show where the licensed rate actually sits. Rebut the finding line by line where it counts topics, consumers, or nodes as independent licensed flows. Resolve on terms that fix how the messaging layer is treated so the next audit does not reopen the same internal pipe.
Preparing this before any vendor measurement runs is the high leverage move. Our note on reconciling ArcSight entitlements before an audit walks through assembling the entitlement and architecture record that makes the reconstruction credible.
A recent engagement
The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding open at $6.0M and settle at $1.8M, a 70 percent reduction. Part of the work was refusing to let the platform architecture inflate the count: the same telemetry that passed through the messaging layer to several consumers was held to one licensed rate rather than counted at each hop. The reduction came from mapping the data flow and reading the authorization together, so the figure reflected the stream the buyer licensed rather than the number of internal paths that stream travelled.
Hold the hub to the licensed stream
With ArcSight transformation hub and event broker licensing more than most components, the finding depends on whether anyone insists that an internal messaging layer is part of delivering the licensed rate, not a separate product to meter. A buyer that accepts a topic or consumer multiplier is paying several times for one stream. The defensive discipline is to read the authorization for how the hub is counted, map the event flow to the single licensed rate, and rebut every line that turns architecture into a multiplier. Most of the reduction available on an event broker finding comes from that one refusal, held firmly and documented from the agreement.
Facing a finding that meters your event broker twice?
We read the authorization for how the transformation hub is counted, map the event flow to the licensed rate, and rebut the multipliers line by line. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover throughput, connectors, and platform architecture. Each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- how ArcSight data volume metrics inflate a finding
- ArcSight high availability nodes and licensing
- ArcSight ESM versus Logger licensing compared
- reconciling ArcSight entitlements before an audit
If an OpenText or Micro Focus audit notice has landed, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.