Decommissioned ArcSight connectors still on the audit
Connectors you retired years ago can still surface on an audit report as though they were live. Decommissioned ArcSight connectors still on the audit are the clearest example of a finding built from a registry rather than from real event flow, and they are among the easiest charges to strip out with evidence.
Every mature ArcSight deployment carries a layer of sediment. Sources get switched off, projects end, infrastructure is replaced, and the connectors that fed those sources are frequently left registered because deregistration is a housekeeping step that rarely makes it onto anyone's priority list. None of that is a compliance problem. It becomes one only when an audit reads the registry as a live inventory and prices every entry as a consuming component.
Why decommissioned connectors stay on the books
A connector that has been retired at the source often remains registered in connector management. It forwards no events, occupies no real capacity, and represents no licensed consumption, yet it persists as a line in the configuration. Operations teams have no reason to clean it up because it does nothing, and the platform keeps the record because the platform is designed to remember. The result is a registry that overstates the live estate by whatever fraction of connectors have been quietly decommissioned over the years.
A finding priced on the registry charges list price, back maintenance, and audit cost on connectors that have not forwarded an event in years. Removing them does not reduce real entitlement, it corrects a count that was never measuring use.
The evidence that removes a dead connector
A decommissioned connector comes off the count when you can show it is not forwarding events in the measurement window. That evidence lives in the buyer's own operational data, not in the registry, which is precisely why the buyer is the right party to produce it. Event flow records, source status, and infrastructure decommission dates together establish that a registered component is an artifact rather than a live consumer. Once that is documented, the component cannot reasonably carry a charge.
- Event flow records. A connector that forwards zero events across the window is not consuming the platform.
- Source status. If the underlying log source was retired, the connector that fed it has nothing to forward.
- Decommission dates. Infrastructure change records tie the retirement to a date that predates the measurement window.
Why the vendor count rarely catches this
The compliance team builds its number from discovery output and registered component lists. Those sources capture existence, not activity. Without the buyer's operational data, the audit has no way to distinguish a connector that processes millions of events a day from one that was switched off two years ago. Both appear identical in the registry. This is not a flaw the buyer should rush to fix for the vendor by handing over a raw export. It is a gap the buyer fills on its own terms, with a reconstruction that separates live from dead.
Handle it inside the notice window
OpenText gives seven days notice before an audit and the right to copy relevant records. The discipline during that window is to control the channel and to avoid letting a registry export become the uncontested baseline. A registry handed over without context invites every dead connector to be priced. A registry handed over alongside event flow evidence, or better, a reconstruction that has already removed the artifacts, never gets that far. Preparation here is not defensive paperwork, it is the difference between a count of 600 and a count of 380.
A recent engagement
The banking matter recorded as case file E-03 settled a combined EPS and connector finding of $6.0M at $1.8M, a 70 percent reduction. A meaningful share of the connector side came from exactly this category: components that had been decommissioned at the source but never deregistered. Once the live estate was mapped against event flow, the dead entries fell away and the count argument was effectively over. The pattern repeats across deployments because decommissioned connectors are not an exception, they are the predictable residue of a platform that has run for years.
Keep the estate clean going forward
The same reconstruction that wins the audit argument is worth keeping current afterward. An inventory that ties every connector to a live source and a real environment, refreshed periodically, means the next measurement starts from a clean baseline rather than from years of accumulated registrations. That is also the foundation for a forward agreement with defined metrics, where the count that matters is the live estate and not the historical one.
The cost of leaving a dead connector unchallenged
It is worth being concrete about what a single unchallenged dead connector costs, because the agreement makes the math unforgiving. On a finding, the licensee is deemed to have acquired the license at the then current list price, owes back maintenance and support, owes first year maintenance on the newly deemed license, and reimburses the audit cost. A connector that has forwarded nothing for two years therefore does not cost a list price once. It costs list price plus a stack of maintenance and recovery charges, repeated for every dead entry left on the count. Multiply that by the dozens of retired connectors a mature deployment accumulates and the dead weight alone can account for a substantial fraction of the total finding. That is why removing artifacts is not housekeeping pedantry. It is direct money.
Distinguishing retired from merely idle
One nuance deserves care. A connector that is idle in the measurement window is not automatically a retired connector. Some sources are seasonal, some forward events only during specific operations, and some are legitimately part of the production estate while quiet for a given window. The reconstruction handles this by looking past a single window where the data supports it, and by tying idle connectors to the status of their underlying source. A connector whose source was formally decommissioned is retired. A connector whose source is live but quiet is idle and stays on the production map. Drawing that line carefully protects the credibility of the whole reconstruction, because a defense that over claims is as easy to dismiss as a finding that over counts.
Dead connectors on your ArcSight finding?
We separate live connectors from retired registrations using your own event data, then reprice the count. To put a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover the connector count in depth. Each links back to the complete OpenText audit defense playbook for 2026.
- how to challenge an ArcSight connector headcount
- ArcSight connector counting in an OpenText audit
- ArcSight SmartConnector and collector counting
- how ArcSight non production and lab data is counted
- reconciling ArcSight entitlements before an audit
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.